Case Study · ATReview

Turning manual audit trail reviews into a real-time, exception-based workflow.

RoleSenior Product Designer (sole designer)

ClientOrise Digital

Standards21 CFR Part 11 · ALCOA+ · GAMP · MHRA

Duration~12 months

Pharmaceutical QA teams were spending days reviewing audit trail data in spreadsheets, manually checking thousands of records and still only covering a fraction. I designed ATReview from zero to launch brand identity to usability testing delivering a validated, compliant product that reduced review effort by over 80% and achieved 100% critical event coverage.

Review reduction

0%+

Routine noise filtered automatically before QA review more coverage with less manual effort

Critical coverage

Every critical event surfaces for human review no more sampling and hoping

Usability

0/10

Post-iteration usability score 67% of participants rated a perfect 10

atreview.app/dashboard

01Context

No product, no spec, no visual identity. Just a problem worth solving.

Audit trail review is one of the most demanding compliance tasks in regulated pharmaceutical environments. Every change made to a GxP system must be traceable, reviewable, and defensible to regulators. Most companies were managing this in Excel: periodic exports, manual filtering, and enough volume that full coverage was simply impossible.

A competitive analysis confirmed the opportunity. Every tool in the space was built for compliance, not for people. Dense interfaces, punishing navigation, visual design that felt fifteen years old. These products existed because QA teams had no alternative not because anyone had designed them well. That gap became a deliberate direction from the start.

Orise Digital's ask was direct: build a tool that digitises audit trail review from the ground up automated, continuous, and compliant. I joined at the very beginning.

Area	My ownership	Type
Discovery & research	Competitive analysis, stakeholder interviews, domain immersion in GxP compliance and ALCOA+ principles	Mine alone
Brand & visual identity	Logo, colour system, typography built from scratch to feel trustworthy yet distinctly modern in pharma software	Mine alone
UX & interaction design	Information architecture, role-based dashboards, review workflows, exception-based filtering model	Mine alone
Usability testing	Two rounds with 10 participants across QA, operators, and system owners baseline to 9.6/10	Mine alone
Feature design (Bulk Update)	Benchmarking, four solution concepts, user testing before build, final guided-flow implementation	Mine alone
Engineering & QA automation	Front-end build, back-end integration, automated test coverage collaborative with engineering team	Shared

Process notes

Three things about how this work got made that don't fit inside the numbered narrative.

01 / Sole designer, cross-functional collaborator

I was the only designer on the project across the full 12-month engagement. My collaborators were a Product Owner, a Front-End Engineer, a Back-End Engineer, and a QA Automation Engineer. All design decisions from brand identity to interaction patterns to usability testing were mine. Engineering decisions were collaborative, and I made sure the QA Automation Engineer joined stakeholder sessions from the start so user scenarios could feed directly into end-to-end test coverage.

02 / Compliance as design material

21 CFR Part 11 and ALCOA+ requirements aren't typically treated as UX inputs. I treated them as the primary design brief. Every interaction that touched a regulated record submitting a reason for change, approving a review, mapping an unattributed user had to produce an immutable, timestamped, identity-verified audit entry. The compliance requirements shaped simpler flows: when every action is captured and verified by design, the interface becomes the source of truth.

03 / Designing without existing users

There were no existing users to observe just QA professionals describing a process they'd done for years without questioning it. Stakeholder interviews surfaced what surveys wouldn't: the real anxiety wasn't the volume of records, it was the fear of missing a critical one. That insight reframed the entire design direction.

02The Problem

Nothing in the existing process could prove a change was routine without a human manually verifying it.

Before ATReview, QA teams managed audit trail reviews the only way they could: manually, periodically, in spreadsheets. A single GxP system could generate thousands of log entries in a review cycle. Teams would export the data, filter what they could, and review as much as time allowed.

Volume made full coverage impossible

Sampling is not reviewing. Critical events could and did fall through the gaps. The larger the company, the worse the problem. Teams reviewed what time allowed and hoped the critical events were in the portion they checked.

Thousands of raw log entries per review cycle · Manual filtering in Excel · Full coverage structurally impossible at scale

Excel couldn't satisfy ALCOA+ in practice

The data integrity standard requires every record to be Attributable, Contemporaneous, Legible, Original, and Accurate. Spreadsheets couldn't enforce any of it. Generic shared accounts made attribution impossible. Retroactive entries broke contemporaneity. Records could be altered with no trace.

ALCOA+ · Attributable, Legible, Contemporaneous, Original, Accurate none enforceable in a shared spreadsheet environment

Regulatory audits meant scrambling

When an inspector arrived, teams had to reconstruct activity manually across scattered files and forms. Stressful, slow, and entirely reactive. The root cause wasn't that reviews were slow it was that every entry had to be treated as suspicious because the system had no way to say otherwise.

Manual reconstruction across scattered files · No always-on audit trail · Entirely reactive compliance posture

03Key Decisions

Compliance constraints became design constraints, not legal footnotes. Five design decisions shaped ATReview. Each one came from treating compliance constraints as design constraints not legal footnotes to address after the interface was built.

Decision01

Review by Exception make routine events invisible

GapThe real anxiety wasn't the volume of records it was the fear of missing a critical one. The existing process treated every entry as suspicious because the system had no way to say otherwise.

ChoiceThe system filters out routine events automatically, based on configurable rules derived from the client's own Risk Assessment. QA only sees what requires human judgement.

ConsideredFaster manual review tools, better spreadsheet templates, or a universal inbox showing all events with priority tags.

WhyLess manual effort, more coverage. Excel could only sample. ATReview filters over 80% of routine noise and achieves 100% coverage of critical events. The counterintuitive result: reviewing less means catching more.

Decision02

Role-based dashboards, not a universal view

GapWhen asked "what do you need to see first?" each user type had a completely different answer. QA wanted pending reviews. System Owners wanted trend data. Operators wanted their action queue.

ChoiceEach role lands on exactly what matters to them dedicated dashboards shaped by their specific workflow needs

ConsideredA single view with filters which would have pushed the work of finding relevance back onto the user, recreating the spreadsheet problem in a different form.

WhyThe tradeoff was additional design and build complexity. The alternative was a tool that felt overwhelming to everyone. Role-based views eliminated the need for users to configure their own relevance.

Decision03

Visual identity built from scratch and made intentional

GapNo existing brand. Competitive analysis showed every pharma compliance tool looked fifteen years old. The category had no visual standard worth following.

ChoiceA design language that feels trustworthy in a regulated context while being distinctly more modern than anything else in the pharma software space

WhyClient feedback confirmed it landed. Multiple users commented the interface felt fresh in a way they weren't used to from pharmaceutical software. That perception of quality directly influenced how the product was received during demos.

Decision04

User scenarios written with engineering, not after them

GapStandard practice separates design artefacts from test coverage. Scenarios designed in isolation can't guarantee they're precise enough for automated testing.

ChoiceQA Automation Engineer joined stakeholder sessions from the start scenarios fed directly into end-to-end test coverage

WhyScenarios had to be precise and grounded in real workflows, not idealised journeys. This produced better design artefacts and automated test coverage simultaneously.

Decision05

Knowing what not to build

GapWith 10 usability participants and a 7-column table, no one asked for drag-and-drop column management, pinning, or resizing. No one struggled without it.

ChoiceWe didn't build it. Scope discipline kept the interface clean and sprints focused on validated problems.

WhyScope discipline is part of the design, and evidence is what makes it defensible. Features not validated as problems don't earn their place in the interface.

03.5Early Concepts

Initial explorations before the final direction

Before landing on the final solution, I explored several directions for the parameter changes workflow from rough sketches to early UI concepts.

Concept 1

Early concept: Parameter Changes flow

Excalidraw sketch exploring the initial information architecture and navigation patterns for the parameter changes view

Concept 2

Early concept: Relevant parameter changes

Early exploration of the Relevant Parameter Changes table, visualising record changes alongside their status

💡

These explorations helped clarify that the core problem wasn't displaying data it was helping users understand which changes were relevant to their current review task.

04Solution

A continuous, exception-based workflow that replaced the spreadsheet entirely.

ATReview transforms audit trail review from a periodic, spreadsheet-driven task into a continuous, exception-based workflow.

A GxP system generates a change event

ATReview classifies it against the configured Risk Assessment

Routine events are filtered automatically QA never sees them

Relevant changes surface in the review table

The operator adds context: what changed, why, with their verified identity and a timestamp

QA receives a notification, reviews the record, approves or rejects

Every action is logged immutably: user identity, eSignature hash, timestamp to the second

Each change moves through four states, with role-based handoffs and rejection loops built in at every stage.

RPC lifecycle diagram showing the exception-based review workflow

Dashboard four KPIs answer 'where are we?' in seconds

atreview.app/dashboard

Exception-driven focus the visualisation centres on what's incomplete and needs attention, not what's already done.

Role-aware lens QA and System Owners see the same underlying data through different views shaped by their workflow.

Relevant Parameter Changes the worklist that replaced the spreadsheet

atreview.app/rpc

'Relevant' already means the noise has been filtered status badges make workflow state scannable at a glance without opening individual records.

Exception-based review QA only sees what requires human judgement, not every log entry the system generated.

RPC Detail structured capture at the moment of change

atreview.app/rpc/detail

ALCOA+ met through one well-designed input operator's reason tied to their verified identity and timestamp.

Read-only change data visually distinct from operator fields QA can trust data integrity without cross-referencing source systems.

Activity Log every action, every actor, in sequence

atreview.app/activity-log

System actions logged identically to human actions ATReview itself is audited the same way users are.

Always-on, instantly auditable no manual reconstruction when an inspector arrives.

Usability testing

10 participants across QA engineers, operators, and system owners. Initial score: 7.8/10. Post-iteration: 9.6/10.

Session 1 of 5

Task: Review and triage critical events

Participant: Compliance officer navigating the events list, applying filters, identifying incomplete records

Session 4 of 5

Task: Complete an incomplete event record

Participant: System owner locating the event detail, entering reason text, referencing an SOP ID

💡

Both tasks revealed the same friction point: participants couldn't tell if an event was actionable by them or assigned to someone else. This became the primary design problem for the status model.

05Impact

Purchased by a pharmaceutical company after seeing it in action, now Orise Digital's core product.

ATReview was purchased by a pharmaceutical company after seeing it in action. It is now Orise Digital's core product, with active plans to deploy across a Tier 1 pharmaceutical company's systems.

“The application was very easy on the eyes, very easy to see what was changed, and very nice and beautiful to navigate. We're not used to modern, well-designed UIs in pharmaceutical software, and we were very impressed by how the information was laid out and how easy it was to see exactly what needs to be done.”— Client, Pharmaceutical Company

Review volume

0%+

Routine noise filtered before review from thousands of raw entries to only what requires human judgement.

Coverage

Critical event coverage every meaningful change surfaces for review. No more sampling.

Usability

0.0/10

Post-iteration score up from 7.8/10 baseline. 67% rated a perfect 10, no ratings below 9.

Before ATReview: sampling in Excel, days to weeks per review cycle, generic accounts with no attribution, manual reconstruction for audits. After: 100% critical event coverage, real-time exception-driven review, enforced attribution at record level, and an always-on activity log that's instantly auditable.

The Bulk Update feature designed after launch to handle scale landed with 67% rating a perfect 10 and 33% rating a 9. Testing before building meant the implementation shipped cleanly from day one. No rework, no user confusion to unpick after release.

06Reflection

Compliance isn't something you layer on top. It's something you embed into every interaction from the start.

When ALCOA+ principles become design constraints rather than legal requirements, the result is simpler for users and stronger for auditors. Those goals aren't in tension they reinforce each other. Every interaction that touches a regulated record was designed to produce an immutable, timestamped, identity-verified audit entry. That meant designing for auditability at the interaction level, not bolting on a log at the end.

The Bulk Update feature reinforced something I now apply consistently: testing before building is not slower, it's faster. The time spent validating a design upfront is always less than the time spent fixing a shipped feature that doesn't work for users.

What I'd do differently

I'd formalise the competitive analysis into a living benchmark that updated as we iterated not just a one-time discovery artefact. The initial analysis was sharp, but by month eight the competitive landscape had shifted and I was relying on memory rather than documented reference points. A quarterly refresh would have kept positioning decisions grounded.

“The interface that earns trust in a regulated environment isn't the one that shows the most data. It's the one that proves it's already handled the data you don't need to see.”