
21 CFR Part 11 Compliance with Electronic Record Keeping


What Do Medical Device Companies Need to Know About 21 CFR Part 11?

How to Ace 21 CFR Part 11 Compliance for Electronic Records?

Medical device companies who want to bring devices and solutions to market in North America must abide by strict FDA regulations to ensure that they’re essentially making the right devices the right way.  


Patient safety is a complex, multivariate, and multi-faceted problem. In addition to the obvious technical considerations a device company needs to make before submitting for, and even after receiving, a 510(k) clearance or Pre-Market Authorization (PMA) approval, the factors it needs to consider extend beyond the device itself.


The FDA’s 21 CFR Part 820 is designed to determine what a medical device company needs to factor in during the months and years that lead up to their application for a 510(k) or PMA. Documents that they need to submit in their bid to bring a product to market include a Design History File (DHF), Device Master Records (DMR), and a Device History Record (DHR).  


Device and design data are of prime importance, and so is the need to record and maintain all communications, reviews, approvals, and signatures that are part of the device’s lifecycle up and down the supply chain. Being able to record and trace all the considerations that go into device- and design-level decisions ultimately impacts patient-level decisions and patient quality of life.


So what does all this have to do with 21 CFR Part 11? 

Traditionally, all documentation that medical device companies gathered has been paper-based. Since 1997, however, the FDA has established criteria for the acceptance of electronic records, electronic signatures, and handwritten signatures executed to electronic documents.


In order to be 21 CFR Part 11 compliant in record keeping by FDA standards, medical device companies need to understand how the FDA views any record that a company creates, modifies, maintains, archives, retrieves, and/or transmits during the device’s life cycle. 


Records and signatures primarily need to have three key aspects: 

  • Unique authentication 

  • Completeness 

  • Security  


The FDA defines criteria for these in the context of electronic records in 21 CFR Part 11 Subpart B, and in the context of the actual electronic signatures in Subpart C. 


Electronic Records 

Controls for closed and open systems 

Whether you use a closed or open system to manage and keep records, the key priorities are the authenticity, integrity, and confidentiality of the record. Anyone contributing to a record, whether by approving, stamping, reviewing, or creating it, must not be able to repudiate the record. This means controlling system access and providing the right level of access to each user, so that only those who should provide approval are authorized to do so. For open systems, administrators need to ensure the authenticity, integrity, and confidentiality of a record from the time it is created until it is received by the responsible authority or recipient.


Signature manifestations 

Signed electronic records need to show the printed name, the date and time of the signature, and whether the signature indicates review, approval, authorship, or responsibility.


Signature and record linking 

Electronic signatures and handwritten signatures executed to electronic records should be linked to the correct electronic records. This is done to create clear traceability and make it harder for anyone to try to falsify electronic records by copying signatures. 


Electronic Signatures 

Electronic signatures and controls 

Signatures collected electronically must be completely genuine. This is of prime importance: otherwise anyone could sign for the designated authority with impunity, which exposes a lot of risk. Each person who interacts with electronic records to create, authorize, approve, review, or authenticate them must be tied to their own unique identification and password. It goes without saying that user IDs and passwords should only be used by those to whom the ID belongs.


Controls for identification codes and passwords

While it doesn’t need to be said that you must keep your user IDs and passwords secure, password security is still a very pressing issue for cyber-safety and cybersecurity. Passwords can be compromised in many different ways, so preserving the integrity of user IDs and passwords is critical to ensure that no data or approval record is lost, stolen, missing, or otherwise compromised.


Any company trying to take its record-keeping and approvals paperless needs to make 21 CFR Part 11 compliance a key focus. The ability of users to create, maintain, and authorize the authenticity of records in a secure and safe manner lies entirely in their ability to uniquely perform these tasks. Medical device companies that prioritize paperless initiatives can then have a chance to automate approvals and collaboration and accelerate their time to market. Going paperless is the seed of that vision.



Compliance with FDA guidelines about managing and maintaining design controls, requirements, Design History Files (DHF), Device Master Records (DMR), production plans, V&V plans and quality plans is an absolutely critical aspect of giving your medical device solutions a fair chance to enter the market. Preparing dossiers for 510(k) or PMA submissions  


On Nov 19 and 20, 2019, Aventec in partnership with Dassault Systèmes is launching Accelerate: a Medical Device Innovation Summit with the goal of helping Medical Device companies ensure compliance, quality, and innovation remain the central pillars of your success. Learn more about the event to see whether you should attend. Register while spots are open. 

