Audit Trail vs. Change Log: Why the Difference Matters to the FDA
Your manufacturing software has a "history" feature. When someone edits a formulation, changes an ingredient quantity, or updates a batch record, you can see a list of changes. You call it an audit trail.
The FDA may disagree.
The distinction between a change log and a true audit trail under 21 CFR Part 11 is one of the most misunderstood compliance concepts in manufacturing software. Many systems provide change history — a record of what changed and when. Far fewer provide what the FDA actually requires: an independently generated, tamper-evident, permanent record that captures not just what changed, but who changed it, when, why, and what the previous value was.
If your "audit trail" is really a change log, you may discover the difference during an FDA inspection — which is the worst possible time to learn it.
What the FDA Requires: 21 CFR Part 11, Section 11.10(e)
The regulation is specific. Section 11.10(e) requires:
"Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."
Let us break down every requirement in that single paragraph, because each phrase matters:
"Secure"
The audit trail must be protected from unauthorized access, modification, or deletion. If anyone — including system administrators — can edit or delete audit trail entries, it is not secure.
"Computer-generated"
The audit trail must be created automatically by the system, not manually entered by users. When a user changes a formulation, the system generates the audit entry — the user does not write it.
"Time-stamped"
Every entry must include the date and time, generated by the system clock (not entered by the user). The timestamp must be accurate and cannot be manipulated.
"Independently record"
The audit trail operates independently from the user's actions. The user cannot choose whether an action is recorded. They cannot control what information is captured. The audit trail records everything automatically, without user intervention.
"Date and time of operator entries and actions"
Every creation, modification, and deletion is recorded — not just the final state, but every intermediate action. If a user changes an ingredient quantity three times, all three changes appear in the audit trail.
"Create, modify, or delete"
All three actions must be captured. Many change logs only capture modifications. Creating a new record and deleting a record are equally important audit events.
"Shall not obscure previously recorded information"
This is the critical difference between an audit trail and a change log. When a record is modified, the previous value must remain visible. The audit trail does not replace old information with new information — it preserves both, showing the complete history of the record from creation to current state.
"Retained for a period at least as long as that required for the subject electronic records"
If your batch records must be retained for three years, your audit trail for those batch records must also be retained for at least three years. The audit trail has the same retention requirements as the records it protects.
"Available for agency review and copying"
The FDA must be able to review your audit trail during an inspection and obtain copies. If your audit trail is buried in a database that requires developer access to query, it does not meet this requirement. The audit trail must be accessible to authorized reviewers through the normal system interface.
Change Log vs. Audit Trail: The Practical Differences
What a typical change log provides:
| Timestamp | User | Field | New Value |
|---|---|---|---|
| 2026-02-15 10:30 | jsmith | Quantity | 500g |
| 2026-02-15 11:45 | jsmith | Quantity | 450g |
This tells you that jsmith changed the quantity to 500g, then later changed it to 450g. But it does not tell you:
- What was the quantity before jsmith changed it to 500g?
- Was the original record also created by jsmith?
- Can jsmith (or an administrator) edit or delete these change log entries?
- Was this change log generated automatically, or was it manually entered?
What a compliant audit trail provides:
| Timestamp (system-generated) | User | Action | Field | Previous Value | New Value |
|---|---|---|---|---|---|
| 2026-02-15 09:00:00.000 | mjones | CREATE | Record | — | Created formulation "Vitamin D3 1000IU" |
| 2026-02-15 10:30:15.234 | jsmith | MODIFY | Quantity | 400g | 500g |
| 2026-02-15 11:45:02.891 | jsmith | MODIFY | Quantity | 500g | 450g |
This tells you:
- mjones created the original record at 9:00 AM with a quantity of 400g
- jsmith changed it from 400g to 500g at 10:30 AM
- jsmith changed it again from 500g to 450g at 11:45 AM
- Every entry was system-generated with precise timestamps
- No entry can be modified or deleted
The Five Tests of a True Audit Trail
Use these tests to evaluate whether your system provides a genuine 21 CFR Part 11 audit trail or just a change log:
Test 1: Immutability
Question: Can anyone — including system administrators, database administrators, or developers — modify or delete audit trail entries through the application?
Audit trail: No. Audit entries are write-once. They cannot be modified, deleted, or overwritten by any user at any access level through normal system operation.
Change log: Often yes. Administrators may have the ability to "clean up" log entries, delete old records, or modify entries through database access.
Test 2: Completeness
Question: Does the system capture creates, modifications, AND deletions? Does it capture every field change, or only selected fields?
Audit trail: Captures all three action types across all regulated fields. Nothing is excluded from audit coverage.
Change log: Often captures only modifications. Record creation and deletion may not be logged. Some fields may be excluded from change tracking.
Test 3: Previous Values
Question: When a value is changed, is the previous value preserved in the audit record?
Audit trail: Yes. Every modification shows both the old value and the new value, so the complete history of any field can be reconstructed from creation to current state.
Change log: Often only records the new value. Previous values are overwritten and lost.
Test 4: Independent Generation
Question: Is the audit record generated automatically by the system, or does it depend on user input or developer implementation?
Audit trail: Fully automatic. The user cannot prevent an audit entry from being created, cannot control what information is captured, and cannot choose which actions are logged.
Change log: May depend on developer implementation — only changes that developers specifically coded to log will appear. New features or fields added later may not have change tracking.
Test 5: Accessibility
Question: Can authorized reviewers (including FDA inspectors) view the audit trail through the normal system interface without requiring technical assistance?
Audit trail: Yes. Audit trail data is viewable through the application interface, filterable by date, user, record type, and action. Reports can be generated and exported.
Change log: May require database queries, developer assistance, or specialized tools to access and interpret.
Common FDA Inspection Findings
Finding: "Audit trail can be disabled or modified by administrators"
If your system allows administrators to turn off audit logging, clear audit logs, or edit audit entries, an inspector will cite this as a Part 11 deficiency. The audit trail must be always on, for all users, with no override capability.
Finding: "Audit trail does not capture previous values"
Systems that log "User X changed field Y to value Z" without recording what field Y contained before the change fail the "shall not obscure previously recorded information" requirement. The FDA needs to see the before-and-after to understand the significance of a change.
Finding: "Audit trail does not capture record deletions"
If a record can be deleted from the system without an audit entry recording who deleted it, when, and what the record contained, the audit trail is incomplete. This is why many compliant systems use soft deletion — the record is marked as deleted rather than physically removed, preserving both the record and the audit trail.
Finding: "Audit trail timestamps can be manipulated"
If users can change the system clock or if timestamps are generated client-side (from the user's browser or computer rather than the server), timestamps are unreliable. System-generated, server-side timestamps are required.
Finding: "No audit trail for electronic signatures"
Electronic signature events — who signed, what they signed, when they signed, and the meaning of the signature — must appear in the audit trail. If signature events are recorded separately from the main audit trail, or not recorded at all, this is a deficiency.
Why This Matters Beyond Inspections
A true audit trail is not just a regulatory requirement — it is an operational asset:
Dispute resolution — When a customer claims they received the wrong product or a supplier disputes a quality rejection, the audit trail provides an authoritative record of what happened and who was responsible.
Root cause investigation — When a quality issue is identified, the audit trail shows the complete history of every change to the formulation, process, or specification that might have contributed.
Training and accountability — When the audit trail shows who made every change, people are more careful about the changes they make. This is not about blame — it is about professional accountability that raises the quality of everyone's work.
Legal defensibility — In product liability situations, a complete, immutable audit trail demonstrates that your company maintained proper controls and documentation. The absence of a reliable audit trail can be used to argue that your quality system was inadequate.
How Batch Buddy Implements a True Audit Trail
Batch Buddy's audit trail was designed to meet every requirement of 21 CFR Part 11, Section 11.10(e):
Immutable entries — Audit trail entries are write-once. They cannot be modified, deleted, or overwritten by any user, including administrators. Once an action is logged, the record is permanent.
Complete coverage — Every create, modify, and delete action across formulations, ingredients, batch records, and quality decisions is captured automatically. No actions are excluded from audit coverage.
Previous value preservation — Every modification records both the old value and the new value. The complete history of any record can be reconstructed from its creation to its current state.
System-generated timestamps — All timestamps are generated server-side at the moment of the action. Users cannot influence or manipulate the timestamp.
Independent operation — The audit trail operates automatically without user intervention. Users cannot disable logging, skip entries, or choose what gets recorded.
Accessible review — Audit trail data is accessible through the application interface to authorized users. Entries can be filtered, reviewed, and exported for FDA inspection purposes.
Soft deletion — When records are deleted, they are soft-deleted (marked as inactive) rather than physically removed. The original record and all of its audit history are preserved, meeting the requirement that deletions not obscure previously recorded information.
Electronic signature logging — All electronic signature events are captured in the audit trail with signer identity, timestamp, and signature meaning.
The Bottom Line
The difference between a change log and a true audit trail is the difference between "we track some changes" and "we can prove the complete, unaltered history of every record in our system." The FDA does not care what you call your system — they care whether it meets the requirements of 21 CFR Part 11.
If your current system fails any of the five tests outlined above, you do not have a compliant audit trail. You have a change log with a misleading name. And the time to fix that is before your next inspection, not during it.
Review your system honestly. Test it against the five criteria. And if it falls short, upgrade to a system that provides the immutable, complete, independently generated audit trail that Part 11 requires — and that your quality system deserves.