FDA CFR21 part 11 product checklist - LabCollector


Title 21 of the Code of Federal Regulations, Part 11 (21 CFR Part 11) states the rules that a company using an electronic system for document and signature control must abide by. It sets out the U.S. Food and Drug Administration's (FDA) requirements for electronic records and electronic signatures, to ensure that these documents are authentic and that their security, integrity, and confidentiality are maintained. Companies making drugs, biologics or medical devices, CROs (Contract Research Organizations) and any other establishment under FDA regulation must follow the stringent controls, audits, validations and other rules laid down by the FDA.

FDA 21 CFR Part 11 compliance is provided with LabCollector and the major add-ons such as ELN, LSM, WorkFlow, and equipment integration with I-Collector.
Full compliance can be achieved with the compliance pack, which offers various options to follow the regulations more stringently. Final validation must, however, always be performed on the end-user side.
The following checklist is provided as a guide, but AgileBio also provides pre-checked certificates and tests to facilitate lab auditing.
For additional information about how LabCollector helps meet GxP and other regulatory compliance requirements, read this or contact us.

The guidelines by the FDA for electronic data compliance can be found by clicking the link.

The 21 CFR Part 11 Compliance Checklist is described below:

Name and version of the software

The software version should indicate major and minor changes (§11.10k.1,2)


Access should be limited to authorized users, with privileges assigned to roles rather than to individuals. (§11.10.d,g)
Passwords should be at least 8 characters long and contain alphanumeric characters (§11.300)
Passwords must be changed at a predetermined interval (90 days) (§11.300.b)
The system must prevent reuse of a specified number of previous passwords (e.g. the 6 previous passwords used within 1 year) (§11.300)
Password characters must not be visible while being entered (§11.300)
Passwords should not be remembered by the application or the browser (§11.300)
Passwords must be encrypted by the system upon entry and in storage. (§11.300)
It should not be possible to copy a password from the password field and paste it elsewhere. (§11.300)
Temporary passwords must not be emailed without two-factor authentication. (§11.300)
Temporary passwords should be unique (§11.300)
Temporary passwords must be changed at the next login. (§11.300)
Temporary passwords should expire after a short time period (for example 24 hours) (§11.300)
The user name should identify the person and should not be generic (§11.300)
The user name should appear on screen and should be unique (§11.300)
It should be possible to disable/inactivate a user name/ID so that it is not reused (§11.300)
After a period of inactivity, the system should log the user out automatically and require the password to be re-entered (§11.300)
The system should lock out the user after too many failed attempts and send a warning email to the administrator/security staff. (§11.300.d)
All user activity should be controlled by login, logout and lockout. (§11.10.a)
The last login should be displayed when the user logs in. (§11.300)
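The password rules in the list above, as an added Python example that is not LabCollector code: it enforces the 8-character alphanumeric minimum, the 90-day expiry, the 24-hour limit on temporary passwords and the ban on reusing the last 6 passwords, with passwords stored only as salted hashes. The PBKDF2 iteration count and the data layout are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
MIN_LENGTH = 8                  # §11.300: at least 8 characters, alphanumeric
MAX_AGE = timedelta(days=90)    # §11.300(b): change at a predetermined interval
HISTORY_SIZE = 6                # recent passwords that may not be reused
TEMP_TTL = timedelta(hours=24)  # temporary passwords expire after a short period
ITERATIONS = 100_000            # PBKDF2 work factor (assumption, not from the page)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so the stored credential is never plaintext (§11.300)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

@dataclass
class Credential:
    salt: bytes
    digest: bytes
    set_at: datetime
    temporary: bool = False
    history: list = field(default_factory=list)  # (salt, digest) of retired passwords

def new_credential(password: str, now: datetime, temporary: bool = False) -> Credential:
    salt = os.urandom(16)
    return Credential(salt, hash_password(password, salt), now, temporary)

def is_expired(cred: Credential, now: datetime) -> bool:
    # 24 h for a temporary password, 90 days for a regular one
    return now - cred.set_at >= (TEMP_TTL if cred.temporary else MAX_AGE)

def password_change_violations(cred: Credential, candidate: str) -> list[str]:
    """List every checklist rule the candidate breaks; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits")
    previous = [(cred.salt, cred.digest)] + cred.history  # current + 5 retired = 6
    if any(hmac.compare_digest(hash_password(candidate, s), d) for s, d in previous):
        problems.append("reuses one of the last 6 passwords")
    return problems

def change_password(cred: Credential, candidate: str, now: datetime) -> Credential:
    """Rotate the credential, retiring the old hash into a 5-entry history."""
    if problems := password_change_violations(cred, candidate):
        raise ValueError("; ".join(problems))
    new = new_credential(candidate, now)
    new.history = (cred.history + [(cred.salt, cred.digest)])[-(HISTORY_SIZE - 1):]
    return new
```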

Data Transfer

Data transfer should be limited and delete capabilities should be controlled (§11.10.d,g)
Data transfer outside the intranet firewall should be encrypted using the HTTPS protocol (§11.10.a)
The type and size of input data should be validity-checked (§11.10.a)
The date format should not be ambiguous; the month should be clearly stated (§11.10.b,c)

Audit Trails

Audit trail records should contain information about the creation, modification, inactivation, or deletion of electronic records, for both data and configuration data (§11.10.c,e)
The audit trail should record the user name, date, time, previous data, new data, and the reason for the change if required by the predicate rule (§11.10.c,e)
Users who can change data can access the audit trail to see the changes made. (§11.10)
For high-risk data, an indication that the data has been changed should be shown on screen and not just in the audit trail (§11.10.c,e)
For high-risk applications the audit trail is written by the database (§11.10.c,e)
The server should use a centralized time source (server time) (§11.70)

Electronic Signatures

Should consist of a unique user ID and password (§11.100.a)
During signing, the password should be known only to the user (§11.300)
The meaning of the signature (author or reviewer/approver) should be displayed during signing (§11.50.a)
The electronic signature should show the signer's full printed name and the date and time of execution (§11.50.a)
The signed record should be locked from editing and deletion. (§11.50.d,g)
Electronic records must be maintained and linked to signatures for the life of the electronic record (§11.70)