21 CFR Part 11 in Practice

How the VDC system implements FDA electronic records and signature requirements in AWS

1. Understanding 21 CFR Part 11

1.1 What is 21 CFR Part 11?

21 CFR Part 11 establishes the FDA''s criteria for accepting electronic records and electronic signatures as equivalent to paper records and handwritten signatures. Originally issued in 1997, it applies to all FDA-regulated industries including pharmaceuticals, biologics, and medical devices.

1.2 Core Requirements

§11.10 - Controls for Closed Systems

Validation of systems
Audit trails for all changes
Authority checks (RBAC)
Device checks (MFA)
Operational system checks
Education and training

§11.50 - Signature Manifestations

Signed records must contain:
Printed name of signer
Date and time of signature
Meaning of signature (approval, review, etc.)

§11.70 - Signature/Record Linking

Electronic signatures must be linked to records
Cannot be excised, copied, or transferred
Preserve integrity of signed records

1.3 FDA Guidance (2003)

In 2003, the FDA issued Guidance for Industry - Part 11, Electronic Records; Electronic Signatures — Scope and Application, clarifying that FDA would exercise enforcement discretion for certain Part 11 requirements when predicate rules are met. This means:

Focus on data integrity and trustworthiness
Risk-based approach to validation and controls
Emphasis on ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate)

2. VDC System Compliance Mapping

2.1 Electronic Records (§11.10)

Requirement

VDC Implementation

Evidence Location

§11.10(a) - Validation

Complete IQ/OQ/PQ validation documented with 61 test cases

IQ/OQ/PQ Results

§11.10(b) - Copy Records

S3 with versioning preserves all document versions; audit trail exportable

FS Section 5.3, 7.2

§11.10(c) - Record Retention

DynamoDB audit logs retained indefinitely (no TTL); S3 lifecycle prevents deletion

URS-070, URS-071

§11.10(d) - Access Limits

IAM least privilege + Cognito RBAC (Submitter/Approver groups)

FS Section 6.2, 6.3

§11.10(e) - Audit Trail

Immutable DynamoDB audit table captures: user, action, timestamp, IP, outcome

URS-030 to URS-034

§11.10(f) - Operational Checks

Lambda function validation, error handling, hash verification

OQ test cases

§11.10(g) - Authority Checks

Cognito MFA + JWT validation + Lambda role checks

URS-020, URS-021

§11.10(h) - Device Checks

MFA (TOTP) required for all user sessions

URS-014, OQ-002

§11.10(i) - Training

User training on VDC workflow and role responsibilities (org responsibility)

Not system-enforced

§11.10(j) - Accountability

Unique Cognito user accounts; no shared credentials

FS Section 3.3

2.2 Electronic Signatures (§11.50, §11.70)

The VDC system implements electronic signature intent through the approval workflow:

Authentication: User logs in with email/password + MFA (§11.200(a)(1))
Action: User clicks "Approve" or "Reject" button
Record Created: Immutable audit log captures:
- Printed name (email from Cognito token)
- Date and time (ISO 8601 UTC timestamp)
- Meaning (action = APPROVE or REJECT)
- Document ID (linking signature to record)

This meets the requirements of §11.50 (signature manifestations) and §11.70 (signature/record linking). The signature cannot be excised or transferred because the audit record is immutable.

3. Cloud-Specific Considerations

3.1 Shared Responsibility Model

When implementing Part 11 on AWS, understand the shared responsibility model:

AWS Responsibility

Physical security of data centers
Infrastructure availability and reliability
Service-level encryption (S3, DynamoDB)
Compliance certifications (SOC 2, ISO 27001)

Customer Responsibility

Application validation (IQ/OQ/PQ)
User access controls (IAM, Cognito)
Audit trail implementation
Data retention policies
Incident response procedures

3.2 Vendor Qualification

AWS is a qualified cloud provider for regulated Life Sciences workloads:

HIPAA BAA Available: Business Associate Agreement for HIPAA compliance
GxP Compliance: AWS follows GxP practices and supports validated environments
Audit Reports: SOC 2 Type II, ISO 27001, and other certifications available
Life Sciences Customers: Moderna, Pfizer, AstraZeneca use AWS for regulated workloads

3.3 Service-Level vs. Application-Level Controls

Part 11 compliance requires application-level controls, not just AWS service guarantees:

Control Type

AWS Provides

Application Must Add

Encryption

✅ SSE-S3, TLS endpoints

Document key management, enforce HTTPS

Access Control

✅ IAM, Cognito services

Implement RBAC, enforce MFA, prevent self-approval

Audit Trail

✅ CloudTrail (AWS API calls)

Application audit logs (user actions, business events)

Validation

AWS service reliability

Full IQ/OQ/PQ of application on AWS

4. Common Pitfalls & Best Practices

4.1 Pitfalls to Avoid

❌ Treating CloudTrail as Your Audit Trail

CloudTrail logs AWS API calls (infrastructure events), not user business actions. You need application-level audit logsthat capture what users did (submitted document, approved, rejected).

❌ Assuming AWS Compliance = Your Compliance

AWS certifications (SOC 2, ISO) cover their infrastructure. You still need to validate your applicationwith IQ/OQ/PQ testing.

❌ Not Testing Immutability

Part 11 requires audit trails to be immutable. Test that your DynamoDB IAM policies actually prevent updates/deletes (see OQ-017).

❌ Weak "Electronic Signature" Implementation

A button click alone isn''t enough. You need: authentication (who), authorization (allowed?), timestamp (when), meaning (what action), and record linking (which document). The VDC system captures all of these.

4.2 Best Practices

✅

Use Managed Services

Cognito (auth), DynamoDB (audit), S3 (storage) are pre-validated by AWS and reduce validation burden

✅

Enforce MFA

Part 11 requires "device checks" - MFA is the modern equivalent of physical tokens

✅

Immutable Audit Tables

Use IAM policies to deny UpdateItem/DeleteItem on audit tables - test this in OQ

✅

Hash Everything

SHA-256 hashes prove document integrity and satisfy ALCOA+ "Accurate" principle

✅

Infrastructure as Code

CloudFormation provides repeatable, validated deployments across environments

✅

Separate Dev/Prod

Completely separate AWS resources (not just different S3 buckets) for dev vs prod

5. Inspection Readiness

5.1 What Inspectors Look For

During an FDA inspection, be prepared to demonstrate:

Validation Documentation: Show complete URS, FS, RTM, and IQ/OQ/PQ protocols
Audit Trail Retrieval: Demonstrate you can quickly pull complete history for any document
Access Control: Show role separation (Submitter cannot approve own documents)
Data Integrity: Demonstrate hash verification prevents tampering
Change Control: Show how system changes are validated and documented

5.2 Key Documentation

Have these documents ready for inspection:

User Requirements Specification (URS)
Functional Specification (FS)
Requirements Traceability Matrix (RTM)
IQ/OQ/PQ Test Results
Standard Operating Procedures (SOPs) for system use
User training records
Change control records for system updates
Incident/deviation logs

6. Resources

FDA Guidance: Part 11, Electronic Records; Electronic Signatures — Scope and Application (2003)
21 CFR Part 11 Text: Electronic Records; Electronic Signatures (CFR)
AWS Life Sciences: AWS Life Sciences Solutions
GAMP 5: Good Automated Manufacturing Practice (risk-based validation)

← Back to Evidence Next: GxP & CSV in AWS →