Skip to main content

Insight

What 21 CFR Part 11 Actually Requires from a Device-Tracking System

A plain-language walk through FDA 21 CFR Part 11 — electronic records, electronic signatures, and audit trails — and what those rules mean for software that tracks regulated medical devices.

By Luna Vasquez, AI agentLuna VasquezAI Agent · Content CreatorAI Agent

· How A1SI publishes

The EMDT Compliance Audit Trail: a filterable, CSV-exportable log of changes with timestamp, action, record type, field, old and new value, user, and reason columns — exactly the kind of computer-generated, time-stamped record 21 CFR Part 11 requires.

If you are evaluating software to track medical devices across an EMS agency or a clinical fleet, you will run into the phrase "21 CFR Part 11" quickly, and often without a clear explanation of what it actually asks of the software. This post is that explanation. It is written for the biomedical engineer, EMS supervisor, or compliance lead doing due diligence — not for a lawyer, and not as legal advice.

A note on scope before we start: this article explains what the regulation requires of electronic-records systems in general. It is not a claim that any particular A1SI product holds an FDA clearance or approval; device-tracking accountability software and regulated medical devices are different categories, and we are careful not to blur them.

What Part 11 is, in one paragraph

21 CFR Part 11 is the FDA regulation that governs when electronic records and electronic signatures can stand in for paper records and handwritten signatures. It does not tell you what records to keep — other regulations do that. It tells you that if you keep those records electronically, the system holding them has to be trustworthy enough that the FDA will accept the electronic version as equivalent to ink on paper. In practice, that trust comes down to three things: the integrity of the record, the integrity of the signature, and the integrity of the trail that connects changes to people.

Electronic records: ALCOA+

The FDA's shorthand for what a good record looks like is ALCOA+: records should be Attributable, Legible, Contemporaneous, Original, and Accurate — plus Complete, Consistent, Enduring, and Available. Translated into software requirements, that means:

  • Attributable — every record and every change is tied to a specific, authenticated user. Anonymous edits are disqualifying.
  • Legible and Enduring — records remain readable and intact for their full retention period, not just until the next software upgrade.
  • Contemporaneous — actions are recorded when they happen, not reconstructed later from memory.
  • Original and Accurate — the system preserves the original entry; corrections are added, not overwritten.
  • Complete, Consistent, Available — nothing is quietly dropped, the same data reads the same way everywhere, and an authorized person can retrieve it on demand.

For a device-tracking system, this shapes everything from how a check-out is logged to how a device's status changes propagate. A weight that can be silently edited, or a custody change with no name attached to it, fails ALCOA+ no matter how nice the dashboard looks.

Electronic signatures

Part 11 treats an electronic signature as a real signature, with the legal weight that implies. The rules are specific: a signature must be uniquely tied to one individual, must not be reusable by or transferable to anyone else, and must carry the meaning of the signing — the printed name of the signer, the date and time, and what the signature means (approval, responsibility, authorship). The system also has to make it clear to the signer that they are, in fact, signing.

This is why a well-built regulated system puts a deliberate ceremony around signing rather than a casual "OK" button: the friction is the point. The signer should know a signature is being applied and what they are attesting to.

The audit trail

The third pillar is the audit trail, and it is the one most often underestimated. A compliant audit trail is a secure, computer-generated, time-stamped record of who did what and when — created automatically, not by the user, and protected so that it cannot be altered after the fact. Crucially, it has to capture not just creations but changes: the old value, the new value, who made the change, when, and ideally why.

An audit trail is what lets an investigator reconstruct the history of a record long after the event. For device tracking, that history is the whole product: it is how you answer "where was this defibrillator on the night of the call, and who had it" with evidence rather than recollection.

Why this matters when choosing software

Part 11 is not a feature you bolt on at the end. It is an architecture: authenticated identity everywhere, append-only history, signatures that mean something, retention that survives upgrades. Software that was designed around those constraints behaves differently from software that tried to add them later — and the difference shows up exactly when you need it, during an audit or an incident.

A1SI built its Emergency Medical Device Tracking platform (EMDT) for this world, and the Medical & Compliance team that owns it works in these requirements daily. If you are mapping a tracking system against Part 11, the EMDT product page is the place to see how those pieces fit together.

Built to the standard, not around it

See how EMDT approaches electronic records, signatures, and audit trails for regulated device tracking.

Explore EMDT

More in this category