Overview of 21 CFR Part 11 Validation

What is 21 CFR Part 11?

21 CFR Part 11 outlines the federal requirements that help to ensure that electronic records are trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. 

If sponsors or the FDA have questions on Part 11 compliance of any UCSD systems or applications, researchers should contact the Compliance Advisory Services.

Does 21 CFR Part 11 apply to me?

The first step in becoming compliant with the regulations is to determine whether or not you are required to be compliant. The following questions can help lead to the determination:

  1. Is your clinical trial conducted under an approved IND?
  2. Is your clinical trial conducted under an approved IDE?
  3. Does your grant specify that your computer systems must comply with 21 CFR Part 11 or similar requirements?

If you answered yes to any of these questions, your electronic systems of record that are being used to meet predicate rules are required to comply with 21 CFR Part 11.

The second step of the process is to identify the computer systems you are using in your clinical trial.

Addressing the following can help identify all of the computer systems associated with your trial:

  1. Are you using an outside laboratory for laboratory analysis?
  2. If so, is the laboratory accredited?
    • If the laboratory is not accredited, assurance should be required in regard to the data quality
  3. Are you using a UCSD laboratory for analysis?
    • If yes, the instruments being used should be compliant
  4. Are you entering data directly into an electronic database?
    • If yes, the database must be compliant
  5. Are you entering data (from paper) into an electronic database?
  6. Are you using electronic logs?
    • If yes, then the logs must be compliant

Please Note: Not validating your electronic system(s) of record may result in regulatory citations. If you have any questions or concerns about your system, it is highly recommended that you contact the Compliance Advisory Services for assistance.

Last updated: 20 Mar 2019

What software features are necessary to be 21 CFR Part 11 compliant?


  • Define which individuals shall have access to the software - a current list shall always be available
  • Define what the user roles are for the software (i.e. administrator, data entry, approver, etc.) and what each role can do
  • Access to software shall require each user to have a unique username and password
  • A defined number of incorrect login attempts shall lock the user from the software
  • A defined time of inactivity shall lock the software for a given user

Audit Trails

An audit trail shall be implemented that allows a means to reconstruct data modification.

The audit trail shall include: the name of the user that made the entry, what was changed (not obscuring the original value), the date and time of change and the reason for change.

Electronic Signatures/Digital Signatures

If electronic signatures will be used, they must include the following:

  1. Name of signer
  2. Time and Date of signature
  3. Meaning of signature

Note: An electronic signature consists of two components: id code (username) and password.  This is different than the initial login to the software.


Users must have the ability to obtain meaningful data from the software.

Software Workflow

The software shall be designed in such a way that a logical process workflow is incorporated (i.e. you are unable to approve until all required pieces are completed).

Record Protection

Data must be backed up on a regular basis

Standard Operating Procedures

  1. Standard Operating Procedures ensure the consistent use of the software
  2. Procedures should be developed on how the software will be used for a specific task
  3. Procedures shall also be developed for administrative functions of the software: how to add users, etc.
  4. Procedures should also be developed for activities that happen outside of the software in order to ensure the most accurate data


Training should be documented to verify that only trained individuals are using the software.


A quality validation methodology shall be used to ensure the system (software, people, etc) is performing as intended.  It is important to understand that you are validating a SYSTEM and not just the software.

If you have any questions or concerns about your system, it is highly recommended that you contact Compliance Advisory Services for assistance.
Last updated: 20 Mar 2019

Information and Tools for Validating a System

Validation Plan

The Validation Plan is a document that outlines the process that will be used for validating a specific system. The plan will discuss the specific risk of the system and outline the documents that will be written (how many SOPs). Example template

Functional Requirements

These documents will outline the specific requirements of a system. Typical items covered in a Functional Requirements documents are: User Roles, User Access, Process Workflow and 21 CFR Part 11 Requirements (Audit Trail, Electronic Signature). Example template

These documents are crucial to a successful system validation. Requirements must be written concisely represented. The example below uses content for an Audit Log:

Audit Log report

  •  User that made the change
  •  Reason for change
  •  Previous Value
  •  New Value
  •  Date/Time of Change

Server Requirements

This document will outline the necessary hardware and architecture for a system.

Design/Configuration Document

A Design/Configuration Document will outline how the specific software was designed and include any specific configuration. Example template

Installation Qualification

Installation Qualification verifies Server Requirements were met and also verifies the Design/Configuration of the software. Example template

Operational/Performance Qualification

This document "tests" the Functional Requirements document. It will include challenge testing. It is important to ensure all error messages display as necessary. This testing also ensures the workflow is as intended. Example template

Final Validation Report

The Final Validation Report summarizes the testing (including deviations) and is used to release the software for production use. Example template

Change Control

After validation has been completed, all changes to the system must be maintained through a change control process. Here are example templates of information necessary for a compliant change control process:

More references for validating systems and 21 CFR Part 11

If you have any questions or concerns about your system, it is highly recommended that you contact Compliance Advisory Services for assistance.

Last updated: 20 Mar 2019

Related Tools, Guidance and Templates

If you have any questions or concerns about your system, it is highly recommended that you contact Compliance Advisory Services for assistance.
Last updated: 20 Mar 2019
Last updated: 20 Mar 2019