
21 CFR Part 11 Compliance and Checklist

1. Purpose and Scope

This article defines how computerized systems achieve and maintain compliance with 21 CFR Part 11. It establishes expectations for electronic records and signatures used in GxP activities and provides a structured checklist and remediation approach to support validation, assessment, and audit readiness.

Scope includes all systems that create, modify, maintain, archive, retrieve, or transmit regulated records, as well as systems implementing electronic signatures.


2. Regulatory Framework

21 CFR Part 11 defines the criteria under which electronic records and electronic signatures are considered equivalent to paper records and handwritten signatures. It operates in conjunction with predicate rules such as 21 CFR Part 211, which define what records are required and how they are used.

Part 11 focuses on trustworthiness, reliability, and traceability of electronic records rather than prescribing specific technologies.

The diagram below shows how Part 11 requirements are translated into structured control domains and implemented within computerized systems. It illustrates the relationship between regulatory expectations, defined control areas, and their realization through system configuration, procedures, and user responsibilities. Each control domain corresponds to specific Part 11 requirements such as validation, access control, audit trails, and electronic signatures, demonstrating how regulatory clauses are operationalized into enforceable system controls.

Figure: Layered model showing regulatory requirements, control domains, and system implementation, with data integrity applied across all layers

3. Applicability and System Identification

3.1 Determining Applicability

Part 11 applies when:

  • records required by predicate rules are maintained electronically
  • electronic signatures are used in place of handwritten signatures

Applicability must be documented based on intended use and regulatory impact.

3.2 Non-Applicable Systems

Systems that do not store official GxP records or do not use electronic signatures may not require full Part 11 controls, but this must be justified.


4. System Validation Requirements

Systems must be validated to ensure:

  • accuracy and reliability of data
  • consistent intended performance
  • ability to detect invalid or altered records

Validation must include testing of Part 11 controls such as audit trails, security, and signature functionality under normal and challenge conditions.


5. Electronic Records Controls

Electronic records must be controlled throughout their lifecycle to ensure integrity and traceability.

  • Secure, computer-generated audit trails
    • Systems automatically record creation, modification, and deletion events
    • Each entry includes user identification, date and time stamp, and action performed
    • Audit trails are protected from alteration
  • Record protection and integrity
    • Records are protected from unauthorized modification or deletion
    • Systems prevent overwriting of original data
    • Changes are additive and traceable
  • Accurate and complete copies
    • Systems generate complete and accurate copies in electronic and human-readable formats
    • Metadata, audit trails, and context are preserved
  • Authority checks
    • Only authorized users can perform defined actions
    • Permissions are role-based and enforced by the system
  • Operational system checks
    • Systems enforce correct sequencing of steps
    • Workflow prevents bypassing required process steps
  • Device checks where applicable
    • Only authorized devices can input or modify data
    • Controls prevent unauthorized data injection

6. Electronic Signatures Requirements

Electronic signatures must be attributable, secure, and legally binding.

  • Uniqueness and identity control
    • Each signature is uniquely assigned to an individual
    • Identity is verified before issuance
    • Credentials are not shared
  • Signature components
    • Printed name of signer is captured
    • Date and time of signing are recorded
    • Meaning of signature such as approval or review is defined
  • Signature linking
    • Signature is permanently linked to the associated record
    • Signature cannot be copied or reassigned
  • Authentication controls
    • Signing requires secure authentication
    • Re-entry of credentials is required at time of signing where applicable
  • Non-repudiation
    • Controls prevent denial of signed actions
    • Signature activity is traceable through audit trails
  • Signature lifecycle control
    • Procedures define issuance, maintenance, and revocation
    • Role changes and termination are managed
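The signature components and signature linking controls above, worked as an added example (constructed for this article, not a product's or regulator's code). A per-user key from a hypothetical USER_KEYS registry stands in for the real credential store, and the `reauthenticated` flag stands in for the credential re-entry check; the point shown is that a signature bound to the record's content digest fails verification when the record changes or the signature is copied to another record.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed, hypothetical user registry: in a real system the per-user signing
# key would be held by a key manager or HSM, never in application code.
USER_KEYS = {"jdoe": b"constructed-key-jdoe", "asmith": b"constructed-key-asmith"}
USER_NAMES = {"jdoe": "Jane Doe", "asmith": "Adam Smith"}

def canonical(obj):
    """Deterministic serialization so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def record_digest(record):
    return hashlib.sha256(canonical(record)).hexdigest()

def sign_record(record, user_id, meaning, reauthenticated):
    """Build the signature manifestation (printed name, time, meaning) and bind it
    to the exact record content. `reauthenticated` stands in for the credential
    re-entry check performed at signing time (assumption for this example)."""
    if not reauthenticated:
        raise PermissionError("credentials must be re-entered at time of signing")
    manifestation = {
        "record_id": record["id"],
        "record_digest": record_digest(record),     # links signature to this content
        "signer_id": user_id,
        "printed_name": USER_NAMES[user_id],
        "signed_at": datetime.now(timezone.utc).isoformat(),
        "meaning": meaning,                          # e.g. "Approved", "Reviewed"
    }
    mac = hmac.new(USER_KEYS[user_id], canonical(manifestation), "sha256").hexdigest()
    return {**manifestation, "mac": mac}

def verify_signature(record, sig):
    """Returns (ok, reason). Fails if the signature block was edited, the record
    changed after signing, or the signature was copied onto another record."""
    body = {k: v for k, v in sig.items() if k != "mac"}
    expected = hmac.new(USER_KEYS[sig["signer_id"]], canonical(body), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig["mac"]):
        return False, "signature block altered"
    if sig["record_id"] != record["id"] or sig["record_digest"] != record_digest(record):
        return False, "signature does not match this record"
    return True, "ok"
```

A signature computed this way is only as attributable as the key management behind it: if two users can obtain the same key, uniqueness of the signature is lost regardless of what the manifestation says.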

7. Security and Access Control

Access to systems must be restricted to authorized individuals.

  • unique user identification
  • role-based permissions
  • segregation of duties
  • account lockout and inactivity controls
  • periodic review of user access

8. Audit Trails and Record Traceability

Audit trails provide the primary mechanism for detecting and reconstructing data changes.

  • Automatic capture of events
    • All relevant actions including creation, modification, deletion, and approval are recorded
    • Logging is system-enforced and cannot be disabled by users
  • User identification and time stamping
    • Each entry identifies the user who performed the action
    • Secure system-generated timestamps are used
  • Preservation of original data
    • Original values are retained when changes occur
    • New values are recorded alongside original values
  • Reason for change
    • Systems require entry of a reason for change where applicable
    • Reason supports investigation and traceability
  • Protection from alteration
    • Audit trails cannot be modified or deleted
    • Administrative access does not allow alteration of audit trail content
  • Audit trail review process
    • Procedures define frequency and responsibility for review
    • Reviews focus on detection of unauthorized or unexpected changes
  • Traceability across lifecycle
    • Full history of each record can be reconstructed
    • Linkage exists between data entry, modification, and approval
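The audit trail controls described in sections 5 and 8, worked as an added example (constructed for this article, not a product's own implementation). The `AuditTrail` class and its record layout are assumptions; what it demonstrates is an append-only trail that keeps the original value next to the new one, refuses an update without a reason for change, reconstructs a record's full history, and hash-chains entries so that a later edit to a stored entry is detected on review.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only, hash-chained audit trail (constructed example, not a product's format).
    Each entry records who, when, which action, the value before and after, and why;
    the hash chain makes later edits to stored entries detectable on review."""

    def __init__(self):
        self.entries = []      # the audit trail itself; never rewritten by the API
        self._records = {}     # current record values

    def _append(self, fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {**fields, "seq": len(self.entries) + 1,
                 "timestamp": datetime.now(timezone.utc).isoformat(),  # system-generated
                 "prev_hash": prev}
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)

    def create(self, user, record_id, field, value):
        self._records[record_id] = {field: value}
        self._append({"user": user, "action": "CREATE", "record_id": record_id,
                      "field": field, "old": None, "new": value, "reason": None})

    def update(self, user, record_id, field, value, reason):
        if not reason or not reason.strip():
            raise ValueError("reason for change is required")   # enforced by the system, not only the SOP
        old = self._records[record_id].get(field)
        self._records[record_id][field] = value                 # original value is kept in the trail
        self._append({"user": user, "action": "UPDATE", "record_id": record_id,
                      "field": field, "old": old, "new": value, "reason": reason})

    def history(self, record_id):
        """Reconstruct the full change history of one record."""
        return [e for e in self.entries if e["record_id"] == record_id]

    def verify(self):
        """Recompute the chain. Returns (True, 0) or (False, seq of the first bad entry)."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev_hash"] != prev or e["entry_hash"] != expected:
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, 0
```

The chain alone does not detect removal of the most recent entry; anchoring the latest entry hash outside the system (or in a signed periodic review record) closes that gap.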

9. Paper Records and Hybrid Systems

9.1 Paper Records

Paper records remain acceptable if:

  • they are the official record
  • they are controlled, reviewed, and archived in accordance with predicate rules
  • electronic systems do not replace or alter the official record

9.2 Hybrid Systems

Hybrid systems combine electronic data generation with paper record retention.

  • Risks
    • mismatch between electronic data and paper printouts
    • loss of metadata and audit trail information
    • uncontrolled transcription or manual transfer
  • Required controls
    • clear definition of the official record
    • reconciliation between electronic and paper records
    • retention of electronic data where required for traceability

10. Part 11 Compliance Checklist

This checklist is based on the requirements of 21 CFR Part 11. The full regulation is available at: https://www.ecfr.gov/current/title-21/part-11

Each checklist item should be assessed against the specific clauses of Part 11 and supported by documented evidence during validation, periodic review, or audit.

10.1 Applicability

  • documented assessment of Part 11 applicability
    • determination that the system creates, modifies, or maintains records required by predicate rules
    • reference: §11.1 Scope
  • justification for inclusion or exclusion of controls
    • documented rationale for whether Part 11 requirements apply
    • reference: §11.1 and FDA Part 11 Scope and Application guidance

10.2 Validation

  • intended use and requirements defined
    • system intended use documented and aligned with regulatory requirements
    • reference: §11.10(a)
  • risk assessment performed
    • risk-based approach used to define validation scope and control depth
    • reference: §11.10(a)
  • validation protocols executed and approved
    • documented evidence of testing demonstrating system performs as intended
    • reference: §11.10(a)
  • Part 11 controls tested and verified
    • verification of audit trails, security, and electronic signatures
    • reference: §11.10(a), §11.10(d), §11.200

10.3 Electronic Records

  • records are complete, accurate, and attributable
    • records include all required data and metadata
    • reference: §11.10(b), §11.10(e)
  • audit trails are enabled and capture required events
    • system records creation, modification, and deletion events
    • reference: §11.10(e)
  • records are protected from unauthorized change
    • controls prevent overwriting or deletion without traceability
    • reference: §11.10(c)

10.4 Electronic Signatures

  • unique user identity enforced
    • each user has a unique identification and authentication method
    • reference: §11.100(a), §11.300
  • signature components captured
    • printed name, date/time, and meaning of signature are recorded
    • reference: §11.50(a)
  • signatures linked to records
    • signatures cannot be excised, copied, or transferred
    • reference: §11.70

10.5 Access Control

  • unique user IDs implemented
    • system enforces unique identification for each individual
    • reference: §11.10(d), §11.300
  • role-based access enforced
    • system restricts actions based on authorized roles
    • reference: §11.10(g)
  • periodic access review performed
    • user access is reviewed and maintained according to responsibilities
    • reference: §11.10(d), §11.10(g)

10.6 Audit Trails

  • audit trails capture all required events
    • secure, computer-generated, time-stamped audit trails implemented
    • reference: §11.10(e)
  • original data is preserved
    • previous values retained and not overwritten
    • reference: §11.10(e)
  • audit trail review is documented
    • procedures define review process and evidence of review is maintained
    • reference: §11.10(e), §11.10(k)

10.7 Data Retention

  • retention periods defined
    • retention aligned with predicate rules and business requirements
    • reference: §11.10(c)
  • records are retrievable and readable
    • ability to generate accurate and complete copies in human-readable form
    • reference: §11.10(b)
  • archival processes are controlled
    • archived records remain accessible and protected
    • reference: §11.10(c)

10.8 Backup and Recovery

  • backup procedures defined and executed
    • protection of records to enable accurate and complete reconstruction
    • reference: §11.10(c)
  • restore capability verified
    • testing demonstrates ability to recover records without loss of integrity
    • reference: §11.10(c)

10.9 Procedures and Training

  • SOPs established for system controls
    • written procedures for system operation, security, and control
    • reference: §11.10(k), §11.10(j)
  • personnel are trained and qualified
    • individuals have education, training, and experience for assigned tasks
    • reference: §11.10(i)

The diagram below illustrates the process used to determine Part 11 applicability, assess system compliance, and manage remediation where gaps are identified. It shows how systems move from initial assessment through validation, compliance decision, and corrective actions when required.

Figure: Workflow showing Part 11 applicability assessment, validation and control evaluation, compliance decision, and a remediation loop leading to re-assessment

11. Remediation Strategy

Part 11 non-compliance must be addressed through a structured and documented remediation process. The objective is to restore control over electronic records and signatures, eliminate data integrity risks, and demonstrate that the system operates in a compliant and validated state. Remediation must be risk-based, traceable, and executed under formal quality system controls.

11.1 Gap Assessment

A formal assessment must be performed to determine the current state of compliance against 21 CFR Part 11 requirements.

  • comparison of system controls against Part 11 requirements
    • evaluation of existing technical and procedural controls against regulatory expectations
    • identification of missing controls, improperly configured controls, or uncontrolled processes
  • identification of gaps and deficiencies
    • classification of gaps such as absence of audit trails, weak access control, or inadequate signature controls
    • differentiation between configuration issues and fundamental system limitations
  • documentation of impact
    • assessment of which records, processes, and decisions are affected
    • determination of whether data integrity may have been compromised

11.2 Risk Evaluation

Each identified gap must be evaluated to determine its impact on product quality, patient safety, and regulatory compliance.

  • assessment of data integrity impact
    • evaluation of potential for data manipulation, loss, or lack of traceability
    • identification of affected critical data elements and processes
  • prioritization based on risk
    • ranking of gaps based on severity, likelihood, and detectability
    • prioritization of remediation activities for high-risk conditions affecting release decisions or critical records

11.3 Remediation Planning

A formal remediation plan must be developed to address identified gaps in a controlled manner.

  • definition of corrective actions
    • specification of required actions such as system reconfiguration, procedural updates, or system replacement
    • inclusion of interim controls where immediate correction is not feasible
  • assignment of responsibilities and timelines
    • designation of accountable individuals for each action
    • establishment of realistic timelines based on risk and operational impact

11.4 Implementation

Remediation actions must be executed under change control to ensure traceability and control.

  • execution of corrective actions under change control
    • implementation of system changes through approved change management processes
    • documentation of configuration updates and procedural changes
  • update of system configuration and procedures
    • alignment of system settings with Part 11 requirements
    • revision of SOPs to reflect updated controls and practices

11.5 Verification

All remediation activities must be verified to confirm that controls are effective.

  • re-testing of affected controls
    • execution of targeted testing for audit trails, access control, and electronic signatures
    • challenge testing to confirm that controls prevent unauthorized actions
  • confirmation of effectiveness
    • objective evidence demonstrating that gaps have been closed
    • verification that the system operates as intended under normal and abnormal conditions

11.6 Documentation

Remediation must be supported by complete and auditable documentation.

  • remediation plan and report
    • documented plan outlining scope, actions, responsibilities, and timelines
    • final report summarizing execution and outcomes
  • evidence of implemented changes
    • configuration records, test results, and updated procedures
    • linkage between identified gaps and implemented corrective actions
  • justification of residual risk
    • documented rationale for any remaining limitations
    • confirmation that residual risks are acceptable and controlled

Remediation is complete only when all critical gaps are resolved, controls are verified, and the system can be demonstrated to meet Part 11 expectations.