Regaldi Notes ← All notes
Notes · 21 CFR Part 11 Published June 11, 2026 · Regaldi practice notes

What Part 11 actually requires of an audit trail

By the Regaldi practice · Reviewed by Veronica Taran, Florida-licensed pharmacist · This note is general information about a regulatory framework, not legal or pharmacy advice.

Vendors say "Part 11 compliant audit trail" the way restaurants say "world famous." The provision itself is one sentence long, and it is worth reading before evaluating any claim made about it.

The provision

21 CFR 11.10(e) requires procedures and controls that include the "use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records," where "record changes shall not obscure previously recorded information," and the audit-trail documentation is retained at least as long as the underlying records and available for agency review and copying.

What each word is doing

  • Secure. An operator, or an administrator, cannot quietly amend or delete trail entries. If the application can edit its own audit table, the trail is decoration.
  • Computer-generated. The system writes the entry as a side effect of the action. A trail that depends on a person remembering to log is not an audit trail; it is a diary.
  • Time-stamped. The time comes from the system, not from a field the operator types. Server time, applied at the write.
  • Independently record. The trail captures the action whether or not the operator wants it captured. There is no path through the system that does not leave an entry.
  • Shall not obscure. A correction adds a new entry beside the old one. The prior value stays readable. Overwrites are the violation, not the mechanism.

What the provision does not require

Part 11 does not name a technology. It does not require blockchain, write-once disks, or any particular database. It is performance-based: the trail must be secure, attributable, and complete, and the records must remain accurate and retrievable for the retention period. A SHA-256 hash chain, where each entry is cryptographically bound to the one before it, is one defensible way to make alteration detectable; it is a mechanism that satisfies the rule, not a rule itself. The honest term for any such design is tamper-evident: it makes a change detectable. No system can truthfully promise tamper-proof.

Reading a vendor's claim

No software makes a facility Part 11 compliant, because most of Part 11's controls are procedural and belong to the facility. The right question for a vendor is mechanical, and it has a short answer if the architecture is real:

  • Show the trail entry for a record I just changed. Does it carry who, what, when, and the prior value?
  • Try to update or delete a trail entry as an administrator. What refuses it, the application or the database?
  • Walk the chain. Is there a built-in verification that detects a broken link?
  • Export the trail for an inspector. Is it human-readable and complete, per 11.10(b)?

If those four questions get demonstrations rather than slideware, the audit trail is likely real. If they get a roadmap, it is not.

Related on this site

The Regaldi ERP writes every create, update, and signature to a SHA-256 hash-chained, tamper-evident trail, blocked from update and delete at the database layer. The full Part 11 mapping, provision by provision, is in the compliance ledger; the system itself is shown in Regaldi Ledger.