21 CFR Part 11 Compliance
Electronic records and signatures under 21 CFR Part 11
For FDA-regulated clinical trials: audit trail, electronic signatures, access controls, and system validation. How Trialinx meets each subsection.
21 CFR Part 11 — Electronic Records; Electronic Signatures · United States (global FDA)
What is 21 CFR Part 11
21 CFR Part 11 is the FDA regulation that sets criteria for electronic records and electronic signatures to be equivalent to paper records and handwritten signatures in FDA-regulated contexts like clinical trials, pharmaceutical manufacturing, and medical devices.
Since 2003 FDA has applied a risk-based approach (Scope and Application Guidance), meaning Part 11 applies to systems producing records required by predicate rules (21 CFR 312, 812, etc.). For modern EDCs this means audit trail, access controls, electronic signatures, and validation.
Applicable subsections
§11.10(a) — Validation
The system must be validated to ensure accuracy, reliability, and consistency of electronic records.
§11.10(b) — Ability to generate copies
The system must generate accurate copies of electronic records in both human-readable and electronic inspection-ready formats.
§11.10(c) — Records protection
Records must be protected to enable accurate retrieval throughout the retention period.
§11.10(d) — Access limitation
System access must be limited to authorized individuals through technical controls.
§11.10(e) — Audit trail
Secure, computer-generated, timestamped audit trail recording creations, modifications, and deletions without overwriting previous information.
§11.200 — Electronic signatures
Signatures bound to the signer (non-reusable), with at least two identification components and timestamps.
How Trialinx meets it
- ✓ Secure audit trail with 7 datapoints, UTC timestamps, indefinite retention — §11.10(e)
- ✓ CSV/JSON audit trail export, human-readable — §11.10(b)
- ✓ Old and new values kept on every modification (no overwrite) — §11.10(e)
- ✓ Role-based access with optional 2FA authentication — §11.10(d) + §11.10(g)
- ✓ System validation documentation available for sponsors (Institutional) — §11.10(a)
- ✓ Dual-component electronic signature capability (password + 2FA) on critical endpoints in Institutional tier — §11.200
- ✓ Segregation of duties on published form changes (any change = new version) — §11.10(h)
- ✓ Records protected and retrievable with indefinite retention — §11.10(c)
Shared responsibility
Part 11 compliance requires both a capable system and an organization that uses it correctly. Trialinx provides the technical capabilities. The sponsor / investigator is responsible for:
- Conducting a risk assessment on which records fall under Part 11 scope
- Documenting SOPs for system use
- Training staff on electronic signatures and responsibilities
- Completing use-specific qualification / validation (IQ/OQ/PQ) if required
- Maintaining signature credential integrity (no sharing)
- Archiving records after study closure per their policy
Frequently asked questions
Is Trialinx 'validated' for Part 11?
Trialinx is developed under a software validation lifecycle with automated testing and documented change reviews. For full compliance on a specific study, sponsors can request a validation package (Institutional).
Is biometric electronic signature supported?
We currently support dual-component electronic signatures (password + 2FA). We don't use in-browser biometrics. Qualified electronic signatures can be integrated for specific Institutional cases.
Can administrators modify the audit trail?
No. The audit trail is append-only. Neither admins nor the study owner can edit or delete existing entries. Corrections are made by creating new entries that reference the original.
What if the study is under EMA instead of FDA?
The same technical safeguards cover the equivalent requirements of EudraLex Annex 11 (EU GMP) and ICH E6(R2). The main differences are documentation and terminology.
Need the package for your ethics committee or DPO?
Contact us and we'll send all the documentation your ethics committee or data protection officer needs.