21 CFR PART 11 · FDA · ELECTRONIC RECORDS

21 CFR Part 11: Electronic Records and Signatures for FDA Compliance

The FDA regulation governing computerised systems in pharmaceuticals, medical devices and biotech exporting to the USA. IgeraIndustria answers on audit trails, CSV, electronic signatures and access controls with exact requirement citations.

11.10(e)

Section of 21 CFR Part 11 governing automatic audit trails. The requirement most frequently inspected by the FDA.

CSV

Computer System Validation: mandatory for all systems managing FDA-regulated electronic records.

Annex 11

European equivalent of 21 CFR Part 11 under EU GMP. Both regulations must be met when exporting to EU and USA.

Frequently asked questions — 21 CFR Part 11

Which companies does 21 CFR Part 11 apply to?

21 CFR Part 11 applies to all FDA-regulated companies that use electronic systems to create, modify, maintain, archive, retrieve or transmit electronic records that the FDA requires to be maintained (per other parts of the CFR). This includes: pharmaceutical manufacturers (21 CFR Parts 210/211 GMP), medical device manufacturers (21 CFR Part 820 QSR), clinical laboratories, clinical trial investigators (21 CFR Parts 312/812), and food companies (21 CFR Part 110). If a company uses computerised systems for its GxP records, 21 CFR Part 11 applies.

What is an audit trail and what must it record?

The audit trail is the chronological record of all actions performed on an electronic record. Per 21 CFR Part 11.10(e), the audit trail must record: date and time of the action (secure, unalterable timestamp), identification of the operator who performed the action, description of the change made (previous and new value), and reason for the change where applicable. The audit trail must be generated automatically by the system (cannot be entered manually), protected from modification and deletion, and available for review in human-readable text. It is the requirement most frequently inspected by the FDA during Form 483 inspections of computerised systems.

What is CSV (Computer System Validation) and when is it mandatory?

CSV (Computer System Validation) is the documented process of verifying that a computerised system does exactly what it is supposed to do, consistently and reproducibly. It is mandatory for all systems that create or manage electronic records regulated by the FDA (LIMS, ERP, MES, SCADA, HPLC systems, etc.). The validation process includes: user requirements specification (URS), functional specification (FS), technical design, system IQ/OQ/PQ, and maintenance of the validated state upon changes. The FDA can reject data generated by unvalidated systems during an inspection or dossier review.

What is the difference between electronic signature and digital signature in 21 CFR Part 11?

21 CFR Part 11 defines an electronic signature as any combination of letters, characters or symbols executed or adopted by a person as the legal equivalent of their handwritten signature. This includes both simple electronic signatures (user ID/password combination with confirmation checkbox) and digital signatures (based on public key cryptography). The regulation does not require all signatures to be cryptographic: it accepts a combination of unique user ID and password as a valid electronic signature, provided all controls in section 11.100 are met (uniqueness, identity verification, non-repudiation) and the system records each signature use in the audit trail with a timestamp and the meaning of the signature.

Query 21 CFR Part 11 with regulatory AI. Start today.

Start free trial