CFR Part 11 Terms & Definitions

CFR Part 11 Terms, Definitions, Checklists

Having an FDA 21 CFR Part 11 compliant learning management system or quality management system can be the difference between strong performance and success versus negative FDA audit findings. If you are in the life sciences industry—including drug makers, medical device manufacturers, biotech companies, biologics developers, CROs, and other FDA-regulated organizations—you need validated systems that meet Part 11 requirements for electronic records and electronic signatures.

Understanding Part 11 terminology isn’t just about checking compliance boxes—it’s about implementing quality management systems and learning management systems that FDA auditors will trust during inspections. Whether you’re validating a new LMS or eQMS, preparing for an audit, or explaining electronic signature requirements to your quality team, this glossary provides clear definitions with practical eQMS and LMS context.

eLeaP is a validated learning management system (LMS) and a validated quality management system (QMS) in compliance with Part 11. Below you’ll find essential terms and definitions you need to understand for Part 11 compliance.

Essential Part 11 Glossary

21 CFR Part 11

The Food and Drug Administration regulation titled “Electronic Records; Electronic Signatures” that establishes criteria under which electronic records and signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. Enacted August 20, 1997, this regulation governs how pharmaceutical, biotech, and medical device manufacturers manage electronic training records, batch records, laboratory data, and quality documentation. → Learn more about 21 CFR Part 11

ALCOA Principles

Acronym defining fundamental data integrity principles required by FDA: Attributable, Legible, Contemporaneous, Original, Accurate. Modern interpretations expand to ALCOA+ by adding Complete, Consistent, Enduring, and Available. For LMS applications, ALCOA principles ensure training records clearly identify who completed training, when it occurred, and that records remain intact and readable throughout retention periods. Every quiz score, course completion, and e-signature must meet these criteria.

Attributable

Data integrity principle requiring every action be attributed to a specific individual with their unique identity recorded. In LMS context, course creation is attributed to instructional designers, training completion to specific employees (not generic “Operator” accounts), and record modifications to administrators with documented reasons. Audit trails must show exactly who performed each action with their unique user ID and timestamp.

Audit Trail

Secure, computer-generated, time-stamped record documenting who did what, when, and why within the electronic system. For training systems, audit trails track user login/logout, course modifications, training assignments, completions, quiz submissions, e-signature execution, and any changes to training records. FDA inspectors expect audit trails to be available for review and protected from unauthorized modification or deletion. → Read about Audit Trail requirements

Authentication

Process of verifying an individual is who they claim to be before granting system access or allowing electronic signature execution. LMS authentication typically uses unique username/password combinations, though some high-security environments implement biometric methods. Part 11 requires unique user IDs (no shared logins), secure passwords with complexity requirements, periodic password changes, account lockout after failed attempts, and session timeouts after inactivity.

Biometrics

Method of verifying identity based on measurable physical features or repeatable actions unique to an individual (fingerprints, facial recognition, iris scans). While traditional LMS authentication uses username/password, some high-security training environments—such as controlled substance handling or sterile manufacturing—implement biometric authentication before allowing employees to complete critical training or sign procedures. Biometrics strengthen but don’t replace Part 11’s other signature requirements.

Closed System

Environment where system access is controlled by persons responsible for electronic record content. Your internal company LMS where only verified employees have accounts represents a closed system—you control who gets accounts, manage passwords, and can verify all user identities. Closed systems can use electronic signatures (username/password) rather than requiring digital signatures with cryptographic certificates. Most life sciences companies choose closed system architectures for GMP training to avoid open system complexity. → Learn about System Classification

Computer System Validation (CSV)

Documented process ensuring a computer system does exactly what it’s designed to do consistently, accurately, and reliably throughout its lifecycle. Before using an LMS for GMP training records, validation testing verifies the system creates accurate records, enforces prerequisites correctly, calculates quiz scores properly, maintains audit trails, and prevents unauthorized changes. Validation follows GAMP 5 principles with Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) testing. → Read about Software Requirements

Contemporaneous

Data integrity principle requiring data be recorded when the activity occurs, not reconstructed from memory later. In LMS applications, quiz scores record immediately upon submission, course completion timestamps reflect actual completion time, and observation checklist steps are signed as performed—not batch-signed later. No backdating of training records is permitted. Audit trails automatically capture when actions occur, preventing after-the-fact manipulation.

Digital Signature

Electronic signature based on cryptographic methods using public/private key pairs to verify signer identity and data integrity. Unlike standard electronic signatures (username/password), digital signatures use encryption technology (PKI – Public Key Infrastructure) to create unique, tamper-evident signatures. Required for open systems where organizations cannot control all users accessing the system. Less common in LMS applications than standard e-signatures but necessary when external consultants or partners access training through cloud portals.

Electronic Record (ER)

Any combination of text, graphics, data, audio, pictorial, or other information in digital form that is created, modified, maintained, archived, retrieved, or distributed by computer. Training completion certificates, quiz results, course enrollment records, video timestamps, observation assessments, and continuing education credits all constitute electronic records when stored in your LMS. Each must maintain integrity from creation through archival—typically spanning employment duration plus additional years per regulatory requirements. → Read about Electronic Records

Electronic Signature (E-Signature)

Computer data compilation of symbols executed to be the legally binding equivalent of a handwritten signature. When employees log into your LMS and click “I acknowledge completion of this training,” that action combined with their unique username/password authentication creates an electronic signature. Unlike scanned images of handwritten signatures, an e-signature is the electronic authentication method itself. Part 11 requires signatures be unique, non-reusable, verified by the system, and executed only by genuinely authorized persons. → Read about E-Signature Requirements

GAMP 5

Good Automated Manufacturing Practice version 5—industry guide published by ISPE providing risk-based approach to computerized system validation. GAMP 5 categorizes software (Category 3: non-configured, Category 4: configured products like eLeaP, Category 5: custom applications) and recommends validation rigor appropriate to each category and risk level. For LMS validation, GAMP 5 focuses efforts on features impacting data integrity (e-signatures, audit trails, record retention) while applying lighter testing to low-risk features like color schemes.

IQ/OQ/PQ (Installation/Operational/Performance Qualification)

Three validation testing phases verifying system installation, operation, and performance. Installation Qualification (IQ) confirms correct installation per specifications (software version, server specs, security settings). Operational Qualification (OQ) verifies functions operate correctly across anticipated ranges (user creation, quiz scoring, e-signatures, audit trails). Performance Qualification (PQ) demonstrates consistent performance under actual operating conditions over time (multiple concurrent users, large data volumes, production workflows). → Read about Testing Requirements

Legible

Data integrity principle requiring data remain readable and understandable throughout retention periods. Training certificates must display clearly when printed or viewed electronically, quiz questions and answers must be readable, audit trails presented in human-readable format (not obscure codes), and systems must render records legibly years later even after software version changes. If training records require 10-year retention, the LMS must still display them clearly a decade later.

Non-Repudiation

Assurance that someone cannot deny validity of their signature on a document or message. Part 11’s electronic signature requirements create non-repudiation—once an operator signs off on training, they cannot credibly claim “that wasn’t me” because the system authenticated their unique credentials before recording their signature. During FDA inspections or legal proceedings, training records with proper non-repudiation demonstrate specific individuals completed specific training at specific times, and those individuals cannot dispute their acknowledgment. → Read about Certification Letters

Open System

Environment where system access is not controlled by persons responsible for electronic record content. A public-facing training portal where external contractors, partners, or customers can self-register represents an open system—you cannot fully verify all users’ identities before granting access. Open systems require additional controls including digital signatures, encryption, and enhanced authentication to ensure record authenticity and integrity. Most life sciences companies avoid open systems for critical GMP training due to complexity.

Predicate Rules

Any requirement in the Federal Food, Drug, and Cosmetic Act, Public Health Service Act, or FDA regulations (other than Part 11) requiring records be maintained or submitted to FDA. Predicate rules create the underlying record requirement—Part 11 defines how to maintain those records electronically. Common predicate rules for training include 21 CFR 211.25 (pharmaceutical personnel training), 21 CFR 820.25 (medical device personnel), and ISO 13485 (quality system competence). Part 11 only applies when a predicate rule requires the record AND you maintain it electronically. → Read about Applicability Assessment

Training Record

Complete documentation of individual training activities including assignments, completion dates, quiz results, e-signatures, observations, and competency verifications. Compliant training records under Part 11 must include: trainee identity (name, employee ID), training description (course title, version, content), instructor/evaluator, date/time completed, duration, assessment results, e-signature with manifestation (name, date/time, meaning), course materials version, and audit trail documenting creation and modifications. Retention requirements vary by regulation but typically span employment duration plus 3+ years.

Validation

Documented process establishing that a system performs according to its intended use and consistently produces accurate results. LMS validation demonstrates the system reliably creates training records, calculates scores correctly, enforces business rules, maintains audit trails, and protects data integrity. Validation follows structured approach: define requirements (User Requirements Specification), design testing protocols (IQ/OQ/PQ), execute tests, document results, and maintain validation state through change control. → Read about LMS Implementation

Additional Critical Terms

Accurate

Data integrity principle requiring data be correct, truthful, and free from errors. Quiz auto-grading algorithms must be verified for accuracy, course completion calculations correct (requiring all lessons plus passing quiz), training hour calculations accurate for continuing education credits, and user profile information current. System validation testing verifies accuracy through IQ/OQ/PQ protocols with documented test cases and acceptance criteria.

Complete

ALCOA+ principle requiring all data relevant to understanding the activity be captured and retained. Training records must include course version, instructor, duration, quiz attempts (not just final passing attempt), pass/fail status, and observation checklist details—not just pass/fail summary. An operator attempting sterile technique assessment three times before passing should have all three attempts documented with scores, dates, and evaluator comments for complete understanding.

Consistent

ALCOA+ principle requiring data follow expected sequence and logical flow without unexplained contradictions. Training completion date cannot precede enrollment date, course version 2 completion cannot show before version 2 release, continuing education credits must sum correctly, and user training history should show logical progression. Inconsistencies like “Cleanroom Training” completed before hire date should be explained in audit trails (data entry error, system issue, fraudulent backdating).

Enduring

ALCOA+ principle requiring records remain intact and accessible throughout required retention periods. Training records must be preserved during system upgrades, data migration must maintain record integrity, backup systems must prevent data loss, and archival procedures must ensure long-term accessibility. FDA typically requires training records for employment duration plus specified period (often 3+ years) or equipment/product lifetime for device manufacturers.

Available

ALCOA+ principle requiring records be readily retrievable for review, audit, or inspection when needed. Search functionality must allow quick record retrieval, reports must be accessible without administrator intervention, FDA inspectors must be able to view records on-demand, and no delays from “system maintenance” or “locked archives” are acceptable. When FDA inspectors arrive requesting three years of aseptic processing training records, your LMS must produce complete, accurate records within reasonable time (typically same day).

Original

Data integrity principle requiring preservation of first data capture or certified true copy maintaining all content and meaning. Original quiz submission must be preserved (not just final score), original course version completed documented (not automatically updated to new version), and source files maintained (video training content, SCORM packages). If printing training records for FDA inspection, printouts must be complete and accurate representations of electronic originals including all metadata (who, when, under what circumstances).

Password Policy

Security controls governing password creation, use, and management to ensure authorized access. Part 11 compliant LMS password policies typically require: minimum complexity (length, character types), periodic password changes (90-180 days), prevention of password reuse, account lockout after failed login attempts, secure password reset procedures, and prohibition of shared credentials. Inadequate password policies represent common Part 11 violations during FDA inspections. → Read about Password Policies

Signature Manifestation

Information displayed with signed electronic records clearly indicating: printed name of signer, date and time signature was executed, and meaning of signature (review, approval, responsibility, authorship). When an employee completes training, the system must record and display: “James Chen – 2026-02-06 09:15:42 EST – Training Completed.” These three components ensure anyone reviewing the record understands who signed, when, and why—creating equivalent weight to traditional handwritten signatures on paper.

System Administrator

Individual with elevated privileges to configure system settings, manage users, and maintain system operation. Part 11 compliance requires system administrator actions be logged in audit trails, administrative access be restricted to authorized personnel only, and separation of duties where administrators cannot also be approvers in workflows they control. Over-permissive administrator access represents common compliance weakness allowing potential unauthorized changes to validated systems.

Comprehensive Part 11 Resources

Now that you understand essential terminology, explore our comprehensive guides organized by topic:

CFR Part 11 Terms

Detailed articles covering specific regulatory terminology, compliance concepts, and implementation approaches:

CFR Part 11 Definitions

Comprehensive guides explaining regulatory concepts, implementation strategies, and industry standards:

CFR Part 11 Checklists

Practical tools and checklists for ensuring compliance across your organization:

CFR Part 11 Examples

Practical scenarios demonstrating compliance principles in action:

Ready to Implement Part 11 Compliance?

Understanding terminology is the foundation, but successful Part 11 compliance requires a validated LMS designed specifically for regulated industries. Connect with an eLeaP solutions advisor to discuss your organization’s specific compliance requirements and see how eLeaP’s 19-year track record in life sciences can support your training and quality objectives.

Key Features of eLeaP’s Part 11 Compliant LMS:

Schedule a Live Demo | Call +1 (502) 653-8579

CFR Part 11 Terms

CFR Part 11 Definitions

CFR Part 11 Checklists

CFR Part 11 Examples