Skip to content
NewIoMT security correlation is now built into device inventory
Resources
Compliance

21 CFR Part 11 for clinical engineering: a practical checklist

21 CFR Part 11 is short, old, and routinely misunderstood. For clinical engineering teams moving calibration and maintenance records off paper, it's also the single clearest yardstick for whether your electronic records will survive an audit. Here's what the rule asks for — and a checklist you can run against any CMMS.

Checklist 9 min readUpdated June 2026

What Part 11 is — and what it isn't

21 CFR Part 11 is the FDA regulation that says: if you keep a record electronically that an FDA rule otherwise requires you to keep, the electronic version has to be as trustworthy as a signed paper one. It sets controls for electronic records and electronic signatures so they can't be quietly altered, repudiated, or faked.

The scope detail that trips people up: Part 11 applies to records required by a 'predicate rule' — another FDA regulation that mandates the record in the first place. It does not, by itself, require you to keep anything. So whether a given clinical-engineering record is strictly 'a Part 11 record' depends on the predicate rule behind it.

FDA's own 2003 'Scope and Application' guidance narrowed how aggressively it enforces Part 11, pointing to a risk-based approach: apply the controls in proportion to the record's impact on product quality, safety, and record integrity. That's the spirit to bring to the checklist — not box-ticking, but asking 'could this record be wrong, altered, or disowned without anyone knowing?'

1. Validation (§11.10(a))

The system has to do what it claims, consistently, and you have to be able to show it. For a CMMS that means documented evidence that scheduling logic, calibration calculations, and record-locking behave as specified — including for invalid or edge-case input.

  • Documented validation of the records the system produces
    Not just 'it installed' — evidence that calibration math, PM scheduling, and audit logging produce correct results.
  • Re-validation tied to version changes
    A defined process to re-test affected functions when the vendor ships an update.
  • The vendor can supply validation documentation
    Look for a validation package or summary you can attach to your own quality records.

2. Access control & authority checks (§11.10(d), (g))

Only authorized people get in, and within the system only authorized people can take a given action. A BMET should be able to record a calibration; approving and locking it should require someone with that authority.

  • Unique accounts per individual — never shared logins
    Shared credentials make every signature and audit entry unattributable, which collapses the whole model.
  • Role-based permissions that gate sensitive actions
    Create vs. approve vs. void are distinct authorities, not one 'edit' grant.
  • Access is provisioned and de-provisioned on a defined process
    Leavers lose access promptly; SSO/MFA for elevated roles.

3. Audit trails (§11.10(e))

This is the heart of Part 11 and the most common place electronic systems fail it. The rule asks for secure, computer-generated, time-stamped audit trails that independently record the date and time of operator actions that create, modify, or delete records — and crucially, changes must not obscure previously recorded information. You keep the audit trail at least as long as the record itself, available for review and copying.

  • Audit entries are automatic, not optional
    The user can't choose whether an action is logged, and can't edit the log.
  • Timestamps are server-generated and unambiguous
    Trustworthy time source, ideally UTC, not the client's clock.
  • Edits preserve the prior value
    A change shows old → new; it never silently overwrites history.
  • The trail covers create, modify, and delete (or void)
    Including who, what, when — and ideally why for significant changes.
  • Audit data is exportable for an inspector
    You can hand over a complete, readable record of changes without screenshots.

4. Electronic signatures (§11.50, §11.70, §11.100–11.300)

When someone signs a record electronically, the signature has to mean something and stick to the record. Part 11 spells out the manifestation (what a signature shows), the linking (it can't be lifted off and reused), and the credentials behind it.

  • Each signature shows the signer's printed name, date/time, and meaning
    'Reviewed', 'Approved', 'Performed' — the act being attested, per §11.50.
  • Signatures are bound to their record and can't be transferred
    Per §11.70 — you can't copy a signature onto a different record.
  • Each signature is unique to one person, with verified identity
    §11.100 — no generic 'approver' account.
  • Non-biometric signing uses two distinct components
    e.g., an ID and a password; §11.200.
  • Password controls: uniqueness, aging, lockout, loss handling
    The §11.300 controls around identification codes and passwords.

5. Accurate copies & retention (§11.10(b), (c))

You have to be able to produce accurate, complete copies of records in both human-readable and electronic form for inspection, and protect records so they're retrievable for their whole retention period. For HTM that means a calibration record from years ago is still complete, legible, and exportable — including its audit trail and signatures.

  • Records export as complete, human-readable copies
    PDF or print that includes signatures and the audit trail, not just the data row.
  • Retention meets your longest applicable requirement
    Often the device's service life plus a margin — confirm against your policies.
  • Backups are immutable and tested
    You've actually restored from backup, not just configured one.

6. Training & accountability (§11.10(i), (j), (k))

The technical controls only hold if the people using them are trained and on the hook. Part 11 expects documented training for anyone working with the records, and a written policy that makes individuals accountable for actions taken under their electronic signatures.

  • Training records for everyone who touches regulated records
    Including the meaning and legal weight of their electronic signature.
  • A signed policy making e-signatures legally binding
    So a signature can't later be disowned.
  • Controlled system documentation and change control
    Versioned SOPs and distribution control over how the system is operated.

How to use this checklist

Run it as a procurement and audit-prep tool, not a one-time exercise. When you evaluate a CMMS, ask the vendor to show you each control rather than assert it — especially the audit trail behaving correctly on an edit, and a complete record export with signatures. When you prep for a survey, walk the same list against records you actually keep. The gaps you find are your remediation plan.

Key takeaways
  • Part 11 applies to electronic records an FDA predicate rule requires — but its controls are the integrity gold standard worth meeting regardless.
  • The audit trail is where most electronic systems fail: it must be automatic, tamper-evident, and never obscure prior values.
  • Electronic signatures must show name, time, and meaning, stay bound to their record, and rest on unique, verified credentials.
  • Pressure-test a CMMS by making the vendor demonstrate each control — especially an edit's audit entry and a complete record export.

See an audit-ready record in CogniQuip

Immutable calibration, computer-generated audit trails, and one-click record exports — built in. Walk through it on your own equipment.

Request a demoExplore the platform