Title 21 CFR Part 11 Response
Response to Title 21 CFR Part 11 Compliance

Written by Daniel Summers
Updated over a week ago


This document outlines Electronic Lab Logs' response to Title 21 CFR Part 11 compliance and how different sections of the FDA's regulations are satisfied in our software platform.

What is Title 21 CFR Part 11?

Title 21 CFR Part 11 is the section of the Code of Federal Regulations (CFR) that deals with Food and Drug Administration (FDA) guidelines on electronic records and electronic signatures in the United States. It defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.

What does it mean?

Organizations such as pharmaceutical, medical supply and healthcare providers that fall under the 21 CFR Part 11 guidelines need to take extra precautions when using a software platform to disseminate information. Part 11 requires that both procedural controls (e.g. notification, training, SOPs, administration) and administrative controls are put in place by the user, in addition to the technical controls that a vendor can offer.

What does Electronic Lab Logs do to comply with Title 21 CFR Part 11?

The Electronic Lab Logs team has the technology, software, and expertise to ensure all Clients remain in compliance with Title 21 CFR Part 11 using our software platform. Our platform will allow you to continue to stay within the guidelines with no interruptions to your Quality Processes.


Requirement Feature

11.10 (b)

The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

The platform presents standard and custom reports in both screen and downloadable form. Downloaded reports are available as a PDF export.

11.10 (d)

Limiting system access to authorized individuals.

Access to all parts of the application is controlled by username and password. Each account has roles and permissions that limit the functions and data the account can access. The platform allows for additional security settings tailored for the Title 21 CFR Part 11 environment. These settings allow Administrators to enforce that only authenticated users are able to log data (no anonymous Logger accounts), and to require strong passwords and expiring passwords. This enhanced security also allows for automatic account locking after multiple failed attempts and recording of IP addresses for all accesses.

11.10 (e)

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

The platform records everything to a log, including a record of each action, when each action occurred, and who committed the action. Clients can also set up multi-factor authentication to increase the security requirements.

11.10 (f)

Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

The platform controls each procedure for setting up, adding, and changing any Client data. Only internal users that have been trained on the process are given access to these controls.

11.10 (g)

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

Users and Administrators are created only after training has been completed. When a user is created, that user has no access to any data. Administrators are required to add the access levels to each user after creation, and those settings cannot be modified by any user that does not have Administrator privileges. Additionally, each Client has a unique and separate database, so there is no way to access data from other Client databases.

11.10 (h) (1)

Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

The platform will not accept connections without an authentication layer, and therefore will not accept commands or data from unauthenticated sources, or from authenticated sources where the IP address of a command does not match the originally authenticated access for a given session. Additionally, the platform will only communicate over HTTPS, which prevents a third party from modifying data being transmitted.

11.50 (a) (1), (2), (3)

Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

(1) The printed name of the signer;

(2) The date and time when the signature was executed; and

(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

The platform stores all electronic signatures for every report with this information along with the full name, authentication credentials used, and user ID of the signatory.

11.50 (b)

The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

The three signature items are included in all audit trail reports.

11.70 (a)

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

Electronic signatures require password entry and are included with the records throughout the system. Once the report has been signed, the data is locked and can no longer be modified by any user.

11.100 (a)

Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

Uniqueness of username and password is enforced by the system. This uniqueness survives even after the expiration of an account. Inactive accounts and their records are never removed from the system.

11.200 (a) (1)

Employ at least two distinct identification components such as an identification code and password.

The platform employs username and password protection, and enforces that the authenticated session maintains the continuity of IP address. Additional multi-factor authentication controls can be added for further strengthening.

11.200 (a) (1) (i)

The system requires the use of all electronic signature components for the first signing during a single continuous period of controlled system access.

All authenticated sessions are confined to the browser window. Closing a window terminates the session, and authentication is required even if the timeout has not yet occurred. Additionally, the session timeouts default to 15 minutes.

11.200 (a) (1) (i)

The system shall allow all subsequent signing during the same continuous period of controlled system access to use at least one electronic signature component.

The system will continue to use the originating IP of each request after the first to maintain security of the session.

11.200 (a) (1) (i)

The system shall ensure users are timed out during periods of specified inactivity. When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

Time out in a 21 CFR Part 11 environment is enforced after 15 minutes of inactivity.

11.200 (a) (1) (ii)

When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

All signing must be executed during a continuous period of controlled system access.

11.200 (a) (3)

Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

Sharing electronic signatures and/or authentication credentials is not permitted.

11.300 (a)

Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

The system will not allow duplication. Two hashes of both the username and password are kept for comparison purposes to maintain integrity without storing actual information unencrypted.

11.300 (b)

Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

The system can be set up to enforce password expirations that match the length of time set by the Client's internal SOPs.

11.300 (d)

Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

The platform uses intrusion detection to identify fraudulent transactions, including multiple failed attempts at log in, log in from a large number of IP addresses, and unusual activity in an account. The system will notify any Client of suspicious account activity. This notification, the Client's response and any necessary corrective actions are stored in Electronic Lab Logs' internal ticketing system.

11.300 (d)

Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

Administrators are notified of all attempts to log in with a valid username and of multiple failed logons that are flagged as suspicious.
