FDA Title 21 CFR

FDA 21 CFR Part 11 allows Medical Device and Life Science organizations to use electronic records and signatures in place of paper.

The regulation applies to all aspects of the research, clinical study, maintenance, manufacturing, and distribution of medical products, and covers:

  • Required records that are maintained in electronic format in place of paper format
  • Required records that are maintained in electronic format in addition to paper format, and that are relied on to perform regulated activities
  • Records submitted to FDA in electronic format
  • Electronic signatures that are intended to be the equivalent of handwritten signatures

To meet these regulations, companies turn to software to help bridge the gap. But a piece of software by itself cannot be compliant. Any critical software must be supported by a properly conceived and performed validation project, normally following GMP.

FDA 21 CFR Part 11 helps organizations reduce the cost of managing and documenting their entire labeling life-cycle, from routing and approval workflow, version control and comparison, to audit trails and reports.

By becoming FDA 21 CFR Part 11 compliant, manufacturers will benefit from:

  • Reduced costs by removing manual and paper processes whilst improving workflow processes
  • Improved traceability – electronic records are simpler for gathering, filtering, and presenting information for internal use or FDA audits
  • The ability to print, reprint and reconcile labels at any time
  • Stronger controls over users’ ability to design, amend and approve labels
  • Better management of global data including product data, symbols, graphics, and languages




Frequently Asked Questions to the FDA on CFR Part 11 Compliance

Can a vendor guarantee compliant software for Part 11?

It is not possible for any vendor to offer a turnkey ‘Part 11 compliant system’. Any vendor who makes such a claim is incorrect. Part 11 requires both procedural controls (i.e. notification, training, SOPs, administration) and administrative controls to be put in place by the user in addition to the technical controls that the vendor can offer. At best, the vendor can offer an application containing the required technical elements of a compliant system.

Does Part 11 apply to electronic systems that can print records but do not have a durable storage media (i.e. flash memory or memory buffer, etc.)?

The question is less about the storage media and more about whether the operator can manipulate the data before they are printed. The real problem is that most of this equipment does not have the functions required by Part 11.

What is the definition of hybrid system? Could you give an example of one?

A ‘Hybrid System’ is defined as an environment consisting of both Electronic and Paper-based Records (Frequently Characterized by Handwritten Signatures Executed on Paper). A very common example of a Hybrid System is one in which the system user generates an electronic record using a computer-based system (e-batch records, analytical instruments, etc.) and then is required to sign that record as per the Predicate Rules (GLP, GMP, GCP). However, the system does not have an electronic signature option, so the user has to print out the report and sign the paper copy. Now he has an electronic record and a paper/handwritten signature. The ‘system’ has an electronic and a paper component, hence the term, hybrid.

If using a ‘hybrid system’ approach to e-signatures, how do you link the handwritten signature to the e-record?

Since Part 11 does not require that electronic records be signed using electronic signatures, e-records may be signed with handwritten signatures that are applied to electronic records or handwritten signatures that are applied to a piece of paper. If the handwritten signature is applied to a piece of paper, it must link to the electronic record. The FDA will publish guidance on how to achieve this link in the future, but for now it is suggested that you include in the paper as much information as possible to accurately identify the unique electronic record (e.g., at least file name, size in bytes, creation date and a hash or checksum value). However, the master record is still the electronic record. Thus, signing a printout of an electronic record does not exempt the electronic record from Part 11 compliance.
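The identifying fields suggested above (file name, size in bytes, creation date, hash) can be generated for the printout and re-checked later against the electronic master. The following Python sketch is an added example, not part of the original FAQ; the function names, the choice of SHA-256 and the sample file are assumptions, and the creation date is taken from the system of record rather than from filesystem metadata, which is not reliable across platforms.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Hash the file in chunks so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def link_fields(path, created_utc):
    """Fields to print on the page that carries the handwritten signature.

    created_utc is supplied by the system that created the record (assumption).
    """
    return {
        "file_name": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "created_utc": created_utc,
        "sha256": sha256_of_file(path),
    }


def verify_link(path, created_utc, printed):
    """Return the names of printed fields that no longer match the e-record."""
    current = link_fields(path, created_utc)
    return sorted(k for k in printed if current.get(k) != printed[k])


def demo():
    """Constructed sample record: sign a printout, then alter the master."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "batch_0421.csv")
        with open(path, "wb") as fh:
            fh.write(b"lot,assay\nA17,99.2\n")
        created = "2024-03-05T14:02:11Z"
        printed = link_fields(path, created)          # goes on the paper copy
        intact = verify_link(path, created, printed)  # nothing changed yet
        with open(path, "wb") as fh:
            fh.write(b"lot,assay\nA17,99.9\n")        # same name, same length
        altered = verify_link(path, created, printed)
        return printed, intact, altered


if __name__ == "__main__":
    printed, intact, altered = demo()
    print(printed)
    print("mismatches before edit:", intact)
    print("mismatches after edit:", altered)
```

The edited file keeps its name and size, so only the hash exposes the change; name and size identify the record, the hash is what detects alteration.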

What are some examples of audio data that may be captured in the Pharmaceutical Industry? Specific Examples?

Audio recordings of regulated patient information or experimental observations are infrequent, but sometimes acquired. Also, audio conferences discussing projects, reports, data are common in the pharma industry. If the data therein is required to be maintained by predicate rules, and the audio file is saved to durable media, Part 11 would apply.

I keep electronic records but have signatures on paper (hybrid systems). Is there a deadline for converting to electronic signatures?

No. There is no deadline for converting to electronic signatures. Having handwritten signatures on paper is acceptable if signatures are linked to electronic records so signers cannot repudiate records.

When does an audit trail begin?

Audit Trail initiation requirements differ for data vs. textual materials. For data: If you are generating, retaining, importing or exporting any electronic data, the Audit Trail begins from the instant the data hits the durable media. For textual documents: if the document is subject to approval and review, the Audit Trail begins upon approval and release of the document.

Should execution of a signature be audit trailed?

Yes, execution of a signature must be audit trailed.

Are e-mails controlled documents?

If the text in an email supports such activities as change control approvals or failure investigations, then the e-mails have to be managed in a compliant way.

Can a single restricted login suffice as an electronic signature?

No. The operator has to indicate intent when signing something, and he has to re-enter the user ID/password (shows awareness that he is executing a signature) and give the meaning for the e-sig. To support this, Part 11 §11.50 states that signed e-records shall contain information associated with the signing that indicates the printed name of the signer, the date/time, and the meaning, and that these items shall be included in any human readable form of the record.

When are e-signatures required?

The predicate rules mandate when a regulated document needs to be signed.

Should a company individually certify that every associate’s electronic signature is legally binding?

No. The required one-time e-sig certification is for an organization as a whole. Its intent is to certify that a company recognizes that its e-signatures are equivalent to their hand-written signatures.

FDA has issued a new guideline on date and time. It is not mandatory that it is local?

You are correct. The just-released draft Guidance Document on Time Stamps for E-Records and E-Sigs can be found here.

The Agency has reconsidered their position on local date and time stamp requirements. The draft guidance document reflects their current thinking, and supersedes the position in comment #101 of the Rule with respect to the time zone that should be recorded. The document states, “You should implement time stamps with a clear understanding of what time zone reference you use. Systems documentation should explain time zone references as well as zone acronyms or other naming conventions.”

Does outsourcing of a computer make a system an open system? Additionally would the external access of an external vendor for maintenance work (e.g. using a modem) to a computer system make that an open system?

According to the Rule, the definition of closed system is “an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.” The agency agrees that the most important factor in classifying a system as closed or open is whether the persons responsible for the content of the electronic records control access to the system containing those records. A system is closed if persons responsible for the content of the records control access. If those persons do not control such access, then the system is open because the records may be read, modified, or compromised by others to the possible detriment of the persons responsible for record content. Hence, those responsible for the records would need to take appropriate additional measures in an open system to protect those records from being read, modified, destroyed, or otherwise compromised by unauthorized and potentially unknown parties.

What do you mean by linking e-records to e-signatures?

Part 11 Sec. 11.70 states that electronic signatures and handwritten signatures executed to electronic records must be linked (i.e. verifiably bound) to their respective records to ensure that signatures could not be excised, copied, or otherwise transferred to falsify another electronic record. The agency does not, however, intend to mandate use of any particular ‘linking’ technology. FDA recognizes that, because it is relatively easy to copy an electronic signature to another electronic record and thus compromise or falsify that record, a technology-based link is necessary. The agency does not believe that procedural or administrative controls alone are sufficient to ensure that objective because such controls could be more easily circumvented than a straightforward technology based approach.
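One way to make a signature "verifiably bound" to its record is to include the record's digest in the signature manifest and protect the whole manifest with a cryptographic tag. The Python sketch below is an added example, not part of the original FAQ and not a technology the agency mandates; it uses a keyed hash (HMAC-SHA-256) with a key held by the signing system as a stand-in for a public-key digital signature, and all names, keys and sample records are constructed.

```python
import hashlib
import hmac
import json


def record_digest(record_bytes):
    return hashlib.sha256(record_bytes).hexdigest()


def binding_tag(manifest, key):
    """HMAC over every manifest field except the tag itself."""
    body = {k: v for k, v in manifest.items() if k != "binding"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def sign_record(record_bytes, printed_name, meaning, signed_at_utc, key):
    """Build the signature manifest: name, date/time and meaning (the items
    listed for 11.50 elsewhere on this page) plus the digest of the exact
    record being signed."""
    manifest = {
        "printed_name": printed_name,
        "signed_at_utc": signed_at_utc,  # time zone reference stated in the field name
        "meaning": meaning,
        "record_sha256": record_digest(record_bytes),
    }
    manifest["binding"] = binding_tag(manifest, key)
    return manifest


def verify_signature(record_bytes, manifest, key):
    """Check the manifest is intact and belongs to this record."""
    expected = binding_tag(manifest, key)
    if not hmac.compare_digest(manifest.get("binding", ""), expected):
        return "manifest altered"
    if manifest["record_sha256"] != record_digest(record_bytes):
        return "signature not bound to this record"
    return "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"                # constructed; never hard-code real keys
    record_a = b"LBL-0042 rev B: 10 mg tablets"  # constructed sample records
    record_b = b"LBL-0042 rev C: 20 mg tablets"
    sig = sign_record(record_a, "J. Doe", "approval", "2024-03-05T14:02:11Z", key)
    print(verify_signature(record_a, sig, key))  # original record
    print(verify_signature(record_b, sig, key))  # signature copied to another record
    print(verify_signature(record_a, dict(sig, meaning="review"), key))
```

Because the key is held by the system rather than by the signer, this construction detects excision and transfer but does not by itself give the signer-specific assurance of a private-key signature.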

Can you share a sample FDA Warning Letter, or is that proprietary information?

The FDA Warning Letters can be found on the FDA web site. The letters are considered public information.

What is ‘grand fathering’?

“Grand fathering” simply means the possibility that the rule may not apply to any system in existence before the rule came into effect. Part 11 does not allow for grandfathering of legacy systems. Therefore, systems installed before August 20, 1997 must be made compliant or replaced.

What is GxP?

This refers to the “Good Practices” whose rulings are observed within the pharmaceutical industry. These are Good Laboratory Practice (GLP), Good Automated Manufacturing Practice (GAMP), Good Manufacturing Practice (GMP) and Good Clinical Practice (GCP). The ‘x’ is merely a placeholder.

What is a ‘Predicate Rule’?

Any requirements set forth in the Act (Federal Food, Drug and Cosmetic Act), the PHS Act (Public Health Service Act), or any FDA regulation (GxP: GLP, GMP, GCP, etc.). The predicate rules mandate what records must be maintained; the content of records; whether signatures are required; how long records must be maintained, etc. If there is no FDA requirement that a particular record be created or retained, then 21 CFR Part 11 most likely does not apply to the record.

Are HIPAA regulations considered a predicate rule with regard to medical records maintained electronically?

See above.

How can you make sure that e-records are still readable throughout the retention period (with focus on the formats)? Currently mostly proprietary formats are in use (e.g. in the lab area) and the possibility to read these formats in a few years is difficult (especially if the vendor is changed). Printing or converting into PDF or similar is only a partial solution. What would/could be a long-term solution here?

There are several possible solutions being considered for long-term data re-processability. They include data migration, data emulation and system ‘Time Capsules’. As of today, there are no set standards, or widely accepted procedures to ensure long-term data viability.

What is ‘metadata’?

Literally, it can be defined as ‘data about data’. In practical terms, the types of metadata that can be associated with an electronic record may include: details of the record’s creation, author, creation date, ownership, searchable keywords that can be used to classify the document, details of the type of data found in the document, and the relationships between different data components. Metadata must be stored as an integral part of the electronic document it describes.

If you use Electronic Signatures, do you have to comply with Electronic Record Requirements?

Use of Electronic Signatures implies that your system is an Electronic Record system and, therefore, must be in compliance with all provisions of 21 CFR Part 11.

Do you have a format or example for the certification for e-signatures that a company can send to the FDA?

For the exact wording for the e-sig certification, please consult the FDA website. One can also find wording for the certification in the preamble of the final Rule. The response to comment #120 is “…The final rule instructs persons to send certifications to FDA’s Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857. Persons outside the United States may send their certifications to the same office. The agency offers, as guidance, an example of an acceptable Sec. 11.100(c) certification: Pursuant to Section 11.100 of Title 21 of the Code of Federal Regulations, this is to certify that [name of organization] intends that all electronic signatures executed by our employees, agents, or representatives, located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures.”

Which kind of media (CD Roms, WORMs, etc.) can be considered “21CFRPart11 compliant” from point of view of good retention period?

In an effort to remain technologically neutral, the FDA does not specify the kind of media that one must use for archiving. There are studies currently underway from independent sources that are trying to test the ‘lifetime’ of such media as CD ROM, although there is no set standard lifetime for such media. Some companies are doing their own tests on media lifetime.

How do you recommend handling CROs and vendors in a timely basis?

The data that a CRO generates is ultimately the responsibility of the company that hires the CRO to do the research. That company must be on top of the CRO, their record keeping practices and their adherence to GxP. If a CRO is sending results back to the study sponsor, a compliant, secure, closed system is best to use. Just like with vendors, it is wise to audit the CROs and the vendors to make sure that they are up on their Part 11 (and GxP compliance).

What must a vendor do to claim that their hardware and software are ‘compliant’ with 21 CFR Part 11?

No vendor can claim that his or her software products are certified Part 11 compliant. A vendor, instead, can say that he has all of the Technical Controls for 21 CFR Part 11 compliance built in to his product. Remember, it is the responsibility of the user to implement the Procedural and Administrative Controls (correctly and consistently) along with using products with the correct Technical Controls for overall Part 11 compliance.

Does Part 11 apply to instruments themselves that are not connected to computers but that have microprocessors within?

If such a system does not generate electronic records according to the definition of e-records in Part 11 (data starting its life written to durable media), and/or these e-records are not subject to the GxP regulations, then Part 11 does not apply.

Are electronic signatures always required on the creation of electronic records?

The ‘Predicate Rules’ (GxP) regulations determine what records must be signed, not Part 11. Not all e-records need to be signed. Check your predicate rules for what records must be signed, when and by whom.

Is a ‘Gap Analysis’ a necessary step to become 21 CFR Part 11 compliant?

A Gap Analysis is not a specified requirement of Part 11, however, during the process of becoming Part 11 compliant, most firms undergo a Gap Analysis as part of their assessment/remediation phase.

If a GLP computer is in a lab with physical access control to the doors to the lab, but the application software on that lab computer has no logical access control, does this system comply with Part 11?

No. This is because there would be no way to control access to the system itself. There would be no record of who actually logged onto the system and when.

What are the expected means for reporting attempts at forging electronic signatures?

Although it is not specified in Part 11, most software programs that execute e-sigs and that have notification capabilities report attempts via an email notice to a database administrator.

What is an appropriate audit trail for an Excel Spreadsheet? Some indicate you should track every single cell change and others say it should be tracked the same way a document management system would do it (track final versions only, intermediate drafts don’t count only after all changes have been made and approved)?

The audit trail for Excel should capture changes to both the data and to formulas. Things like formatting changes (alignment/font) to cells do not have to be audit trailed.

Please further elaborate/define “Hashing”

Hashing can be used for accessing data or for data security. A hash is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is unlikely that some other text will produce the same hash value. Hashes play a role in security systems where they’re used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If they’re the same, there is a very high probability that the message was transmitted intact.

In Part 11.300, controls for identification codes/passwords usage is listed under Subpart C — Electronic Signatures. Are these requirements only applicable if your system is utilizing e-signatures? It seems that these should be applicable to any system with e-records.

The controls for password/user ID usage apply across the board for ERES systems. They apply to the proper management of electronic records in addition to executing compliant electronic signatures.

Given the fact that most of the systems needing to be compliant are usually found not to be compliant and are usually replaced, does it make sense to do a gap analysis or go directly to remediation?

Some feel that since most systems that have been assessed by gap analyses in the past have turned out to be non-compliant with Part 11, it would save time and money to not do a gap analysis. Like all compliance decisions that an organization must make, this is a personal one. The overall goal is to achieve compliance with Part 11 for applicable systems in order to provide reliability and trustworthiness for the ERES generated/managed by those systems. How you get there is not regulated. Perhaps future FDA Part 11 guidance documents will comment on the ‘no gap analysis’ methodology?

Is an audit of a vendor enough to ensure that the technical controls (in their product) are all present and compliant?

In addition to a vendor audit, one must scrutinize the product itself and its implementation in your facility. Do not forget that validation of the applicable systems in your own environment is the user’s responsibility (not to mention implementing the procedural and administrative controls for complete adherence to Part 11).

Could you define and provide examples of systems that are critical to “data integrity”?

For Part 11, data integrity is related to the trustworthiness of the electronic records generated/managed by critical systems. The FDA is most concerned about systems that are involved with drug distribution, drug approval, manufacturing and quality assurance because these systems pose the most risk in terms of product quality and/or public safety.

Technical solutions may take some time to implement. What is the FDA’s position on timelines?

There is no fixed date for complete remediation. The Agency has often stated that they would take enforcement discretion if an organization takes the appropriate steps to put a plan in place that addresses what systems need to be compliant and what the firm will do to get the systems there. These plans must include all applicable systems, be detailed and have reasonable timelines and hold persons responsible for implementing those plans. Check out the FDA’s “Enforcement Policy: Electronic Records; Electronic Signatures-Compliance Policy Guide; Guidance for FDA Personnel” from 1999 if you want more information on enforcement.

What type of ‘reporting’ capability on audit trail data should be supported?

According to Part 11 §11.10 (e) audit trails must be secure, computer-generated and time-stamped to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. Audit trails should say ‘who did what to your records and when (why for GLP)’. Part 11 does not specify the format for audit trails. This should be discussed in a forthcoming FDA guidance document for Part 11 audit trails.
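Since the format is left open, one common way to make an audit trail tamper-evident is to chain the entries by hash, so that editing or removing an earlier entry breaks every later one. The Python sketch below is an added example, not part of the original FAQ and not a format Part 11 prescribes; the field names, the hash chain itself and the sample entries are assumptions, and timestamps are passed in only to keep the sample reproducible (a real system would take them from its own clock).

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def entry_hash(entry):
    """SHA-256 over every field of the entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(trail, when_utc, who, action, record_id, old, new, reason=None):
    """Append one 'who did what, when (and why)' entry, chained to the last."""
    entry = {
        "seq": len(trail) + 1,
        "when_utc": when_utc,
        "who": who,
        "action": action,        # create / modify / delete / sign
        "record_id": record_id,
        "old": old,              # previous value is kept, not overwritten
        "new": new,
        "reason": reason,
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    entry["hash"] = entry_hash(entry)
    trail.append(entry)
    return entry


def first_broken_entry(trail):
    """Return the 1-based position of the first inconsistent entry, or None."""
    prev = GENESIS
    for pos, entry in enumerate(trail, start=1):
        if (entry["seq"] != pos
                or entry["prev_hash"] != prev
                or entry["hash"] != entry_hash(entry)):
            return pos
        prev = entry["hash"]
    return None


if __name__ == "__main__":
    trail = []  # constructed sample entries
    append_entry(trail, "2024-03-05T14:02:11Z", "jdoe", "create", "LBL-0042", None, "rev A")
    append_entry(trail, "2024-03-05T15:10:40Z", "asmith", "modify", "LBL-0042",
                 "rev A", "rev B", reason="artwork correction")
    append_entry(trail, "2024-03-06T09:00:05Z", "qlead", "sign", "LBL-0042", None, "approval")
    print("intact trail:", first_broken_entry(trail))
    edited = copy.deepcopy(trail)
    edited[1]["new"] = "rev C"          # silent edit of an earlier entry
    print("edited trail breaks at:", first_broken_entry(edited))
    cut = copy.deepcopy(trail)
    del cut[1]                          # entry removed from the middle
    print("cut trail breaks at:", first_broken_entry(cut))
```

The chain does not detect removal of the newest entries or a full rewrite by someone who can recompute every hash, so the latest hash should also be stored somewhere the application's users cannot change.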

For clinical data management systems, where does the audit trail begin…. after first entry or after the data has been verified and uploaded to the data management system?

The latter. Clinical research organizations are mandated to comply with 21 CFR Part 11, which requires tracking the activity and ownership of electronic clinical data in audit trails. If you are using Remote Data Entry (RDE) software for data entry, or especially a Web-based RDE, you need to exercise due diligence to protect your data from inadvertent or malicious changes.

How does the digital signature verify that the document hasn’t been altered after signing?

A digital signature is computed using a set of rules and a mathematical algorithm such that the identity of the signatory and integrity of the data can be verified. Signature generation makes use of a private key to generate a digital signature. Signature verification makes use of a public key that corresponds to, but is not the same as, the private key. Each user possesses a private and public key pair. Public keys are obviously known to the public, while private keys are never shared. Anyone can verify the signature of a user by employing that user’s public key. Only the possessor of the user’s private key can perform signature generation. A hash function is used in the signature generation process to obtain a condensed version of data, called a message digest. The message digest is then incorporated into the mathematical algorithm to generate the digital signature. The digital signature is sent to the intended verifier along with the signed message. The verifier of the message and signature verifies the signature by using the sender’s public key. The same hash function must also be used in the verification process. The hash function is specified in a separate standard.

For an HPLC system, are the parameters entered for a chromatographic run considered an electronic record?

For an analytical instrument, any information that is captured by a computerized workstation is considered either data or metadata. (Metadata is described as data-about-data. It’s what puts the real data into logical context.) The second that any information hits the ‘durable media’ it then becomes an electronic record. Parameters that are typically captured by an HPLC system (i.e. flow rate, sample lot #, etc.) are considered metadata. This information should be saved and protected as part of the official electronic record.
