
21 CFR Part 11 Audit Trail Requirements [Explained]

Apr 27, 2023 | 21 CFR Part 11

21 CFR Part 11 is a US FDA regulation that establishes the criteria for electronic records and digital signatures. According to this regulation, all electronically stored records must have an audit trail ensuring traceability.

Audit trails are a critical component of compliance with 21 CFR Part 11 requirements, as they provide a record of all activities in a computer system and allow events to be reconstructed should an investigation be required.

In this article, we will take a look at the requirements for audit trails in 21 CFR Part 11. We will also cover the main components of an audit trail entry and key audit trail system features, and explain how SimplerQMS meets the requirements for audit trails according to 21 CFR Part 11.

SimplerQMS offers a comprehensive eQMS software solution tailored for the Life Sciences industry and fully compliant with 21 CFR Part 11.

Get a personalized demo of SimplerQMS to see how our solution can help you achieve and maintain compliance with 21 CFR Part 11.

Audit Trail Definition as per FDA

According to the FDA’s guidance for industry on computerized systems used in clinical trials, an audit trail is defined as:

 “A secure, computer-generated, time-stamped electronic record that allows reconstruction of the course of events relating to the creation, modification, and deletion of an electronic record.”

In other words, an audit trail is the history of all actions performed on a document, including who was responsible for each action, when it was performed, which action was taken, and any other relevant details.

Audit trails make it possible to follow the development of documents in time sequence, to ensure they have not been altered in any way that would compromise accuracy or reliability.

What are 21 CFR Part 11 Audit Trail Requirements?

The FDA 21 CFR Part 11 regulation requires the system used to manage electronic records to provide a secure, computer-generated, and time-stamped audit trail.

Its purpose is to accurately record changes made to documents.

Below, we will cover the audit trail requirements outlined in 21 CFR Part 11 section 11.10 and provide a few brief examples of how solutions like SimplerQMS can help companies meet them.

NOTE

Please note that the information presented in this article is for educational purposes only and is not intended to be used as official regulatory guidance. It is recommended that companies seeking compliance with 21 CFR Part 11 refer to the regulation.

Ensure Audit Trail Security

Only authorized individuals should have access to the system and be able to make changes and sign off documents. This ensures that the audit trail is a secure and trustworthy record of actions.

According to 21 CFR 11.10(e), audit trails must be secure.

To achieve security, the system should limit access to only authorized individuals, as stated in 21 CFR 11.10(d).

Restricting access, the ability to make changes, and document sign-offs to authorized individuals ensures a secure and trustworthy audit trail of actions.

For example, SimplerQMS meets these security requirements using Microsoft Entra ID (previously known as Microsoft Azure Active Directory) for controlling user access within the system, ensuring secure authentication and authorization.

Effective User Permission Settings in SimplerQMS
List of users with read access and their effective permissions in the SimplerQMS.

Implement Computer-Generated Audit Trail

As outlined in 21 CFR 11.10(e), an audit trail must be generated automatically by the system rather than created manually, to eliminate human error.

For instance, solutions like SimplerQMS, by default, automatically generate and store every version of a document, file, and record.

Automate Time-Stamping

As per section 21 CFR 11.10(e), the audit trail must document the time and date of actions performed in the electronic record, including:

  • Creation events
  • Modification events
  • Document approval events
  • Retirement events
  • Etc.

The system should also provide the ability to choose the system’s standard time zone, including UTC, as the FDA recommends.

Verify User Identity

The audit trail must record the identity of the user who performed each action inside the system.

According to 21 CFR 11.10(g), authority checks must be in place to ensure that only authorized individuals can use the system.

For example, user identity is automatically recorded in SimplerQMS, keeping track of who created, reviewed, approved, updated, and retired documents.

Change Request Audit Trail in SimplerQMS
Document history showing the document name, version, status date and time, responsible user, and state of the document.

Track Performed Actions

As outlined in 21 CFR 11.10(e), the audit trail must capture and record all performed actions and changes made to the electronic records.

For example, in SimplerQMS, every time a document is edited, reviewed, approved, or retired, the system automatically records and stores all the relevant data, including user identity (who performed the action), date and time of changes, and type of change made to the document.

The audit trail also lists all versions of documents and provides a simple way to compare them as well as restore any of the previous versions if needed.

Preserve Previously Recorded Information

As stated in 21 CFR 11.10(e), the audit trail must not hide or overwrite previously recorded information.

In a solution such as SimplerQMS, all records have a complete version history and it is not possible to delete electronic records. They can only be archived or retired.

Retain Audit Trail Documentation

As per 21 CFR 11.10(e), the audit trail must be stored for a period that is appropriate for the record based on its content and purpose.

In SimplerQMS, for example, audit trail data can be stored and retained for as long as required by the user. All records are securely stored in the cloud and can be accessed anytime with full control over who has access to them.

Regular data backups and disaster recovery plans also ensure that no data is lost in case of any unforeseen events.

Ensure Audit Trail Availability for FDA Inspection

According to 21 CFR 11.10(e), the audit trail should be easily accessible for review and copying by the FDA during an inspection.

For instance, SimplerQMS allows you to easily view the history of any record, and to copy or export system records and data for inspection purposes.

You can also create document collections with relevant records for upcoming audits.

eCTD Document Collection in SimplerQMS
Document collection showing relevant documents for an FDA 510(k) submission grouped in a Document Collection folder.

It is important to note that this article only covers the audit trail requirements outlined in 21 CFR Part 11. However, there are many other requirements outlined in this regulation that must be met to ensure compliance.

If you are interested in learning more about 21 CFR Part 11, we recommend checking out our full guide on 21 CFR Part 11 compliance.

Components of an Audit Trail Entry

When it comes to audit trail entries, several components are included.

Here is an example of what an audit trail entry in SimplerQMS looks like when viewing document history:

  • Name: The title or label that is used to identify the document.
  • Version: Unique identifier that is assigned to each saved version of a document or file within a system.
  • User: The system records the identification code or name that identifies the person who altered the document.
  • State: A document’s state refers to its current status within a specific workflow.

SOP Audit Trail in SimplerQMS
An SOP document history in SimplerQMS showing audit trail entries, including the document name, version, status date and time, user, and state.

Key Audit Trail System Features

An effective audit trail system must capture accurate and comprehensive data. It helps companies maintain a history of all actions and changes made to their electronic records.

Some key features of audit trail systems include:

  • User Access Control: The system should limit user access to only authorized individuals. Companies must also perform periodic authority checks to ensure access control.
  • Electronic Signatures: The system should allow users to digitally sign off and approve documents, providing a secure and traceable method of releasing documents.
  • Time-Stamping: The system should record the exact time and date of each event or change to the document in a time-stamped, computer-generated audit trail.
  • Version History and Traceability: The system should be able to track changes to a document or file over time, provide the ability to restore previous versions if needed, and offer traceability by showing who made the changes, when, and why.
  • Data Integrity: The system should ensure the integrity of the data by using secure data storage, access controls, and encryption to prevent unauthorized alteration.
  • Retention and Archiving: The system should allow companies to retain and archive audit trails for the same period required for the related electronic record.
  • Synchronized Clock System: The system should maintain consistent time across multiple devices, ensuring that all events are accurately time-stamped and logged.
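The requirements covered above (system-generated UTC time stamps, recorded user identity and action, no overwriting of earlier entries, access limited to authorized users) can be sketched as an append-only log. This is an added example, not SimplerQMS code or an FDA-prescribed design; the hash chain used for tamper evidence, the class and field names, and the sample users and document are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry (assumed convention)

def digest(entry):
    """SHA-256 over every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only trail: no update or delete method exists by design."""

    def __init__(self, authorized_users):
        self._authorized = frozenset(authorized_users)
        self._entries = []

    def record(self, user, action, name, version, state):
        if user not in self._authorized:          # access limited to authorized users
            raise PermissionError(f"{user} is not authorized")
        entry = {
            "seq": len(self._entries) + 1,
            # Time stamp comes from the system clock in UTC, never from the caller.
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action,
            "name": name, "version": version, "state": state,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = digest(entry)
        self._entries.append(entry)
        return dict(entry)

    def entries(self):
        return [dict(e) for e in self._entries]   # copies: callers cannot edit history

def verify(entries):
    """Return the position of the first altered or missing entry, or None if intact."""
    prev = GENESIS
    for position, entry in enumerate(entries, start=1):
        if (entry["seq"] != position or entry["prev_hash"] != prev
                or entry["hash"] != digest(entry)):
            return position
        prev = entry["hash"]
    return None

if __name__ == "__main__":
    trail = AuditTrail({"a.jensen", "m.silva"})   # constructed sample users
    trail.record("a.jensen", "create", "SOP-001", "0.1", "Draft")
    trail.record("m.silva", "approve", "SOP-001", "1.0", "Effective")
    log = trail.entries()
    log[0]["user"] = "m.silva"                    # simulate an after-the-fact edit
    print(verify(trail.entries()), verify(log))
```

A chain like this detects edits and removals inside the log; detecting truncation of the most recent entries additionally requires keeping the latest hash somewhere the log's writer cannot change.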

Benefits of Implementing the Recording of Audit Trails

Implementing the recording of an audit trail offers several benefits to companies in regulated industries, such as pharmaceuticals, medical devices, and biotechnology.

These benefits include:

  • Ensuring data integrity and accuracy: Audit trails provide a detailed record of all system actions, including when changes were made, who made them, and why. This helps to maintain the authenticity and integrity of electronic records.
  • Facilitating traceability and accountability: Audit trails provide a clear and complete history of document handling and system usage, which can help identify errors or mistakes, pinpoint the source of issues, and hold individuals accountable for their actions.
  • Supporting regulatory compliance: Audit trails are required by 21 CFR Part 11 to achieve compliance. They provide system and data integrity evidence and help Life Science companies prepare for regulatory inspections and audits.
  • Reducing risks of data tampering, fraud, and unauthorized access: Audit trails can help detect and prevent data tampering, fraud, and unauthorized access by identifying suspicious activities and unauthorized changes to documents.
  • Improving inspection readiness: The audit trail provides inspectors with a complete record of all actions taken on electronic records, which can be quickly and easily reviewed during audits and inspections.
  • Improving operational efficiency: By providing visibility into dates and times of every activity completion, audit trails can help identify inefficiencies and areas for improvement in processes.

Overall, by maintaining a complete record of all system actions, audit trails can help companies improve their data management and maintain regulatory compliance.

How SimplerQMS Meets 21 CFR Part 11 Audit Trail Requirements

SimplerQMS is a cloud-based QMS software designed to help Life Science companies meet and exceed the 21 CFR Part 11 and EU GMP Annex 11 requirements, as well as comply with other requirements related to the Life Science industry, such as ICH Q10, ISO 13485:2016, MDR and IVDR, FDA 21 CFR Part 210, 211, 820, and many others.

The following are some of the features of SimplerQMS that help meet 21 CFR Part 11 audit trail requirements specifically.

SimplerQMS uses Microsoft Entra ID (previously known as Microsoft Azure Active Directory) for controlling user access within the system, ensuring secure authentication and authorization.

Azure AD Single Sign-On

Each user has only one user account to ensure a clear one-to-one relationship between the authorized person and their login account.

In compliance with 21 CFR Part 11, our software automatically records all audit trail data entries, creating an independent record of:

  • Date
  • Time
  • User name
  • Actions performed on electronic records

The system ensures that new record changes do not overwrite past recorded information in the audit trail. SimplerQMS tracks and displays the changes made to a document or file over time, as well as provides the ability to restore previous versions if necessary.

Option to Roll Back to Previous Version in Audit Trail View in SimplerQMS
Screenshot taken from the Document History view in SimplerQMS’ Document Control solution.

All documents are stored in a cloud-based system for as long as required, having them readily available for inspections.

Inspectors can also view documents in the SimplerQMS system during audits. This includes an overview of the entire version history of each record, including approvals, signatures, comments, and metadata changes.

SimplerQMS provides a comprehensive QMS software solution with all Life Science QMS modules fully integrated. This includes change control, document management, CAPA handling, employee training, supplier management, and more.

If you are uncertain about the advantages of implementing an eQMS solution in your company, we suggest downloading our eQMS Business Case template.

This tool provides a structured approach for assessing the value of an eQMS for your business.

By utilizing our template, you can ensure that you have considered all the relevant factors, including cost savings, improved efficiency, and better compliance with regulations, such as 21 CFR Part 11. You can then present a compelling case to your management or board.

Final Thoughts

21 CFR Part 11 is an FDA regulation that outlines the requirements for electronic records and digital signatures.

This regulation includes audit trail requirements, which specify that systems should provide a history of actions taken on electronic records, such as creation, changes, and approvals, as well as information on who made the changes and when.

Audit trails are critical to achieving compliance with 21 CFR Part 11 requirements.

A growing number of Life Science companies are implementing 21 CFR Part 11 compliant eQMS solutions to improve their quality process management efficiency and ensure regulatory compliance.

SimplerQMS provides such a solution. You can effortlessly manage your electronic records and sign documents using an electronic signature while ensuring their authenticity, integrity, and reliability.

We offer all QMS modules integrated to optimize workflows and streamline processes, such as document management, change control, employee training, CAPA management, customer complaint handling, and more.

Book your demo of SimplerQMS to see how our solution can help you achieve and maintain compliance with 21 CFR Part 11.
