Build an audit-trail capture and export integration for an EDC system compliant with 21 CFR Part 11 Section 11.10(e)

Verified steps

1. Confirm the EDC system generates a secure, computer-generated, time-stamped audit trail that captures: the date and time of each entry, the identity of the operator, and the original value, new value, and reason for change for any modification or deletion per 21 CFR 11.10(e)
2. Export audit trail records via the EDC's API (e.g., Medidata RWS /datasets/audits, REDCap logging endpoint, or Veeva Vault audit log query) on a defined schedule and store in an immutable audit repository
3. Validate that the audit trail records cannot be modified or deleted from outside the system: test that direct database access does not bypass the audit trail and document results in computer system validation (CSV) records
4. Implement retention logic to maintain audit trail data for at least as long as the electronic records they cover, as required by 21 CFR 11.10(e); map retention periods to the applicable predicate rule (e.g., 21 CFR 312.57 requires IND records for 2 years post-marketing approval)
5. Generate a periodic audit trail review report that flags any record changes lacking a documented reason or made outside study hours, and route the report to the data manager for review
6. Document the audit trail configuration in the system validation plan and include audit trail test cases in the validation test scripts to satisfy FDA inspection expectations