21 CFR Part 11 Compliance

This document maps Cohera platform features to FDA 21 CFR Part 11 requirements for electronic records and electronic signatures. Use this as a reference for your validation activities and regulatory submissions.

Overview

21 CFR Part 11 establishes requirements for electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures. Cohera is designed to meet these requirements when properly configured and validated.

Subpart B - Electronic Records

Section 11.10 - Controls for Closed Systems

Requirement	Cohera Implementation
(a) System validation	Cohera provides validation documentation including IQ/OQ/PQ protocols, traceability matrices, and test scripts. Platform undergoes internal validation before release.
(b) Legible and available copies	All records can be exported in human-readable formats (PDF, CSV). Complete audit trails exportable for regulatory review.
(c) Record protection	Records protected through encryption at rest (AES-256) and in transit (TLS 1.3). Immutable audit logs prevent unauthorized modification.
(d) Access limitations	Role-based access control (RBAC) limits system access to authorized individuals. All access logged in audit trail.
(e) Audit trails	Computer-generated, timestamped audit trail records date/time, operator identity, and before/after values for all record changes. Audit trails cannot be modified or deleted.
(f) Operational checks	System enforces permitted sequencing through workflow states. Prevents execution of steps out of defined order.
(g) Authority checks	System verifies user permissions before allowing actions. E-signatures validated against user’s defined authorities.
(h) Device checks	Input validation ensures data meets defined specifications. System rejects invalid entries with clear error messages.
(i) Personnel identification	Unique user identification through username/email. Password requirements enforced per configuration.
(j) Personnel documentation	System supports acknowledgment workflows for policy acceptance. Training records can be tracked through quality events.
(k) Document controls	Version control for all documents with full history. Distribution controlled through access permissions.

Section 11.30 - Controls for Open Systems

Cohera is primarily designed for closed system deployment. When external access is required (e.g., supplier portal):

Requirement	Cohera Implementation
Document encryption	All data encrypted in transit using TLS 1.3. At-rest encryption using AES-256.
Digital signatures	Electronic signatures cryptographically bound to records.

Section 11.50 - Signature Manifestations

Requirement	Cohera Implementation
(a) Signed record information	Signed records display: printed name of signer, date/time of signature, and meaning of signature (e.g., “review”, “approval”, “responsibility”).
(b) Subject to controls	Signature manifestation information included in audit trail and exported records. Cannot be modified independently of signed record.

Section 11.70 - Signature/Record Linking

Requirement	Cohera Implementation
Linking requirement	Electronic signatures cryptographically linked to their respective records. Signatures bound using SHA-256 hash of record content. Any attempt to modify signed record invalidates signature.

Subpart C - Electronic Signatures

Section 11.100 - General Requirements

Requirement	Cohera Implementation
(a) Uniqueness	Each user has unique identifier (user ID + email). Identifiers not reused for different individuals.
(b) Identity verification	User identity verified during account creation. Password-based authentication with configurable complexity requirements. MFA available for additional verification.
(c) Certification	Organization certifies electronic signatures are legally binding equivalent of handwritten signatures through system configuration. Certification documented in validation records.

Section 11.200 - Electronic Signature Components

Requirement	Cohera Implementation
(a)(1) Non-biometric signatures	Electronic signatures employ at least two distinct components: user identification (username/email) and password.
(a)(1)(i) Multiple signings	During single continuous session, first signing requires both components. Subsequent signings require at least password re-entry.
(a)(1)(ii) Non-continuous signings	Each signing outside continuous session requires both identification components.
(a)(2) Biometric signatures	Not currently supported.
(b) Shared credentials	System prevents use of shared or group accounts. Each user must have individual credentials.

Section 11.300 - Controls for Identification Codes/Passwords

Requirement	Cohera Implementation
(a) Unique combinations	System prevents issuance of the same combination of identification code and password to different persons.
(b) Periodic revision	Configurable password expiration policy. Default: 90 days for production environments.
(c) Loss management	Account lockout after configurable failed attempts (default: 5). Password reset requires identity verification.
(d) Transaction safeguards	Session timeout after inactivity (configurable, default: 30 minutes). Simultaneous session controls available.
(e) Device safeguards	Optional device fingerprinting and IP restrictions. MFA provides additional device-level security.

Implementation Details

Audit Trail Configuration

Cohera’s audit trail captures:

{
  "timestamp": "2024-01-20T14:30:45.123Z",
  "user": {
    "id": "user_abc123",
    "email": "jsmith@company.com",
    "name": "John Smith"
  },
  "action": "update",
  "entity": {
    "type": "supplier",
    "id": "ent_supplier_789",
    "name": "Acme Chemicals"
  },
  "changes": {
    "attributes.qualification_status": {
      "previous_value": "pending",
      "new_value": "qualified"
    }
  },
  "client": {
    "ip_address": "192.168.1.100",
    "session_id": "sess_xyz789"
  },
  "signature": {
    "required": true,
    "meaning": "I approve this qualification status change",
    "signature_id": "sig_abc123"
  }
}

Electronic Signature Flow

When an action requires electronic signature:

User initiates the action
System displays signature dialog with meaning text
User enters password to sign
System validates credentials and permissions
Signature recorded with timestamp and meaning
Action completed and logged

// Example: Approving a deviation
const response = await fetch(
  `https://api.cohera.io/v1/quality-events/${eventId}/approve`,
  {
    method: "POST",
    headers: {
      Authorization: `Bearer ${apiKey}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      signature: {
        meaning: "I have reviewed and approve closure of this deviation",
        password: userPassword,
      },
      comment: "All corrective actions verified complete.",
    }),
  }
);

Access Control Configuration

Define roles with specific permissions:

{
  "role": "quality_manager",
  "permissions": [
    "entities:read",
    "entities:write",
    "quality_events:read",
    "quality_events:write",
    "quality_events:approve",
    "workflows:execute",
    "audit_logs:read"
  ],
  "signature_authorities": [
    "deviation_approval",
    "capa_approval",
    "supplier_qualification"
  ]
}

Validation Checklist

Use this checklist during IQ/OQ/PQ activities:

Installation Qualification (IQ)

Verify Cohera version matches specification
Confirm data center location meets data residency requirements
Verify SSL/TLS configuration
Confirm integration connectivity (SAP, Veeva, etc.)
Document system configuration settings

Operational Qualification (OQ)

Performance Qualification (PQ)

Test with production-representative data
Verify system performance meets requirements
Test integration sync with source systems
Verify compliance reports generate correctly
Test audit trail export for regulatory submission

Audit Support

Generating Compliance Reports

curl -X POST "https://api.cohera.io/v1/audit-logs/reports/21cfr11" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "from": "2024-01-01T00:00:00Z",
    "to": "2024-03-31T23:59:59Z",
    "include_sections": [
      "electronic_signatures",
      "audit_trail_completeness",
      "access_controls",
      "system_validations"
    ]
  }'

Exporting Audit Trails

curl -X POST "https://api.cohera.io/v1/audit-logs/export" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "format": "pdf",
    "from": "2024-01-01T00:00:00Z",
    "to": "2024-03-31T23:59:59Z",
    "include_signatures": true,
    "include_raw_data": true
  }'

Frequently Asked Questions

Q: Is Cohera “21 CFR Part 11 compliant”?

A: Cohera provides the technical controls needed to support 21 CFR Part 11 compliance. However, compliance also requires appropriate procedural controls and validation by the user organization. Cohera is a tool that, when properly validated and used according to documented procedures, can be part of a compliant system.

Q: Does Cohera meet predicate rules?

A: Cohera is designed to support GxP (Good Manufacturing Practice, Good Laboratory Practice, etc.) requirements. The platform’s features align with FDA guidance on electronic records. Specific predicate rule compliance depends on your use case and should be addressed in your validation activities.

Q: How often should we revalidate?

A: Revalidation should occur following significant system changes. Cohera provides release notes and validation impact assessments with each release to help you determine when revalidation is needed.