FDA 21 CFR Part 11 is the regulation that establishes the conditions under which the FDA considers electronic records to be equivalent to paper records and electronic signatures to be equivalent to handwritten signatures. Enacted in 1997 and reinterpreted through the FDA's 2003 guidance and 2018 Data Integrity guidance, Part 11 contains specific requirements for audit trails that remain one of the most frequently cited deficiencies in FDA inspections of pharmaceutical facilities.
This guide focuses specifically on the audit trail provisions of Part 11, explains what your computerised system must capture, and identifies the most common configuration failures that lead to inspection findings.
What Is a Pharmaceutical Audit Trail?
An audit trail is a secure, computer-generated, time-stamped record that allows reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record. The FDA's definition under 21 CFR Part 11.3(b)(4) includes this concept explicitly.
In practical terms, an audit trail captures:
- Who performed an action (user identity)
- What action was performed (create, modify, delete, approve, reject)
- When the action occurred (date and time, typically to the second)
- What data was changed (before and after values for modifications)
- Why the change was made (reason for change, when required)
What 21 CFR Part 11 Specifically Requires for Audit Trails
Section 11.10(e) of 21 CFR Part 11 states that systems must use computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. The key regulatory provisions are:
- Computer-generated - the audit trail must be automatically generated by the system, not manually created by users
- Time-stamped - must include date and time. The system clock must be reliable and protected from manipulation
- Independent - the audit trail must record actions independently of the user - users cannot switch it off or edit audit trail entries
- For all records subject to Part 11 - audit trails are required for all electronic records that replace required paper records under FDA-applicable regulations
Review requirement: The FDA's 2018 Data Integrity guidance clarifies that audit trails must be reviewed as part of the routine batch record review process - not only when a discrepancy is suspected. Review of audit trails should be documented.
What Events Must Be Captured?
All GxP-relevant actions in a system subject to Part 11 must be captured in the audit trail. This includes:
- Data entry events - initial entry of all GxP data values
- Data modification events - any change to a previously entered value, including the original value, the new value, the user who made the change, the date/time, and the reason for change
- Data deletion events - records of deleted entries (with the deleted values retained, not erased)
- System access events - login, logout, failed login attempts
- Electronic signature events - identity of the signer, meaning of the signature (review, approval, etc.), and date/time
- System administration events - user account creation, modification, or deletion; privilege changes; system configuration changes
- Sequence interruptions - for instrument systems (HPLC, GC), any interruption to an analytical sequence must be captured
Audit Trail Configuration Requirements
The technical configuration of an audit trail must ensure that:
- The audit trail cannot be disabled by any user, including system administrators and IT staff
- Audit trail entries cannot be modified or deleted - only new entries may be appended
- The system clock is synchronised (NTP) and protected from manipulation
- Audit trail data is backed up and retained for the same retention period as the GxP records it covers
- Audit trail data can be exported and reviewed in a human-readable format without requiring specialist tools
Most Common Audit Trail Inspection Findings
Based on published FDA Warning Letters and EMA inspection reports, the most frequent audit trail findings are:
- Audit trail not enabled - the system has audit trail functionality but it was not turned on, or was selectively enabled for some functions but not others
- Audit trail not reviewed - audit trail data exists but is not reviewed as part of batch release or data review processes
- Administrators can delete audit trail entries - system configuration allows privileged users to edit or clear audit trail records
- System clock not protected - users can change the system date/time, creating the opportunity for backdating
- Audit trail excluded for "test" or "practice" runs - analytical instruments configured to exclude test injections from the audit trail, creating the possibility for selective exclusion of failing data
- Retention mismatch - audit trail data is purged on a shorter cycle than the associated GxP records
Free 21 CFR Part 11 Audit Trail Configuration Checklist
Download our 35-point checklist for verifying 21 CFR Part 11 audit trail compliance in pharmaceutical computerised systems - including review, retention, and configuration checks.
Download Free Checklist →