21 CFR Part 11 and Calibration Records

Scopax Team · 9 min read

If you manufacture medical devices, pharmaceuticals, or any product regulated by the FDA, your calibration records are subject to 21 CFR Part 11. This regulation governs electronic records and electronic signatures, and it has direct implications for how you create, store, modify, and retrieve calibration data.

Most quality managers in FDA-regulated environments understand Part 11 in the context of batch records, CAPA documentation, or design history files. Calibration records tend to get less attention — until an FDA inspector asks to see your audit trail for a calibration result that was edited six months ago, and you realise your system doesn't have one.

This post explains how Part 11 applies specifically to calibration records, what FDA inspectors actually look for, and where manufacturers most commonly fall short.

What 21 CFR Part 11 Actually Requires

Part 11 was established in 1997 to define the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. The regulation applies whenever you use electronic systems to create, modify, maintain, archive, retrieve, or transmit records that are required by FDA regulations.

Calibration records fall squarely within scope. Under 21 CFR Part 820 (the Quality System Regulation for medical devices), section 820.72 requires that each manufacturer ensure that all inspection, measuring, and test equipment is suitable for its intended purposes and is capable of producing valid results. Calibration records are the evidence that this requirement is met.

When those records are managed electronically — in a calibration management system, a database, or even a structured spreadsheet — Part 11 requirements apply.

The Core Requirements

Part 11 breaks down into requirements for closed systems (systems where access is controlled by the organisation responsible for the content), open systems (where access is not similarly controlled), and electronic signatures.

For calibration records in a manufacturing environment, you're almost always dealing with a closed system. The key requirements are validation, audit trails, access controls, and electronic signatures.

Validation means demonstrating that your electronic system does what it's supposed to do. If your calibration management software records calibration dates, generates due date alerts, and stores certificates, you need evidence that these functions work correctly and consistently.

Audit trails are the requirement that trips up the most manufacturers. Part 11 requires computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records. The audit trail must be retained for a period at least as long as the records it relates to, and it must be available for FDA review and copying.

For calibration records specifically, this means every change to a calibration result, instrument status, calibration date, or any other record field must be captured with who made the change, when they made it, what the previous value was, and what the new value is.
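The fields listed above (who, when, previous value, new value), shown as an added example that is not from the original post and is not Scopax's code: a Python append-only trail with a verifier that reports the first altered or missing entry. Hash chaining is one way to make edits detectable, not something Part 11 prescribes; the class and function names, the instrument ID and the user names are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor for the first entry's prev_hash

def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only change log: who, when, which field, old value, new value."""

    def __init__(self):
        self._entries = []

    def record_change(self, user, record_id, field, old, new, reason):
        body = {
            "seq": len(self._entries),
            # Timestamp comes from the system clock, never from operator input.
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user, "record_id": record_id, "field": field,
            "old": old, "new": new, "reason": reason,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append(dict(body, hash=_digest(body)))
        return self._entries[-1]["hash"]

    def export(self):
        # Copies, so working on an export cannot alter the stored trail.
        return [dict(e) for e in self._entries]

def first_broken_entry(entries):
    """Return the index of the first entry that fails verification, else None."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["hash"]:
            return i
        prev = e["hash"]
    return None

if __name__ == "__main__":
    trail = AuditTrail()  # constructed sample data below
    trail.record_change("jdoe", "PG-0042", "as_found_psi", None, 100.4, "initial entry")
    trail.record_change("asmith", "PG-0042", "as_found_psi", 100.4, 100.1, "transcription error")
    log = trail.export()
    print(first_broken_entry(log))  # intact trail
    log[0]["new"] = 100.0           # simulate a silent edit to a stored entry
    print(first_broken_entry(log))  # the edited entry is flagged
```

An unkeyed chain like this detects edits and removals inside an exported trail, but anyone able to rewrite the whole store could recompute it. Recording the latest hash somewhere outside the system's control closes that gap and also exposes truncation of the most recent entries.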

Access controls require that only authorised individuals can use the system, electronically sign records, or modify records. The system must limit access based on operational authority — a technician who performs calibrations shouldn't necessarily have the ability to modify calibration acceptance criteria, for example.

Electronic signatures under Part 11 must be unique to one individual and not reused by or reassigned to anyone else. When used, they must include the printed name of the signer, the date and time of signing, and the meaning of the signature (such as review, approval, or responsibility).

How This Applies to Calibration Specifically

Calibration Results and As-Found/As-Left Data

When an instrument is calibrated, the laboratory or technician records as-found data (the instrument's condition before adjustment) and as-left data (the condition after any adjustments). Under Part 11, if these records are electronic, they must be protected from unauthorised modification and any changes must be captured in the audit trail.

This creates a specific challenge for manufacturers using spreadsheets or basic databases for calibration tracking. Excel has no built-in audit trail. If someone changes a calibration result — whether intentionally or accidentally — there's no system-generated record of what was changed, by whom, or when. That gap is a significant Part 11 exposure.

Calibration Schedules and Due Dates

Your calibration schedule is a quality record. If it's managed electronically, Part 11 applies. When a calibration due date is changed — because the interval was adjusted, because the instrument was returned early, or because someone simply updated the schedule — that change needs to be logged.

FDA inspectors understand that calibration schedules change. What they look for is evidence that changes are controlled, documented, and traceable. An unexplained change to a calibration due date, without an audit trail showing who made it and why, raises immediate questions about data integrity.

Out-of-Tolerance Events

When an instrument is found out of tolerance during calibration, the subsequent investigation and impact assessment generate records that are critical from both a quality and regulatory perspective. Under Part 820.72, you must assess the impact on product that was measured with the out-of-tolerance instrument.

These records — the OOT finding, the impact assessment, the disposition of affected product — are high-value targets during FDA inspections. If they're managed electronically, Part 11's audit trail requirements apply with particular force. The ability to demonstrate that an OOT event was systematically investigated and documented, with a complete audit trail, is the difference between a smooth inspection and a 483 observation.

Calibration Certificates

If you store calibration certificates electronically (as most manufacturers now do), the storage system must ensure that the records are accessible, retrievable, and haven't been altered. Part 11 doesn't require that certificates themselves be electronic — a scanned PDF of a paper certificate is fine. But the system you use to store, organise, and retrieve those certificates is subject to Part 11 if it's electronic.

What FDA Inspectors Actually Look For

FDA inspectors conducting Quality System inspections don't audit Part 11 compliance as a standalone exercise. They examine Part 11 compliance in the context of the records they're reviewing. When they pull calibration records, they're simultaneously assessing whether the calibration program meets 820.72 requirements and whether the electronic systems supporting those records meet Part 11.

The Records Request

A typical inspection scenario: the inspector selects a production instrument from the floor, asks for its calibration history, and then follows the trail. They'll look at the current calibration certificate, the previous certificate, the calibration schedule, any OOT events, and the corrective actions taken.

Throughout this exercise, they're looking at whether records are readily retrievable (if it takes 20 minutes to find a certificate, that's a concern), whether the records are complete and consistent, whether there's an audit trail for any changes to calibration data, and whether access controls are in place to prevent unauthorised modifications.

Common 483 Observations

The most common Part 11-related calibration findings in FDA Warning Letters and 483 observations include failure to maintain adequate audit trails for electronic calibration records, failure to validate computerised systems used for calibration management, inadequate access controls allowing unauthorised modification of calibration data, and failure to maintain calibration records that are readily retrievable.

These aren't hypothetical risks. FDA regularly cites calibration record deficiencies in enforcement actions, particularly in the medical device space where 820.72 compliance is a standard inspection focus.

The Spreadsheet Problem

Many small and mid-sized manufacturers still manage calibration in Excel or Google Sheets. For Part 11 purposes, this creates several specific problems.

Spreadsheets lack native audit trails. You can enable track changes, but this is trivially easy to circumvent and doesn't meet Part 11's requirement for computer-generated, time-stamped audit trails. Spreadsheets lack granular access controls. You can password-protect a file, but you can't restrict specific users from modifying specific fields. Data integrity in spreadsheets depends entirely on user discipline. A mistyped formula, a copy-paste error, or an accidental deletion has no safety net.

For companies operating under FDA oversight, spreadsheet-based calibration management isn't just inefficient — it's a regulatory risk. Every inspection is an opportunity for this risk to materialise.

The transition away from spreadsheets is driven by practical concerns for most manufacturers. For FDA-regulated companies, there's an additional regulatory imperative that makes the case harder to defer.

ALCOA+ and Calibration Data Integrity

FDA's expectations around data integrity are increasingly framed through the ALCOA+ principles: Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available.

Applied to calibration records, ALCOA+ means every calibration entry must be attributable to a specific person, records must be clear and permanently readable, calibration data must be recorded at the time of the activity, original records must be preserved, results must accurately reflect what was measured, records must be complete with no gaps or missing data points, data must be consistent across related records, records must be durable and maintained for their required retention period, and records must be accessible when needed.

A purpose-built calibration management system that enforces these principles through its design — mandatory fields, automatic timestamps, audit trails, access controls — makes ALCOA+ compliance a natural outcome of daily work rather than an extra layer of administrative effort.

Part 820.72: The Calibration-Specific Requirements

While Part 11 governs how electronic records are managed, Part 820.72 specifies what calibration records must contain. The two work together. Part 820.72 requirements include written procedures for calibration activities, calibration records that include the instrument identification, calibration date, the individual who performed the calibration, and the results, documentation of calibration standards and their traceability, defined calibration intervals with documented rationale, and procedures for handling out-of-tolerance instruments including impact assessment.

When these records are maintained electronically, every requirement in 820.72 is also subject to Part 11's controls around audit trails, access, and validation.

Building a Compliant Calibration System

If you're currently managing calibration in a way that doesn't fully satisfy Part 11 — and if you're using spreadsheets, it almost certainly doesn't — here's a practical approach to closing the gap.

Start with a gap assessment. Map your current calibration process against Part 11's specific requirements: audit trails, access controls, validation, and electronic signatures. Document where gaps exist. This assessment itself becomes valuable evidence of your commitment to compliance.

Evaluate purpose-built systems. A calibration management system designed for regulated environments should provide Part 11 compliance as a baseline feature, not an add-on. Look for automated audit trails that capture every change, role-based access controls, electronic signature capabilities, and validation documentation packages.

Plan your migration carefully. Moving from spreadsheets to a validated system requires data migration, user training, and a parallel running period to verify the new system against existing processes. Factor in time for IQ/OQ/PQ (Installation Qualification, Operational Qualification, Performance Qualification) if your quality system requires it.

How Scopax Supports Part 11 Compliance

Scopax was designed with regulatory requirements in mind from day one. The platform provides a complete audit trail for every calibration record. Every change — to a calibration result, a due date, an instrument status, a certificate link — is automatically logged with the user, timestamp, previous value, and new value. This audit trail is immutable and available for inspection at any time.

Role-based access controls ensure that users can only perform actions appropriate to their role. Calibration technicians can record results. Quality managers can approve them. Administrators can configure the system. These permissions are enforced by the platform, not by user discipline.

When an out-of-tolerance event occurs, Scopax's mandatory OOT workflow requires documentation of the impact assessment before the event can be closed. This directly addresses the 820.72 requirement for assessing the impact of out-of-tolerance instruments on product quality — and the complete audit trail provides the Part 11 evidence that the process was followed.

The built-in audit pack generator produces inspection-ready documentation that includes certificates, calibration histories, OOT investigations, and traceability records — all with their associated audit trails. When an FDA inspector requests records, you're not assembling evidence from multiple sources. You're generating a comprehensive report in seconds.

If you're preparing for an FDA inspection and want to assess your calibration system's readiness, the audit readiness checklist maps your current process against regulatory requirements. Or book a walkthrough and we'll show you how Scopax handles Part 11 compliance in practice.
