How Electronic Batch Records Actually Work: A GMP Comparison Guide for Manufacturers and Consultants
An FDA investigator sits down with your quality manager and asks to see the batch record for lot BB-2241. Your team pulls up the electronic batch record system, navigates to the batch, and produces the document.
The investigator then asks three questions that most EBR software cannot answer cleanly:
- "Can you show me that the operator completed the blend step before the QC sampling step? Not just that both are marked complete, but that the system enforced the sequence?"
- "How do I know the person who signed off on QA release actually re-authenticated their identity at the moment of signing, rather than just being logged in from earlier in the day?"
- "If I look at this entry for the lot allocation, how do I know it hasn't been modified after the fact?"
These are not trick questions. They are the standard of review for 21 CFR Part 11 compliant electronic records. And they reveal a gap that exists in most EBR implementations: the difference between software that records what happened and software that enforces how things must happen.
This guide explains that difference in technical terms, covers what a structurally enforced EBR looks like, and gives manufacturers and consultants a framework for evaluating any EBR solution before committing to it.
What an Electronic Batch Record Is Supposed to Do
The FDA's predicate rules under 21 CFR Part 111 (dietary supplements), 21 CFR Part 110/117 (food), and related GMP regulations require that manufacturers document every step in their manufacturing process: what was made, what ingredients were used (and from which lots), who performed each step, who verified it, and what the outcome was.
A paper batch record satisfies this requirement with a physical document. An electronic batch record satisfies it with an electronic system that, under 21 CFR Part 11, must meet specific requirements for record integrity, audit trails, and electronic signatures.
The problem is that "electronic batch record" as a product category has come to mean very different things. At one end, it means a PDF with fillable fields that gets saved to a shared drive. At the other end, it means a system where every entry is timestamped, identity-verified, and cryptographically chained to the record in a way that makes post-hoc modification mathematically detectable.
Both get sold as EBR software. Only one of them survives an FDA inspection.
How Most EBR Software Works
The majority of EBR implementations in the supplement and food manufacturing space fall into one of three categories:
Category 1: Digital Paper
Software that digitizes the paper batch record without adding structural controls. Operators fill in fields sequentially (or not sequentially). They click "submit" when they're done. The system records who submitted the form and when.
The problem: the software has no mechanism to enforce that step 3 cannot be completed before step 2. There is no system-level prevention of backdating entries. The "signature" is typically a checkbox or a button click by whoever is logged in, not a verified re-authentication at the point of action. The audit trail, if it exists, is a log file that may or may not be tamper-evident.
This is the most common form of EBR in use today. It looks compliant on the surface. It is not.
Category 2: QMS Add-On Modules
General quality management systems that were originally designed for pharmaceuticals or medical devices, with EBR added as a module. These systems often have more robust controls, but they face two structural problems for supplement and food manufacturers.
First, they are not purpose-built for 21 CFR Part 111 or FSMA workflows. The batch record concept, the lot allocation rules, the COA and release workflows, all require configuration that is time-consuming to implement correctly and fragile to maintain.
Second, they treat compliance as a layer on top of the manufacturing workflow rather than something built into it. The system can enforce that a field is filled in. It generally cannot enforce that the ingredient allocated to this batch came from the oldest available lot in your warehouse.
Category 3: Spreadsheet-Based EBR with a Digital Signature Layer
A growing number of manufacturers use Excel or Google Sheets templates with a DocuSign or similar layer added for signatures. This approach fails 21 CFR Part 11 on multiple grounds: the spreadsheet content can be modified after signing without invalidating the signature (the signature is attached to the document, not cryptographically bound to its content), there is no system-enforced sequence of operations, and audit trails are nonexistent or manual.
What Structural EBR Enforcement Looks Like
A structurally enforced EBR system does not ask operators to follow procedure. It makes it technically impossible to deviate from it.
Mandatory Sequential Checkpoints
Each step in the batch record must be completed before the next step becomes available. This is not a workflow suggestion or a warning message the operator can dismiss. The system will not render the next step as actionable until the previous step's required data has been entered and saved.
This matters because "they should have done it in order" and "the system prevented them from doing it out of order" are two very different things when you are responding to a 483 observation. One is a policy. The other is evidence.
FIFO Lot Allocation Without Operator Choice
Ingredients should be allocated to production runs in First-In, First-Out order. In most EBR systems, this is a recommendation. The operator is expected to select the correct lot from a dropdown.
In a structurally enforced system, the lot allocation is automatic. The system determines which lot to use based on receipt date and inventory status. The operator receives the lot, not a list of options. This eliminates a category of operator error that is difficult to catch and even more difficult to explain to an FDA investigator who finds that a lot with a shorter shelf life was used before an older lot.
Identity Verification at the Point of Signature
21 CFR Part 11 requires that electronic signatures include at least two distinct identification components. For non-biometric signatures, this means a user ID and password entered at the moment of signing.
Being logged into the system is not the same thing as signing. If an operator logged in at 7:00 AM and a QA manager signs off on a batch release at 3:00 PM using the same active session, the signature is not compliant. The authentication event and the signature event are the same action under Part 11, not two separate things.
A compliant EBR system re-authenticates the user at each signature event. The identity verification happens when the signature is applied, not when the session started.
Cryptographic Hash Chaining
Every entry in a compliant EBR should be hashed and chained to the previous entry. This means that each record contains a cryptographic hash that incorporates the content of the current entry plus the hash of the previous entry.
The practical result: if any entry is modified after the fact, the hash chain breaks. The modification is mathematically detectable, not just administratively detectable. An FDA investigator with access to the raw data can verify independently that the record has not been altered.
This is distinct from a standard audit log. An audit log records changes. A hash chain makes undocumented changes cryptographically impossible to hide. These are very different assurances.
A Release Gate Enforced in the System, Not in Policy
The QA release step should be a hard gate in the system. The batch cannot be shipped, the finished goods cannot be allocated, the COA cannot be generated, until a QA-authorized user has applied a compliant electronic signature to the release record.
A release gate enforced by policy means the system will let you ship the batch, and you are counting on no one doing so without QA approval. A release gate enforced in the system means the workflow physically prevents shipment until the signature exists. The distinction matters when you are trying to demonstrate to an FDA investigator that a non-conforming batch could not have been released.
The External Signature Chain
A part of the batch record story that most EBR vendors do not address is what happens on either side of the production run itself.
Before the batch starts: A supplier provides a Certificate of Analysis for the incoming ingredient lot. In most operations, that COA is received as an email attachment, filed somewhere, and referenced later. The COA is not cryptographically linked to the batch record that used the lot. If the COA is altered, there is no mechanism to detect it.
A complete EBR system allows the supplier to sign their COA directly within the platform. The supplier's electronic signature is cryptographically bound to the incoming lot record. The authenticity of the COA is verifiable at any point in the future because the signature is tied to the document content, not just attached to a file.
After the batch ships: A client or brand owner receives a QC release certificate. In most operations, they acknowledge receipt by email. That acknowledgment is not part of the batch record.
A complete EBR system routes the QC release certificate to the client through a portal and captures their electronic acknowledgment as part of the permanent record. The client signature carries the same timestamp and identity verification as every other signature in the record chain.
The result is a continuous chain: supplier signs the COA, your QA releases the batch, your client acknowledges the certificate. All three signatures are in the same tamper-evident audit trail. When an FDA investigator asks for documentation of the complete chain of custody, you produce one record, not three separate systems.
What to Look for When Evaluating EBR Software
If you are advising a manufacturing client on EBR software selection, or evaluating options for your own operation, these are the questions that separate structurally compliant systems from digital paper:
On sequence enforcement: "If an operator tries to complete step 4 without completing step 3, what does the system do? Can you show me?"
The correct answer is that the system makes step 4 unavailable. A warning message the operator can dismiss is not enforcement.
On lot allocation: "Does the system automatically select which ingredient lot to use based on FIFO, or does the operator choose?"
Automatic allocation is the structurally correct implementation. Operator selection with a FIFO recommendation is a policy control, not a system control.
On electronic signatures: "When a QA manager signs off on a batch release, does the system require them to re-enter their credentials at that moment, or does it use their existing session?"
Re-authentication at signature event is required for Part 11 compliance. Session-based signatures are not compliant.
On audit trail integrity: "How does your system ensure that an audit trail entry cannot be modified after it is written? Can you show me the technical mechanism?"
The answer should describe either a hash chain, a write-once data store, or a comparable cryptographic control. "We have access controls that prevent modification" is an administrative control, not a technical one.
On the release gate: "What prevents a batch from being shipped if it has not received a QA electronic signature?"
The answer should describe a system-level block, not a process requirement. The system should make it technically impossible to create a shipment record for a batch that has not been QA-released.
On supplier and client documentation: "How does the COA from our supplier become part of the batch record? And how does our client's acknowledgment of the certificate get recorded?"
If the answer involves email, file attachments, or a separate system, the chain of custody documentation is incomplete.
What a 483 Defense Looks Like With Structural EBR
When a manufacturer with a structurally enforced EBR receives a 483 observation related to electronic records, the corrective action response looks fundamentally different from a manufacturer with digital paper.
Digital paper response: "We have retrained our operators on the correct procedure for completing batch records in sequence. We have updated our SOP to clarify signature requirements."
Structural EBR response: "The system does not permit out-of-sequence completion. We can provide the system configuration documentation and a live demonstration. We can also provide the hash verification report showing that no batch record entries have been modified after initial entry."
The first response is a policy commitment. The second response is evidence. FDA investigators know the difference.
How BatchBuddy Implements Structural EBR
If you run the six evaluation questions above against BatchBuddy, here is what you get:
On sequence enforcement: Step availability is controlled at the database level. When a production run is active, the API will not return the next step as actionable until the current step's required fields have been written and the entry locked. There is no operator-facing override. There is no warning message to dismiss. The next step does not exist in the UI until the previous step is complete.
On lot allocation: BatchBuddy allocates ingredient lots automatically in FIFO order by receipt date. The operator receives a specific lot number. There is no dropdown with multiple lots to choose from. The decision is not available to them.
On electronic signatures: Every signature event triggers a re-authentication modal. The user's existing session is not used. They enter their credentials at the moment of signing, and the system records their identity, the timestamp, and the declared meaning of the signature (batch release, formulation approval, QC sign-off) as 21 CFR Part 11 requires. If the re-authentication fails, the signature does not execute.
On audit trail integrity: Every entry is locked with an HMAC-SHA256 hash on write. Each hash incorporates the content of the current entry plus the hash of the previous entry. If any entry is modified after the fact, the chain breaks. The break is detectable by anyone with access to the raw data, including an FDA investigator. This is not an access control. It is a mathematical constraint.
On the release gate: Finished goods inventory cannot be allocated and COAs cannot be issued until a QA-authorized user has applied a compliant electronic signature to the release record. This is enforced at the application layer. The shipment workflow does not have a path around it.
On supplier and client documentation: Suppliers sign incoming COAs directly inside BatchBuddy. The signature is cryptographically bound to the lot record at the moment of signing. When your QA releases a batch, the certificate routes to your client through the Client Portal. Their acknowledgment is captured as a signed entry in the same audit trail, same timestamp format, same hash chain, same 21 CFR Part 11 signature standard as every other entry in the record.
The result: when an FDA investigator asks for the complete batch record for lot BB-2241, you produce one record from one system. Supplier COA signature. Every production step in sequence. QA release signature. Client acknowledgment. Hash verification showing nothing was modified after entry. You don't pull three systems. You don't attach email threads. You export the record and hand it over.
We run BatchBuddy in live regulated production at our own contract manufacturing facility. These are not theoretical controls. We built them because we needed them ourselves.
The Bottom Line
If you run the six questions in this guide against your current EBR system and don't like the answers, that's the finding. Before the investigator gets there.
BatchBuddy answers all six. See it demonstrated, not described.