FDA 21 CFR Part 11 governs electronic records and electronic signatures in FDA-regulated environments — pharmaceuticals, medical devices, and biologics. Because calibration records for production and quality-control equipment are part of the quality system (21 CFR 820.72 for devices, 21 CFR Part 211 for drugs), they fall under Part 11 whenever they are kept electronically. Part 11 then requires the system to protect the authenticity, integrity, and where appropriate the confidentiality of those records through: secure, computer-generated, time-stamped audit trails; access controls that limit use to authorized individuals; the ability to generate accurate and complete copies for FDA inspection; system validation; and electronic signatures that are uniquely attributable to one individual and permanently linked to their records. Part 11 compliance is a shared responsibility — the software must provide the controls, and the organization must validate and operate them correctly.
Part 11.10(e) requires secure, computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Crucially, the audit trail must not obscure previously recorded information — prior values must remain visible, not overwritten — and it must be retained for at least as long as the underlying record and be available for FDA review. For calibration, this means every change to a calibration result, due date, or status is captured with who made it, what changed, and when.
The system must limit access to authorized individuals (11.10(d)) and use authority checks to ensure that only authorized people can use the system, electronically sign records, or alter records (11.10(g)). In a calibration context this maps to role-based access control: a technician may record results, but only an authorized approver can release a certificate or change an interval, and the system enforces those boundaries rather than relying on policy alone.
Electronic signatures used on calibration records must be unique to one individual and never reused or reassigned (11.100), and signed electronic records must display the printed name of the signer, the date and time of signing, and the meaning of the signature, such as review or approval (11.50). The signature must be permanently linked to its record so it cannot be cut, copied, or transferred to falsify another record (11.70).
Part 11 requires that the system be validated to ensure accuracy, reliability, and consistent intended performance (11.10(a)); that it can generate accurate and complete copies of records in both human-readable and electronic form suitable for FDA inspection (11.10(b)); and that records be protected to enable accurate and ready retrieval throughout their retention period (11.10(c)). A calibration system therefore needs reliable export and a tamper-evident store, not just a database.
CalibrationOS provides the technical controls Part 11 expects: a SHA-256 hash-chained, tamper-evident audit trail where each entry links to the previous hash so prior values cannot be silently altered; role-based access control with authority checks on signing and record changes; electronic signatures bound to the record with signer, timestamp, and meaning; and complete human-readable and electronic exports for inspection. The organization remains responsible for validating its specific implementation and use.
Yes, when calibration records for production or quality equipment are kept electronically. Calibration records are part of the device or drug quality system (21 CFR 820.72 or Part 211), so electronic versions fall under Part 11's requirements for records and signatures.
Section 11.10(e) requires a secure, computer-generated, time-stamped audit trail recording the creation, modification, and deletion of records with operator, action, and time. It must not obscure prior values and must be retained at least as long as the record and available for FDA review.
It must be unique to one individual and never reused (11.100), display the signer's printed name, date/time, and meaning on the signed record (11.50), and be permanently linked to that record so it cannot be transferred to falsify another (11.70).
No. Software can provide the required controls — audit trails, access control, electronic signatures, validated exports — but Part 11 compliance is a shared responsibility. The organization must validate the system for its intended use and operate the controls correctly.
21 CFR 820.72 (Inspection, measuring, and test equipment) requires medical-device makers to ensure equipment is calibrated, inspected, and maintained with records. When those records are electronic, Part 11 governs their integrity, audit trail, and signatures.
This article is licensed CC BY-SA 4.0. Share, adapt, and reuse with attribution to calibrationos.com/learn/fda-21-cfr-part-11-calibration-records.
Get expert insights on compliance, uncertainty, and measurement best practices.
Start managing calibrations in minutes. Free plan with 25 assets — no credit card.
Get Started Free