Inferensys

Glossary

21 CFR Part 11

The FDA regulation that establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
ELECTRONIC RECORDS AND SIGNATURES

What is 21 CFR Part 11?

The FDA regulation establishing criteria for trustworthy electronic records and signatures in regulated environments.

21 CFR Part 11 is the FDA regulation that establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. It applies to all FDA-regulated industries, including pharmaceutical and medical device manufacturers, defining the technical and procedural controls required when using electronic systems in place of paper documentation.

Compliance requires audit trails that securely record operator entries and actions, authority checks to ensure only authorized individuals access the system, and device checks to validate data input. For Software as a Medical Device (SaMD) and diagnostic AI platforms, Part 11 compliance is integral to the Quality Management System (QMS), ensuring that clinical validation data and design history files maintain legal standing.

REGULATORY COMPLIANCE

Frequently Asked Questions

Clear answers to the most common questions about 21 CFR Part 11 compliance for software as a medical device and diagnostic AI systems.

21 CFR Part 11 is the FDA regulation that establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. For Software as a Medical Device (SaMD), this regulation applies whenever the software creates, modifies, maintains, archives, retrieves, or transmits electronic records that are required by FDA predicate rules—such as the Quality System Regulation (21 CFR Part 820). Diagnostic AI systems that generate patient reports, log algorithmic outputs, or capture clinician electronic signatures must implement audit trails, authority checks, and device checks to ensure data integrity. The regulation does not mandate specific technologies but requires that closed systems (those controlled by the same entity) implement procedural controls, while open systems (those exchanging data across organizational boundaries) add encryption and digital signature standards.

ELECTRONIC RECORDS IN REGULATED SOFTWARE

How 21 CFR Part 11 Controls Apply to SaMD

21 CFR Part 11 establishes the FDA's criteria for accepting electronic records and signatures as equivalent to paper records, directly impacting the design of audit trails and access controls in Software as a Medical Device.

For Software as a Medical Device (SaMD), Part 11 compliance mandates that all electronic records created, modified, or stored by the software must be demonstrably trustworthy. This requires implementing technical controls such as unique user identification, authority checks, and secure, computer-generated, time-stamped audit trails that independently record the date, time, and operator of every entry or action that creates or alters a regulated record.

The regulation also governs the application of electronic signatures, requiring that they be linked to their respective records to prevent falsification. In a SaMD context, this means the software architecture must include device checks to validate the source of data input and operational system checks to enforce permitted sequencing of steps, ensuring that a diagnostic output or clinical decision support log cannot be repudiated or altered without detection.

Electronic Records & Signatures

Core Requirements of 21 CFR Part 11

The foundational regulation establishing the criteria under which the FDA considers electronic records and signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures.

01

System Validation

Establish documented evidence providing a high degree of assurance that a system consistently produces results meeting predetermined specifications. This is not a one-time event but an ongoing process.

  • Objective: Prove the system is fit for its intended use in a production environment.
  • Key Activities: Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).
  • Requirement: Validation must occur before the system is used to process regulated records.
02

Audit Trails

Secure, computer-generated, time-stamped electronic records that independently record the date and time of operator entries and actions that create, modify, or delete electronic records.

  • Immutability: Audit trail records cannot be modified or deleted by the operator.
  • Granularity: Must capture the who, what, and when of every data change, including the original value and the new value.
  • Retention: Audit trails must be retained for at least as long as the associated electronic records are required.
03

Operational & Authority Checks

Implement technical and procedural controls to limit system access to authorized individuals and ensure that only qualified personnel perform specific actions.

  • Access Control: Use unique user IDs and password/PIN combinations or biometric verification.
  • Authority Levels: Define roles and privileges to segregate duties (e.g., a technician who runs a test cannot also approve the result).
  • Device Checks: Validate the source of data input (e.g., a specific instrument) to ensure data integrity from the point of origin.
04

Device & Terminal Checks

The system must be able to determine the validity of the source of data input. This ensures data integrity from the moment of acquisition.

  • Instrument Authentication: The system verifies that data is being received from a legitimate, authorized laboratory instrument or terminal.
  • Data Integrity: Prevents unauthorized or uncalibrated devices from injecting data into the regulated record system.
  • Context: This is critical for SaMD that ingests data directly from DICOM modalities or laboratory information systems.
05

Electronic Signature Manifestations

Electronic signatures must be linked to their respective electronic records in a way that prevents removal, copying, or transfer to falsify a record.

  • Non-Repudiation: The signature must be unique to one individual and not reusable by anyone else.
  • Display Requirements: Any human-readable form of the record (e.g., a printed report) must clearly display the signer's printed name, the date/time of signing, and the meaning of the signature (e.g., review, approval, authorship).
  • Biometric Option: A method of verification based on the measurement of a unique physical characteristic (e.g., fingerprint, retinal scan) is explicitly permitted.
06

Record Retention & Availability

Persons must retain electronic records in a manner that protects them for the entirety of their required retention period and ensures they are readily available for FDA inspection.

  • Instant Retrieval: Records must be retrievable in both human-readable and electronic form suitable for FDA review and copying.
  • Data Integrity: The storage system must protect records from alteration, degradation, or loss through hardware failures or software obsolescence.
  • Archival Strategy: This often requires a formal data migration and backup strategy to ensure long-term readability, especially for proprietary medical image formats.
REGULATORY COMPARISON

21 CFR Part 11 vs. EU Annex 11

A comparison of the FDA and EU requirements for electronic records and electronic signatures in regulated GxP environments.

Feature21 CFR Part 11EU Annex 11Both

Jurisdiction

United States (FDA)

European Union (EMA)

Scope

Electronic records and signatures

Computerized systems in GxP

Risk-based validation required

Audit trail for data changes

Electronic signature legally binding

Periodic system review mandated

Supplier/service provider oversight

Data archival and retrieval requirements

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.