How 21 CFR Part 11 works on osModa
1. FDA-grade audit trail

Electronic records with a tamper-evident hash chain meet 21 CFR Part 11 requirements.

2. Automated evidence

Every agent action is timestamped, signed, and hash-chained. Export for inspectors.

3. Monitor compliance

Telegram or SSH. Real-time compliance status via OpenClaw gateway.

Deploy FDA-Ready Agents · From $14.99/mo · full root SSH

21 CFR Part 11 Audit Trail for AI Agents

Deploy AI agents in FDA-regulated environments with audit trail evidence that meets 21 CFR Part 11 requirements. The osModa tamper-evident ledger provides attribution, timestamping, change control, and tamper detection through SHA-256 hash chain verification. Evidence generation for pharmaceutical, life sciences, and medical device AI automation.

21 CFR Part 11 was originally published in 1997 to establish criteria for electronic records to be considered equivalent to paper records. Nearly three decades later, the regulation remains the foundation for electronic records compliance in FDA-regulated industries. In 2026, the application of Part 11 to AI systems has become a critical concern. The FDA's Center for Drug Evaluation and Research (CDER) and Center for Biologics Evaluation and Research (CBER) have both published guidance addressing AI/ML systems in GxP contexts, emphasizing that autonomous AI systems must maintain the same audit trail standards as traditional computerized systems. When an AI agent operates in a validated pharmaceutical manufacturing environment, every action it takes must be attributable, timestamped, and tamper-evident.

The challenge for AI agents in Part 11 environments is the volume and autonomy of their actions. A traditional computerized system might generate dozens of audit trail entries per day from human operators. An AI agent can generate thousands of entries per hour through autonomous tool calls, API interactions, and data processing operations. Standard audit trail systems were not designed for this throughput. osModa's Rust-based audit writer handles high-frequency audit events with microsecond-level hashing performance and zero garbage collection pauses, ensuring that audit trail completeness does not compromise system performance in production pharmaceutical environments.

TL;DR

  • osModa generates 21 CFR Part 11 audit trail evidence -- attribution, timestamps, change control, and tamper detection
  • The Rust audit writer handles thousands of entries per hour with microsecond hashing, built for AI agent throughput
  • NixOS declarative config provides system validation and change control evidence for 11.10(a) and 11.10(e)
  • FDA inspectors can independently verify hash chain integrity using standard SHA-256 tools -- no proprietary software needed
  • Applicable to pharma manufacturing QC, clinical trial data, regulatory submissions, and pharmacovigilance use cases

Part 11 Requirements and osModa Evidence

21 CFR Part 11 Subpart B (11.10) defines requirements for closed systems. Here is how each relevant requirement maps to osModa capabilities.

11.10(a): System Validation

Part 11 requires systems to be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. osModa supports validation through: NixOS declarative configuration that makes system state fully reproducible and verifiable; 136 tests in CI that validate all 66 built-in tools; SHA-256 hash chain that enables discernment of altered records; and open source code that allows complete inspection during validation activities. The validation itself is your organization's responsibility, but osModa provides a validatable system.

11.10(d): Limited System Access

Part 11 requires limiting system access to authorized individuals. osModa provides dedicated servers (no multi-tenancy), SSH key-based authentication, NixOS-defined user permissions, and agent identity verification through the supervisor daemon. Every access event -- login, logout, command execution, secrets retrieval -- is recorded in the tamper-evident ledger with the actor identity and timestamp.

11.10(e): Audit Trail

This is the core audit trail requirement. Part 11 mandates computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Audit trail entries must not obscure previously recorded information and must be retained for at least as long as the subject electronic records. The osModa ledger satisfies every element: computer-generated (by the Rust audit writer daemon), time-stamped (UTC nanosecond precision), independently recording (platform-level capture), non-obscuring (append-only with hash chain), and retainable (configurable retention with archival export).

11.10(g): Authority Checks

Part 11 requires authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or device input/output, alter a record, or perform the operation at hand. osModa's NixOS configuration defines permissions at the system level. The supervisor daemon controls which agents can access which tools. Every permission check is logged. Failed authorization attempts are recorded with full context.

11.10(k)(2): Document Control

Part 11 requires adequate controls for the distribution, access to, and use of documentation for system operation and maintenance. NixOS declarative configuration serves as the system's operational documentation -- the configuration IS the documentation, and it is versioned through NixOS generations. Every generation switch is recorded in the audit ledger. This creates a complete history of system documentation changes that is automatically generated and tamper-evident.

Pharmaceutical and Life Sciences AI Use Cases

AI agents are being deployed across FDA-regulated industries. Each context has specific Part 11 implications that osModa's audit trail addresses.

Manufacturing Quality Control

AI agents monitoring production lines, analyzing quality data, and triggering deviations must maintain Part 11 compliant audit trails. Every analysis, decision, and action the agent takes is recorded with attribution and timestamp. Batch records that incorporate AI-generated data maintain their Part 11 compliance because the AI's contribution is fully auditable.

Clinical Trial Data Management

AI agents processing clinical trial data -- site monitoring, data reconciliation, safety signal detection -- operate under strict Part 11 requirements. The audit ledger records every data access, transformation, and output with the granularity FDA auditors expect. The hash chain ensures that trial data processing records cannot be retroactively modified.

Regulatory Submissions

AI agents assisting with regulatory submission preparation (CTD compilation, document formatting, cross-reference checking) must maintain Part 11 compliant records of their contributions. The audit trail shows exactly which documents the agent accessed, what modifications it made, and when, providing clear traceability for submission reviews.

Pharmacovigilance

AI agents monitoring adverse event reports, performing signal detection, and generating safety assessments handle critical patient safety data. Part 11 compliance for these records is non-negotiable. The osModa audit trail provides the evidence that every adverse event processing action was recorded, attributed, and preserved with cryptographic integrity.

FDA Inspection Readiness

When the FDA inspects your AI agent systems, they will look for evidence of Part 11 compliance. Here is what osModa provides for common inspection scenarios.

Audit Trail Review

FDA inspectors will request to see the audit trail for specific records or time periods. The osModa ledger export provides a complete, structured, hash-verified record that the inspector can review. The export format includes human-readable descriptions alongside the technical data. The hash chain allows the inspector to verify that no records have been modified since their creation -- a level of assurance that paper-based or standard electronic audit trails cannot provide.

Change Control Verification

Inspectors will ask how system changes are controlled and documented. NixOS atomic deployments mean every system change is a discrete, documented generation switch. The audit ledger records the before and after configuration, the change timestamp, and who initiated the change. Failed changes are automatically rolled back and logged. This creates a change control record that is automatically generated and tamper-evident.

Access Control Documentation

Inspectors will review how system access is limited to authorized individuals. The NixOS configuration defines authorized users and permissions (the configuration IS the documentation). The audit ledger records every access event. Together, they demonstrate that access controls are defined, implemented, and monitored. The dedicated server architecture eliminates multi-tenant access concerns.

Frequently Asked Questions

Does osModa provide 21 CFR Part 11 certification?

No. 21 CFR Part 11 is not a certification -- it is a regulation that defines requirements for electronic records and electronic signatures. Compliance is demonstrated during FDA inspections or audits. osModa generates the audit trail evidence that supports your Part 11 compliance posture. The tamper-evident ledger with SHA-256 hash chaining addresses the core Part 11 requirements: attribution, timestamps, reason for change, and tamper detection.

What are the key 21 CFR Part 11 requirements for AI agent audit trails?

The key requirements under 11.10(e) are: audit trails must record the date and time of operator entries; audit trails must record the identity of the person making the entry; original entries must not be obscured by changes; and audit trails must be retained for a period at least as long as required for the subject electronic records. osModa's tamper-evident ledger satisfies all four requirements with cryptographic verification.

How does osModa handle the 'attribution' requirement?

Every audit ledger entry includes the actor identity: the specific agent ID, user SSH session, or system daemon that initiated the action. For AI agents, the actor is the agent's unique identifier as registered with the supervisor daemon. For human operators, the actor is their SSH key identity. This attribution chain is sealed in the hash chain and cannot be modified after the fact.

What about electronic signatures under Part 11?

osModa does not provide electronic signature functionality as defined in 21 CFR Part 11 Subpart C. Electronic signatures require specific controls around signature components, non-repudiation, and signature/record binding. If your workflow requires electronic signatures, you would integrate a dedicated e-signature system. osModa provides the audit trail infrastructure that complements electronic signature systems.

Can FDA inspectors verify the integrity of the audit trail?

Yes. The SHA-256 hash chain can be independently verified using standard cryptographic tools. No osModa-specific software is required. During an inspection, the FDA auditor can verify that no records have been modified by recomputing the hash chain. The verification process is documented in the export package and uses widely available SHA-256 implementations.
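
The independent check described in this answer, as an added example (not osModa's code or its documented export format): a verifier that needs only Python's standard `hashlib`. The field names (`seq`, `ts`, `actor`, `action`, `prev_hash`, `hash`), the canonical-JSON hashing rule, the all-zero genesis value and the separately recorded head hash are assumptions made for illustration; the real layout is whatever the export package documents.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry


def entry_hash(entry):
    """SHA-256 over canonical JSON of every field except the stored hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_chain(events):
    """Construct a sample ledger (stand-in for an exported file)."""
    chain, prev = [], GENESIS
    for seq, (ts, actor, action) in enumerate(events):
        entry = {"seq": seq, "ts": ts, "actor": actor,
                 "action": action, "prev_hash": prev}
        entry["hash"] = prev = entry_hash(entry)
        chain.append(entry)
    return chain


def verify_chain(chain, expected_head=None):
    """Return a list of findings; an empty list means the chain verifies."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i:
            findings.append(f"entry {i}: sequence gap or reorder")
        if entry.get("prev_hash") != prev:
            findings.append(f"entry {i}: prev_hash does not match predecessor")
        if entry_hash(entry) != entry.get("hash"):
            findings.append(f"entry {i}: content does not match stored hash")
        prev = entry.get("hash")
    if expected_head is not None and prev != expected_head:
        findings.append("head hash differs from independently recorded value")
    return findings


# Constructed sample events, not real osModa output.
SAMPLE = build_chain([
    ("2026-03-01T09:00:00.000000001Z", "agent:qc-monitor", "read batch record"),
    ("2026-03-01T09:00:02.000000417Z", "ssh:operator-key", "approve deviation"),
    ("2026-03-01T09:00:05.000000950Z", "agent:qc-monitor", "write analysis result"),
])
HEAD = SAMPLE[-1]["hash"]  # assumed to be recorded outside the ledger at export
```

Passing `expected_head` matters because the chain by itself cannot show that trailing entries were dropped; only a comparison with a head hash kept outside the ledger reveals that.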

How does NixOS relate to Part 11 compliance?

NixOS declarative configuration provides a strong foundation for the 'closed system' controls in 11.10. The system configuration is fully defined, versioned, and auditable. Every configuration change is a discrete generation switch recorded in the audit ledger. This makes it straightforward to demonstrate that the system was in a known, validated state at any point in time -- a key concern during FDA inspections.

What is the retention period for Part 11 audit trails?

Under 11.10(e), audit trails must be retained for a period at least as long as required for the subject electronic records. In pharmaceutical contexts, this can range from years to decades depending on the record type (batch records, clinical trial data, regulatory submissions). The osModa audit ledger retains all entries by default. You can configure long-term archival exports with full hash chain preservation for extended retention periods.

Is osModa suitable for GxP environments?

osModa provides infrastructure-level audit trails that support GxP compliance requirements. The tamper-evident ledger, NixOS configuration management, and access controls generate evidence relevant to GMP, GLP, and GCP contexts. However, GxP compliance also requires validated workflows, SOPs, training documentation, and quality management systems that are outside osModa's scope. osModa is one component of a GxP-compliant technology stack.

Deploy AI Agents with Part 11 Audit Trails

Every osModa plan includes the tamper-evident audit ledger with 21 CFR Part 11 evidence generation. From $14.99/month.

Last updated: March 2026