Almost every pharmacovigilance system you evaluate will claim to be '21 CFR Part 11 compliant'. But what does that actually require, and what should you check rather than take on trust? This guide explains Part 11 in the context of drug safety, the specific controls it demands, and how compliance, validation, and GAMP 5 fit together.
What is 21 CFR Part 11?
21 CFR Part 11 is the section of the US Code of Federal Regulations in which the FDA sets out the criteria for electronic records and electronic signatures to be considered trustworthy and equivalent to paper records and handwritten signatures. For pharmacovigilance — where ICSRs, assessments, and submissions are all electronic — it is foundational. It governs how your safety data is created, modified, stored, and signed.
The core requirements
Part 11 is often summarised as a handful of practical controls a compliant system must provide.
Audit trails
The system must keep a secure, computer-generated, time-stamped audit trail that records who did what and when — including the creation, modification, and deletion of records, with before-and-after values. The audit trail must not be editable by users and should be available for inspection. In a PV system this means every change to a case is captured automatically.
Access control and security
Access must be limited to authorised individuals, with role-based access control (RBAC) enforcing least privilege and segregation of duties. Users should have unique credentials, and the system must protect records from unauthorised change.
Electronic signatures
Where electronic signatures are used, each must be unique to one individual, linked to its record, and include the signer's name, the date and time, and the meaning of the signature (such as review or approval). Signatures must not be transferable, and the link between signature and record must be tamper-evident.
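To make "non-editable audit trail" and "tamper-evident link between signature and record" concrete, here is an added Python sketch (not code from PVgenix or any vendor) of one way such controls can be checked. It assumes a hash-chained trail and a signature entry that stores a digest of the signed record; the case data, user names and function names are constructed for illustration.

```python
import hashlib, json

GENESIS = "0" * 64  # constructed starting value for the chain

def _digest(obj):
    # Canonical JSON so the same content always hashes the same way
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def append_entry(trail, user, when, action, field=None, before=None,
                 after=None, meaning=None, record=None):
    """Append a system-generated audit entry chained to the previous one."""
    entry = {"user": user, "when": when, "action": action,
             "field": field, "before": before, "after": after,
             "prev": trail[-1]["hash"] if trail else GENESIS}
    if action == "sign":
        # Signature manifestation: signer, time, meaning, bound to record content
        entry["meaning"] = meaning
        entry["record_digest"] = _digest(record)
    entry["hash"] = _digest(entry)
    trail.append(entry)
    return entry

def verify_trail(trail):
    """Return the index of the first entry whose hash or back-link fails, else None."""
    prev = GENESIS
    for i, e in enumerate(trail):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return i
        prev = e["hash"]
    return None

def signature_valid(entry, record):
    """A signature stays valid only while the record it covers is unchanged."""
    return entry["action"] == "sign" and entry["record_digest"] == _digest(record)

def demo():
    case = {"case_id": "CASE-0001", "seriousness": "non-serious"}  # constructed
    trail = []
    append_entry(trail, "asmith", "2024-01-05T09:00:00Z", "create")
    append_entry(trail, "asmith", "2024-01-05T09:12:00Z", "modify",
                 "seriousness", "non-serious", "serious")
    case["seriousness"] = "serious"
    sig = append_entry(trail, "bjones", "2024-01-05T10:00:00Z", "sign",
                       meaning="approval", record=case)
    intact = (verify_trail(trail), signature_valid(sig, case))
    trail[1]["after"] = "non-serious"    # simulated edit of the audit trail
    case["seriousness"] = "non-serious"  # simulated change after signing
    return intact, (verify_trail(trail), signature_valid(sig, case))
```

A bare hash chain only exposes edits if the latest hash is also held somewhere ordinary users cannot write; when evaluating a system, ask where that anchor lives and who can reach it.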
Record integrity and retrieval
Records must remain accurate, complete, and retrievable throughout their retention period, with the ability to generate accurate copies for the agency. Data retention must align to regulatory requirements.
| Control | What to look for |
|---|---|
| Audit trail | Automatic, time-stamped, non-editable, before/after values |
| Access control | RBAC, least-privilege, unique user accounts |
| Electronic signatures | Name, date/time, meaning; tamper-evident link to record |
| Data integrity | Encryption in transit and at rest; tenant isolation |
| Retention & retrieval | Configurable retention; accurate copies for inspection |
Part 11 compliance vs system validation
This is where buyers most often get confused. A system being 'Part 11 capable' means it provides the technical controls above. But Part 11 also has procedural expectations, and demonstrating that your specific installation works as intended is a separate activity: computer system validation (CSV). A vendor can build and document a Part 11-capable platform; the using organisation still has to qualify it in their environment.
Validation-ready, not pre-validated
PVgenix is validation-ready and audit-ready: it ships with a complete IQ/OQ/PQ documentation package to support client-led validation. 'Validated' is a state achieved only after qualification is executed in a specific client environment.
Where GAMP 5 fits
GAMP 5 (Good Automated Manufacturing Practice) is the industry framework for the risk-based validation lifecycle. It provides the structure — user requirements, functional and design specifications, and IQ/OQ/PQ qualification — through which you demonstrate that a Part 11-relevant system is fit for purpose. In practice, GAMP 5 is the method and Part 11 is one of the regulatory targets that method helps you meet, alongside EU GVP for European operations.
Who is responsible for what
Bright Infonet develops and delivers the software, the environment setup, and the supporting documentation. The client and their qualified PV personnel own PV decisions, regulatory interpretation, validation execution, and compliance obligations.
PVgenix is designed around 21 CFR Part 11, EU GVP modules, GAMP 5, and GxP operational compliance, with full audit logging, RBAC, tenant data isolation, encryption in transit and at rest, and electronic signature capture. The supporting IQ/OQ/PQ documentation package is provided to support your validation. To see how these controls are implemented, visit the Security & Compliance page.
Frequently asked questions
It sets the FDA criteria for trustworthy electronic records and signatures: secure time-stamped audit trails, role-based access control, unique electronic signatures with meaning, data integrity, and reliable retention and retrieval.
No. A system can provide Part 11 technical controls, but demonstrating it works as intended in your environment is a separate activity — computer system validation (CSV) — which the using organisation owns.
GAMP 5 is the risk-based validation lifecycle framework — the method (URS, FS, DS, IQ/OQ/PQ) you use to demonstrate a system is fit for purpose. Part 11 is one of the regulatory targets that method helps you satisfy.