21 CFR Part 11

21 CFR Part 11 is a regulation issued by the FDA that establishes requirements for electronic records and electronic signatures in regulated industries. This includes pharmaceuticals, biologics, medical devices, and food products (human and veterinary). Companies in these industries that do business in the United States, as well as providers of raw materials and components to pharmaceutical companies and contract labs commissioned to perform analysis work, must all operate to ensure that electronic records and electronic signatures are trustworthy and reliable.

Key requirements of 21 CFR Part 11:

• Electronic records must be created, maintained, and archived in a way that ensures their authenticity, integrity, and confidentiality
• Electronic signatures must be used in a way that is equivalent to handwritten signatures
• Companies must have procedures in place to control access to electronic records and electronic signatures
• Systems must maintain secure, computer-generated, time-stamped audit trails including the who, what, when, and why of any record creation, modification, or deletion
• Organizations must implement standard operating procedures (SOPs) for system use, including training, documentation, and security measures
• Systems used to generate and manage electronic records must be validated to ensure accuracy, reliability, and consistent performance

21 CFR Part 11 is designed to protect the safety of consumers by ensuring the accuracy and reliability of electronic records and electronic signatures. By complying with these requirements, companies can help to ensure that their products are safe and effective.

While 21 CFR Part 11 provides the legal and technical framework, ALCOA++ principles provide the practical and ethical foundation for how data should be handled. 

While 21 CFR part 11 is a U.S. FDA regulation, its principles have been widely embraced by other regulatory bodies around the world and adopted in local regulations, such as European Medicines Agency (EMA), Medicines and Healthcare Products Regulatory Agency (MHRA) and Ministry of Health in Japan. 

EU Annex 11

The EU Annex 11 to the EudraLex Volume 4 (GMP guidelines) is considered the European counterpart introduced by the EMA. It focuses on computerized systems used in GxP environments and provides requirements for data integrity, audit trails, and system validation. The key requirements are:

• Systems must ensure that data is accurate, complete, and protected from unauthorized changes
• Audit trails must be secure, time-stamped, and reviewable to track changes and user actions
• Systems must be validated to demonstrate that they perform as intended throughout their lifecycle
• Electronic signatures must be uniquely identifiable and linked to the individual who applied them
• Any changes to the system must be documented, assessed for risk, and revalidated if necessary

GxP Data Integrity Guidance

In the UK, the MHRA has introduced the GxP Data Integrity Guidance and Definitions provides detailed expectations for maintaining data integrity across all GxP-regulated activities. These guidelines make use of the ALCOA++ principles as a foundation for data integrity. The key concepts are:

• All data are complete, consistent, and accurate throughout the data lifecycle
• Audit trails provide secure, computer-generated records that track changes to data and who made them
• Systems must be designed to prevent, detect, and mitigate data integrity issues
• A system of controls to ensure data integrity is maintained across the organization

ERES Guideline

The ERES Guideline (Electronic Records and Electronic Signatures) closely mirrors 21 CFR Part 11. Japanese companies exporting to the U.S. often adopt 21 CFR Part 11 standards to ensure compliance. The key requirements are:

• Ensure the reliability and authenticity of electronic submissions and records
• All computerized systems must be validated to ensure they function as intended
• Electronic records must be stored securely and be retrievable for the required retention period
• Audit trails must be secure, time-stamped, and capable of tracking all changes
• Electronic signatures must be uniquely linked to individuals and verifiable

The global adoption of 21 CFR part 11 was accelerated by its implementation by multinational companies as a way to maintain uniform compliance practices across all facilities and allowed standardization practises. Many enterprise systems, such as OmniTrust from Malvern Panalytical, are designed to be 21 CFR Part 11-compliant, making it easier for global teams to align to the regulatory compliance.

USP <1058> Analytical Instrument Qualification (AIQ), is a general chapter in the United States Pharmacopeia that provides a structured framework for ensuring that analytical instruments are suitable for their intended use in regulated laboratories. 

It defines the qualification process for analytical instruments used in pharmaceutical testing, based on four stages of qualification. Its goal is to ensure that instruments consistently produce accurate, reliable, and reproducible results. 

Four stages of qualification USP <1058>:

• Design Qualification (DQ): Ensures the instrument design meets user requirements
• Installation Qualification (IQ): Verifies the instrument is installed correctly
• Operational Qualification (OQ): Confirms the instrument operates as intended
• Performance Qualification (PQ): Demonstrates consistent performance under real-world conditions

Similarly, the EU GMP Annex 15 is the section of the European Union's Good Manufacturing Practice (GMP) guidelines that specifically addresses qualification and validation in the manufacturing of medicinal products. The principles are focused on the same four stages of qualification outlined in USP <1058> and it emphasizes a lifecycle approach to validation, including planning, execution, and maintenance.

While USP <1058> and Annex 15 ensures instruments produce valid data, 21 CFR Part 11 and related data integrity regulations ensure that data is securely managed. Together they play a foundational role in ensuring data integrity and regulatory compliance.

Find more about Analytical instrument qualification here.

Developed by Malvern Panalytical, OmniTrust is a flexible, scalable, and multi-instrument solution that can be tailored to meet the specific needs of your organization. Designed to enhance data integrity and streamline compliance, it provides the tools you need to meet evolving regulatory demands with confidence.

OmniTrust supports 21 CFR Part 11 compliance through a comprehensive offering that combines software and expert services. It helps ensure the authenticity, integrity, and confidentiality of electronic records and signatures, while also supporting validation efforts and the implementation of robust operational and procedural controls, delivering end-to-end regulatory compliance.

Learn more about OmniTrust here. 

Our software, including our OmniTrust package, enables the products shown in the table below (alongside appropriate local IT infrastructure) to be compliant with the following regulations and guidance: 

• 21 CFR Part 11
• ALCOA++ data
• USP <1058>

Learn more about the Malvern Panalytical instruments and software that meet these requirements below.