CFR 21 Pt 11 audit trails


I’m currently working on the specs for CFR 21 Part 11 assistance within our SCADA package.

Currently our audit trails and event logs are not tamper proof so we need to change the way these are logged.

We have chosen to output the logs to a Microsoft Access MDB file auto generating a password for writing within our software so no one else can write to it. Any other access is read only and only our software will know how to write.

This is much easier to implement for us as we don’t ship any database server with our package and most users wouldn’t want the bulk of installing SQL server onto their PCs - especially as one of our core markets is IPCs which don’t have much storage.

So the question is, is it acceptable to use MS Access MDB files for secure storage of the logs as far as CFR 21 part 11 is concerned?

Hope you can help

Best Regards


MS Access is not a professional database, and as such has some “weeknesses” (stability, performance, security settings) in comparison to SQL or Oracle. However, in this certain case I believe it is possible to configure MS Access and its environment (OS authorization, access to folders…) in such a way, that together with relevant SOP’s it would guarantee full compliance with 21CFR11.


For your case, Microsoft Access database can be used when provided with sufficient safety measures like

  1. database must have a password to open and it should be known only to the vendor
  2. database must be kept in a secured folder so that user cannot delete the .mdb file
  3. data size is less, as mdb cannot handle huge data like oracle, SQL server etc.,
  4. regular backup of the database is taken through an automated backup mechanism