← Frameworks / Health Regulation

FDA 21 CFR Part 11 — Electronic Records; Electronic Signatures

US federal regulation establishing criteria for acceptance of electronic records and electronic signatures by the FDA. 30 requirements across electronic records (validation, audit trails, system access controls, authority checks, device checks, education and training, documentation, open and closed system controls), electronic signatures (uniqueness, identity verification, signature manifestations, signature/record linking), and biometric and non-biometric authentication controls. Applies to all FDA-regulated industries including pharmaceuticals, medical devices, biologics, and food.

Clauses: 30

Avg Coverage: 73.0%

Publisher: U.S. Food and Drug Administration (FDA) Version: 1997 (updated guidance 2003)

FDA 21 CFR Part 11 → SP 800-53 SP 800-53 → FDA 21 CFR Part 11 Coverage Analysis

Clause	Title	SP 800-53 Controls
§11.1	Scope	PL-02 PM-01 PM-11 RA-02
§11.2	Implementation — Risk-Based Approach	RA-01 RA-02 RA-03 RA-07 PM-09 PM-11
§11.3	Definitions — Electronic Record, Electronic Signature, Digital Signature
§11.10(a)	Closed Systems — Validation of Systems	SA-03 SA-08 SA-10 SA-11 SA-15 SA-17 CA-02 CA-07 CM-04 SI-06
§11.10(b)	Closed Systems — Generating Accurate and Complete Copies	CP-09 SI-07 AU-09 AU-11 SC-28
§11.10(c)	Closed Systems — Protection of Records for Accurate and Ready Retrieval	CP-09 CP-06 CP-10 SC-28 MP-04 SI-12 AU-11
§11.10(d)	Closed Systems — Limiting System Access to Authorised Individuals	AC-01 AC-02 AC-03 AC-05 AC-06 AC-07 AC-11 AC-12 IA-01 IA-02 IA-04 IA-05
§11.10(e)	Closed Systems — Secure, Computer-Generated, Time-Stamped Audit Trails	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 AU-14
§11.10(f)	Closed Systems — Use of Operational System Checks	SI-07 SI-10 CM-02 CM-06 CM-07 SA-11
§11.10(g)	Closed Systems — Use of Authority Checks	AC-02 AC-03 AC-05 AC-06 AC-16 AC-24
§11.10(h)	Closed Systems — Use of Device Checks	IA-03 IA-09 PE-20 CM-08 AC-19
§11.10(i)	Closed Systems — Trained Personnel	AT-01 AT-02 AT-03 AT-04 PS-01 PS-02 PS-03
§11.10(j)	Closed Systems — Written Policies for Electronic Signature Accountability	PL-01 PL-02 PL-04 PS-06 PS-08
§11.10(k)	Closed Systems — Controls Over Systems Documentation	SA-05 CM-03 CM-05 CM-09 PL-02 SI-12
§11.30	Controls for Open Systems	SC-08 SC-12 SC-13 SC-17 SC-23 SC-07 AC-17 AU-10
§11.50	Signature Manifestations	AU-02 AU-03 AU-12 AU-10
§11.70	Signature/Record Linking	AU-10 SI-07 SC-08 SC-28
§11.100(a)	Electronic Signatures — Unique to One Individual	IA-02 IA-04 IA-05 IA-08 AC-02
§11.100(b)	Electronic Signatures — Identity Verification Before Assignment	IA-12 IA-04 IA-05 PS-03
§11.100(c)	Electronic Signatures — Certification to FDA
§11.200(a)(1)	Electronic Signature Components — Non-Biometric (Two Components)	IA-02 IA-05 IA-06 IA-07
§11.200(a)(1)(i)	Non-Biometric Signatures — Continuous Session Controls	AC-11 AC-12 IA-11 SC-10
§11.200(a)(1)(ii)	Non-Biometric Signatures — Non-Continuous Session Controls	IA-02 IA-05 IA-11 AC-07 AC-11
§11.200(a)(2)	Non-Biometric Signatures — Unique Identification Code/Password Pair	IA-02 IA-04 IA-05 AC-02
§11.200(a)(3)	Electronic Signatures — Biometric Requirements	IA-02 IA-12 PE-19
§11.300(a)	Controls for ID Codes/Passwords — Maintaining Uniqueness	IA-04 IA-05 AC-02
§11.300(b)	Controls for ID Codes/Passwords — Periodic Revision and Recall	IA-05 AC-02
§11.300(c)	Controls for ID Codes/Passwords — Loss Management Procedures	IA-04 IA-05 IR-06 AC-02
§11.300(d)	Controls for ID Codes/Passwords — Transaction Safeguards	SC-08 SC-13 SC-23 AC-17 IA-06
§11.300(e)	Controls for ID Codes/Passwords — Initial and Periodic Testing	CA-02 CA-08 SI-06 IA-05