21 CFR Part 11 Requirements [Explained]

The FDA 21 CFR Part 11 was established by the US Food and Drug Administration (FDA) to ensure the authenticity, integrity, and confidentiality of electronic records and electronic signatures.

This part of the regulation governs how electronic records and signatures are managed and utilized to ensure data integrity in Life Science industries, such as pharmaceuticals, medical devices, biotechnological, and other FDA-regulated industries.

One way for Life Science companies to comply with 21 CFR Part 11 is to adopt a compliant Document Management System (DMS) or electronic Quality Management System (eQMS), such as SimplerQMS.

In this article, we will discuss the different parts and requirements of the 21 CFR Part 11, as well as the key benefits of compliant systems. Furthermore, we will explain how SimplerQMS complies with these requirements.

SimplerQMS offers 21 CFR Part 11 compliant QMS software designed for Life Science companies. Book a demo today to see how our eQMS can help streamline your company’s quality management and compliance efforts.

Jump to the specific topics covered in this article:

• Introduction to 21 CFR Part 11 Requirements
• Different Parts of 21 CFR Part 11
• What Are the Requirements of 21 CFR Part 11?
• Key Requirements of a 21 CFR Part 11 Compliant System
• What Are the Key Benefits of Using a 21 CFR Part 11 Compliant System?
• How Does SimplerQMS Comply With 21 CFR Part 11 Requirements?

Introduction to 21 CFR Part 11 Requirements

The FDA 21 CFR Part 11 requirements apply to companies operating in FDA-regulated industries using electronic records and electronic signatures (eSignatures). In the Life Sciences, those include pharmaceutical, biotechnological, medical device, and other industries.

The purpose of these requirements is to ensure that electronic records and electronic signatures are just as trustworthy and reliable as paper records and handwritten signatures. These requirements are designed to ensure data integrity, security, and reliability in electronic records and signatures.

Electronic records are defined in 21 CFR 11.3(b)(6) as any information in digital form handled by a computer system.

This means that not only text documents are in scope but also the following information assets:

• Images
• Sound files
• Videos
• Test records
• Source code
• Spreadsheets

The FDA defines electronic signatures as any symbols an individual has approved as the legal equivalent of their handwritten signature as per 21 CFR 11.3(b)(7).

Compliance with 21 CFR Part 11 is essential for companies within FDA-regulated industries. Since nonconformances can result in serious consequences, including warnings, monetary penalties, product recalls, etc.

By ensuring compliance with 21 CFR Part 11, companies can maintain the authenticity, integrity, and, when appropriate, the confidentiality of their data.

Different Parts of 21 CFR Part 11

The FDA 21 CFR Part 11 is divided into three subparts, each addressing a different aspect of electronic records and signatures.

Below is a brief explanation of each subpart.

• Subpart A – General Provisions: This subpart outlines the scope and applicability of 21 CFR Part 11, as well as the definitions of key terms used throughout the regulations.
• Subpart B – Electronic Records: This subpart establishes requirements for the creation, modification, and maintenance of electronic records, including guidelines for data security, audit trails, and electronic signatures.
• Subpart C – Electronic Signatures: This subpart guides the use of electronic signatures, including the requirements for their use and how to control identification codes and passwords.

What Are the Requirements of 21 CFR Part 11?

The 21 CFR Part 11 requirements outline criteria for electronic records, electronic signatures, and handwritten signatures on electronic records to be considered trustworthy, reliable, and comparable to paper records and signatures on paper.

In this section, we will examine the key requirement of 21 CFR Part 11 and highlight the most important points.

21 CFR Part 11 Subpart A – General Provisions

Subpart A provides an overview of the requirements that companies using electronic records and signatures must meet to comply with these regulations.

Section 11.1 Scope

Section 11.1 Scope states that the FDA considers electronic records and signatures trustworthy, reliable, and equivalent to paper records and handwritten signatures.

This regulation applies to electronic records created, handled, and archived under any records requirements set forth by FDA. And records that meet the requirements of this part can be used instead of paper records unless paper records are specifically required.

Computer systems, controls, and documentation maintained under 21 CFR Part 11 must be available for FDA inspection.

Section 11.2 Implementation

Companies can use electronic records and electronic signatures as a substitute for paper records or handwritten signatures if they comply with Part 11 requirements.

Section 11.3 Definition

The FDA defines specific terms used in Part 11 for better understanding.

• Act: Federal Food, Drug, and Cosmetic Act.
• Agency: Food and Drug Administration (FDA).
• Biometrics: Method of verifying an individual’s identity based on unique physical features or repetitive action.
• Closed system: Environment where responsible persons for the electronic records control access to the system.
• Digital signature: Electronic signature based on cryptography, using computer science rules and parameters to convert signature information into a code.
• Electronic record: Any digital form of information representation created, modified, maintained, archived, retrieved, or distributed by a computer system.
• Electronic signature: Computer data of symbols authorized by an individual to be the legally binding equivalent of a handwritten signature.
• Handwritten signature: Scripted name or legal mark of an individual used to authenticate records.
• Open system: Environment where responsible persons for the electronic records do not control system access.

21 CFR Part 11 Subpart B – Electronic Records

Subpart B outlines the specific controls required for closed and open systems, as well as the necessary signature manifestations and linking.

Section 11.10 Controls for Closed Systems

Companies using closed systems must have controls and procedures to ensure electronic records’ authenticity, integrity, and, when appropriate, confidentiality.

These procedures and controls must include the following:

• Validate systems to ensure accuracy, reliability, and consistent performance.
• Produce complete and accurate copies of records for review and copying by the FDA.
• Retrieve records accurately and easily throughout the retention period.
• Limit system access to authorized personnel.
• Secure, computer-generated, and time-stamped audit trails.
• Operational system checks to enforce the correct sequence of steps and events.
• Authority checks to ensure only authorized individuals have access to the system, can electronically sign records, alter records, or perform the operation at hand.
• Device checks to verify the source of data input or operational instruction.
• Train the personnel who use electronic records and signature systems.
• Written policies that hold individuals accountable and responsible for actions under their electronic signatures.
• Controls over systems documentation, including adequate distribution, access, and use of system operation and maintenance documents.

Section 11.30 Controls for Open Systems

The same requirements for closed systems apply to open electronic systems, with additional security measures, such as digital signature standards and data encryption.

Section 11.50 Signature Manifestations

Electronic signatures must include an individual’s name, date, time, and meaning of the signature.

Section 11.70 Signature and Record Linking

An electronic signature must be associated with its respective electronic record. This ensures that the signature cannot be separated from the record to be falsified.

21 CFR Part 11 Subpart C – Electronic Signatures

Subpart C specifies the requirements for electronic signature components and controls, as well as controls for identification codes and passwords.

Section 11.100 General Requirements

This section sets forth the requirements to ensure the identity of users and certify their signatures.

General requirements include:

• Unique electronic signatures to each individual that cannot be reused or reassigned.
• Companies must verify the identity of individuals before assigning electronic signatures.
• Users of electronic signatures must certify to the FDA that their electronic signatures are the legal equivalent of traditional handwritten signatures.

Section 11.200 Electronic Signature Components and Controls

There should be at least two identification components, such as an identification code and password.

Electronic signatures must only be used by their genuine owners and administered, so the system should require an identification code and password when a user signs a record for the first time.

Users can use only one signature control component for subsequent signings during single system access. However, all electronic signature components should be used for each signing that is not performed during single system access.

Section 11.300 Controls for Identification Codes and Passwords

Companies using electronic signatures with identification codes and passwords must have controls to ensure security and integrity.

These controls include ways to:

• Ensure each user has a unique identification code and password combination without duplication.
• Periodically review and update identification code and password issuances, preventing password aging.
• Deactivate and replace lost, stolen, or potentially compromised devices containing identification codes or password information.
• Prevent unauthorized use of passwords and identification codes with transaction safeguards.
• Detect and report any unauthorized use attempts to the security unit and, if necessary, to management.
• Test devices periodically to ensure they work correctly and have not been altered.

Key Requirements of a 21 CFR Part 11 Compliant System

In this section, we will discuss the key requirements that a 21 CFR Part 11 compliant system must meet to achieve compliance.

While this article covers some of the 21 CFR Part 11 software requirements, it is not an exhaustive list.

Overall, the 21 CFR Part 11 compliant system should be able to ensure the authenticity, integrity, trustworthiness, and reliability of electronic records and signatures.

Read on to learn about the key requirements.

System Validation

Companies must validate their systems to ensure accuracy, reliability, consistent intended performance, and the ability to identify invalid or altered records, as stated in 21 CFR 11.10(a).

When implementing a new system or upgrading an existing one, it is important to take into account computer system validation.

This means that regular system software validation checks must be conducted, ensuring that all elements of your system work as intended. Additionally, you must record validation testing results.

Undertaking software validation can be a daunting task for Life Science companies, especially considering that it may not align with their core expertise.

At SimplerQMS, we alleviate this concern by providing a fully validated solution according to ISPE GAMP5.

This means that we take care of all the software validation for you without any additional expenses, resources, or time commitments on your part.

The software is regularly revalidated every time a new version is released or standard updates are applied, eliminating the need for our customers to conduct validation activities.

You can read our article to understand more about QMS software validation and when it is needed.

Record Generation

Section 21 CFR 11.10(b) specifies that compliant systems must be able to generate accurate and complete copies of records for inspection, review, and copying by the FDA.

A compliant system should have the capability to generate and export copies of stored records within the system.

Moreover, it should also be able to provide both electronic copies and paper copies or printouts.

For a more in-depth explanation of requirements for electronic records, please refer to our 21 CFR Part 11 compliant electronic records guide.

Audit Trails

As outlined in 21 CFR 11.10(e), the system should be able to create a secure audit trail that chronologically documents any changes made to electronic records.

Audit trails provide evidence, enabling companies to track any modifications made to electronic records, including who made the changes, when they made them, and what they changed.

For example, in the SimplerQMS software, any record creation, modification, or retiring is automatically stored in a history file. This file cannot be modified by users and is retained for as long as necessary.

Here, we briefly discussed audit trails. If you want to learn more, please read the full article about the 21 CFR Part 11 audit trail requirements.

Operational Controls

As per 21 CFR 11.10(f), the system should have operational checks designed to verify and ensure that the sequence of events is followed correctly. As a result, it eliminates the possibility of errors or fraudulent activities in electronic records.

21 CFR Part 11 compliant software should enable monitoring and controlling procedures through the phase-gate process. This workflow ensures that appropriate personnel create, review, and approve records.

The illustration above shows key steps in the quality document creation and approval workflow within SimplerQMS software.

This process is done through an automated workflow, where documents move from one phase to another in a specific order.

In this example, the document cannot be edited after approval. In case a change is needed, a change request must be created.

Security Controls

As per 21 CFR 11.10(g), systems should have authority checks to ensure that only authorized individuals can:

• Use the system functions
• Electronically sign a record
• Access the computer system input or output device
• Modify a record
• Perform assigned tasks in the system.

To ensure secure authentication and authorization, SimplerQMS integrates with Microsoft Entra ID (previously known as Microsoft Azure Active Directory), controlling user access to the system.

We establish a clear one-to-one relationship between authorized individuals and their login accounts by providing unique identification codes and password combinations. This approach guarantees that each employee has only one user account, promoting system security and user accountability.

Check out our article dedicated to 21 CFR Part 11 password requirements to learn more about controls for identification codes and passwords.

Personnel Training

21 CFR Part 11.10(i) emphasizes the importance of ensuring that all system users have the necessary education, training, and experience to carry out their designated tasks effectively.

This means that each system user should be trained to perform their assigned tasks. Furthermore, training should be well documented, allowing auditors to review the operational audit trail and cross-reference with training logs.

At SimplerQMS, we provide a comprehensive training program for utilizing the electronic record and signature system.

Upon successful completion of the training, we issue training certificates as proof of qualification.

This helps ensure that all users are aware of how to use the system to perform their assigned tasks confidently.

Electronic Signatures

As specified in 21 CFR 11.50, the system should capture signature information associated with the signing.

A compliant electronic signature must contain the following elements:

• The printed name of the signer
• The date and time when the signature was executed
• The meaning associated with the signature

Furthermore, electronic signatures and handwritten signatures on electronic records must be securely linked to their corresponding records as outlined in 21 CFR 11.70. This prevents anyone from removing, copying, or transferring the signature to fake a record.

For a more detailed explanation of electronic signatures, please refer to our 21 CFR Part 11 compliant electronic signatures guide.

What Are the Key Benefits of Using a 21 CFR Part 11 Compliant System?

Using a 21 CFR Part 11 compliant system offers numerous benefits.

Below are some key benefits you can expect.

Improves Data Integrity

A 21 CFR Part 11 compliant system ensures the integrity of electronic records, reducing the risk of data tampering, loss, or unauthorized modifications. This promotes accurate and reliable data throughout the record lifecycle.

Regulatory Compliance

Companies can ensure they meet the 21 CFR Part 11 requirements for electronic recordkeeping and eSignatures, mitigating the risk of regulatory action.

Curious about the common FDA regulatory actions?

Check out our article on 21 CFR Part 11 noncompliances to find out the most common compliance issues, how to avoid them, and possible FDA enforcement actions in case of major non-compliances.

More Efficient Workflow Processes

Electronic recordkeeping workflow and electronic signature processes become more streamlined. This reduces the time, resources, and manual effort, enabling companies to achieve operational excellence.

Streamlined Collaboration

A compliant system enables secure electronic collaboration and remote access.

It supports collaboration and information sharing among authorized users across departments and locations. The system ensures a controlled environment for project collaboration and information exchange.

Improved Auditability

Electronic records and signatures can be easily tracked in time-stamped and computer-generated audit trails, reducing the risk of errors in the documentation. This enables traceability and accountability and facilitates accurate investigation if necessary.

Increased Security

The regulatory requirements emphasize robust security measures, including access controls, user authentication, and data encryption. A compliant system helps protect sensitive information from unauthorized access, ensuring data confidentiality.

Simplified Recordkeeping

A compliant document management system eliminates the need for paper-based records, reducing storage costs. Electronic records can be easily managed, accessed, and retrieved when required, improving data accessibility and long-term retention.

How Does SimplerQMS Comply With 21 CFR Part 11 Requirements?

The most straightforward approach to achieving compliance with 21 CFR Part 11 is implementing a system compliant with 21 CFR Part 11, out-of-the-box, like SimplerQMS.

SimplerQMS complies with all requirements of the 21 CFR Part 11. Here are some of its key capabilities that help achieve compliance.

Electronic Signatures

SimplerQMS provides 21 CFR Part 11 compliant electronic signatures. Signatures are linked to their respective records, ensuring they cannot be excised, copied, or transferred to falsify an electronic record.

The video below shows an example of how 21 CFR Part 11-compliant electronic signatures and automated workflows work in SimplerQMS.

Audit Trails

The SimplerQMS system maintains detailed audit trails that capture all user actions in electronic records.

The system logs all record creation, modification, archiving, and access activities.

Audit trails are time-stamped and cannot be modified.

System Access Controls

Our software includes appropriate system access controls, such as user authentication, password controls, and role-based access. This ensures that only authorized individuals have access to electronic records and signatures.

Record Retention

The software enables records to be retained in a secure and cloud-based system for the required period.

This allows records to be always readily accessible from anywhere.

System Training

SimplerQMS provides customer training to ensure proficient usage of our software. We provide comprehensive implementation training for all QMS modules.

Customers have the flexibility to request additional training or refresher sessions as needed. Initially, training takes place in a dedicated environment, allowing users to gain confidence before transitioning to the actual company’s software environment.

In addition, companies can streamline their own training. We offer a training management module that facilitates efficient employee training, including onboarding new team members. With features such as training assignments, notifications, reminders, and the ability to create quizzes, our platform empowers you to manage and assess training effectiveness effectively.

Secure Data Storage

SimplerQMS provides secure data storage capabilities that comply with 21 CFR Part 11. The software ensures that all electronic records are stored securely and protected, with access restricted to authorized personnel only.

Controlled Document Management

The system offers a streamlined solution for managing controlled documents. It allows users to manage document versions, access, and distribution easily.

SimplerQMS is more than a 21 CFR Part 11 compliant system.

We provide a complete eQMS software solution designed for Life Sciences. SimplerQMS offers all QMS modules, such as document management, change control, employee training, CAPA management, audit management, and much more.

By using SimplerQMS, Life Science companies can streamline quality management processes, comply with 21 CFR Part 11, and simplify the journey towards compliance with many other Life Science requirements, such as ISO 13458, GxP, ISO 9001, FDA 21 CFR Part 210, 211, and 820, ICH Q10, EU MDR and IVDR, and others.

If you are considering implementing an eQMS solution but need assistance understanding its benefits, we recommend downloading our eQMS Business Case template.

This tool offers a framework for assessing the value of an eQMS specifically for your company. It can support you in presenting your findings to management.

By constructing a comprehensive business case, you can identify the potential return on investment (ROI), cost savings, increased efficiency, and compliance with regulations like 21 CFR Part 11.

Final Thoughts

The 21 CFR Part 11, enforced by the FDA, establishes electronic records and signature requirements. Its purpose is to ensure the trustworthiness and reliability of such records and signatures.

Life Science companies adopt document management and QMS software solutions that comply with 21 CFR Part 11 requirements to ensure compliance.

SimplerQMS stands out by providing a cutting-edge QMS software solution with robust document management capabilities that fully complies with 21 CFR Part 11.

We invite you to book a free demo with one of our experts to see how SimplerQMS can ensure compliance with 21 CFR Part 11 and streamline your quality management processes.