
Compliance

21 CFR Part 11 Checklist: A Section-Referenced Self-Audit

Dejan Murko

At a glance

  • This page is the deliverable: a section-by-section Part 11 checklist with the exact subsection reference, a plain “what good looks like,” and a pass / partial / fail column you can fill in during a self-audit.
  • It is organized the way the rule is: electronic-records controls (§ 11.10), open-system controls (§ 11.30), and electronic-signature controls (§ 11.50, 11.70, 11.100, 11.200, 11.300).
  • Before you score anything, fix scope: confirm a predicate rule requires the record, and decide whether your system is open or closed, because that changes which controls apply.
  • A dedicated audit-trail sub-checklist and an e-signature sub-checklist break out the two areas teams most often fail.
  • A closing section names five recurring inspection findings this checklist is built to catch.

Most “21 CFR Part 11 checklist” pages either gate the real artifact behind an email form or give a flat bullet list that just restates the rule’s headings. This one is the checklist, on the page, copy-pasteable, with every line tied to its precise subsection and a status column you can fill in. Use it as a self-audit before an inspection or a software decision.

It is a checklist, not a tutorial. For why Part 11 exists and what is in scope, see the Part 11 explainer; for choosing compliant-capable software, the compliant-software guide; for how to actually run validation, the CSV guides; and for audit-trail depth, the audit-trail guide. Here, the audit-trail items appear as checklist rows, not as a standalone explainer.

How to use this checklist

  1. Confirm scope. Part 11 governs records a predicate rule requires you to keep or submit and that you keep electronically. If no predicate rule requires the record, it is not in Part 11 scope. Start there.
  2. Classify the system. A closed system is one where access is controlled by the people responsible for the record content; an open system is one where it is not (§ 11.3 definitions). Closed systems follow § 11.10; open systems follow § 11.30, which layers extra measures on top.
  3. Score each line pass / partial / fail against “what good looks like,” and note the evidence. “Partial” means the capability exists but is not fully configured, validated, or operating.
  4. Validate the checklist itself. Re-run it after changes; a control that passed last year can fail after an upgrade or a config change.

The checklist: electronic records controls (§ 11.10)

| # | Requirement (ref) | What good looks like | Pass / Partial / Fail |
|---|---|---|---|
| 1 | Validation of systems (§ 11.10(a)) | The system is validated for accuracy, reliability, and consistent intended performance, with the ability to discern invalid or altered records; validation evidence exists and is current. | ☐ |
| 2 | Accurate, complete copies (§ 11.10(b)) | You can produce accurate, complete copies of records in both human-readable and electronic form for FDA inspection, review, and copying. | ☐ |
| 3 | Record protection & retention (§ 11.10(c)) | Records are protected for accurate, ready retrieval throughout the retention period. | ☐ |
| 4 | Limit access to authorized individuals (§ 11.10(d)) | System access is limited to authorized individuals; no shared or generic accounts. | ☐ |
| 5 | Audit trail (§ 11.10(e)) | See the audit-trail sub-checklist below. | ☐ |
| 6 | Operational system checks (§ 11.10(f)) | The system enforces permitted sequencing of steps and events where appropriate. | ☐ |
| 7 | Authority checks (§ 11.10(g)) | Only authorized individuals can use the system, sign records, or access devices/operations. | ☐ |
| 8 | Device checks (§ 11.10(h)) | Where appropriate, the system validates the source of data input or operational instruction. | ☐ |
| 9 | Personnel qualifications (§ 11.10(i)) | People who develop, maintain, or use the system have the education, training, and experience for their tasks. | ☐ |
| 10 | Accountability policies (§ 11.10(j)) | Written policies hold individuals accountable for actions under their electronic signatures, to deter falsification. | ☐ |
| 11 | Controls over documentation (§ 11.10(k)) | Access to and change control of systems documentation is controlled, with a time-sequenced audit trail of documentation changes. | ☐ |

Audit-trail sub-checklist (§ 11.10(e))

| # | Audit-trail item | What good looks like | Pass / Partial / Fail |
|---|---|---|---|
| 5a | Secure & computer-generated | The audit trail is system-generated, not manual, and users cannot disable or edit it. | ☐ |
| 5b | Time-stamped, with author | It independently records the date, time, and author of entries that create, modify, or delete records. | ☐ |
| 5c | No overwrite | Record changes do not obscure previously recorded information; prior values remain visible. | ☐ |
| 5d | Retained as long as the record | Audit-trail documentation is retained at least as long as the underlying record. | ☐ |
| 5e | Available to FDA | The audit trail is available for agency review and copying. | ☐ |
| 5f | Reviewed | Audit trails are actually reviewed (an unreviewed audit trail is a common finding). | ☐ |
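To make items 5a to 5c concrete, here is an added illustration (not TrialTrack's code and not a reference implementation from the rule) of an append-only audit trail in Python. The system, not the user, stamps each entry with time and author; the prior value is stored alongside the new one so nothing is overwritten; and each entry is hash-chained to the one before it, so a later edit or a deleted entry is detectable when the chain is re-verified. The record identifiers, user ids and timestamps are constructed sample values; the hash chain is one design choice for "users cannot edit it", assumed here rather than required by the rule.

```python
"""Append-only, tamper-evident audit trail (illustrative, not TrialTrack code)."""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64


class AuditTrail:
    """Append-only log of who changed which record, when, from what, to what.

    Entries are never updated or removed by callers; each entry carries the
    SHA-256 of the previous entry, so verify() can detect edits and deletions.
    """

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same content always hashes the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, *, user_id, record_id, action, old_value, new_value, clock=None):
        """Append one entry and return its sequence number.

        The timestamp is taken by the system (§ 11.10(e): computer-generated);
        `clock` exists only so tests can supply a fixed time.
        """
        ts = (clock or datetime.now(timezone.utc)).isoformat()
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        body = {
            "seq": len(self._entries) + 1,
            "timestamp": ts,
            "user_id": user_id,
            "record_id": record_id,
            "action": action,            # "create", "modify" or "delete"
            "old_value": old_value,      # prior value kept visible, never overwritten
            "new_value": new_value,
            "prev_hash": prev_hash,
        }
        body["hash"] = self._digest(body)
        self._entries.append(body)
        return body["seq"]

    def entries(self):
        """Deep copies, so callers cannot mutate the log through the returned objects."""
        return copy.deepcopy(self._entries)

    def history(self, record_id):
        """Every change to one record, oldest first, with old and new values."""
        return [copy.deepcopy(e) for e in self._entries if e["record_id"] == record_id]

    def verify(self):
        """Recompute the chain. Returns (True, None) or (False, first bad seq)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self._entries, start=1):
            body = {k: v for k, v in e.items() if k != "hash"}
            # A removed entry shifts later seq numbers; an edited entry changes its hash;
            # either also breaks the prev_hash link of the entry that follows.
            if body["seq"] != i or body["prev_hash"] != prev:
                return False, i
            if self._digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def demo_trail():
    """Constructed sample: a CRF field created by one user and modified by another."""
    trail = AuditTrail()
    fixed = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)  # fixed clock for reproducibility
    trail.record(user_id="jdoe", record_id="CRF-0042", action="create",
                 old_value=None, new_value={"dose_mg": 10}, clock=fixed)
    trail.record(user_id="asmith", record_id="CRF-0042", action="modify",
                 old_value={"dose_mg": 10}, new_value={"dose_mg": 20}, clock=fixed)
    return trail


if __name__ == "__main__":
    t = demo_trail()
    for e in t.history("CRF-0042"):
        print(e["seq"], e["timestamp"], e["user_id"], e["action"], e["old_value"], "->", e["new_value"])
    print("chain intact:", t.verify())
```

In a real system the log would be persisted outside the reach of ordinary application users (a write-only database role, or an external log store), and verify() would run as part of the periodic review item 5f asks for, with its result recorded as review evidence.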

The checklist: controls for open systems (§ 11.30)

Apply these only if your system is open (access not controlled by those responsible for the records).

| # | Requirement (ref) | What good looks like | Pass / Partial / Fail |
|---|---|---|---|
| 12 | All § 11.10 controls (§ 11.30) | Every applicable § 11.10 control is in place. | ☐ |
| 13 | Additional measures (§ 11.30) | Additional measures such as document encryption and appropriate digital-signature standards ensure record authenticity, integrity, and confidentiality from creation to receipt. | ☐ |

The checklist: electronic signature controls (§ 11.50, 11.70, 11.100, 11.200, 11.300)

Apply these only where you use electronic signatures.

| # | Requirement (ref) | What good looks like | Pass / Partial / Fail |
|---|---|---|---|
| 14 | Signature manifestations (§ 11.50) | Signed records show the printed name of the signer, the date and time of signing, and the meaning (review, approval, responsibility, authorship). | ☐ |
| 15 | Signature/record linking (§ 11.70) | Signatures are linked to their records so they cannot be excised, copied, or transferred to falsify a record. | ☐ |
| 16 | Uniqueness (§ 11.100) | Each electronic signature is unique to one individual and never reused or reassigned; identity is verified before assignment. | ☐ |
| 17 | Signature components (§ 11.200) | Non-biometric signatures use at least two distinct identification components (e.g., ID + password), with the correct re-authentication rules for continuous vs. non-continuous sessions. | ☐ |
| 18 | ID/password controls (§ 11.300) | Identification-code and password controls ensure uniqueness, periodic revision, loss management, and detection of unauthorized use. | ☐ |
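Items 14, 15 and 17 describe what a signing event must capture and how it must be bound to the record. The following added Python example (not TrialTrack's code, and one possible design rather than the only acceptable one) shows a signing service that requires ID plus password, produces a manifestation carrying printed name, date/time and meaning, and links it to the record by hashing the record content into the manifestation and protecting the whole with a server-side HMAC key. The user directory, password, key and record content are constructed sample values; the key is assumed to be held only by the signing service.

```python
"""Electronic signature manifestation bound to record content (illustrative, not TrialTrack code)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed server-side secret (assumption): only the signing service holds it, so a
# manifestation cannot be minted or re-minted outside the system.
SIGNING_KEY = b"constructed-demo-signing-key-replace-in-production"

# The four signature meanings the rule names in § 11.50.
MEANINGS = {"review", "approval", "responsibility", "authorship"}


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user directory: user id -> printed name and salted password hash.
_SALT = b"constructed-static-salt"  # a real system uses a random salt per user
USERS = {
    "jdoe": {"printed_name": "Jane Doe", "salt": _SALT, "pw_hash": _pw_hash("correct horse", _SALT)},
}


def _canonical(obj):
    # Stable serialisation so hashing and MAC-ing are deterministic.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def authenticate(user_id, password):
    """Two distinct components, ID and password (item 17). Returns the printed name."""
    user = USERS.get(user_id)
    if user is None:
        raise PermissionError("unknown user id")
    if not hmac.compare_digest(user["pw_hash"], _pw_hash(password, user["salt"])):
        raise PermissionError("password does not match")
    return user["printed_name"]


def sign_record(record_id, record_content, user_id, password, meaning, clock=None):
    """Produce a signature manifestation (item 14) linked to this record's content (item 15)."""
    if meaning not in MEANINGS:
        raise ValueError(f"meaning must be one of {sorted(MEANINGS)}")
    printed_name = authenticate(user_id, password)
    signed_at = (clock or datetime.now(timezone.utc)).isoformat()  # system-supplied time
    manifest = {
        "record_id": record_id,
        "record_hash": hashlib.sha256(_canonical(record_content)).hexdigest(),
        "user_id": user_id,
        "printed_name": printed_name,
        "signed_at": signed_at,
        "meaning": meaning,
    }
    # The MAC covers every field, so editing the meaning, name or record hash invalidates it.
    manifest["mac"] = hmac.new(SIGNING_KEY, _canonical(manifest), "sha256").hexdigest()
    return manifest


def verify_signature(manifest, record_id, record_content):
    """True only if the manifestation is intact and still refers to this record and content."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(SIGNING_KEY, _canonical(body), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return False  # manifestation altered after signing
    if manifest["record_id"] != record_id:
        return False  # manifestation transferred to another record
    return manifest["record_hash"] == hashlib.sha256(_canonical(record_content)).hexdigest()


def render_manifestation(manifest):
    """Human-readable form displayed on the signed record (item 14)."""
    return f"Signed by {manifest['printed_name']} on {manifest['signed_at']} ({manifest['meaning']})"


if __name__ == "__main__":
    content = {"subject": "001", "dose_mg": 10}  # constructed record content
    m = sign_record("CRF-0042", content, "jdoe", "correct horse", "approval")
    print(render_manifestation(m))
    print("valid:", verify_signature(m, "CRF-0042", content))
    print("valid after edit:", verify_signature(m, "CRF-0042", {"subject": "001", "dose_mg": 20}))
```

Binding the content hash into the manifestation is what makes item 15 testable: a signature copied onto another record, or left on a record whose content was later changed, fails verification instead of silently looking valid. The re-authentication rules for continuous versus non-continuous sessions that item 17 also asks for are session-state logic outside this snippet.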

Validation and assessment checklist

A validation/assessment checklist maps each item above to the evidence that proves it: validation protocols and reports for item 1, configuration records for access and signatures, retention SOPs for item 3, and the audit-trail review records for 5f. The how-to of producing that evidence (writing and executing IQ/OQ/PQ, validation protocols and templates) belongs to the CSV deliverables guide; here, the checklist simply asks whether the evidence exists and is current. The difference between an audit checklist (is the control in place and operating?) and a validation/assessment checklist (is there documented evidence it was established correctly?) is the difference between observing the control and proving it.

Five findings this checklist is built to catch

These recur in Part 11 inspection observations; the checklist is structured to surface them:

  1. Audit trails that are never reviewed (item 5f). The capability exists; the review does not.
  2. Shared or generic accounts (items 4, 16). Access that cannot be attributed to one individual breaks both access control and signature uniqueness.
  3. Incomplete e-signature elements (item 14). A signature missing the printed name, the date/time, or the meaning.
  4. GxP systems never validated (item 1). The system runs regulated records without validation evidence.
  5. Change control that skips Part 11 impact assessment (items 1, 11). Changes are made without re-assessing validated state or audit-trail integrity.

Download / copy the full checklist

Everything above is plain markdown tables. Copy them directly into a spreadsheet (one tab per section) or a document, replace each ☐ with Pass / Partial / Fail, and add an Evidence and an Owner column. There is no gated PDF; the artifact is the page.

A practical note on tooling: purpose-built clinical software can centralize the records, access controls, and audit-trail evidence several of these items ask for, which makes a self-audit faster to run. TrialTrack is one such clinical project management tool; its vendor describes it as offering a Part 11-aligned audit trail (that is TrialTrack’s own claim, and no tool makes a team compliant). Evaluate any tool only against the records it is actually built for.

Frequently asked questions

What does a 21 CFR Part 11 checklist contain? Line items for the electronic-records controls (§ 11.10), open-system controls (§ 11.30), and electronic-signature controls (§ 11.50-11.300), each tied to its subsection, with a status you can score.

What are the audit-trail line items? That the audit trail is secure and computer-generated, time-stamped with author, non-overwriting, retained as long as the record, available to FDA, and actually reviewed (§ 11.10(e)).

What is the difference between a validation/assessment checklist and an audit checklist? An audit checklist asks whether a control is in place and operating; a validation/assessment checklist asks whether documented evidence proves it was established correctly. Run both.

How do open vs. closed systems change which controls apply? Closed systems (access controlled by those responsible for the records) follow § 11.10. Open systems follow § 11.30, which adds measures like encryption and digital signatures on top of § 11.10.

Which 11.x subsection backs each item? Every row above cites its subsection, so each finding maps to the exact requirement.

The bottom line

A useful Part 11 checklist is the artifact, not a summary of the rule. Fix scope and system type first, then score each line (records, open-system, and signature controls) against its precise subsection and “what good looks like,” paying special attention to the audit-trail and e-signature sub-checklists and the five recurring findings. Copy the tables, add Evidence and Owner columns, and run it as a real self-audit, then re-run it after every significant change.

Dejan Murko

Dejan is the co-founder of Mayet, building software for biotech and pharma teams.