Medical Device Audit Trail Requirements: What FDA Expects

What Is an Audit Trail in the Medical Device Context

An audit trail is a chronological, tamper-evident record that captures who did what, when, and — in quality system contexts — why. For medical device manufacturers, audit trails are required across multiple regulatory frameworks: 21 CFR Part 11 for electronic records and signatures, 21 CFR Part 820 and QMSR for quality system records, and ISO 13485:2016 for quality management documentation.

The concept of an audit trail extends beyond electronic systems. Paper-based quality systems have audit trail requirements too — every change to a controlled document must be dated, identified by the person making the change, and must not obscure the original entry. The principle is the same whether your quality system runs on paper binders or a cloud-based eQMS: every modification to a quality record must be traceable to a responsible individual and a point in time.

Audit trails serve two regulatory purposes. First, they enable reconstruction of events — when an adverse event occurs or a process failure is discovered, audit trail data allows investigators (internal or external) to trace the sequence of events, identify when the problem first appeared, and determine what actions were taken. Second, they demonstrate control — a robust audit trail is evidence that your quality system is operating with appropriate oversight and accountability.

FDA 21 CFR Part 11: Electronic Audit Trail Requirements

For manufacturers using electronic records and electronic signatures, 21 CFR Part 11 establishes the specific audit trail requirements that apply to records submitted to FDA or records used to satisfy FDA record-keeping requirements.

21 CFR §11.10(e) requires that computer systems used to create, modify, maintain, archive, retrieve, or transmit electronic records include audit trail functionality that: captures the date and time of operator entries and actions that create, modify, or delete electronic records; captures the identity of the individual creating, modifying, or deleting the record; and retains the audit trail for a period at least as long as the record itself.

Crucially, audit trails under Part 11 must be computer-generated. A manually maintained change log does not satisfy Part 11. The system itself must automatically generate the audit trail without relying on user action. Systems that allow users to disable or clear the audit trail do not satisfy Part 11 requirements.

Part 11 also requires that audit trails be available for FDA review and copying. FDA investigators conducting inspections will request audit trail data for electronic quality records — particularly complaint records, CAPA records, and batch records — to verify that changes to records are appropriate and traceable.

Validation of Part 11-compliant systems must include testing of the audit trail functionality. Your system qualification documentation should include test protocols and results confirming that the audit trail captures the required elements, that it cannot be altered by users, and that it is appropriately preserved according to your record retention schedule.

QMS Document Control and the Change History Requirement

Beyond electronic records, quality system document control creates a form of audit trail for every controlled document: the revision history. Every controlled document — procedures, work instructions, forms, drawings, specifications — must have a revision history that captures what changed, when it changed, who approved the change, and why the change was made.

FDA's QSR §820.40 and QMSR equivalent require that document changes be reviewed and approved by an individual designated in the quality system. Changes must be communicated to affected personnel, and obsolete documents must be removed from use. ISO 13485:2016 Clause 4.2.4 similarly requires that changes to documents be identified and that a change history be maintained.

What FDA investigators look for in document revision histories: Investigators reviewing document control will examine whether revision histories are complete (no gaps in revision numbering or dating), whether approvals are appropriate (right role, right authority level), and whether the reason for changes is documented. Revision histories that only say "Updated" or "Revised" without stating what changed and why are a common finding — this is particularly problematic when the change involves risk management or safety-critical documents.

For design documents, the revision history connects directly to your design change control procedure. Design changes that require a new risk assessment, updated verification/validation, or regulatory submission need to be traceable from the design output revision history to the change order, risk management update, and any associated V&V documentation.

Device History Records and Batch Traceability

The Device History Record (DHR) is the production audit trail for each manufactured device or batch. FDA QSR §820.184 requires that DHRs be maintained for each device or batch of devices to demonstrate that the device was manufactured in accordance with the Device Master Record (DMR). DHR requirements are retained in QMSR.

A complete DHR provides a complete audit trail of every production step: the date of manufacture, the quantity manufactured, the quantity released for distribution, the acceptance records (inspection and test results), the primary identification label and labeling used, unique device identifier or other identification, and the name of the person authorizing release for distribution.

Traceability during adverse events: The audit trail function of DHRs is most critical during product complaints and recalls. When a complaint involves a specific device unit or lot, the DHR for that unit must provide complete traceability: what materials were used, what process parameters were applied, what inspection results were recorded, and who authorized release. DHRs that are incomplete or that cannot be retrieved efficiently are a significant liability in complaint investigations and recall situations.

Electronic DHRs in manufacturing execution systems (MES) or ERP systems must meet Part 11 requirements if they constitute electronic records used to satisfy FDA recordkeeping requirements. Hybrid systems — where some DHR data is electronic and some is paper — are common and acceptable, but the interface between electronic and paper portions must be controlled and the audit trail must be continuous.

Audit Trail Review During FDA Inspections

FDA investigators conducting for-cause or surveillance inspections of medical device manufacturers routinely request audit trail data. Knowing what investigators look for allows you to maintain systems and records that will withstand inspection scrutiny.

CAPA audit trail requests: For complaint and CAPA records, FDA investigators will review the audit trail to verify that investigation records were not modified after the fact. Backdated entries, entries with modification timestamps that postdate the claimed investigation date, and records where the audit trail shows the original entry was deleted and replaced are all red flags that will generate significant observations.

Electronic signature audit trails: For records requiring signatures under 21 CFR Part 11, investigators verify that electronic signature audit trails link the signature to the signer's identity, that the signature was applied at the time of the action (not added after the fact), and that the system does not allow signatures to be applied by anyone other than the identified signer.

System access controls: Audit trails are only meaningful if access to the system is controlled and individual accounts are not shared. FDA investigators may ask for access control records to verify that your audit trail data accurately identifies the specific individual responsible for each action. Shared accounts or generic login credentials undermine the integrity of any audit trail.

Retention and availability: Audit trail records must be retained for the same duration as the records they support. For records required to be retained for the useful life of the device or 2 years from release (whichever is longer), the associated audit trails must be retained for the same period and must be accessible and readable throughout that period.