GUIDE

Electronic Signatures for Lab Animal Records:
21 CFR Part 11 Guide

If your laboratory animal research is FDA-regulated, your electronic records and signatures must comply with 21 CFR Part 11. This guide walks you through the requirements and implementation best practices.

Last updated: June 29, 2026 · 14 min read

What is 21 CFR Part 11?

21 CFR Part 11 is the FDA regulation that establishes criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. It applies to all FDA-regulated industries, including pharmaceutical, biotechnology, and medical device companies conducting laboratory animal research.

Non-compliance can result in FDA warning letters, data rejection during regulatory submissions, and compromised study integrity. Implementing Part 11 compliance from the start is far less costly than retrofitting it later.

1

Understand 21 CFR Part 11 Requirements

The regulation has three main sections you need to understand:

  • General Provisions (11.1-11.3): Scope, implementation, and definitions. Part 11 applies when you use electronic records in lieu of paper records required by FDA regulations.
  • Electronic Records (11.10): Requirements for closed systems including validation, audit trails, access controls, authority checks, and record protection.
  • Electronic Signatures (11.50-11.100): Requirements for signature manifestations, signature/record linking, and controls for identification codes/passwords.

Pro Tip: The FDA issued a guidance document on "Part 11; Electronic Records; Electronic Signatures" that clarifies the agency's current enforcement approach. Review this document before implementing your system.

2

Implement Access Controls

Access controls are the foundation of Part 11 compliance. Your system must enforce the following:

  • Unique user IDs: Every user must have a unique identifier. No shared or generic accounts are permitted.
  • Password policies: Enforce minimum complexity, periodic expiration, and lockout after failed attempts.
  • Role-based access: Users can only perform actions authorized for their assigned role (e.g., technicians can enter data, PIs can sign records, administrators can configure the system).
  • Session management: Automatic logout after inactivity. No concurrent sessions from multiple devices.
  • Authority checks: Verify that only authorized individuals can sign records, modify data, or access specific functions.

3

Create Audit Trails

Audit trails are required under 21 CFR 11.10(e). Each audit trail entry must capture:

  • Who: The unique user ID of the person who created, modified, or deleted the record
  • What: The specific data that was changed (old value and new value)
  • When: Computer-generated timestamp (not user-entered) in a consistent format
  • Why: The reason for the change (user-provided or system-generated)

Critical requirements for audit trails:

  • Audit trails must be computer-generated and independent of the user
  • Audit trails cannot be modified or disabled by any user, including administrators
  • Audit trails must be retained for the same period as the associated record
  • Audit trails must be available for FDA review upon request
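
One way to make the who/what/when/why entries above tamper-evident is to chain each entry to the hash of the previous one. This is an added example, not LabAnimal's code and not a mechanism the regulation prescribes; hash chaining and the names `append_entry` and `verify_trail` are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(entry):
    # Canonical JSON over everything except the entry's own hash.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


def append_entry(trail, user_id, record_id, field, old, new, reason):
    """Append a who/what/when/why entry chained to the previous one."""
    if not user_id or not reason:
        raise ValueError("user_id and reason are required")
    entry = {
        "user_id": user_id,                                   # who
        "record_id": record_id, "field": field,               # what
        "old_value": old, "new_value": new,
        "timestamp": datetime.now(timezone.utc).isoformat(),  # when: system clock
        "reason": reason,                                     # why
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return the index of the first broken entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev_hash"] != prev or entry["entry_hash"] != _digest(entry):
            return i
        prev = entry["entry_hash"]
    return -1


def demo():
    trail = []  # constructed sample entries, not real study data
    append_entry(trail, "jdoe", "animal-0042", "weight_g", None, 24.1, "initial entry")
    append_entry(trail, "jdoe", "animal-0042", "weight_g", 24.1, 21.4, "typo fix")
    intact = verify_trail(trail)
    trail[0]["new_value"] = 21.4  # simulated silent edit of history
    return intact, verify_trail(trail)
```

The chain exposes edits and removals inside the trail, but not truncation of its tail; detecting that requires keeping the latest `entry_hash` somewhere application administrators cannot write.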

4

Design Signature Manifestations

Under 21 CFR 11.50, each electronic signature must include:

  • Printed name: The full name of the signer as it appears in their user profile
  • Date and time: The exact date and time the signature was executed (system-generated, not user-entered)
  • Meaning of signature: What the signature represents, such as "reviewed by," "approved by," "authored by," or "responsibility for"

Additionally, under 21 CFR 11.70, electronic signatures must be linked to their respective electronic records so that signatures cannot be excised, copied, or transferred to falsify a record.

Common Finding: Many systems fail to capture the "meaning" of the signature. A signature without context (e.g., just a name and date) does not meet Part 11 requirements.
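
The sketch below shows the 11.50 manifestation fields and the 11.70 signature/record link together: the signature carries a digest of the record and a keyed tag over the whole manifestation, so it fails verification if moved to another record or if its meaning is altered. It is an added example, not LabAnimal's implementation; the HMAC with a server-held key, the `MEANINGS` set and the function names are assumptions, and signer authentication is out of scope here.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

MEANINGS = {"authored by", "reviewed by", "approved by", "responsibility for"}


def _canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record, printed_name, meaning, key):
    """Build a signature manifestation bound to this exact record content."""
    if not printed_name:
        raise ValueError("printed name is required")
    if meaning not in MEANINGS:
        raise ValueError("signature meaning is required")
    manifest = {
        "printed_name": printed_name,
        "signed_at": datetime.now(timezone.utc).isoformat(),  # system clock
        "meaning": meaning,
        "record_sha256": hashlib.sha256(_canonical(record)).hexdigest(),
    }
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "binding": tag}


def verify_signature(record, signature, key):
    """True only if the manifestation is unaltered and matches this record."""
    manifest = {k: v for k, v in signature.items() if k != "binding"}
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature.get("binding", "")):
        return False
    digest = hashlib.sha256(_canonical(record)).hexdigest()
    return hmac.compare_digest(digest, manifest.get("record_sha256", ""))


def demo():
    key = b"constructed-demo-key"  # assumption: a real key is held in an HSM/KMS
    obs = {"record_id": "obs-001", "animal": "animal-0042", "weight_g": 24.1}
    other = {"record_id": "obs-002", "animal": "animal-0043", "weight_g": 30.0}
    sig = sign_record(obs, "Jane Doe", "reviewed by", key)
    relabeled = {**sig, "meaning": "approved by"}
    return {"original": verify_signature(obs, sig, key),
            "transplanted": verify_signature(other, sig, key),
            "meaning_changed": verify_signature(obs, relabeled, key)}
```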

5

Validate Your System

21 CFR 11.10(a) requires that you validate computer systems to ensure accuracy, reliability, and consistent intended performance. Validation follows a standard lifecycle:

  • Installation Qualification (IQ): Verify that the system is installed correctly in the intended environment (hardware, software, network configuration).
  • Operational Qualification (OQ): Test all system functions against predefined specifications. Verify access controls, audit trails, signature functionality, and data integrity.
  • Performance Qualification (PQ): Test the system under real-world conditions with actual users and data. Confirm that the system performs as intended in the production environment.

Maintain validation documentation including test protocols, test results, deviation reports, and final validation reports. Revalidation is required when the system is modified or upgraded.

6

Train Users on Electronic Signature Policies

Under 21 CFR 11.10(k), you must establish and maintain policies that hold individuals accountable for actions initiated under their electronic signatures. Training must cover:

  • Legal significance: Explain that electronic signatures are legally equivalent to handwritten signatures under federal law
  • Accountability: Users are responsible for all actions performed under their credentials
  • Password management: Requirements for password complexity, expiration, and the prohibition of sharing credentials
  • Signature meaning: Train users to understand what each signature type means (review, approval, authorship)
  • Incident reporting: Users must immediately report compromised credentials or suspected unauthorized access

Document all training with signed acknowledgment forms (electronic or paper) and maintain training records for the duration of the employee's involvement plus the retention period.

7

Maintain Records and Backup Procedures

21 CFR 11.10(c) requires procedures and controls to ensure data protection and availability:

  • Regular backups: Implement automated backup schedules with verified integrity checks
  • Recovery testing: Test backup restoration at least annually to verify recoverability
  • Disaster recovery: Maintain a documented disaster recovery plan with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  • Media migration: When systems are upgraded or decommissioned, migrate records to the new system while preserving audit trails and signatures
  • Retention compliance: Ensure records remain accessible for the full retention period required by the applicable FDA regulation

LabAnimal Feature: All records include built-in Part 11 compliant audit trails and electronic signatures. The system supports automated backups, data export, and record retention management.

Frequently Asked Questions

Does 21 CFR Part 11 apply to lab animal records?

Yes, 21 CFR Part 11 applies to laboratory animal records when the research is regulated by the FDA. This includes preclinical studies for drug submissions (IND, NDA), medical device testing (IDE, 510(k)), and any research where records are required to be maintained under FDA regulations. Even if your institution is not directly regulated by FDA, adopting Part 11 practices is considered a best practice for data integrity.

What makes an electronic signature compliant?

A compliant electronic signature under 21 CFR Part 11 must include: (1) the printed name of the signer, (2) the date and time the signature was executed, (3) the meaning of the signature (e.g., review, approval, authorship, responsibility), and (4) a link between the signature and the signed record. The signature must be uniquely linked to the signer through user authentication (username + password). Biometric signatures are also acceptable.

Do I need audit trails for all records?

Audit trails are required for any electronic record that must be maintained by regulation. Under 21 CFR 11.10(e), you must employ procedures and controls to ensure the integrity of electronic records, including computer-generated, time-stamped audit trails. This includes records of animal observations, treatment logs, protocol deviations, and any data submitted to the FDA.

What is the difference between open and closed systems?

A closed system is one where system access is controlled by persons who are responsible for the content of electronic records. An open system is one where system access is not controlled by the responsible person (e.g., cloud-based systems accessible via the internet). Closed systems require audit trails, electronic signatures, and access controls. Open systems require all of the above plus additional measures such as encryption and digital signatures to ensure record integrity.

How long must Part 11 compliant records be retained?

Record retention under 21 CFR Part 11 follows the same requirements as the underlying regulation that requires the record. For example, GLP studies (21 CFR Part 58) require retention for the duration of the study plus 2 years for FDA submissions, or 5-15 years depending on the type of study. Records must remain readable and retrievable throughout the entire retention period, even if the original system is decommissioned.
