Part 11 Application to Clinical Investigations

In March 2023, FDA released a draft guidance on Part 11 Application to Clinical Investigations.  The specific introduction in the guidance stated:

This document provides guidance to sponsors, clinical investigators, institutional review boards(IRBs), contract research organizations (CROs), and other interested parties on the use of electronic systems, electronic records, and electronic signatures in clinical investigations of medical products, foods, tobacco products, and new animal drugs. The guidance provides recommendations regarding the requirements, including the requirements under 21 CFR part 11 (part 11), under which FDA considers electronic systems, electronic records, and electronic signatures to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

The guidance also explains how the lifecycle of this guidance document will fit in with related guidance documents.  As illustrated below, the intention for this guidance is to:

  • Revise (and retitle) the guidance, “Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 — Questions and Answers (June 29, 2017)”
  • Expand upon the recommendations in the guidance, “Part 11, Electronic Records; Electronic Signatures — Scope and Application (August 2003)”
  • Supersede (replace) the guidance, “Computerized Systems Used in Clinical Investigations (May 2007)”


Part 11 application to clinical investigations

Some key take-aways from the guidance:

  1. 21 CFR Part 11 applies to real-world data used in support of predicate rules.
  2. 21 CFR Part 11 applies to data collected at non-US sites in support of predicate rules.
  3. Use validated process to create certified copies of clinical investigation records.
  4. Ensure storage of clinical investigation records are maintained with reliable method.
  5. While 21 CFR Part 11 does NOT address security of records during transmission, other privacy and security laws may necessitate encryption or other types of protection.

Validation of electronic systems used in clinical investigations

The guidance provides input and considerations to the software validation plan for an electronic system used in clinical investigations:

  • Criticality and significance of the record.
  • Intended use functionality – consider the workflow and the essential operations of the software to support the clinical investigation over the entire lifecycle of use, e.g., pre-study, peri-study, post-study.
  • Some office productivity tools may not need protocoled test cases – examine existing downstream QC.
  • Assess your vendor’s / supplier’s custom-made or custom-configured systems for state-of-the-art software validation activities: planning, requirements generation, software design rather than ad-hoc coding, testing at multiple levels such as unit and system, change control, and configuration management.  Do they have a clear strategy for “maintaining” a validated state for subsequent software releases.
  • Audit trail integrity.

Inspection readiness

What documentation should the sponsor have in place for electronic systems that fall under the scope of part 11, and what will be FDA’s focus during inspections of the sponsor?  The guidance gives input to this question – the electronic system “package” should include:

  • Have clear description of the software system.  SoftwareCPR would recommend layered architecture diagrams mapping data flow, software components, configurable items, control checkpoints.
  • Validation as described above.
  • Describe roles and responsibilities of sponsors, clinical sites, and other parties.
  • Describe installation process and necessary infrastructure, including any expected or required testing or “checks” to be performed by the sponsor.
  • Describe any necessary interfaces if applicable and how to ensure or verify interoperability.
  • User management process including instructions for sponsor if applicable.
  • Data backup, recovery, and contingency plan including any required actions by the sponsor.  Contingency plan to cover manual data entry or other method.
  • Training materials.
  • Auditing plans and reports to verify data integrity.

Refer to the guidance for more detail and requirements.


See our 2017 post on 21 CFR Part 11.

Need help with planning your Part 11 strategy?  Our partner John Murray was the internal expert with 21 CFR Part 11 during his tenure at FDA.  Contact us to setup a consultation with John.

About the author

Brian is a biomedical software engineer - whatever that is! Started writing machine code for the Intel 8080 in 1983. Still enjoys designing and developing code. But probably enjoys his garden more now and watching plants grow ... and grandkids grow!

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:




Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom

Registration Link:

Register Now



Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.