
FDA 21 CFR Part 11 — What Electronically Signed Reports Actually Mean

21 CFR Part 11 and monitoring reports: what the FDA expects from electronic records and how SHA-256 signatures with QR codes support compliance.

Nextriv Team · 4 min read


The requirements of 21 CFR Part 11 for reports and electronic records sound intimidating only until you understand their intent. This US FDA regulation — Part 11 of Title 21 of the Code of Federal Regulations — answers a simple question: when are an electronic record and an electronic signature as trustworthy as paper with a handwritten signature? For pharmaceutical companies, medical device manufacturers and laboratories serving the US market, the answer determines whether digital documentation — including temperature monitoring reports — will stand up to an inspector. In this article we explain what Part 11 requires of records, what an "electronically signed report" means technically, and where the line runs between what the system does and what remains the organization's responsibility.

What 21 CFR Part 11 requires of electronic records

The regulation doesn't mandate any particular technology. It defines the properties an electronic records system must demonstrate for the FDA to treat its records as equivalent to paper. In brief, because the full text is reading material for the quality department, the key requirements are:

  • Access control. Only authorized people enter the system, with permissions matching their role; user identities are verified.
  • Audit trail. The system automatically records who did what to a record and when — and those traces cannot be overwritten or quietly switched off.
  • Record integrity. A record cannot be changed without leaving a trace; the system must make it possible to detect invalid or altered records.
  • Signature-to-record linking. An electronic signature must be permanently bound to a specific document — so it can't be transferred to another record or "detached".
  • Availability and retention. Records must be kept for the required period and be producible for inspection in readable form, including as copies.
  • System validation. The organization must demonstrate that the system works reliably and reproducibly — a requirement on the implementation process, not just the software.

This list alone shows something worth saying outright: no product "is Part 11 compliant" by itself. Compliance is a property of the entire system of work — software, procedures, training and validation at a specific user. What a vendor can do is provide tools that genuinely support that compliance. And those tools are what the rest of this article is about.

What "an electronically signed report" really means

In the Nextriv platform, a monitoring PDF report can carry a SHA-256 cryptographic signature along with a QR code and the address of a verification page. In plain terms: at the moment the document is generated, the system computes its hash — a kind of fingerprint of the file. Changing even a single character in the document produces a completely different hash, so any later tampering is detectable. The QR code on the report leads to the verification page: anyone — auditor, client, inspector — can scan the code and confirm that the document in their hands is exactly the one the system generated, unchanged.

This solves the problem that is hardest to defend in electronic documentation: "how do I know this PDF wasn't touched up in an editor?". With the signature, the answer requires no trust in the person who brought the report — verification is enough.
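
The verification path described above, sketched as an added example (this is not Nextriv's code). The host verify.example.com, the ?id= URL layout, the ReportRegistry class and the report ID R-0001 are hypothetical stand-ins, since the article does not give the real verification format.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Assumption: hypothetical host and URL layout; the article gives no real format.
TRUSTED_HOST = "verify.example.com"

class ReportRegistry:
    """Stand-in for the server side: digests recorded at generation time."""
    def __init__(self):
        self._digests = {}

    def issue(self, report_id: str, pdf_bytes: bytes) -> str:
        # Record the hash at generation; return the URL the QR code would encode.
        self._digests[report_id] = hashlib.sha256(pdf_bytes).hexdigest()
        return f"https://{TRUSTED_HOST}/verify?id={report_id}"

    def recorded_digest(self, report_id: str):
        return self._digests.get(report_id)

def verify_report(qr_url: str, pdf_bytes: bytes, registry: ReportRegistry) -> str:
    parsed = urlparse(qr_url)
    # The QR code is printed on the document itself, so check where it points
    # before trusting whatever that page says.
    if parsed.scheme != "https" or parsed.hostname != TRUSTED_HOST:
        return "untrusted-verification-url"
    ids = parse_qs(parsed.query).get("id", [])
    if len(ids) != 1:
        return "malformed-url"
    expected = registry.recorded_digest(ids[0])
    if expected is None:
        return "unknown-report"
    # The reference hash comes from the registry, never from the file in hand.
    actual = hashlib.sha256(pdf_bytes).hexdigest()
    return "match" if hmac.compare_digest(expected, actual) else "altered"

def demo() -> dict:
    registry = ReportRegistry()
    original = b"%PDF-1.7 constructed sample: fridge 1 max 4.9 C"  # constructed
    url = registry.issue("R-0001", original)
    edited = original.replace(b"4.9", b"4.8")  # single-character change
    spoofed = url.replace(TRUSTED_HOST, "verify.example.net")
    return {
        "original": verify_report(url, original, registry),
        "edited": verify_report(url, edited, registry),
        "spoofed_qr": verify_report(spoofed, original, registry),
    }
```

The result depends on two things the person checking controls: the file actually in hand, and confirming that the scanned code leads to the expected verification host.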

Verification path of a signed report from generation to inspection

How platform features map to the requirements

Mapping Part 11 requirements against the mechanisms available in Nextriv looks like this:

| Part 11 requirement | Mechanism in the platform |
|---|---|
| access and role control | four user roles with different permissions, data isolation for every organization, two-factor login (TOTP) with backup codes, password policy, session management |
| audit trail | an audit trail of actions in the system plus a separate security event log, retained for 5 years (1,825 days) |
| record integrity | PDF reports with a SHA-256 signature, QR code and verification URL; raw measurement data with no manual editing |
| retention and availability | raw measurement history up to 1,825 days; CSV/XLSX and PDF exports as readable copies for inspection |
| trustworthy source data | a data logger with a measurement buffer, timestamps and automatic backfill after a connectivity outage |

The security architecture — from encrypted transmission to data isolation between organizations — is described in more detail on our platform security page.

What the system won't do for you

Honesty requires the second half of the sentence. Part 11 also covers areas no vendor can close on a customer's behalf: deciding which records fall under the regulation in the first place, validating the system within a specific process, operating procedures, user training and oversight of permissions. The platform supplies the mechanisms — the signature, the audit trail, access control, retention — but it's the quality department that decides how to slot them into the documentation system and how to demonstrate they work during an inspection. The honest formula is therefore: Nextriv supports compliance with 21 CFR Part 11, just as it supports the requirements of European good distribution practice — which we wrote about in our article on GDP and temperature monitoring in pharmacies and wholesalers.

A trustworthy report starts with a trustworthy measurement

The cryptographic signature attests that the report wasn't altered — but the report's value depends on the quality of the data at the source. That's why in pharma the measurement point should be a data logger, not an ordinary sensor. The Nextriv Probe Solo carries EN 12830 certification, a 4,000-measurement buffer with timestamps and automatic retransmission after a connectivity outage, and its detachable probe bears its own identifier reported with the data — swapping the probe for a freshly calibrated one doesn't interrupt oversight, and calibration traceability stays in the history. A button lock guards against the logger being "accidentally" switched off.

Nextriv product: Nextriv Probe Solo (NX-PR-SOLO-1P). Compact temperature logger with a detachable corded probe and EN 12830 certification, for pharmacy fridges, display counters and cold rooms. 4000-reading buffer with retransmission.

That is what a complete chain of trust looks like: a certified data logger with a buffer → raw data with no manual editing → an audit trail → a signed report anyone can verify. Practical scenarios on the refrigeration side — from 2–8 °C thresholds to the probe's thermal buffer — are covered in our guide to the vaccine cold chain, and the full deployment across pharmacy, wholesaler and manufacturing site on our pharma solutions page.

Where to start

If your documentation is heading toward the US market — or you simply want monitoring reports that can't be challenged — start with a conversation with your quality department about which records fall under the regime, and with a review of the mechanisms you'll defend them with. Signed reports, a five-year audit trail and full data retention are part of the paid plan: 99 PLN net per 30 days or 990 PLN net per year (excl. VAT) — details in the pricing section.

Book a demo — we'll show you live how a signed report is generated and how its QR code verification works.
