21 CFR Part 11 Compliant Software Development

Building Software That Meets FDA Electronic Records Requirements

21 CFR Part 11 is the FDA regulation governing electronic records and electronic signatures in the pharmaceutical, biotech, and medical device industries. First published in the Federal Register on March 20, 1997, it established the criteria under which the FDA considers electronic records and electronic signatures to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures. For any organization developing or deploying computerized systems that create, modify, maintain, archive, retrieve, or transmit records required under any FDA predicate rule, Part 11 compliance is not optional. It is the regulatory foundation upon which all GxP software systems must be built.

The regulation comprises three subparts. Subpart A (General Provisions) defines the scope and applicability of the regulation. Subpart B (Electronic Records) specifies the controls required for closed and open systems. Subpart C (Electronic Signatures) details requirements for electronic signatures and their components. Together, these subparts create a comprehensive framework that dictates how pharmaceutical software must handle data creation, modification, storage, retrieval, and authentication. Our software development practice is built from the ground up to satisfy every technical requirement of this regulation while also addressing the broader data integrity expectations from the FDA's Data Integrity and Compliance guidance, EU Annex 11, and international regulatory expectations.

The consequences of non-compliance are severe and well-documented. The FDA's warning letter database contains hundreds of citations related to electronic records and data integrity failures. Form 483 observations for data integrity issues have increased dramatically over the past decade, reflecting the FDA's intensified focus on electronic systems. Organizations that fail to implement proper Part 11 controls risk regulatory action that can delay product approvals, halt manufacturing operations, and damage market reputation. Building compliance into the software architecture from inception is orders of magnitude more cost-effective than remediating non-compliant systems after deployment.

Section 11.10 -- Controls for Closed Systems

Section 11.10 is the core of Part 11, establishing the baseline controls that every closed system must implement. A closed system is one where access is controlled by the persons responsible for the content of electronic records on that system. Most pharmaceutical software systems qualify as closed systems. The regulation specifies eleven distinct control requirements:

• 11.10(a) -- System validation: Systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. In practice, this means every Part 11 system requires a validation plan, documented requirements, executed test protocols (IQ/OQ/PQ or equivalent under CSA), and a validation summary report. We build our systems with automated regression testing that can be executed as part of ongoing validation.
• 11.10(b) -- Generating accurate and complete copies: The system must be able to generate accurate and complete copies of records in both human-readable and electronic form suitable for inspection, review, and copying by the agency. We implement export functionality that produces PDF reports, CSV data extracts, and structured XML/JSON outputs that include all metadata, audit trail entries, and electronic signature information.
• 11.10(c) -- Record protection: Records must be protected throughout their required retention period to enable accurate and ready retrieval. This requires database-level encryption at rest, backup and disaster recovery procedures with tested restoration, and data archival strategies that account for technology obsolescence.
• 11.10(d) -- System access limitation: Access must be limited to authorized individuals. We implement role-based access control (RBAC) with the principle of least privilege, mandatory authentication before any system interaction, automatic session timeout, account lockout after failed authentication attempts, and formal user provisioning and deprovisioning workflows that require quality unit approval.
• 11.10(e) -- Audit trails: Computer-generated, time-stamped audit trails must independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Audit trail information must not obscure previously recorded information, must be retained for a period at least as long as the subject electronic records, and must be available for agency review and copying. Our audit trail implementation uses immutable append-only storage with cryptographic integrity verification.
• 11.10(f) -- Operational system checks: The system must use operational checks to enforce permitted sequencing of steps and events. We implement workflow engines that enforce defined business processes, prevent out-of-sequence operations, and require prerequisite conditions before allowing progression through regulated workflows.
• 11.10(g) -- Authority checks: The system must use authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
• 11.10(h) -- Device checks: Use of device checks to determine validity of data input sources or operational instruction sources. For systems with instrument integration, we implement device identification, calibration status verification, and data source authentication.
• 11.10(i) -- Personnel training: Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. We build training acknowledgment tracking and competency verification directly into our systems.
• 11.10(j) -- Written policies: Establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures. We provide SOP templates and policy frameworks as part of every system deployment.
• 11.10(k) -- Documentation controls: Use of appropriate controls over systems documentation including adequate controls for distribution, access, and use of documentation for system operation and maintenance.

Sections 11.100, 11.200, 11.300 -- Electronic Signature Controls

Section 11.100 establishes general requirements: each electronic signature must be unique to one individual and not reused by or reassigned to anyone else. Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, the organization must verify the identity of the individual.

Section 11.200 specifies that non-biometric electronic signatures must employ at least two distinct identification components (such as an identification code and password), that the first use in a continuous session must use both components, and that all subsequent uses may use one component. It also requires that the identification code and password issuance be periodically checked, recalled, or revised.

Section 11.300 provides controls for identification codes and passwords: they must be maintained with uniqueness so no two individuals share the same combination, they must be periodically revised, and procedures must be in place for electronically deauthorizing lost or compromised credentials and for detecting unauthorized use. We implement all of these through our identity management module with enforced password complexity, expiration policies, multi-factor authentication options, and real-time anomaly detection for unusual authentication patterns.

Computer Software Assurance: The Modern Approach to GxP Validation

The FDA's Computer Software Assurance (CSA) guidance, first issued as a draft in September 2022 and finalized in September 2024, represents a fundamental shift in how the agency expects regulated organizations to validate computerized systems. Moving away from the documentation-heavy approach of the 2002 General Principles of Software Validation, CSA emphasizes risk-based testing, critical thinking, and assurance activities proportional to the risk the software poses to patient safety and product quality.

The core principle of CSA is that validation effort should be commensurate with risk. Software features that directly affect patient safety, product quality, or data integrity (GxP-critical functions) warrant rigorous, documented testing including scripted test protocols with pre-defined expected results and acceptance criteria. Lower-risk features that support operational efficiency but do not directly impact GxP outcomes can be assured through unscripted testing approaches such as exploratory testing, ad hoc testing, or error guessing. This risk stratification, aligned with ISPE GAMP 5 Second Edition risk assessment methodologies and ICH Q9(R1) quality risk management principles, can reduce validation timelines by 40-60% while actually improving the quality of testing.

Our development methodology integrates CSA principles from project inception. During the requirements phase, we conduct a risk assessment that classifies each requirement as high, medium, or low impact to GxP. This classification drives the testing strategy: high-impact requirements receive scripted protocol testing with formal deviation management, medium-impact requirements receive a combination of scripted and unscripted testing, and low-impact requirements are addressed through unscripted exploratory testing. This approach is fully consistent with PIC/S PI 011-3 guidance on computerized systems in GxP environments and the ISPE GAMP Records and Data Integrity Guide.

Your Part 11 Compliance Lead

Adrien Laurent, Founder & Principal Engineer

• 25+ years of enterprise software development in regulated industries
• Deep expertise in 21 CFR Part 11, EU Annex 11, and GAMP 5 validation
• Specializes in audit trail architecture, electronic signatures, and data integrity controls
• Builds GxP-compliant software systems for pharmaceutical and biotech companies daily

Cloud Qualification for GxP Systems

The migration of GxP systems to cloud infrastructure introduces additional qualification requirements beyond traditional on-premise validation. Cloud service providers (CSPs) operate on a shared responsibility model where the provider is responsible for the security and availability of the cloud infrastructure, while the regulated organization retains responsibility for the compliance of the application and data.

Our cloud qualification process begins with a CSP assessment that evaluates the provider against pharmaceutical industry requirements. We verify that the CSP maintains current ISO 27001 certification for information security management, SOC 2 Type II attestation covering security, availability, processing integrity, confidentiality, and privacy, and CSA STAR registration demonstrating cloud-specific security controls.

The qualification protocol documents the CSP assessment findings, maps each Part 11 requirement to the responsible party (CSP or customer), verifies that CSP-managed controls are independently audited, and establishes ongoing monitoring procedures. Encryption requirements for open systems under Section 11.30 are satisfied through TLS 1.3 for data in transit and AES-256 for data at rest, with customer-managed encryption keys where required for maximum control.

For organizations operating under multiple regulatory frameworks, we ensure cloud deployments simultaneously satisfy EU Annex 11 requirements, MHRA expectations for data hosted by third parties, and ICH Q10 pharmaceutical quality system requirements.

Data Migration Under Part 11: Maintaining Compliance During System Transitions

Migrating data between pharmaceutical systems is one of the most risk-laden activities in IT, and doing so while maintaining Part 11 compliance requires a rigorous, validated approach. Data migration is not simply an IT project; it is a regulated activity that must be planned, executed, documented, and verified with the same rigor as any other GxP process. The ISPE GAMP 5 framework provides guidance on data migration within the context of system lifecycle management, and the GAMP Records and Data Integrity Guide specifically addresses the requirements for maintaining data integrity during migration.

Our data migration methodology follows a structured protocol that begins with a comprehensive data inventory. We catalog every data element in the source system, including records, metadata, audit trail data, electronic signatures, and system configuration data. A data mapping document specifies how each source element maps to the target system, identifying any transformations, format changes, or structural differences.

Migration validation includes multiple verification activities. Automated record count reconciliation confirms that all records were transferred. Field-level data comparison using cryptographic checksums verifies data integrity at the individual value level. Referential integrity verification confirms that relationships between records are preserved. Audit trail continuity verification ensures that the historical record of data changes is maintained. Electronic signature linkage confirmation verifies that signed records remain properly linked to their signatures in the target system.

Legacy data presents a particular challenge. When a source system is being retired but its data must remain accessible for the full predicate rule retention period, organizations have several options: migrating all data to the new system, maintaining the legacy system in a read-only state, or creating a qualified data archive. We assess each situation and recommend the approach that best balances compliance risk, cost, and operational needs, always ensuring that the chosen approach satisfies the record protection and retrieval requirements of Section 11.10(c).

Periodic Review and System Retirement

Validation is not a one-time event. Maintaining the validated state of a Part 11 system requires ongoing periodic review activities that verify the system continues to operate as intended and that all compliance controls remain effective. The ISPE GAMP 5 Second Edition recommends periodic reviews at least annually for GxP-critical systems, with the frequency determined by the system's risk classification. EU Annex 11 Section 11 explicitly requires periodic evaluation to confirm that systems remain in a validated state.

We build periodic review capabilities directly into our systems. Automated compliance dashboards provide real-time visibility into the health of all Part 11 controls. Specific review activities include: user access review (verifying that all active accounts are appropriate), audit trail integrity verification (confirming that audit trail records have not been tampered with using cryptographic checksums), backup and restore testing (executing and documenting a test restoration from backup media), change control review, security incident review, performance review, and environmental review.

When a system reaches end of life, a formal decommissioning protocol ensures that data integrity is maintained through the transition. The decommissioning process includes data disposition planning, data migration or archival execution per validated protocols, verification that archived data remains accessible and readable, formal documentation of the retirement decision and approval by the quality unit, and removal of all system access. Records subject to 21 CFR 211.180 must be retained for at least one year after the expiration date of the last batch manufactured under those records, which can extend decades beyond system retirement.