There is often confusion in companies about 21 CFR Part 11 and related compliance. Many companies believe they meet the requirements when in reality they do not. If you think it is all about validation, audit trails, records and retention, and that your business is safe because it keeps paper master files, you should revisit that idea. The question is more complex.

Let’s clarify and give some advice, especially to companies that deal with medical devices.

What is 21 CFR Part 11?

21 CFR Part 11 is the FDA regulation that sets the criteria under which electronic records, electronic signatures and handwritten signatures executed to electronic records are considered trustworthy, reliable and generally equivalent to paper records and handwritten signatures executed on paper (21 CFR 11.1(a)).

After the general provisions (Subpart A, which contains the definitions in 11.3), Subpart B of Part 11 deals with electronic records, including the controls on systems and on record retention, and Subpart C with electronic signatures.

One thing to remember is that Part 11 dates back to 1997, so our understanding of electronic systems and their potential has changed a great deal in the more than twenty years since. The FDA itself narrowed how it enforces the rule in its 2003 guidance on Part 11 scope and application, so read the regulation together with that guidance.

Who should apply 21 CFR Part 11? Any company that creates, modifies, maintains, archives, retrieves or transmits in electronic form records required by an FDA regulation (a predicate rule), or that uses electronic signatures on such records, must apply it (21 CFR 11.1(b)). It is not triggered by the mere use of computers, but in practice it covers most quality and production records in a regulated company.

Electronic record: “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” (11.3(b)(6))

Purpose of 21 CFR Part 11

know that your computer systems and software work as intended, and detect when they do not (validation)

keep your records securely, so that they cannot be modified without trace or lost

track every change to the records, with who made it and when

detect falsification of records and make it harder to commit

Controls for closed systems

Those who use closed systems to create, modify, store or transmit electronic records must have procedures and controls designed to ensure the authenticity, integrity and, when appropriate, the confidentiality of the records, and to ensure that a signer cannot readily repudiate a signed record as not genuine (11.10). The controls are:

validation of the system, to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid or altered records

ability to generate accurate and complete copies of records, in human-readable and in electronic form, suitable for FDA inspection

protection of records so that they remain accurate and readily retrievable throughout the retention period

limiting system access to authorized individuals

secure, computer-generated, time-stamped audit trails

operational system checks that enforce the permitted sequencing of steps and events

authority checks, so that only authorized individuals can use the system, sign a record, access an operation or alter a record

device (terminal) checks on the validity of the source of data input

training of the people who use the system, and written policies that hold individuals accountable for actions taken under their electronic signatures (adherence to the SOPs)

controls over system documentation, including change control with an audit trail of revisions

Password and access management

User IDs and passwords are the identification components on which access control in most Part 11 systems rests. They are not in themselves the strongest control in a system, but they are what lets the system tie every action to a person, and therefore to that person's role, permissions and limitations.

It is good practice to apply password management best practices, and here the regulation is vague: 11.300 only requires that each ID/password combination be unique, that credentials be periodically checked, recalled or revised (password aging), that lost or compromised credentials be deauthorized and replaced, and that attempts at unauthorized use be detected and reported. The following values are common industry practice, not numbers taken from the regulation:

minimum 8 characters

do not use common words, which are the first thing a guessing attack tries

mix letters and digits (adding other characters makes guessing harder still)

change the password periodically; 90 days is the usual GxP setting. Part 11 (11.300(b)) requires some form of password aging, which is why rotation survives in regulated environments even though NIST SP 800-63B no longer recommends forced rotation on its own for general systems

do not reuse any of the last 6 passwords

mask the password as it is typed

do not allow the browser to save the password

the password is personal and non-transferable: never share it, because every recorded action is attributed to the account that performed it

do not write the password on paper or post-its

Access to electronic records must be controlled by unique user IDs and personal logins, with access granted through username and password (or a stronger second factor). No two people may share an ID/password combination, and an ID must never be reassigned to another person (11.300(a)).

After a period of inactivity (commonly 10 minutes) the session should be locked or terminated automatically, so that an unattended workstation cannot be used under someone else's identity. Login should be suspended after 3 unsuccessful credential entries, and the lockout reported to the security function: 11.300(d) requires attempts at unauthorized use to be detected and reported in an immediate and urgent manner.

If an account has been inactive for a long period it must be locked; this period is usually set at 30 days. Unlocking must be an administrative action that is itself recorded.
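The access rules above fit together as one small state machine, shown here as an added example written for this page (not code from the article or from any vendor). It assumes the article's numeric values, a salted PBKDF2 password store, and constructed user names and timestamps; the audit list it fills stands in for the system's audit trail:

```python
# Added example, not code from the original article; the limits are the article's suggested values.
import hashlib
import os
from datetime import datetime, timedelta

MIN_LENGTH, HISTORY_DEPTH, MAX_FAILED_ATTEMPTS = 8, 6, 3
MAX_PASSWORD_AGE, IDLE_TIMEOUT, DORMANCY_LIMIT = timedelta(days=90), timedelta(minutes=10), timedelta(days=30)
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein"}  # constructed sample list

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)  # salted; no plaintext kept

def check_policy(password, history):
    """Return the rule a new password violates, or None if it is acceptable."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if any(word in password.lower() for word in COMMON_WORDS):
        return "contains a common word"
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        return "needs both letters and digits"
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hash_password(password, salt) == digest:
            return "reused: matches one of the last %d passwords" % HISTORY_DEPTH
    return None

class Session:
    def __init__(self, user_id, now, audit, must_change_password):
        self.user_id, self.last_activity, self.audit = user_id, now, audit
        self.must_change_password, self.active = must_change_password, True

    def touch(self, now):  # call on every request; returns False once the idle timeout has elapsed
        if self.active and now - self.last_activity > IDLE_TIMEOUT:
            self.active = False
            self.audit.append((now, self.user_id, "session terminated: idle timeout"))
        if self.active:
            self.last_activity = now
        return self.active

class Account:
    def __init__(self, user_id, password, now, audit):
        self.user_id, self.audit = user_id, audit
        self.history = []  # (salt, digest) of every password ever set, for the reuse check
        self.failed, self.locked, self.last_login = 0, False, now
        self.set_password(password, now)

    def set_password(self, password, now):
        violation = check_policy(password, self.history)
        if violation:
            raise ValueError(violation)
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.password_set = now
        self.audit.append((now, self.user_id, "password changed"))

    def unlock(self, now, admin_id):  # an administrative unlock re-activates the account and is audited
        self.failed, self.locked, self.last_login = 0, False, now
        self.audit.append((now, admin_id, "unlocked account " + self.user_id))

def login(acct, password, now):
    """Apply the lockout, dormancy and password-age rules; every outcome is audited."""
    if acct.locked:
        acct.audit.append((now, acct.user_id, "login refused: account locked"))
        return None
    if now - acct.last_login > DORMANCY_LIMIT:
        acct.locked = True
        acct.audit.append((now, acct.user_id, "account locked: dormant"))
        return None
    salt, digest = acct.history[-1]
    if hash_password(password, salt) != digest:
        acct.failed += 1
        acct.locked = acct.failed >= MAX_FAILED_ATTEMPTS  # 11.300(d): detect and report misuse
        acct.audit.append((now, acct.user_id, "account locked: %d failed logins" % acct.failed
                           if acct.locked else "login failed"))
        return None
    acct.failed, acct.last_login = 0, now
    expired = now - acct.password_set > MAX_PASSWORD_AGE
    acct.audit.append((now, acct.user_id, "login ok" + (", password expired" if expired else "")))
    return Session(acct.user_id, now, acct.audit, must_change_password=expired)

def run_scenario():
    """Walk one constructed user through the controls; the audit list records every decision."""
    audit, t0, pw = [], datetime(2024, 1, 1, 9, 0), "Line3-Cam7x"
    acct = Account("inspector01", pw, t0, audit)
    r = {"too_short": check_policy("abc1", acct.history), "reuse": check_policy(pw, acct.history),
         "common": check_policy("password1", acct.history)}
    for i in range(MAX_FAILED_ATTEMPTS):  # three wrong passwords lock the account
        login(acct, "wrong", t0 + timedelta(minutes=i))
    r["locked"] = acct.locked and login(acct, pw, t0 + timedelta(minutes=4)) is None
    acct.unlock(t0 + timedelta(minutes=5), "admin")
    s = login(acct, pw, t0 + timedelta(minutes=6))
    r["active_after_9_idle_min"] = s.touch(t0 + timedelta(minutes=15))
    r["active_after_15_idle_min"] = s.touch(t0 + timedelta(minutes=30))
    for d in (20, 40, 60, 80):  # regular use keeps the account live
        login(acct, pw, t0 + timedelta(days=d))
    r["expired_at_day_95"] = login(acct, pw, t0 + timedelta(days=95)).must_change_password
    r["dormant_at_day_126"] = login(acct, pw, t0 + timedelta(days=126)) is None
    r["audit"] = audit
    return r
```

run_scenario() drives one user through the controls and returns the outcomes together with the audit entries. Note that the locked and dormant checks both happen before the password is compared, so a locked account cannot be used even with the correct password, and that the unlock is an explicit, audited administrative action rather than an automatic timeout.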

Audit trail and electronic signature

The purpose of the audit trail is to know who did what and when. It records when a record is created, changed or deleted, by whom, and when each of these events occurred.

Every event concerning a record must be recorded with the identity of the person who performed it and the date and time. The audit trail must be generated by the computer itself, be secure against alteration, and a change must not obscure the previously recorded value (11.10(e)). It must be kept at least as long as the record it belongs to and be available for FDA review and copying.

Part 11 also aims to detect fraud, and knowing when each change occurred and who made it is what makes that possible. The audit trail is the complete history of an electronic record.

Part 11 also covers electronic signatures for the review and approval of information. A non-biometric signature must use at least two distinct identification components, typically a unique user ID and a password (11.200), and the signed record must show the signer's printed name, the date and time, and the meaning of the signature, such as review, approval or authorship (11.50). The signature must be linked to its record so that it cannot be removed, copied or transferred to another record (11.70). In practice this means that once a record has been signed for approval it is locked: any later change must be recorded in the audit trail and invalidates the approval, so the record has to be re-approved.
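The audit trail and signature requirements just described, as an added example written for this page rather than taken from the article or any product: an append-only trail in which each entry carries the hash of the previous one, so an altered or removed entry is detectable, and a signature bound to a hash of the exact record version that was signed. The record fields, the user table, the server-held HMAC key and the user names are assumptions made for the illustration:

```python
# Added example, not code from the original article. Record layout, users and
# the HMAC signature scheme are illustrative assumptions, not any product's design.
import hashlib
import hmac
import json
import os
from datetime import datetime

SERVER_KEY = os.urandom(32)  # held by the system, never by users; binds signatures to this system

def _credential(password):  # salted PBKDF2 digest for the constructed sample users below
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# user ID + password: the two identification components of a non-biometric signature (11.200)
USERS = {"qa_lead": ("Maria Rossi",) + _credential("Approve-2024!x")}

def _sha256(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class AuditedRecords:
    def __init__(self):
        self.trail = []    # append-only, hash-chained; entries are never edited or removed
        self.records = {}  # record_id -> {"version", "content", "signature" (trail seq or None)}

    def _log(self, now, user, action, record_id, payload):
        entry = {"seq": len(self.trail), "time": now.isoformat(), "user": user, "action": action,
                 "record": record_id, "payload": payload,
                 "prev": self.trail[-1]["hash"] if self.trail else "0" * 64}
        entry["hash"] = _sha256(entry)  # covers every field above, including the previous hash
        self.trail.append(entry)
        return entry

    def create(self, now, user, record_id, content):
        self.records[record_id] = {"version": 1, "content": dict(content), "signature": None}
        self._log(now, user, "create", record_id, {"version": 1, "new": dict(content)})

    def update(self, now, user, record_id, field, value):
        """New version; the old value stays in the trail (11.10(e)) and any signature lapses."""
        rec = self.records[record_id]
        payload = {"version": rec["version"] + 1, "field": field,
                   "old": rec["content"].get(field), "new": value}
        if rec["signature"] is not None:
            payload["invalidated_signature"] = rec["signature"]  # record must be re-approved
            rec["signature"] = None
        rec["version"], rec["content"][field] = rec["version"] + 1, value
        self._log(now, user, "update", record_id, payload)

    def sign(self, now, user_id, password, record_id, meaning):
        name, salt, digest = USERS[user_id]
        if not hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest):
            self._log(now, user_id, "signature refused: bad credentials", record_id, {})
            raise PermissionError("authentication failed")
        rec = self.records[record_id]
        # 11.50 manifestation: printed name, date/time, meaning; 11.70 linking via the content hash
        manifest = {"signer": name, "meaning": meaning, "time": now.isoformat(),
                    "version": rec["version"], "content_hash": _sha256(rec["content"])}
        manifest["sig"] = hmac.new(SERVER_KEY, json.dumps(manifest, sort_keys=True).encode(), "sha256").hexdigest()
        rec["signature"] = self._log(now, user_id, "sign", record_id, manifest)["seq"]

    def signature_valid(self, record_id):
        """True only if a signature exists, is authentic, and matches the record's current content."""
        rec = self.records[record_id]
        if rec["signature"] is None:
            return False
        manifest = dict(self.trail[rec["signature"]]["payload"])
        sig = manifest.pop("sig")
        expected = hmac.new(SERVER_KEY, json.dumps(manifest, sort_keys=True).encode(), "sha256").hexdigest()
        return hmac.compare_digest(sig, expected) and manifest["content_hash"] == _sha256(rec["content"])

    def verify_trail(self):
        """Return the seq of the first altered or out-of-order entry, or None if the chain is intact."""
        prev = "0" * 64
        for entry in self.trail:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _sha256(body):
                return entry["seq"]
            prev = entry["hash"]
        return None

def run_scenario():
    """A constructed inspection record: edit, sign, edit after signing, then tamper with the trail."""
    t, db, rid = datetime(2024, 3, 5, 10, 0), AuditedRecords(), "batch-0417"
    db.create(t, "inspector01", rid, {"lot": "0417", "reject_count": 2, "status": "draft"})
    db.update(t.replace(minute=5), "inspector01", rid, "reject_count", 3)
    try:
        db.sign(t.replace(minute=9), "qa_lead", "wrong-password", rid, "approved")
        r = {"bad_password_refused": False}
    except PermissionError:
        r = {"bad_password_refused": True}
    db.sign(t.replace(minute=10), "qa_lead", "Approve-2024!x", rid, "approved")
    r["valid_after_sign"] = db.signature_valid(rid)
    db.update(t.replace(minute=20), "inspector01", rid, "reject_count", 0)  # change after approval
    r["valid_after_edit"] = db.signature_valid(rid)
    r["old_values"] = [e["payload"]["old"] for e in db.trail if e["action"] == "update"]
    r["intact"] = db.verify_trail()        # None: nothing in the trail has been altered
    db.trail[1]["payload"]["old"] = 3      # someone edits the stored trail to hide the first count
    r["tampered_seq"] = db.verify_trail()  # 1: the chain breaks at the altered entry
    return r
```

The update after approval is not refused: it is recorded with both old and new values, and the signature stops validating because the content hash no longer matches, which forces re-approval. The hash chain only makes tampering detectable; an administrator who can rewrite the whole trail could recompute every hash, so write-once storage or an externally kept copy of the latest chain head is still needed to make the trail trustworthy against insiders.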

Remember that:

Compliance with 21 CFR Part 11 is always the responsibility of the company. No software vendor or validation company can take that responsibility for you.

Consulting firms will be able to test and validate your platform, support you in filling out the necessary documentation and help you achieve compliance but the ultimate responsibility remains with the company.

Restrict access to the system

A compliant vision system must have a secure authentication mechanism to prevent unauthorized access. The best solution is to link it to the manufacturer's Active Directory (or another central directory), so that users are authenticated centrally and assigned the appropriate roles and privileges rather than managed in a local account list. Any user or login change must be recorded and appear in the audit log.

Use audit logs

In a compliant vision system, a change to a setting, for example a parameter on an image-based scanner, creates a timestamped record of who changed what; that record cannot be edited or deleted and can be reviewed by an auditor later.


Users of a compliant vision system must demonstrate proper software installation via Installation Qualification (IQ), proper software operation via Operational Qualification (OQ), and proper system operation in context of production through Performance Qualification (PQ).

Cognex supports compliance with 21 CFR Part 11

While end users are responsible for final validation to ensure full compliance, Cognex, together with its global network of integration partners, provides all the documentation needed to support the IQ and OQ, as well as the software functions needed to complete the PQ. All Cognex vision systems provide the security and access controls needed to ensure compliance during operations.

The challenges of complying with 21 CFR Part 11

Compliance typically involves creating work instructions to meet each specific 21 CFR Part 11 requirement, developing validation protocols to ensure proper configuration, operation and performance of equipment and software, creating standard operating procedures (SOPs), and extensive training for the personnel who use the equipment and programs.

Any tool that facilitates this process is helpful.

Many manufacturers in FDA-regulated industries use our OLYMPUS CIX100 technical cleanliness inspector. Built with an intuitive interface, efficient data acquisition and quick reporting options, the CIX100 system can help you quickly and easily assess the cleanliness of manufactured components to determine whether they meet company and international standards.