
FDA 21 CFR Part 11 Checker

FDA 21 CFR Part 11 establishes requirements for electronic records and electronic signatures in FDA-regulated industries. This tool evaluates your compliance across electronic signatures, audit trails, system validation, access controls, and record retention to ensure your systems meet FDA requirements.

Jurisdiction: United States · 23 questions · 5 categories

Electronic Signatures (22 pts)

Assessment of electronic signature uniqueness, authentication, and linkage requirements.

Q1 (critical, 6 pts): Are electronic signatures in your system uniquely tied to a single individual and never shared, reused, or reassigned to another person?

Q2 (critical, 5 pts): Before a user executes an electronic signature, does the system require entry of both a unique user ID and a password (or biometric) at the time of signing?

Q3 (critical, 5 pts): Does each electronic signature record include the printed name of the signer, the date and time of signing, and the meaning of the signature (e.g., approval, review, authorship)?

Q4 (critical, 4 pts): Are electronic signatures permanently linked to their respective electronic records such that the signature cannot be copied, detached, or transferred to falsify another record?

Q5 (high, 2 pts): For non-biometric signatures, do you require at least two distinct identification components, with continuous session signing using at least one component per subsequent signature?
© 2026 VertiComply. All rights reserved.


About the FDA CFR 11 Compliance Checker

The FDA 21 CFR Part 11 Compliance Checker evaluates electronic records and electronic signatures controls per 21 CFR Part 11, applicable to FDA-regulated software systems used in pharmaceutical, biotech, medical device, and clinical research contexts. The 23 questions cover the four pillars of Part 11: predicate rule compliance, electronic records integrity, electronic signatures, and audit trails. Part 11 is risk-based: FDA's 2003 guidance clarified that the agency exercises enforcement discretion based on the criticality of the system to product quality and safety. The score reflects the controls FDA inspectors most consistently cite in 483 observations and warning letters — open systems lacking encryption, inadequate audit trails, and insufficient validation account for the majority of Part 11 findings.

What this FDA CFR 11 assessment covers

The 23-question assessment scores 100 points across 5 weighted categories. Each category reflects a distinct FDA CFR 11 control domain.

Electronic Signatures · 22 pts · 5 questions

Assessment of electronic signature uniqueness, authentication, and linkage requirements.

Audit Trails · 24 pts · 5 questions

Evaluation of computer-generated audit trail completeness, independence, and retention.

System Validation · 22 pts · 5 questions

Assessment of computerized system validation documentation and change control.

Access Controls · 18 pts · 5 questions

Evaluation of authority checks, user management, and system administration controls.

Record Retention & Integrity · 14 pts · 3 questions

Assessment of electronic record preservation, retrievability, and integrity controls.


Common FDA CFR 11 compliance gaps

The patterns we see most frequently in FDA CFR 11 self-assessments and remediation work. Each is the kind of finding an auditor flags first.

Validation is incomplete or undocumented. Part 11 requires software validation to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Validation deliverables include user requirements, functional and design specifications, test protocols, and traceability matrices. Most teams have testing but not Part 11-grade validation evidence.

Audit trail is missing user identity. The audit trail must capture who did what, when, on which record. 'User' captured as a service account or shared login fails the requirement. Every entry must trace to a named individual with their unique electronic signature.

Electronic signatures are not bound to the record. § 11.70 requires the signature to be linked to the electronic record such that it cannot be excised, copied, or transferred to falsify a different record. Many systems treat signatures as separate audit log entries rather than as cryptographically bound to the signed record.

Open system encryption is missing. § 11.30 requires open systems (where access is not controlled by the persons responsible for the content) to use encryption and digital signatures to ensure record authenticity. Cloud-hosted systems with broad access policies often qualify as open systems but lack the corresponding controls.

Training records don't tie to signature use. § 11.10(i) and § 11.300 require persons using electronic signatures to be trained, with documented training records. The training must cover Part 11 specifically — generic onboarding training does not satisfy the standard.

Password policies fall below FDA expectations. While Part 11 doesn't specify password complexity, FDA inspectors expect enforcement consistent with current industry best practice. Static passwords without periodic change, no length minimum, or no complexity requirements draw observations.

Change control over the system itself is weak. Part 11 systems must operate under documented change control. Hotfixes deployed without validation, configuration changes made without approval, or version upgrades without revalidation all surface in inspections.
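The § 11.70 gap above (and Q3/Q4 of the questionnaire) comes down to one mechanical property: a signature must fail verification the moment the signed record changes or the signature is attached to a different record. The following is an added example written for this page, not code from VertiComply or from any Part 11 product. It builds a signature manifest carrying the signer's printed name, the date and time, and the meaning of the signature, binds it to a SHA-256 digest of the canonicalized record, and seals the whole manifest with an HMAC under a system-held key. HMAC is an assumption made to keep the example in the standard library; a production system, and any open system under § 11.30, would use an asymmetric digital signature in its place. The key, record contents, and user identities are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real system the signing key is held by the
# application (key store or HSM), never by the signer, so a user cannot
# mint a manifest outside the signing workflow.
SYSTEM_SIGNING_KEY = b"demo-only-signing-key"


def canonical_bytes(obj) -> bytes:
    """Deterministic JSON so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record: dict) -> str:
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def sign_record(key: bytes, record: dict, signer_id: str, printed_name: str,
                meaning: str, signed_at: str) -> dict:
    """Produce a signature manifest bound to this exact record content.

    The manifest carries the Q3 elements (printed name, date/time, meaning)
    plus the record digest, and a MAC computed over all of them.
    """
    manifest = {
        "record_sha256": record_digest(record),
        "signer_id": signer_id,
        "printed_name": printed_name,
        "signed_at": signed_at,
        "meaning": meaning,
    }
    manifest["mac"] = hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_signature(key: bytes, record: dict, manifest: dict) -> bool:
    """True only if the manifest is unaltered AND matches this record."""
    fields = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, canonical_bytes(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return False  # meaning, signer, or timestamp was edited after signing
    # Digest mismatch means the record changed, or the manifest was moved
    # to a different record.
    return hmac.compare_digest(fields.get("record_sha256", ""), record_digest(record))


def demo() -> dict:
    """Constructed batch-release records used to exercise the checks."""
    lot_a = {"record_id": "BR-0001", "lot": "LOT-A", "disposition": "release"}
    lot_b = {"record_id": "BR-0002", "lot": "LOT-B", "disposition": "release"}
    sig = sign_record(SYSTEM_SIGNING_KEY, lot_a, "jdoe", "Jane Doe",
                      "approval", "2025-01-15T09:30:00Z")
    edited_a = dict(lot_a, disposition="reject")   # record altered after signing
    edited_sig = dict(sig, meaning="authorship")   # manifest altered after signing
    return {
        "original": verify_signature(SYSTEM_SIGNING_KEY, lot_a, sig),
        "record_edited": verify_signature(SYSTEM_SIGNING_KEY, edited_a, sig),
        "signature_copied_to_other_record": verify_signature(SYSTEM_SIGNING_KEY, lot_b, sig),
        "manifest_edited": verify_signature(SYSTEM_SIGNING_KEY, lot_a, edited_sig),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'valid' if ok else 'INVALID'}")
```

Only the first check passes; editing the record, moving the manifest to another record, or changing the stated meaning all fail verification. Storing the manifest as a separate audit-log row with no digest of the record, which is the pattern the paragraph above describes, would pass all four.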


What to do with your FDA CFR 11 results

Your score is a starting point — these are the steps that convert the assessment into actionable remediation.

Run a Part 11 applicability assessment. Not every electronic record is subject to Part 11 — only those required by a predicate rule (the underlying FDA regulation governing the activity). Map which records and signatures are in scope before designing controls.

Establish or refresh your validation master plan. The plan governs how every Part 11 system in your environment is validated, revalidated after change, and decommissioned. It's the document FDA asks for first in a Part 11 inspection.

Implement attributable, contemporaneous, original, accurate, and legible (ALCOA+) audit trails. The ALCOA+ principles guide what good audit trails look like in regulated environments: complete, consistent, enduring, and available.

Inventory open vs. closed systems. Classify each Part 11 system and apply the corresponding controls. Misclassification (treating an open system as closed) is a common FDA observation.

Build a 21 CFR Part 11 training program with documented attestations. Annual refresher; role-specific content for users vs. administrators; documented per-individual completion.
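The audit-trail gap listed under common gaps (entries attributed to a service account or shared login) and the ALCOA+ step above both describe properties a trail can enforce mechanically: every entry names an individual, records what changed on which record and when, and any later edit, reorder or deletion is detectable. The following is an added example written for this page, not VertiComply's or any vendor's implementation. It keeps an append-only trail in which each entry hashes its predecessor, refuses actors that are not in a registry of named individuals, and verifies the chain against an externally stored head hash so that dropping the most recent entries is also caught. The user registry, record identifiers and timestamps are constructed.

```python
import copy
import hashlib
import json

# Constructed user registry: only named individuals may be the actor of an
# audit entry. Service and shared accounts are deliberately absent.
INDIVIDUALS = {"jdoe": "Jane Doe", "rroe": "Richard Roe"}

GENESIS_HASH = "0" * 64


def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditTrail:
    """Append-only, hash-chained trail of who changed what, when, on which record."""

    def __init__(self):
        self.entries = []

    def append(self, user_id, action, record_id, old_value, new_value, timestamp) -> dict:
        if user_id not in INDIVIDUALS:
            raise ValueError(f"actor {user_id!r} is not a named individual")
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries) + 1,
            "user_id": user_id,
            "user_name": INDIVIDUALS[user_id],
            "action": action,
            "record_id": record_id,
            "old_value": old_value,
            "new_value": new_value,
            "timestamp": timestamp,
            "prev_hash": prev,
        }
        entry["entry_hash"] = hashlib.sha256(_canon(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; store this outside the trail (e.g. WORM store)."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH

    def verify(self, expected_head=None):
        """Return (ok, first_bad_seq). Detects edited, reordered or deleted
        entries; with expected_head it also detects truncation of the tail."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries, start=1):
            fields = {k: v for k, v in e.items() if k != "entry_hash"}
            if e.get("seq") != i or fields.get("prev_hash") != prev:
                return False, i
            if hashlib.sha256(_canon(fields)).hexdigest() != e.get("entry_hash"):
                return False, i
            prev = e["entry_hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries) + 1
        return True, None


def build_sample_trail() -> AuditTrail:
    """Constructed entries for one clinical data record."""
    t = AuditTrail()
    t.append("jdoe", "create", "CRF-1001", None, {"hb": 13.2}, "2025-01-15T09:30:00Z")
    t.append("rroe", "update", "CRF-1001", {"hb": 13.2}, {"hb": 12.9}, "2025-01-15T10:02:00Z")
    t.append("jdoe", "sign", "CRF-1001", None, "approval", "2025-01-15T11:45:00Z")
    return t


def demo() -> dict:
    intact = build_sample_trail()
    head = intact.head()

    edited = copy.deepcopy(intact)
    edited.entries[1]["new_value"] = {"hb": 14.0}   # silent edit of entry 2

    deleted = copy.deepcopy(intact)
    del deleted.entries[1]                           # entry 2 removed

    truncated = copy.deepcopy(intact)
    truncated.entries.pop()                          # most recent entry dropped

    try:
        intact.append("svc-etl", "update", "CRF-1001", None, None, "2025-01-16T00:00:00Z")
        rejected = False
    except ValueError:
        rejected = True

    return {
        "intact": intact.verify(head),
        "edited": edited.verify(head),
        "deleted": deleted.verify(head),
        "truncated_without_anchor": truncated.verify(),
        "truncated_with_anchor": truncated.verify(head),
        "service_account_rejected": rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "truncated_without_anchor" case is the caveat worth noticing: a hash chain alone cannot tell that the newest entries were removed, because the remaining prefix is still self-consistent. Anchoring the head hash somewhere the application cannot overwrite is what turns the chain into evidence that the trail is complete, which is the "enduring" and "complete" part of ALCOA+.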


FDA CFR 11 compliance FAQ

What is 21 CFR Part 11 and who must comply?

21 CFR Part 11 governs electronic records and electronic signatures for FDA-regulated activities — pharmaceutical manufacturing, clinical trials, medical device design controls, drug safety records, and similar contexts where electronic records replace paper records required by an FDA predicate rule. The applicability test is whether a predicate rule requires the record; Part 11 itself does not create record-keeping requirements.

Does Part 11 apply to clinical research software?

Yes, where the system creates, modifies, maintains, archives, retrieves, or transmits records required by clinical research regulations (21 CFR Parts 312, 812, 50, 56, 11). Electronic data capture (EDC), eTMF, eConsent, and eSource systems all typically fall under Part 11. The FDA's eSource guidance reinforces this.

How does Part 11 interact with HIPAA?

They govern different things and frequently apply simultaneously. HIPAA governs the confidentiality of PHI; Part 11 governs the integrity and authenticity of electronic records and signatures for FDA-regulated purposes. A clinical trial system handling patient health data complies with both. The controls overlap (access controls, audit logs, encryption) but the underlying requirements differ.

What's the difference between closed and open Part 11 systems?

A closed system is one where system access is controlled by persons responsible for the content of the electronic records. An open system is one where access is not so controlled (cloud systems with broad access, public-facing portals). Open systems require additional controls — encryption and digital signatures to ensure authenticity, integrity, and confidentiality (§ 11.30).

Can SaaS products be Part 11 compliant?

Yes, but the SaaS vendor and the regulated customer share responsibility. The vendor delivers a Part 11-capable system; the customer is responsible for validation in their specific context, user access management, signature use, and training. Vendor 'Part 11 compliance' is a precondition for customer compliance, not a substitute.

What are the most common FDA observations on Part 11?

Inadequate audit trails (missing data, missing user attribution, alterable), insufficient validation evidence, inadequate access controls, unaddressed Part 11 in third-party systems, and missing or weak change control on the system itself. The FDA's publicly available 483 observations and warning letters document the same recurring failure modes across the industry.

Build it instead of buying it

Generate an FDA CFR 11-compliant healthcare app with the controls built in

VertiComply generates production-ready healthcare applications with FDA CFR 11 controls scaffolded from the first commit — no add-on tier, no platform lock-in, code exported to your GitHub.
