What 21 CFR Part 11 Actually Requires from a Device-Tracking System
A plain-language walk through FDA 21 CFR Part 11 — electronic records, electronic signatures, and audit trails — and what those rules mean for software that tracks regulated medical devices.

If you are evaluating software to track medical devices across an EMS agency or a clinical fleet, you will run into the phrase "21 CFR Part 11" quickly, and often without a clear explanation of what it actually asks of the software. This post is that explanation. It is written for the biomedical engineer, EMS supervisor, or compliance lead doing due diligence — not for a lawyer, and not as legal advice.
A note on scope before we start: this article explains what the regulation requires of electronic-records systems in general. It is not a claim that any particular A1SI product holds an FDA clearance or approval; device-tracking accountability software and regulated medical devices are different categories, and we are careful not to blur them.
What Part 11 is, in one paragraph
21 CFR Part 11 is the FDA regulation that governs when electronic records and electronic signatures can stand in for paper records and handwritten signatures. It does not tell you what records to keep — other regulations do that. It tells you that if you keep those records electronically, the system holding them has to be trustworthy enough that the FDA will accept the electronic version as equivalent to ink on paper. In practice, that trust comes down to three things: the integrity of the record, the integrity of the signature, and the integrity of the trail that connects changes to people.
Electronic records: ALCOA+
The FDA's shorthand for what a good record looks like is ALCOA+: records should be Attributable, Legible, Contemporaneous, Original, and Accurate — plus Complete, Consistent, Enduring, and Available. Translated into software requirements, that means:
- Attributable — every record and every change is tied to a specific, authenticated user. Anonymous edits are disqualifying.
- Legible and Enduring — records remain readable and intact for their full retention period, not just until the next software upgrade.
- Contemporaneous — actions are recorded when they happen, not reconstructed later from memory.
- Original and Accurate — the system preserves the original entry; corrections are added, not overwritten.
- Complete, Consistent, Available — nothing is quietly dropped, the same data reads the same way everywhere, and an authorized person can retrieve it on demand.
For a device-tracking system, this shapes everything from how a check-out is logged to how changes to a device's status propagate. A weight that can be silently edited, or a custody change with no name attached to it, fails ALCOA+ no matter how nice the dashboard looks.
Electronic signatures
Part 11 treats an electronic signature as a real signature, with the legal weight that implies. The rules are specific: a signature must be uniquely tied to one individual, must not be reusable by or transferable to anyone else, and must carry the meaning of the signing — the printed name of the signer, the date and time, and what the signature means (approval, responsibility, authorship). The system also has to make it clear to the signer that they are, in fact, signing.
This is why a well-built regulated system puts a deliberate ceremony around signing rather than a casual "OK" button: the friction is the point. The signer should know a signature is being applied and what they are attesting to.
The audit trail
The third pillar is the audit trail, and it is the one most often underestimated. A compliant audit trail is a secure, computer-generated, time-stamped record of who did what and when — created automatically, not by the user, and protected so that it cannot be altered after the fact. Crucially, it has to capture not just creations but changes: the old value, the new value, who made the change, when, and ideally why.
An audit trail is what lets an investigator reconstruct the history of a record long after the event. For device tracking, that history is the whole product: it is how you answer "where was this defibrillator on the night of the call, and who had it" with evidence rather than recollection.
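The "corrections are added, not overwritten" rule from ALCOA+ and the audit-trail properties above, sketched as an added example (not A1SI or EMDT code). The SHA-256 hash chain is one assumed way to make after-the-fact edits detectable; Part 11 does not prescribe a mechanism, and the class, field names, and device and user IDs are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry


def _digest(body):
    # Canonical JSON so the same entry always produces the same hash.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """In-memory, append-only change log; there is no update or delete method."""

    def __init__(self):
        self._entries = []

    def record_change(self, user, record_id, field, old, new, reason):
        if not user:
            raise ValueError("change rejected: no authenticated user to attribute it to")
        body = {
            "seq": len(self._entries),
            "ts": datetime.now(timezone.utc).isoformat(),  # set by the system, not the caller
            "user": user, "record_id": record_id, "field": field,
            "old": old, "new": new, "reason": reason,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append(dict(body, hash=_digest(body)))

    def entries(self):
        # Return copies so callers cannot alter stored history.
        return [dict(e) for e in self._entries]


def verify(entries):
    """Return the index of the first entry that breaks the chain, or None."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["hash"]:
            return i
        prev = e["hash"]
    return None


if __name__ == "__main__":
    trail = AuditTrail()  # constructed sample data below
    trail.record_change("jdoe", "DEFIB-0042", "custodian", "station-3", "medic-7", "check-out")
    trail.record_change("asmith", "DEFIB-0042", "custodian", "medic-7", "medic-9", "correction")
    edited = trail.entries()
    edited[0]["new"] = "medic-1"  # simulate a silent after-the-fact edit
    print(verify(trail.entries()), verify(edited))  # None 0
```

A chain like this makes alteration detectable rather than impossible: anyone able to rewrite the whole store could recompute every hash, so the latest hash should also be kept somewhere the application cannot write.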
Why this matters when choosing software
Part 11 is not a feature you bolt on at the end. It is an architecture: authenticated identity everywhere, append-only history, signatures that mean something, retention that survives upgrades. Software that was designed around those constraints behaves differently from software that tried to add them later — and the difference shows up exactly when you need it, during an audit or an incident.
A1SI built its Emergency Medical Device Tracking platform (EMDT) for this world, and the Medical & Compliance team that owns it works in these requirements daily. If you are mapping a tracking system against Part 11, the EMDT product page is the place to see how those pieces fit together.