Compliance Matrix
- Last Updated: Feb 12, 2025
The following table identifies which type of control is needed to comply with specific requirements defined in the Part 11 regulation. An ‘X’ in the Procedural or Technological column indicates the control applies for the requirement listed in that row. Sections 3 and 4 of this guide are structured to mirror the regulation and present the reader with information and specific technical methods or options available to support Part 11 compliance. In each subsection within Sections 3 and 4, the specific regulation text being addressed is presented to aid in the interpretation and application of this guide (shown in bold italics).

| 21 CFR 11 Requirement | Abbreviated description | Procedural | Technological |
|---|---|---|---|
| Subpart B | Electronic Records | | |
| Subpart B 11.10 | Controls for closed systems | X | X |
| Subpart B 11.10 (a)\* | Systems must be validated | X | X |
| Subpart B 11.10 (b)\* | Records must be available for insp… | | X |
| Subpart B 11.10 (c)\* | Records must be protected for retrieval… | X | X |
| Subpart B 11.10 (d) | System access is limited to authorized individuals | X | X |
| Subpart B 11.10 (e)\* | Operator entries … audit trail | X | X |
| Subpart B 11.10 (f) | System checks will enforce sequencing of steps … | | X |
| Subpart B 11.10 (g) | … electronic signatures only by authorized individuals. | X | X |
| Subpart B 11.10 (h) | Device checks will determine validity of inputs… | | X |
| Subpart B 11.10 (i) | System users have the necessary education, training… | X | X |
| Subpart B 11.10 (j) | Written policies that hold individuals accountable… | X | |
| Subpart B 11.10 (k) | Controls over system documentation… | X | X |
| Subpart B 11.10 (k) 1 | …controls over the distribution of, access to, and use | X | X |
| Subpart B 11.10 (k) 2\* | Revision and change control … an audit trail… | X | X |
| Subpart B 11.30\* | Controls for open systems | N/A\*\* | N/A\*\* |
| Subpart B 11.50 (a) | Signature manifestation | | X |
| Subpart B 11.50 (a) 1 | printed name of the signer | | X |
| Subpart B 11.50 (a) 2 | date and time | | X |
| Subpart B 11.50 (a) 3 | meaning (review, approval, …) | | X |
| Subpart B 11.50 (b) | same controls as for electronic records … | | X |
| Subpart B 11.70 | Signature/record linking | | X |
| Subpart C | Electronic Signatures | | |
| Subpart C 11.100 (a) | Electronic signatures must be unique to an individual | X | X |
| Subpart C 11.100 (b) | Organizations must verify an individual’s identity… | X | |
| Subpart C 11.100 (c) | … electronic signatures … legal equivalent … | X | |
| Subpart C 11.100 (c) 1 | …certification submitted in paper... to Office… | X | |
| Subpart C 11.100 (c) 2 | …upon agency request, provide additional cert… | X | |
| Subpart C 11.200 (a) | Non-biometric signatures | X | X |
| Subpart C 11.200 (a) 1 | Use at least two different identification components (e.g. user ID and password) | X | X |
| Subpart C 11.200 (a) 1.i | Multiple signatures in a continuous session … | X | X |
| Subpart C 11.200 (a) 1.ii | Multiple signatures not in a continuous session… | X | X |
| Subpart C 11.200 (a) 2 | Must be used only by their genuine users | X | |
| Subpart C 11.200 (a) 3 | … two or more individuals to use another user’s… | X | X |
| Subpart C 11.200 (b) | Biometric signatures must be designed … | N/A\*\*\* | N/A\*\*\* |
| Subpart C 11.300 | Controls for Identification Codes/Passwords | X | X |
| Subpart C 11.300 (a) | … no two individuals can have the same comb… | X | X |
| Subpart C 11.300 (b) | … are periodically checked or revised | X | X |
| Subpart C 11.300 (c) | Lost or potentially compromised … voided … | X | |
| Subpart C 11.300 (d) | Transaction safeguards are used to prevent unauth… | X | X |
| Subpart C 11.300 (e) | ID or password generating devices …must be tested… | X | |

\* These sections are part of the enforcement discretion defined in the Part 11 Guidance for Industry

\*\* Open systems are outside the scope of this guide

\*\*\* Biometric signatures are outside the scope of this guide