21 CFR Part 11

Protect & secure digital records & signatures

21 CFR Part 11 Requirements.

cGMP mandates that a history of all significant printed production parameters is retained.  21 CFR Part 11, details the mandated requirements for all such data produced electronically.

21 CFR Part 11 was not among the earliest of quality related regulations imposed on the drug and medical device manufacturing industries.  That honor was bestowed on the compulsory retention of samples of every batch of production along with all the individual critical manufacturing records of these batches.  This meant all process manufacturing equipment had to be equipped with sensors that would record each of the critical process parameters.  These 21 CFR Part 11 records were mainly created by the use of chart recorders and the final chart recorder log sheet became one of the main critical records of manufacture.  So your retention production records would include all these machine log sheets along with the process instructions (SOP’s) the operators worked to; and the certification records of the individual batch raw materials. All these records were required to be stored in accordance with 21 CFR Part 11 requirements.

Most of these log sheets were issued with part numbers and individual serial numbers and were; as blank sheets, treated as, 21 CFR Part 11 controlled documents.  After use they were signed off by the operator, their supervisor and usually QA, prior to being accepted as an official production record.  This rendered these documents as fairly robust records of production.  Illicit alterations were quite easy to spot - inks dried differently - hand writing varied enormously - access to the documents was controlled and all corrections or alterations needed a supervisors counter signature. That was the situation for many years and where someone did try to make illegal alterations it was usually quickly recognized as such.

Through the eighties and nineties the progressive introduction and use of computer controlled and computer managed equipment meant that 21 CFR Part 11 records were being produced electronically and held in volatile memories; ready for downloading into a hard copy format that would act as the requisite record.  It was quickly recognize by the regulators that this record was not secure, as the data was open to adulteration all the time it was held in the volatile memory and even after it was printed out into hard copy.  The robustness of the production record had been lost and the requirement for a more secure way of obtaining and storing cGMP mandated data had arrived. Therefore the record must be immediately printed out in hard copy that is designed to be as robust as the original record, or it must be retained in a protected memory that has been designed to be compliant with the requirements of 21 CFR Part 11.

So the whole intention of 21 CFR Part 11 is to ensure that the predicated retention records are held in a format and system that renders unauthorized editing and deletion to impossible.  Further requirements mandate security of  access to the records and a bibliography of amendments

21 CFR Part 11 Procurement Initiation

The security and integrity of all cGMP mandated data is detailed in 21 CFR Part 11.

The procurement process normally starts with the production of a documented requirement or group of requirements. For existing facilities this should take the form of a Change Request (CR). As soon as management has agreed to proceed with the CR, approval should be issued to produce a Validation Online Plan (VP). This plan must be all encompassing. It must give assurance that all aspects of the proposed CR have been studied and the CR impact on existing facilities, utilities, product, personnel and 21 CFR Part 11 requirements have been defined and incorporated. 

A fully detailed User Requirements Specification (URS) can now be authored reviewed and published. Since developing the URS may raise problems that could not be anticipated when the VP was raised; a VP review is required to ensure all aspects of the final approved URS are fully catered for.

With the URS defined and the Validation Plan (VP) in development Validation Risk Assessment (VRA) must be authored and executed to establish the scope and depth of validation that is appropriate for this equipment. This information must be published in the VP and used as the authority for all protocol development Functional Specifications (FS) and or Design Specification (DS), are available they should be reviewed and referenced in the VP. Where these documents are not available a DS or FS may have to be retrospectively developed.

When the DS or FS that is to be used are defined, a approved Design Qualification (DQ). The execution of this DQ must verify that the proposed design will;

  • Perform as specified in the URS.
  • Conform to all mandated cGMP requirements.
  • Operate in a manner safe to the product, and the operations staff.

The installation of each validatable item and or system must be subjected to, and satisfy, a approved Installation Qualification (IQ) protocol. Details of the scope of the IQ, responsibilities for generating, reviewing and approving of this Validation Online document must all be documented in the VP.

When the requirements of the 21 CFR Part 11 Installation Qualification protocol have been satisfied, all aspects of the operational capabilities of each system must be fully challenged and verified by the execution of a approved Operational Qualification OQ) protocol. As with the IQ; OQ scope and details of the persons responsible for generating, reviewing and approving of this document will be documented in the VP.

As soon as 21 CFR Part 11 protocols; compliance with 21 CFR Part 11 requirements (usually included in the OQ) and have been been reviewed and approved, a approved Performance Qualification (P1Q) protocol or Process Qualification P2Q) (this requirement will be documented in the VP) must be issued for execution. The execution of this PQ must verify that the system performance requirements, as specified in the URS; including 21 CFR Part 11 compliance, have been achieved, and that the system operates in a manner safe to the product and production personnel.

If there are predicate rules that require a

signature to be applied, and this signature is

applied electronically or digitally, then 21 cfr part 11

controls must be applied.

Just what does 21 CFR Part 11 apply to?  It has become obvious to all persons who use any IT facility that electronic data is extremely easy and simple to manipulate and or corrupt; either knowingly or unknowingly. The regulations contained within protects predicate rule information from such corruption, and gives assurance of the data integrity.

21 CFR Part11 and Protocols.

Validation online protocols such as DQ, IQ, OQ, PQ, along with the associated VMP, URS, VRA, and VP are usually written and reviewed electronically, however they are completed by hand and are manually signed and reviewed, and as such are not subject to 21 CFR Part 11 Review.

On the 21st of October 2005 the US Federal Court decision against FDA in the Utah Medical case. Once and for all affirmed (among other things) that FDA may not adopt "industry standards" as "current" Good Manufacturing Practices (cGMP's) by fiat or Guidance. In order to be an action-able item, a practice or procedure requirement must be specifically mandated within CFR's.......Actual Court Case.Your Hover Marquee Text

21 CFR Part 11 compliance.

One of three approaches can be used by organizations to address the on-going 21 CFR Part 11 compliance requirements throughout the pharmaceutical and medical devices industries.


The regulation still permits the full submission of paper-based documentation. The issues with this approach include high costs, decreased quality, information storage availability, information retrieval ability, and the general portability of information.

Partial Electronic.

The regulation allows for the electronic records to be stored as equivalent to paper records with handwritten signatures executed. This approach still requires a large amount of printed documentation that carries the same risks and challenges as a full-paper approach, mentioned above, regarding compliance with the regulation.


This is the real intent of the 21 CFR Part 11 regulatory requirements. This approach increases product quality, saves money with automation of processes, establishes easy data storage and retrieval, provides ease data analysis and reporting, increases the portability of information, and diminishes or eliminates human error.

21 CFR Part 11 Electronic Records & Signatures.

Regulatory 21 CFR Part 11 Review, states that "the regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and hand-written signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and hand-written signatures executed on paper".

21 CFR Part 11 Reviews.

21 CFR Part 11, Records that are required to be maintained under predicate rules, that are maintained in electronic format.

A 21 CFR Part 11 review is implemented through a combination of compliant software, corporate policy and / or procedures. However the regulations are implemented, they must be accompanied by supporting documentation. The implementation of any FDA  compliant system, whether software, policy or procedure oriented, is not valid without this documentation.

Data contained in documentation such as, the Installation Qualification (IQ), the Operational Qualification (OQ), the Validation Plan and Master Plan (VP & VMP), the Validation-risk-assessment (VRA), the Vendor Audit (VA), the Performance Qualification (P1Q), the Process Qualification (P2Q), the User Requirements Specification (URS), and Standard Operating Procedure (SOP) are normally held in hard copy and not considered as having to be 21 CFR Part 11 compliant.

Software systems used to implement the FDA regulations are the core component of a compliant system. Development of the software must be specifically aimed at satisfying the regulations’ requirements.

FDA specific features must include:-

  • Secure audit log of all user activity and system data.
  • Unique electronic signatures; two distinct components.
  • Automatic signature and record linking.
  • Password ageing.
  • Control of unauthorized access attempts.
  • Version control of electronic documents.
  • Data archiving and retrieval.
  • Accurate time and date stamping.

21 CFR PART 11

Validation Master Plan (Issue 8) -- $115.00

All you need to do is follow the prompts in the attached SOP.  They will take you through the completion process section, by section.  At the end of this process your generic document has progressed into a detailed, referenced, bespoke company document.  The document follows our three level URS system that ensures functionality traceability from the URS to the various testing protocols.  A great document to author and use.  This document interfaces with our Validation Risk Assessment  (VRA), Validation Online Project Plan (VP), User Requirements Specification (URS), giving a seamless flow from your VMP through the VP - IQ - OQ - PQ, while integrating flawlessly with the URS - DQ - VRA and verification of 21 CFR Part 11 compliance.


Validation Plan (Issue 10) -- $93.00

The Validation Plan (VP), is the starting point for any validation Online task, and the most important validation document. It improves validation efficiency greatly by forcing all concerned to document, review, and discuss, the proposed methods and allotted responsibilities. It is a mandated document with regulators and auditors.

While in the past validation was more focused on functions of procedures, recently the focus has progressed into infrastructure, networked systems and on security, authenticity and integrity of data acquired and evaluated by systems and data security, i.e. compliance with 21 CFR Part 11.

  Validation Risk Assessment (Issue 11)  $125.00

This is a robust and simple to execute document, one that will lead you through the process and deliver a result that can be used as the foundation for your validation activities. The VRA now includes the assessment table for categorizing and documenting the new 21 CFR Part 11 guidance ruling on what predicate data must be stored in a Part compliant system, along with the new broadsheet to establish your new database of 21 CFR Part 11 records. (now mandatory).


User Requirements Specification (Issue 8)  $115.00

This document was designed to be used as a live document up until the DQ is completed and approved.  It uses three levels of URS, URS Level 1, 2 and 3, and is the only URS to guarantee traceability from the URS through to the final PQ and OQ functionality testing.  A mandatory requirement for Full Life Cycle Validation of computer systems that are the subject of predicate rules such as 21 CFR Part 11 compliance.  It can be used on mechanical, electrical and software controlled, monitored or driven systems


Installation Qualification.  (Issue 9.) -- $115.00

The SOP used to generate this IQ, takes you through the process line by line, chapter by chapter. It really is unique to find a SOP document so easy to use, all the work is done for you. All the documents are detailed, all the drawings listed and all the checks and tests detailed. The final product is a professional and comprehensive Installation Qualification Protocol from Validation Online. One that you can produce in less than 60 minutes and that includes 21 CFR Part 11 verification. Yes, think about it, we all know how long producing IQ documents has taken in the past. There is now no reason for not being able to produce 4 to 8, IQ protocols per 8 hour day.


Operational Qualification, (Issue 10.) -- $115.00

You will find the step by step attached SOP delightfully simple and straightforward to use, as it takes you through the process of customization of your Operational Qualification Protocol template. Following the attached SOP will quickly and smoothly convert your template into an equipment specific Operational Qualification Protocol. The OQ template comes complete with all the standard test scripts, more specialist test scripts including 21 CFR Part  11 compliance. These can easily be pasted into the standard OQ, allowing you to quickly build your own fully detailed and referenced company bespoke Operational Qualification Protocol.