Data Integrity

FDA 21 CFR Part 11 Audit Trail Requirements: What Your System Must Capture

8 min read By Ahmad Al-Sharif, Senior CSV Consultant

FDA 21 CFR Part 11 is the regulation that establishes the conditions under which the FDA considers electronic records to be equivalent to paper records and electronic signatures to be equivalent to handwritten signatures. Enacted in 1997 and reinterpreted through the FDA's 2003 guidance and 2018 Data Integrity guidance, Part 11 contains specific requirements for audit trails that remain one of the most frequently cited deficiencies in FDA inspections of pharmaceutical facilities.

This guide focuses specifically on the audit trail provisions of Part 11, explains what your computerised system must capture, and identifies the most common configuration failures that lead to inspection findings.

What Is a Pharmaceutical Audit Trail?

An audit trail is a secure, computer-generated, time-stamped record that allows reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record. The FDA's definition under 21 CFR Part 11.3(b)(4) includes this concept explicitly.

In practical terms, an audit trail captures:

  • Who performed an action (user identity)
  • What action was performed (create, modify, delete, approve, reject)
  • When the action occurred (date and time, typically to the second)
  • What data was changed (before and after values for modifications)
  • Why the change was made (reason for change, when required)

What 21 CFR Part 11 Specifically Requires for Audit Trails

Section 11.10(e) of 21 CFR Part 11 states that systems must use computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. The key regulatory provisions are:

  • Computer-generated - the audit trail must be automatically generated by the system, not manually created by users
  • Time-stamped - must include date and time. The system clock must be reliable and protected from manipulation
  • Independent - the audit trail must record actions independently of the user - users cannot switch it off or edit audit trail entries
  • For all records subject to Part 11 - audit trails are required for all electronic records that replace required paper records under FDA-applicable regulations

Review requirement: The FDA's 2018 Data Integrity guidance clarifies that audit trails must be reviewed as part of the routine batch record review process - not only when a discrepancy is suspected. Review of audit trails should be documented.

What Events Must Be Captured?

All GxP-relevant actions in a system subject to Part 11 must be captured in the audit trail. This includes:

  • Data entry events - initial entry of all GxP data values
  • Data modification events - any change to a previously entered value, including the original value, the new value, the user who made the change, the date/time, and the reason for change
  • Data deletion events - records of deleted entries (with the deleted values retained, not erased)
  • System access events - login, logout, failed login attempts
  • Electronic signature events - identity of the signer, meaning of the signature (review, approval, etc.), and date/time
  • System administration events - user account creation, modification, or deletion; privilege changes; system configuration changes
  • Sequence interruptions - for instrument systems (HPLC, GC), any interruption to an analytical sequence must be captured

Audit Trail Configuration Requirements

The technical configuration of an audit trail must ensure that:

  • The audit trail cannot be disabled by any user, including system administrators and IT staff
  • Audit trail entries cannot be modified or deleted - only new entries may be appended
  • The system clock is synchronised (NTP) and protected from manipulation
  • Audit trail data is backed up and retained for the same retention period as the GxP records it covers
  • Audit trail data can be exported and reviewed in a human-readable format without requiring specialist tools

Most Common Audit Trail Inspection Findings

Based on published FDA Warning Letters and EMA inspection reports, the most frequent audit trail findings are:

  1. Audit trail not enabled - the system has audit trail functionality but it was not turned on, or was selectively enabled for some functions but not others
  2. Audit trail not reviewed - audit trail data exists but is not reviewed as part of batch release or data review processes
  3. Administrators can delete audit trail entries - system configuration allows privileged users to edit or clear audit trail records
  4. System clock not protected - users can change the system date/time, creating the opportunity for backdating
  5. Audit trail excluded for "test" or "practice" runs - analytical instruments configured to exclude test injections from the audit trail, creating the possibility for selective exclusion of failing data
  6. Retention mismatch - audit trail data is purged on a shorter cycle than the associated GxP records

Free 21 CFR Part 11 Audit Trail Configuration Checklist

Download our 35-point checklist for verifying 21 CFR Part 11 audit trail compliance in pharmaceutical computerised systems - including review, retention, and configuration checks.

Download Free Checklist →
21 CFR Part 11 Audit Trail Electronic Records FDA Data Integrity Pharmaceutical Compliance
A

Ahmad Al-Sharif

Senior CSV Consultant · 12 years in pharmaceutical validation

Ahmad leads PHARPRO's CSV and digital validation practice. He has delivered validation projects across Jordan, UAE, Saudi Arabia, and Europe - covering FDA 21 CFR Part 11, EU GMP Annex 11, and ISPE GAMP 5 frameworks.

Frequently asked questions

No. Part 11 applies to electronic records that are created, modified, maintained, archived, retrieved, or transmitted under FDA-applicable regulations, and where the FDA requires those records to be maintained. Systems used exclusively for non-GxP business purposes (HR systems, general email, accounting software not used for GxP records) are not subject to Part 11. The determination of Part 11 applicability is made during the system's GxP impact assessment.
21 CFR Part 11.10(e) requires that audit trails record the date and time of entries and actions. The FDA's 2018 Data Integrity guidance adds that for modifications to GxP records, the reason for the change should be documented. Many systems capture this as a mandatory 'reason for change' field that users must complete when modifying a record. This is considered best practice and is expected by inspectors even where the regulation itself does not explicitly mandate it.
Audit trail records must be retained for at least as long as the GxP records they are associated with. For batch production records, this is typically at least one year after the expiry date of the batch (FDA 21 CFR Part 211.180(a)) - in practice often 5–15 years depending on the product type. Audit trail data should never be purged on a shorter cycle than the associated records.
This is a common situation with older laboratory instruments. Options include: upgrading the software to a compliant version, implementing a middleware solution that captures audit trail data at the instrument level, replacing the instrument, or implementing compensating controls (enhanced supervision, dual witness procedures, paper-based audit documentation) justified through a formal risk assessment. PHARPRO can assist with the risk assessment and remediation strategy.

Ready to work with PHARPRO?

Get a free assessment of your compliance programme - no obligation.

Request Free Assessment Explore CSV Services
PHARPRO - Expert Pharma Consulting

Struggling with audit trail compliance for FDA 21 CFR Part 11? PHARPRO reviews, remediates, and validates your GxP computerised systems.

CSV & Audit Trail Consulting → Free Assessment
Related Insights

Keep reading

More in-depth guides from the PHARPRO compliance team.

FDA 21 CFR Part 11: Data Integrity Requirements
Electronic records, e-signatures, and audit-trail requirements every regulated system must meet.
EU GMP Annex 11: A Practical Compliance Checklist
Supplier assessment, validation documentation, audit trails, and data integrity - 2025 edition.
CSV for SaaS and Cloud Applications in Pharma
Validation approach, vendor qualification, and documentation strategy for cloud-hosted GxP systems.
Data Integrity in Pharma: ALCOA+ Requirements
ALCOA+ principles, FDA and EU GMP expectations, audit trail controls, and the most common gaps.
Pharmaceutical Validation Software: Buyer's Guide 2026
How DVS and competing platforms compare - what to look for before you buy.