21 CFR Part 11 Compliance

The 21 CFR Part 11
Compliant ELN

Complete compliance documentation for CERF 6 — the electronic lab notebook built for regulated research environments. Every applicable section of FDA 21 CFR Part 11 is addressed requirement by requirement, covering electronic records (Subpart B) and electronic signatures (Subpart C).

Request a Live Demo Download PDF Version See All CERF Features
CERF ELN version 6
23 Total requirements CFR sections addressed
19 Compliant Sections fully met
4 Not applicable Sections not applicable
DSA PKI signatures U.S. federal standard
20+ Proven in science Years in regulated labs
Most detailed compliance matrix in the ELN market. CERF's compliance documentation maps every applicable requirement of 21 CFR Part 11 to specific, verifiable product features — not vague assertions. No other commercial ELN vendor publishes this level of detail.
Background & Context

What Is 21 CFR Part 11?

This page provides background information for scientists who are new to data compliance and regulatory record-keeping. If you are already familiar with 21 CFR Part 11, you can jump directly to the CERF compliance matrix.

Title 21 CFR Part 11 — commonly shortened to 21 CFR Part 11 or 21CFR11 — is the part of Title 21 of the US Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) guidelines for electronic records and electronic signatures (ERES). Part 11 defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.

Any scientist entering commercial research will certainly encounter these regulations. Additionally, as universities increasingly focus on licensing discoveries and intellectual property as a revenue source, academic labs are becoming subject to the same standards as their commercial counterparts.

  • Developed in the 1990s to ensure that records in a digital system can reasonably be assumed to be a true and accurate representation of the work performed. The regulation was a direct response to the growth of computerized laboratory systems replacing paper notebooks.
  • Answers the fundamental questions regulators and courts ask about any piece of scientific data: who performed the work, when was it performed, who has had access to it, how was the data collected and processed, when was the record completed, when was it locked to prevent changes, and who else can vouch for its authenticity.
  • Required for legal, patent, and regulatory proceedings. Digital records should always be collected and stored in a 21 CFR Part 11 compliant system if you want to use them as supporting evidence in any formal proceeding — patent applications, regulatory submissions, litigation, or due diligence reviews.
  • Disputes are more common than you think. Ownership, accuracy, and legal disputes related to scientific research are surprisingly frequent and expensive in both industry and academia. The majority of these disputes are far easier to resolve — or avoid entirely — when records have been kept in a compliant system from day one.
  • Now the international gold standard. Although 21 CFR Part 11 was initially considered a requirement only for US-based, FDA-regulated commercial organizations, it has gradually been accepted over the past two decades as the international standard for scientific digital data management. It is now widely used in academic institutions and non-scientific sectors wherever managed data access and legally defensible record-keeping are required. No broadly accepted alternative has emerged.
Our view: 21 CFR Part 11 compliance should be considered the baseline standard for any modern, paperless lab — regardless of whether you are in a regulated industry. It is also the primary reason your organization should use a dedicated, professional ELN system rather than non-compliant alternatives like Dropbox, Microsoft SharePoint, OneNote, Evernote, Google Drive, or shared file servers — even when those tools have features that seem convenient. Convenience is not the same as compliance.
Core Requirements

Key Elements of 21 CFR Part 11

The following are the explicit and implicit requirements that a compliant electronic records system must satisfy. CERF was designed to meet all of these from the ground up.

Accurate Representation

Records must be a true and accurate account of the work performed, created at the time the work was done — not reconstructed after the fact.

Human-Readable Copies

The system must be able to generate accurate, complete copies of electronic records in human-readable and electronic form for inspection by authorized parties.

Role-Based Access Control

Access to records must be limited to authorized individuals only, with secure user authorization and documented identity verification for each user.

Visibility Limited to Authorization

Users must only be able to see what they have been specifically authorized to access — including in search results. Unauthorized users should not be aware that restricted records exist.

Immutable Audit Trail

The system must maintain a secure, computer-generated audit trail with timestamps for all user actions. The audit trail must not be modifiable by any user, including administrators.

Permanent Version History

All changes must be visible. Older versions and deleted data must remain available for inspection. No record may be permanently and silently overwritten.

Permanent Record Retention

Records must remain accessible for the full duration of the study — which in practice means indefinitely for most regulated organizations.

Training Records

Training in the proper use of the system must be available and completed by all users, administrators, and support staff. Training records must be maintained.

Digital Signatures

Digital signatures must be unique to each user, non-transferable, non-repudiable, and cryptographically linked to the records they protect. They must contain key metadata: timestamp, signer name, and the role of all signatories, co-authors, and witnesses.

Signature Integrity

A digital signature must not be separable from the data it safeguards. Any modification of a signed record must invalidate the signature.

Password & Access Management

Proper password management procedures, access security, and activity logging must be integral parts of the system — not add-ons.

System Validation

The system must be validated for accuracy, reliability, and consistent intended performance — and must be re-validated when significant changes are made.

Guidance on conflicting requirements: Some compliance rule sets have requirements that directly conflict with each other. It is important to determine which frameworks are most relevant to your organization, and in some cases it may be necessary to segregate different data types into different systems configured to follow different rule sets. Consult your regulatory counsel to determine which frameworks apply to your specific situation.
Subpart B

Electronic Records

Sections 11.10 through 11.70 cover the controls required for systems that create, modify, maintain, archive, retrieve, or transmit electronic records. Every applicable provision is addressed below.

§ Section Code Language Status CERF Implementation
11.10 Controls for closed systems Compliant CERF ensures the authenticity, integrity, and confidentiality of records through security controls, an immutable audit trail, and a PKI-based digital signature system. Only authorized users with valid credentials in authenticated sessions can create or update records. Role-based access controls, signature workflows, and the audit trail collectively prevent repudiation of signed records.
11.10(a) Validation of systems to ensure accuracy, reliability, and ability to discern invalid or altered records Compliant CERF is validated with each release cycle and each customer installation. Hash codes and PKI-based digital signatures stored in the database allow detection of invalid or altered records. All record-altering actions are captured in a secure, computer-generated audit trail.
11.10(b) Ability to generate accurate and complete copies in human-readable and electronic form Compliant CERF produces PDF versions of text and non-text resources, PDF metadata reports for entire notebooks, and full notebook exports in open standard XML format. Records are readable, reviewable, and copyable within the CERF system by any authorized user. All attached files are exportable unaltered in their original format — they are never "blobbed" into a database.
11.10(c) Protection of records for accurate and ready retrieval throughout the retention period Compliant All versions of all resources are kept indefinitely unless removed by the system administrator, in accordance with your formal retention policy. Records are locked during check-out for editing. Finalized records can be restricted from further changes. Unauthorized access and direct modification are prevented by the CERF Server middleware.
11.10(d) Limiting system access to authorized individuals Compliant All users must be registered by qualified administrators and are assigned unique usernames and passwords (transmitted encrypted, stored as hash only). Fine-grained role-based access is enforced at the workgroup and object level. Simultaneous sessions are not permitted; unique session IDs accompany every system communication. Optional TOTP MFA is supported.
11.10(e) Secure, computer-generated, time-stamped audit trails for operator entries and actions that create, modify, or delete records Compliant CERF captures all create, modify, and delete actions in a tamper-proof audit trail recording: date/time, username, object modified, action taken, reason, and new content. Previous record versions are retained under version control. Audit trail records cannot be deleted or modified from within CERF and are available for agency review and copying.
11.10(f) Operational system checks to enforce permitted sequencing of steps and events Compliant All CERF actions are defined by ontologies that end-users cannot change, and by templates that only specified users with appropriate roles can modify. Internal controls verify the validity of data and record workflows at every step — including signature workflows, editing, check-in, version history, and metadata field validation.
11.10(g) Authority checks to ensure only authorized individuals can use the system, sign a record, or alter a record Compliant CERF enforces authority checks using granular managed access roles throughout all operations. Allowable actions are presented as dynamic, context-dependent menus; unauthorized inputs are not offered in the interface and would be rejected by the server if somehow submitted. Signature workflows require a valid session, a signable-state record, appropriate co-signers (if specified in the workflow), and a valid signature password.
11.10(h) Device checks to determine validity of the source of data input or operational instruction Compliant CERF can be configured to accept data only from specific locations using instrument-level username/password sessions, data-in-transit validation, and device IP address requirements. Physical security of devices and workstations is the responsibility of the user organization.
11.10(i) Determination that persons have the education, training, and experience to perform assigned tasks Compliant Lab-Ally staff and developers undergo ongoing training. Lab-Ally provides a full suite of training services for customer admins and end users. Ensuring appropriate training and experience for assigned tasks remains the responsibility of the customer organization. CERF includes built-in tools for issuing and monitoring user completion of training documents.
11.10(j) Written policies holding individuals accountable for actions under their electronic signatures Compliant Lab-Ally provides training and guidance on optimizing compliance and security, working with customers to meet minimum industry standards. CERF includes built-in tools for issuing and monitoring user acceptance of SOPs. Development and adherence to written SOPs for electronic signatures and CERF signature workflows is the responsibility of the client organization.
11.10(k) Controls over systems documentation, including distribution, access, and revision control Compliant Lab-Ally provides system documentation including administration guides, user operation guides, release notes, and versioned modification records. Documentation is distributed only to authorized individuals. Lab-Ally maintains its own records in an internal CERF instance with full audit trail and version controls. The client organization is responsible for disseminating or controlling access to documentation within their organization.
11.30 Controls for open systems — authenticity, integrity, and confidentiality from creation to receipt Not applicable CERF is a closed system; not open. Account creation and access are tightly controlled and the system can, if required, be deployed on a completely sealed local network with no internet connectivity.
11.50(a) Signature manifestations — printed name, date/time, and meaning of signature Compliant Signed records in CERF include the signer's full printed name, date/time of execution, signature meaning, signer role, and any signer comments. Administrators can configure signature roles (e.g., Submitter, Peer Reviewer, Manager/Approver, Legal/Regulatory) and workflows for different record types. CERF supports images of ink signatures and association of ID document images with each user for additional user verification.
11.50(b) Signature information subject to the same controls as electronic records Compliant Electronic signature records are fully secured from unauthorized access and can be displayed or printed for any electronic record. Notebook printing can be configured to meet the signature requirements of the client.
11.70 Electronic signatures linked to their respective electronic records to prevent falsification Compliant CERF establishes an irrevocable link between each PKI digital signature and its associated record upon signing. The cryptographic signature requires access to public and private keys and cannot be deleted, copied, or otherwise transferred. Any modification of the signed object invalidates the signature.
Subpart C

Electronic Signatures

Sections 11.100 through 11.300 govern the controls required for electronic signatures, including uniqueness, identity verification, signature components, and password security. CERF uses the U.S. government's Digital Signature Algorithm (DSA) — the only commercial ELN to do so.

§ Section Code Language Status CERF Implementation
11.100(a) Each electronic signature shall be unique to one individual and not reused or reassigned Compliant CERF enforces uniqueness of each user ID/password combination and requires a separate digital signature password. Signatures cannot be reused or reassigned, even after deactivation of the original user ID. The private key used to generate the signature is unique and not accessible to anyone else.
11.100(b) Identity verification before establishing, assigning, or sanctioning an electronic signature Compliant CERF allows for the in-person collection of ink signature and ID document images, which can be associated with each user in the presence of the user and a System Admin. Users should be made aware at that time that digital signatures are intended as the legally binding equivalent of handwritten signatures. Safeguards ensure that digital signature passwords are known only to individual users.
11.100(c) Certification to the agency that electronic signatures are intended to be legally binding Not applicable Certification submissions and testimonies regarding use of digital signatures are the responsibility of the client organization. Lab-Ally can assist clients in planning and implementing digital signature policies and will work with customers to ensure minimum industry standards are met.
11.200(a)(1) Non-biometric electronic signatures shall employ at least two distinct identification components Compliant CERF requires a unique user ID and password for system access, plus a third component — a digital signature password — to complete each signing. This three-factor model exceeds the two-component minimum requirement. Security can be further enhanced with supported TOTP MFA applications, which we recommend for all customers and especially those with externally accessible servers.
11.200(a)(1)(i) First signing in a continuous session uses all signature components; subsequent signings use at least one Compliant After establishing a session with user ID and password, a user may sign multiple records within that continuous session using only the digital signature password — the component known exclusively to the signer.
11.200(a)(1)(ii) Signings outside a single continuous session each require all signature components Compliant Any break in controlled system access — whether manual or automatic — terminates the session and requires full re-authentication (user ID + password + digital signature password) before additional signatures can be executed.
11.200(a)(2–3) Signatures used only by genuine owners; attempted misuse requires collaboration of two or more individuals Compliant Login passwords are known only to the individual user (not to administrators), and digital signature passwords are encrypted and inaccessible to others. Misusing another individual's signature would require a system administrator to collaborate and bypass a number of safeguards — all of which would be logged in the audit trail and/or system logs.
11.200(b) Biometric signatures designed so they cannot be used by anyone other than their genuine owners Not applicable Biometric devices are not currently used by CERF. Lab-Ally recommends passwords of at least 15 characters and use of a modern password manager (e.g., Bitwarden) with its own biometric features as a best practice. Security can be further enhanced with supported TOTP MFA applications, which we recommend for all customers and especially customers with externally accessible servers.
11.300 Controls for identification codes/passwords to ensure security and integrity Compliant CERF provides robust controls for identification codes and passwords used in electronic signatures, detailed in §§ 11.300(a)–(e) below.
11.300(a) Maintaining uniqueness of each combined identification code and password Compliant No two individuals may share the same user ID in CERF. Business policies enforce password complexity requirements including minimum length and required non-alphabetic character counts.
11.300(b) Periodic checking, recall, or revision of identification codes and passwords to cover events such as password aging Compliant Password aging is fully supported. Administrators can configure renewal frequency (commonly every 30 days). Users must re-enter the current password and supply a new one that meets complexity requirements and differs from the previous password, entered twice for confirmation. Changing the password also forces the user to refresh their TOTP configuration.
11.300(c) Loss management procedures for compromised tokens, cards, or other identification devices Not applicable CERF does not use physical identification devices. Administrators can disable accounts and reset passwords and TOTP codes. Users are required to change passwords to something that only they know immediately upon login following a reset.
11.300(d) Transaction safeguards to prevent and detect unauthorized use of passwords and identification codes Compliant CERF can lock accounts after a configurable number of failed logins (only an administrator can re-enable). CERF enforces configurable session timeouts. CERF prevents concurrent sessions from multiple locations and records all login activity including failed attempts. Administrators can monitor, investigate, and report all unauthorized use or attempted use to organizational management.
11.300(e) Initial and periodic testing of identification devices such as tokens or cards Not applicable CERF does not use tokens or physical identification devices for user authentication. The TOTP MFA feature is tested with every release. Customers with specific requirements for physical identification devices can request Lab-Ally consulting and customization services.
Further Reading

Reference Resources

The following resources provide primary and secondary sources for 21 CFR Part 11, EU Annex 11, and related compliance frameworks. Links to FDA guidance documents, NIH data sharing policies, and comparative analyses are included.

21 CFR Part 11 — Primary Sources

Related Frameworks & Policies

  • NIH Institute and Center Data Sharing Policies Overview of NIH data management and sharing policies applicable to federally funded research, including the 2023 updated policy requirements. sharing.nih.gov › other-sharing-policies
  • NSPM-33 Implementation Guidance National Security Presidential Memorandum-33, governing the protection of federally funded research and development from foreign interference. Interim guidance was issued January 2022; final implementation guidance was issued July 2024. The NSF maintains the authoritative, stable landing page for both versions. nsf.gov › policies › nspm-33
  • EU GMP Annex 11 — Computerised Systems The European counterpart to 21 CFR Part 11. Governs computerized systems used in GMP-regulated manufacturing and research in the EU. Broader in scope than Part 11. gmp-compliance.org › eu-gmp-annex-11-computerised-systems
  • 21 CFR Part 11 vs. EU Annex 11 — Comparative Analysis A practical comparison of the two major electronic records and signatures frameworks — US FDA 21 CFR Part 11 and EU GMP Annex 11 — covering key similarities, differences, and implications for multinational organizations. simplerqms.com › 21-cfr-part-11-vs-eu-annex-11

Ready to Validate CERF for Your Environment?

Lab-Ally and qualified validation partners provide IQ/OQ documentation and services. Contact us to discuss your compliance requirements and arrange a live demonstration.

Request a Live Demo or Free Trial Email Us Directly

Lab-Ally LLC · Columbus, Ohio · +1 (614) 407-4547 · cerf-notebook.com