CFR 21 Part 11 · FDA Compliance · Electronic Records

CFR 21 Part 11: Electronic Records & Signatures with AI

CFR 21 Part 11 regulates electronic signatures and records in pharmaceuticals and medical devices. IgeraIndustria helps with validation, audit trails, user access control, and complete FDA compliance.

Part 11

FDA regulation for electronic signatures and records in pharma and medical devices. Mandatory for FDA-regulated submissions.

Part 107

Modernized alternative (2023). Risk-based approach, less prescriptive. Both Part 11 and 107 now accepted by FDA.

IQ/OQ/PQ

System validation required: Installation, Operational, Performance qualification. Documentation must be retained for FDA inspection.

Instant guidance on CFR 21 Part 11 compliance

Electronic Signature Requirements

Unique authentication methods (username/password + secondary factor), non-repudiation, secure/auditable systems. Digital certificate and time-stamping requirements.

Audit Trail Documentation

Complete record of who created/modified data, when, and why. Secure, non-erasable logs. Independent review capability. Retention requirements and searchability.

User Access Control

Unique login credentials per user, role-based access, password policies, periodic review, disabled accounts after inactivity, login/logout audit trails.

System Validation (IQ/OQ/PQ)

Installation Qualification verification, Operational Qualification testing, Performance Qualification with real data. Complete validation documentation required.

Electronic Record Controls

Data integrity protection (encryption, checksums), access restrictions, backup/disaster recovery procedures, archive system qualification and retention policies.

Compliance & FDA Inspection

Common 483 observations (inadequate audit trails, shared logins, missing validation), remediation strategies, documentation retention, training requirements.

Frequently Asked Questions — CFR 21 Part 11

What is an electronic signature under CFR 21 Part 11?

An electronic signature under Part 11 is a digital representation of a person's hand-written signature with the same legal standing. It must be: (1) unique to the signer; (2) difficult to forge or alter; (3) permanently linked to the record. Methods include password + username, biometric (fingerprint), digital certificates, or hybrid approaches. Part 11 requires authentication (who you are) and non-repudiation (cannot deny signing). A simple password alone is insufficient; must include secondary authentication (time-stamping, audit trail) or qualify as "secure electronic signature" (e.g., PKI digital certificates).

What is the difference between Part 11 and Part 107 (Part 11 Alternative Approach)?

CFR Part 107 (2023) is the FDA's modernized alternative to Part 11 for electronic records. Part 107 requires: (1) Secure, auditable systems; (2) Electronic signatures equivalent to handwritten; (3) Audit trail requirements (what, who, when, why); (4) Data integrity controls. Part 107 is less prescriptive than Part 11 (no mandate for specific technologies like digital certificates); allows risk-based approach. Part 11 is still active and required for FDA-regulated submissions. Most companies use Part 11 compliance as baseline; Part 107 acceptance is emerging. Part 11 is more prescriptive; Part 107 more flexible.

What audit trail requirements does Part 11 mandate?

Part 11 audit trails must record: (1) Identity of person creating/modifying record; (2) Date and time of creation/modification; (3) Nature of change (what was changed); (4) Reason for change (why changed); (5) All modification records retained. Audit trails must be: electronically secured, non-erasable (cannot be overwritten), and independently reviewable. For critical records (batch records, deviation reports, stability data), a complete audit trail from creation to archival is required. System downtime or audit trail gap requires investigation and documentation.

What are the user access control and authentication requirements?

Part 11 requires: (1) Unique login credentials for each user (no shared logins); (2) Password requirements (minimum 8 characters, complexity rules, periodic change); (3) Role-based access control (user can access only functions relevant to role); (4) System-enforced access controls (no ability to override); (5) Periodic review of user access rights (at least annually); (6) Disabled accounts after inactivity (typically 90 days); (7) Audit trail of login/logout events. Users must be trained on security responsibilities. System must prevent unauthorized access to critical functions.

What is system validation under Part 11?

System validation (IQ/OQ/PQ) is required to prove that electronic systems meet intended use: (1) Installation Qualification (IQ): verify system is correctly installed and components function. (2) Operational Qualification (OQ): verify system performs intended functions under controlled conditions. (3) Performance Qualification (PQ): verify system performs reliably under actual operating conditions with real data. Validation documentation includes: user requirements, design specifications, test protocols, test results, and final validation report. Critical systems require re-validation after major updates. Validation must be documented and retained for FDA inspection.

What records must be maintained under Part 11?

Part 11-compliant records include: (1) Batch records (raw materials, processing, testing); (2) Deviation reports; (3) Stability test data; (4) Analytical results; (5) Manufacturing change records; (6) Validation reports; (7) Equipment maintenance records; (8) Training records; (9) Audit trail logs. Records must be: (1) Secure (encrypted, access-controlled); (2) Retained per retention requirements (typically 3 years post-expiry for drugs, lifetime for implants); (3) Retrievable and legible (searchable, not just archived images); (4) Backed up regularly (minimum weekly). Electronic archive systems must be qualified and validated.

What are common Part 11 compliance failures in FDA inspections?

Common 483 observations: (1) Inadequate audit trails (missing who/why/when information); (2) Shared logins or weak password controls; (3) No system access review/enforcement; (4) Missing validation documentation (IQ/OQ/PQ incomplete); (5) Inadequate data backup/disaster recovery procedures; (6) Electronic records without encryption or access controls; (7) System downtime without investigation/documentation; (8) No training records on electronic system use; (9) Untimely/incomplete corrective actions for audit trail gaps. FDA expects systematic, documented compliance; ad-hoc approaches fail inspection.

What is the difference between electronic signatures and electronic records?

Electronic records are the data/documents stored digitally (batch records, test results, deviation reports). Electronic signatures are the digital authentication appended to records (I certify, I approve). Part 11 covers both: Records must have integrity controls (audit trail, encryption, access control). Signatures must have authentication/non-repudiation (unique ID, difficult to forge, linked to record). A record can exist without signature (raw data, observations), but critical decisions (approvals, releases) require electronic signatures. System must enforce that signed records cannot be modified without additional audit trail entry.

Achieve CFR 21 Part 11 compliance with AI. Start today.

Start free trial