FDA 21 CFR Part 11
Regulator: U.S. Food and Drug Administration
Signal Provenance delivers the technical infrastructure for every section of 11.10 except organizational training (11.10(i)). The hash-chained Aletheia ledger, RBAC module, two-factor electronic signatures, and IQ/OQ/PQ template together form a validated evidence layer your QA function can execute and your auditor can verify.
Scope
Part 11 governs electronic records and electronic signatures for FDA-regulated industries (pharma, medical device, clinical trials, biologics). A compliant system must protect record integrity, maintain secure audit trails, control access, enforce operational sequencing, and support legally binding electronic signatures.
Control-by-control coverage
Every claim below traces to source code in the echology monorepo or to a deliverable template shipped with Signal Provenance. If the code does not do it, the row is not here.
| Control | Requirement | Coverage | Evidence mechanism | Source |
|---|---|---|---|---|
| 11.10(a) | Validated systems to ensure accuracy, reliability, and the ability to discern invalid or altered records | Strong | verify_chain() independently validates the full ledger. Schema validation produces quality scores and violation lists. An IQ/OQ/PQ template ships with every deployment for formal qualification execution. | engine/aletheia/ledger.py, ops/deliverables/templates/signal_iq_oq_pq.py |
| 11.10(b) | Accurate and complete copies of records in human-readable and electronic form | Complete | PDF and JSON compliance export from a single command. HTML dashboard for human-readable display. Temporal reconstruction returns any file as it existed at any past timestamp. | provenance/export.py, provenance/db.py get_file_at_time() |
| 11.10(d) | Limiting system access to authorized individuals | Strong | Role-based access control module (ops rbac) with 6 roles and 24 permissions. Password hashing via scrypt (>=12 char). Time-bounded emergency break-glass with full ledger witness. | ops/rbac.py |
| 11.10(e) | Secure, computer-generated, time-stamped audit trails that record date/time of operator entries and actions | Complete | 49 operational witness points hash-chained in Aletheia. Every write is witnessed with timestamp, actor, workstation, source, and SHA-256 content/result hashes. Tamper-evident. | ops/db.py _witness, engine/aletheia/ledger.py |
| 11.10(f) | Use of operational system checks to enforce permitted sequencing of steps and events | Strong | Four-phase pipeline (raw, true, optimized, ongoing) enforced by CHECK constraint on deployments.phase. Review gates required between phase transitions. Findings must be confirmed before recommendations proceed. | ops/db.py phase constraint, review_gates table |
| 11.10(g) | Authority checks to determine validity of the source of data input or operational instruction | Strong | Workstation field (platform.node()) written into every ledger entry. Host tracking in metadata harvests. Magic-byte verification on file uploads. | engine/aletheia/ledger.py schema, engine/vanta/vanta_security.py |
| 11.100 / 11.200 | Electronic signatures: unique to one individual, two distinct identification components, non-repudiable | Strong | Two-factor signing (password + TOTP per RFC 6238) via ops rbac sign. Each signature is SHA-256 hashed over canonical JSON and chained by prior_hash per (deployment, user). ops rbac sig-verify detects tampering on any historical signature. | ops/rbac.py sign_record, verify_signature_chain |
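The 11.100 / 11.200 row describes signatures hashed with SHA-256 over canonical JSON and chained by prior_hash per (deployment, user). The sketch below is an added illustration of how such a chain can be verified; it is not Signal Provenance code. The field names, the all-zero genesis value, and the canonical form (sorted keys, compact separators) are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prior_hash for the first signature of each chain

def canonical(obj):
    # Deterministic JSON bytes (assumed canonical form: sorted keys, no spaces)
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def entry_hash(entry):
    # SHA-256 over every field except the stored hash itself
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()

def append_signature(chain, deployment, user, record_id, meaning, signed_at):
    # Link to the latest signature with the same (deployment, user), if any
    same = [e["hash"] for e in chain if (e["deployment"], e["user"]) == (deployment, user)]
    entry = {"deployment": deployment, "user": user, "record_id": record_id,
             "meaning": meaning, "signed_at": signed_at,
             "prior_hash": same[-1] if same else GENESIS}
    entry["hash"] = entry_hash(entry)
    chain.append(entry)

def verify_chains(chain):
    # Return (index, reason) for every entry that fails verification
    last, problems = {}, []
    for i, e in enumerate(chain):
        key = (e["deployment"], e["user"])
        if entry_hash(e) != e["hash"]:
            problems.append((i, "content hash mismatch"))
        if e["prior_hash"] != last.get(key, GENESIS):
            problems.append((i, "broken link to prior signature"))
        last[key] = e["hash"]
    return problems

def demo():
    # Constructed sample signatures; all values are illustrative
    chain = []
    append_signature(chain, "dep-1", "alice", "batch-001", "approved", "2024-01-05T10:00:00Z")
    append_signature(chain, "dep-1", "bob", "batch-001", "reviewed", "2024-01-05T10:05:00Z")
    append_signature(chain, "dep-1", "alice", "batch-002", "approved", "2024-01-06T09:00:00Z")
    clean = verify_chains(chain)
    chain[0]["meaning"] = "rejected"         # record edited, stored hash untouched
    edited = verify_chains(chain)
    chain[0]["hash"] = entry_hash(chain[0])  # editor also recomputes the hash
    rehashed = verify_chains(chain)
    return clean, edited, rehashed

if __name__ == "__main__":
    print(demo())
```

In this sketch, removing the most recent entries of a chain leaves nothing to contradict, so detecting tail truncation requires keeping the latest hash somewhere outside the store being verified.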
What Signal Provenance does not do
The platform is the technical evidence layer. The items below require organizational or physical implementation by the client. Listing them explicitly is how we keep the claim honest.
- 11.10(i) Training of personnel on electronic records (organizational).
- 11.300 Controls for identification codes and passwords at the process level (the platform enforces hashing and MFA; the client defines the personnel policy).
- GxP process design (the client defines the SOPs; Signal Provenance captures the evidence).
What you get
Each deployment ships these artifacts. All are generated from the live ledger and current deployment state.
IQ/OQ/PQ qualification package
ops compliance iqoqpq <deployment-id> --environment "..." --installer "..." --reviewer "..."
37-test package aligned to 21 CFR 11.10(a). Ready for execution by the client QA function.
Audit trail export (PDF + JSON)
ops compliance audit <deployment-id> --framework fda_21cfr11
Electronic signature chain verification
ops rbac sig-verify --deployment-id <deployment-id>
Signature history
ops rbac sig-list --deployment-id <deployment-id>
Prove it for your next audit.
Signal Provenance is deployed white-glove. We configure it on your hardware, point it at your folders, and generate your first FDA 21 CFR Part 11 coverage export together. Your auditor verifies the hash chain independently.
Schedule your deployment
Canonical URL: /provenance/frameworks/fda-21-cfr-11/ · Cited in every compliance export for FDA 21 CFR Part 11.