If your medical devices reach the US market — directly or through a distributor — your quality records may fall under 21 CFR Part 11, the FDA regulation for electronic records and electronic signatures.
Many Indian manufacturers discover this during a FDA inspection or when a US customer sends a supplier audit questionnaire asking about Part 11 compliance. By then, gaps in e-signature controls and audit trails become urgent.
You do not need Part 11 compliance for domestic-only sales in India. But if electronic records support GMP decisions for US-bound product, this regulation applies.
What 21 CFR Part 11 covers
Part 11 applies when:
- Records are created, modified, maintained, archived, retrieved, or transmitted electronically
- Those records would otherwise be required under FDA regulations (QSR 21 CFR Part 820, etc.)
- Electronic signatures are used in place of handwritten signatures
It does not force you to go paperless. You can keep paper records for US product. But if you use a QMS, batch record system, or LIMS electronically, Part 11 applies to those records.
The core requirements in plain language
1. System validation
Computer systems that create, modify, or store GMP records must be validated. This means documented evidence that the system does what it is supposed to do, consistently.
For a QMS or batch record system, validation typically includes:
- User requirements specification
- Risk assessment
- Installation and operational qualification (IQ/OQ)
- Performance qualification (PQ) in your environment
- Change control for system updates
SaaS platforms like RapidFacto often provide validation documentation packages — but your company still owns the validation for your specific deployment and configuration.
2. Audit trail
Every creation, modification, or deletion of a GMP record must be logged. The audit trail must capture:
- Who made the change
- When
- What was changed (previous and new value)
- Why (reason for change, where applicable)
Auditors will pick a batch record, ask you to show its history, and verify no data was altered without traceability.
3. Electronic signatures
An e-signature under Part 11 must be:
- Unique to one individual — shared login credentials fail immediately
- Verified at each signing — re-entry of password or equivalent at time of signature
- Linked permanently to the record signed — cannot be copied to another document
- Legally equivalent to handwritten signatures per your company's policy
The signature manifestation must show the printed name, date/time, and meaning (review, approval, authorship).
4. Access controls
Role-based access. Production operators cannot approve their own batch releases. System administrators cannot modify audit trails. Access rights documented and reviewed periodically.
5. Record retention and retrieval
Electronic records must be retained for the required period and producible in human-readable form. Backups, disaster recovery, and data integrity during storage matter.
Common Part 11 findings in Indian facilities
Shared user accounts. "Operator1" used by three people on the same shift. Instant finding.
No audit trail on critical records. Batch records can be edited without logging who changed what.
Signatures without re-authentication. System remembers login; approval button does not require password re-entry.
Incomplete validation documentation. System purchased and used for two years with no validation protocol.
Legacy Excel workflows. Spreadsheets with macros used for batch calculations — no access control, no audit trail, no validation.
Part 11 and ISO 13485 — overlap and differences
ISO 13485 requires document control, record control, and identification — but does not specify e-signature technical requirements in the same detail as Part 11.
If you are ISO 13485 certified and export to the US, you need both:
- ISO 13485 QMS structure
- Part 11 technical controls on electronic systems
A single QMS platform can satisfy both if implemented correctly — but Part 11 adds specific requirements around audit trails, signature manifestation, and system validation that go beyond ISO 13485 alone.
Practical steps for Indian manufacturers
- Inventory your electronic records — which systems hold GMP data for US product?
- Eliminate shared accounts — one user, one login, role-based permissions
- Verify audit trail capability — test it before an auditor does
- Document your e-signature policy — what constitutes a signature, who can sign what
- Plan validation — even for cloud systems, maintain validation records on your side
- Train users — operators must understand that electronic actions are legally binding
Need Part 11-ready e-signatures and audit trails? RapidFacto includes role-based access, electronic signatures with full audit trails, and validation support documentation. Book a demo to learn more.