
FDA 21 CFR Part 11

Purpose

To ensure electronic records and electronic signatures are trustworthy, reliable, and equivalent to paper records and handwritten signatures in FDA-regulated environments.

Key Requirements for Compliance

| Category | What Circularo must demonstrate |
| --- | --- |
| System Validation | Documented proof that the system works as intended and produces accurate, reliable results. |
| Electronic Signatures | Must be unique to each user, verifiable, and linked to the signed record. Signature/approval meaning (e.g., “approval,” “review”) must be captured. |
| User Authentication | Unique user IDs and secure passwords; multi-factor authentication recommended. |
| Audit Trails | Secure, computer-generated audit trails tracking the creation, modification, or deletion of records, with date/time stamps. |
| Record Protection | Records must be readable, retrievable, and protected from alteration throughout the retention period. |
| Operational Controls | Procedures for system access, revision control, data backup, and authority checks. |
| Training & Policies | Documented training for users, written policies stating that electronic signatures are legally binding. |

Who Audits 21 CFR Part 11 Compliance

  • The FDA (U.S. Food and Drug Administration) is the primary enforcement body.

  • It audits regulated companies (pharma, biotech, medical device manufacturers), not typically the software vendor directly.

  • However, those companies are required to ensure that any third-party system (like Circularo) is validated and compliant, which means they may audit the vendor as part of their supplier qualification process.

There is no “Part 11 certificate” issued by the FDA.
Compliance is demonstrated through documentation, validation records, and system controls.

Typical Vendor Documentation for Compliance

To support client audits and regulatory requirements, Circularo can provide or facilitate:

  • System Validation Package (IQ/OQ/PQ or equivalent validation evidence)

  • Technical & Security Overview

  • Audit Trail Samples

  • Data Retention & Backup Policy

  • Access Control & Authentication Policy

  • Change Control Procedures

  • Training & SOP Documentation

  • Statement of Compliance (Part 11 alignment)

Annex 11 & 21 CFR Part 11 Compliance Mapping for Circularo

| Compliance Area | How Circularo Demonstrates Compliance | Applicable Regulation(s) |
| --- | --- | --- |
| 1. System Validation (IQ/OQ/PQ) | Validation documentation confirming installation (IQ), operational (OQ), and performance (PQ) requirements are met. Includes functional tests, electronic signature validation, and audit-trail verification. | Annex 11 §4 |
| 2. Access Control & Authentication | Role-based access, secure login with unique user IDs, password complexity rules, optional MFA, session-timeout policies, and revocation controls. | Annex 11 §12 |
| 3. Audit Trails | Immutable, time-stamped logs automatically recording all key user and system actions (sign, modify, delete, export). Audit data is tamper-evident and exportable for inspection. | Annex 11 §9 |
| 4. Electronic Signatures | Signatures uniquely linked to individual users and bound to signed content via cryptographic hash; capture of signer identity, date/time, and intent (“Approved”, “Reviewed”, etc.). | Annex 11 §14 |
| 5. Record Protection & Integrity | Encrypted storage, version control, checksums, and restricted deletion rights ensure authenticity and long-term readability of records. | Annex 11 §8 |
| 6. System Security & Data Privacy | HTTPS/TLS encryption in transit, AES encryption at rest, access logging, periodic vulnerability scans, and GDPR-compliant processing. | Annex 11 §7 |
| 7. Change Control & Configuration Management | Formal change-management process; all configuration or feature changes are documented, tested, and approved before release. | Annex 11 §1–2 |
| 8. Training & SOPs | Documented procedures for validation, security, backup, and incident response; staff training records maintained to ensure competence. | Annex 11 §2 |
| 9. Vendor & Supplier Qualification | Circularo provides quality documentation and security policies for customer supplier-qualification or vendor-audit programs. | Annex 11 §3 |
| 10. Audit & Inspection Support | Platform offers exportable logs, configuration documentation, and validation evidence to support client GMP/FDA audits. | Annex 11 §9–14 |
| 11. Electronic Record Retention & Retrieval | Archived documents remain retrievable and readable for the full retention period defined by the customer; integrity verification ensures authenticity. | Annex 11 §8 |
| 12. Statement of Compliance | Vendor can issue a signed statement summarizing adherence to Annex 11 and 21 CFR Part 11 principles; supports clients’ validation packages. | Annex 11 |

Auditing & Certification

| Regulation | Primary Audit/Inspection Body | Audit Approach |
| --- | --- | --- |
| EU Annex 11 | EU GMP authorities - e.g. EMA, MHRA, BfArM, AIFA | Verified during GMP inspections of pharma manufacturers; vendor audited by client QA/compliance teams. No central certificate issued. |
