FDA 21 CFR Part 11 — Electronic Records & Signatures
Trustworthy electronic records and signatures equivalent to handwritten signatures and paper records.
Why this matters: Part 11 sets the bar for using electronic records and signatures in place of paper. It is a layered standard covering audit trails, access controls, system validation, and signature manifestation. HQ Cortex is built closed-system-first, with server-side timestamps, RBAC, and immutable record versioning. The biggest gap today is full electronic signatures with re-authentication at signing — this is the highest-priority compliance work.
This is a core regime in scope for the default product.
Status legend
- Supported: We can do this today.
- In progress: Partially in place or actively in development.
- Not yet planned: Not yet started or not in scope.
Electronic Records
Validated for accuracy and reliability
In progress: System must be validated to ensure accuracy, reliability, consistent intended performance, and detection of altered records.
In HQ Cortex: Strong engineering controls (strict types, validated inputs, an automated test suite) keep the system reliable. A formal validation pack (URS, risk assessment, IQ/OQ/PQ artifacts) for customers is in development.
21 CFR 11.10(a)
Human-readable and electronic record copies
In progress: Generate accurate, complete copies of records for inspection, in both human-readable and electronic form.
In HQ Cortex: PDF rendering exists for labels and many records, and structured data exports are supported. A unified inspector-mode export bundle (PDF, structured data, and audit trail together) is on the roadmap.
21 CFR 11.10(b)
Protected, ready retrieval throughout retention
In progress: Records must be retrievable and protected for the entire retention period.
In HQ Cortex: Records are stored on managed, replicated database and file-storage services, and soft-delete is the default. Customer-configurable retention policy and tested restore evidence are not yet published.
21 CFR 11.10(c)
Operational checks: enforced sequencing
In progress: Enforce the permitted sequencing of steps and events.
In HQ Cortex: Server-side guards enforce the core batch transitions: a batch must be in `planned` to start, `in_progress` to record component usage, and release validates output quantity against committed package lots. Cross-cutting guarantees on QC status routing and a strict block on consuming superseded formulation versions are still being formalized.
21 CFR 11.10(f)
Server-validated input and source
Supported: Validate the source and content of data input or operational instruction.
In HQ Cortex: Every server-side write runs structured input validation, and rate-limit middleware bounds traffic per user.
21 CFR 11.10(h)
Audit Trail
Computer-generated, time-stamped audit trail
In progress: Secure, computer-generated, time-stamped trail of create/modify/delete actions on regulated records, with actor and time.
In HQ Cortex: Audit logs cover equipment activity, financial actions, and external notifications today. A unified, all-domain audit trail spanning every regulated entity is being expanded.
21 CFR 11.10(e)
Changes do not obscure prior values
Supported: Record changes must preserve previously recorded information.
In HQ Cortex: Formulation and procedure versions retain immutable snapshots, and the prior value is always visible from the version history view.
21 CFR 11.10(e)
Audit trail retention parity with records
In progress: Audit trail must be retained for at least as long as the underlying record.
In HQ Cortex: Audit logs share retention with their parent records through standard backups. A documented retention policy and customer-visible RPO/RTO are being prepared.
21 CFR 11.10(c), 11.10(e)
Reviewable audit trail per record
Not yet planned: Audit trails subject to GMP must be reviewed; provide tooling to review and acknowledge.
In HQ Cortex: A per-record audit-trail view exists for some domains. A QA review-and-acknowledge workflow on audit trails is planned.
FDA Data Integrity Q&A (2018), Q.7
Electronic Signatures
Signatures unique to one individual
In progress: Each electronic signature must be unique to one individual and not reused or reassigned.
In HQ Cortex: Each user has a unique identity through our authentication provider, and user records are retained on deactivation. The full e-signature record binding signer, meaning, record hash, and UTC timestamp is in development.
21 CFR 11.100(a)
Identity verified before signature is sanctioned
In progress: Organization must verify identity before assigning or certifying an e-signature.
In HQ Cortex: Organization admins control invites and role assignment. A documented identity-verification step recorded on the user profile is on the roadmap.
21 CFR 11.100(b)
Two-component signature with re-authentication
Not yet planned: Non-biometric signatures use two distinct components (e.g., user ID + password); the first signing in a session uses both, and signings after timeout require both again.
In HQ Cortex: Not yet implemented. A re-authentication challenge at the moment of each signing event is the most material Part 11 gap.
21 CFR 11.200(a)(1)
Signature manifestation: name, date/time, meaning
Not yet planned: Signed records must display printed name, date/time, and meaning of the signature (review, approval, authorship, responsibility).
In HQ Cortex: Approver/changedBy fields exist, but a controlled signature-meaning vocabulary and a rendered signature block are not yet shipped.
21 CFR 11.50(a)
Cryptographic linkage of signature to record
Not yet planned: Signatures must be linked to records so they cannot be excised, copied, or transferred.
In HQ Cortex: Planned: store a cryptographic hash of the canonical record at sign time, with a verify-signature action that recomputes the hash.
21 CFR 11.70
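The planned hash linkage described above, combined with the e-signature record fields named under "Signatures unique to one individual" (signer, meaning, record hash, UTC timestamp), as an added example; it is not HQ Cortex code. The field names, the JSON canonicalization, the choice of SHA-256, and the sample batch record are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Meanings listed on this page for 11.50(a); treating them as the controlled
# vocabulary is an assumption.
MEANINGS = {"review", "approval", "authorship", "responsibility"}

def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization: sorted keys, fixed separators, UTF-8."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def record_hash(record_id: str, version: int, record: dict) -> str:
    """SHA-256 over length-prefixed (id, version, body), so the digest is tied
    to one record version and cannot be carried over to another."""
    h = hashlib.sha256()
    for part in (record_id.encode(), str(version).encode(), canonical_bytes(record)):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.hexdigest()

def sign(record_id, version, record, signer_id, meaning, now=None):
    """Build the signature row. `now` exists only for tests; in service the
    timestamp comes from the server clock in UTC, never from the client."""
    if meaning not in MEANINGS:
        raise ValueError(f"uncontrolled signature meaning: {meaning!r}")
    ts = now or datetime.now(timezone.utc)
    return {
        "record_id": record_id, "version": version,
        "signer_id": signer_id, "meaning": meaning,
        "signed_at_utc": ts.isoformat(),
        "record_sha256": record_hash(record_id, version, record),
    }

def verify(sig: dict, record_id: str, version: int, record: dict) -> bool:
    """Recompute the hash from the stored record and compare in constant time."""
    if (sig["record_id"], sig["version"]) != (record_id, version):
        return False  # signature row copied or transferred from another record
    return hmac.compare_digest(sig["record_sha256"],
                               record_hash(record_id, version, record))

# Constructed sample data (hypothetical identifiers, not real HQ Cortex records).
BATCH = {"status": "released", "output_qty": 480, "lot": "LOT-EXAMPLE-001"}
SIG = sign("batch-123", 3, BATCH, "user-42", "approval",
           now=datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc))
```

A stored hash detects changes only while the signature row itself is append-only and access-controlled; anyone able to rewrite both the record and the row can recompute it.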
Access Controls and Authentication
Access limited to authorized individuals
Supported: System access must be limited to authorized individuals; deactivated users lose access immediately.
In HQ Cortex: A managed authentication provider handles sign-in for every regulated route, and user profiles support both deactivation and anonymization.
21 CFR 11.10(d)
Authority checks (RBAC)
Supported: Authority checks ensure only authorized individuals can sign records, alter records, or perform operations.
In HQ Cortex: Resource-level role-based access control is enforced server-side on every regulated action.
21 CFR 11.10(g)
Multi-factor authentication enforced
In progress: MFA reduces the chance of unauthorized use and supports detection of compromised credentials.
In HQ Cortex: MFA is supported through our authentication provider. Enforced MFA for all regulated-data accounts is configurable per workspace, and default-on enforcement is planned.
21 CFR 11.300(d) — implementation practice
Session timeout with re-authentication
In progress: Idle sessions must end such that signing requires re-authentication.
In HQ Cortex: Session expiry is configurable. The signing-specific re-authentication challenge is part of the e-signature work in flight.
21 CFR 11.10(d), 11.200(a)(1)(ii)
Detection and lockout of unauthorized attempts
In progress: Detect unauthorized use; report attempts to security and management.
In HQ Cortex: Rate limiting protects API endpoints. Centralized auth-failure alerting and admin notifications are planned.
21 CFR 11.300(d)
Time and Date Controls
Server-side timestamps only
Supported: Audit trail and signature timestamps must be generated by the server, not user-supplied.
In HQ Cortex: All created and updated timestamps are set by the database itself, and no regulated workflow accepts a client-supplied timestamp.
21 CFR 11.10(e)
Synchronized authoritative time (NTP)
Supported: System clock must be synchronized to an authoritative source.
In HQ Cortex: Our hosting and database providers supply NTP-synchronized clocks, and UTC is the canonical storage timezone.
FDA Data Integrity Q&A, Q.10
Data Integrity (ALCOA+)
Attributable — every action linked to a person
Supported: No shared accounts; every record/audit row carries a user attribution.
In HQ Cortex: Every user has a unique identity, and the acting user is stored on every regulated record and audit row.
ALCOA+; 21 CFR 11.10(e)
Contemporaneous — recorded when the activity occurs
Supported: Records must be created at the time of the event; back-dating must be flagged.
In HQ Cortex: Server-side timestamps are written when each record is created, and there is no user-supplied 'performed at' override on regulated writes.
ALCOA+; 21 CFR 11.10(e)
Original / Enduring — durable, immutable storage
In progress: Original records preserved on durable media for the full retention period.
In HQ Cortex: Versioned snapshots are in place. Documented backup, geo-replication, and tested restore evidence are being prepared.
ALCOA+
Complete — no silent data loss
In progress: Failed and aborted actions still leave a record; nothing is silently dropped.
In HQ Cortex: Failures on server-side actions are logged. Coverage of failure-path audit logging across every regulated write is being expanded.
ALCOA+
Last reviewed: May 2026.