Current status: Not Part 11 validated. The AVD Clinical platform in its current form does not meet all requirements of 21 CFR Part 11 for use in FDA-regulated electronic records and electronic signatures. This page explains exactly what is and is not in place, and what is required for future regulated use.
Who this matters to: 21 CFR Part 11 applies to FDA-regulated entities (sponsors, CROs, sites under IND/IDE/NDA/BLA) that create, modify, maintain, archive, retrieve, or transmit electronic records required by FDA regulations, and to electronic signatures applied to those records. If your organisation is not FDA-regulated, or you are using AVD Clinical tools only as internal reference frameworks (not as the regulated record itself), Part 11 may not apply to your use.
1. What Part 11 Requires
21 CFR Part 11 (Title 21, Code of Federal Regulations, Part 11) establishes FDA requirements for electronic records and electronic signatures used in place of paper records and handwritten signatures. It covers two main areas:
- Subpart B — Electronic Records: System validation, audit trails, record retention, access controls, computer-generated audit trails, authority checks, and operational system checks.
- Subpart C — Electronic Signatures: Uniqueness, identity verification, linking signatures to records, and fraud prevention controls.
FDA's guidance document "Part 11, Electronic Records; Electronic Signatures — Scope and Application" (2003) further clarifies that Part 11 applies only to records that are required by FDA regulations — not to all electronic records a regulated entity happens to maintain.
2. Where AVD Clinical Stands Against Part 11 Requirements
| Part 11 requirement | Status | Current implementation / gap |
|---|---|---|
| §11.10(a) Validation Systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. |
✗ Not validated | AVD Clinical has not undergone formal IQ/OQ/PQ validation. Our SOP templates include validation frameworks (see Validation Bundle), but the platform itself has not been through a regulated validation process. |
| §11.10(b) Exact copies Ability to generate accurate and complete copies of records in human readable and electronic form. |
~ Partial | The Calculator can export PDF, Word, and CSV copies. Library and SOP downloads are full-fidelity copies of source documents. However, no validated copy-generation procedure exists, and outputs have not been validated against a regulated requirement. |
| §11.10(c) Record protection Protection of records to enable their accurate and ready retrieval throughout the records retention period. |
~ Partial | Records are stored in Supabase (PostgreSQL on AWS) with AES-256 encryption at rest. No formal retention schedule enforcement or regulated archive procedure is implemented. |
| §11.10(d) System access Limiting system access to authorised individuals. |
~ Partial | Authentication via OTP (email or SMS) — no passwords stored. Row-Level Security limits data access to the account owner. Role-based access controls (investigator, CRA, coordinator, sponsor roles) are planned but not yet implemented. |
| §11.10(e) Audit trails Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. |
✗ Not implemented | No dedicated Part 11-compliant audit trail exists for user actions on records. Supabase maintains database-level logs (WAL), but these have not been configured or validated as a Part 11 audit trail. This is a significant gap for regulated use. |
| §11.10(f) Operational system checks Use of operational system checks to enforce permitted sequencing of steps and events. |
✗ Not implemented | AVD Clinical does not enforce regulated workflow sequencing (e.g., requiring review before approval). Templates include SOP frameworks for this but the platform does not enforce workflow controls. |
| §11.10(g) Authority checks Use of authority checks to ensure that only authorised individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at issue. |
~ Partial | Authentication controls exist (OTP, session tokens). Role-based authority checks for regulated operations (sign, approve, lock) are not implemented. |
| §11.10(h) Device checks Use of device (e.g., terminal) checks to determine the validity of the source of data input or operational instruction. |
✗ Not implemented | No regulated device checking or terminal validation is implemented. |
| §11.10(i) Training Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. |
✗ Not documented | No formal training programme or competency documentation system for AVD platform users exists. |
| §11.50 Signature manifestations Electronic signatures must include the printed name of signer, date and time of signing, and meaning of signature. |
✗ Not implemented | AVD Clinical does not implement electronic signatures. OTP authentication is not an electronic signature in the Part 11 sense — it is an authentication mechanism, not a regulated signature event. |
| §11.70 Signature/record linking Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record. |
✗ Not implemented | No electronic signature infrastructure exists on the current platform. |
3. What This Means for How You Can Use AVD Clinical
Acceptable uses (Part 11 does not apply)
- Downloading SOP and template frameworks for adaptation and use within your own validated system
- Using the budget calculator for internal feasibility estimation (not as a regulated submission record)
- Using the Library for reference and research
- Using medicine reminders for personal medication management (not a clinical device)
Uses requiring caution
- If your organisation intends to designate any AVD Clinical-generated output as the regulated record of a GxP activity, you must validate your use of that output within your own validated system.
- AVD SOP templates used as the basis for your organisation's validated SOPs — the template is a starting framework; your organisation's validated SOP creation, review, approval, and change control process governs the resulting regulated record, not AVD Clinical.
Do not use the current AVD Clinical platform as a regulated electronic records system. Do not rely on AVD Clinical as the system of record for GxP activities, electronic signatures on regulated documents, or regulated audit trails. AVD Clinical tools are operational aids and reference frameworks — the regulated record remains within your organisation's validated systems.
4. The Path to Part 11 Readiness
The following must be completed before any AVD Clinical functionality can be positioned as Part 11-validated:
- Formal IQ/OQ/PQ validation of the platform against a defined User Requirements Specification
- Implementation of a computer-generated, time-stamped audit trail for all record-affecting actions
- Implementation of role-based authority checks with segregation of duties
- Electronic signature infrastructure meeting §11.50 and §11.70 requirements
- Formal training documentation system for users performing regulated activities
- Executed validation summary report, traceability matrix, and periodic review SOP
- Executed BAA (for any HIPAA-regulated data processed during regulated use)
These are planned for the future enterprise platform. They are not features that can be "turned on" — they require dedicated development effort, validation resources, and regulatory review. Timeline and progress will be communicated to enterprise customers directly.
5. Questions
If you have specific questions about how your organisation's use of AVD Clinical templates or tools interacts with your Part 11 obligations, we recommend engaging your Quality Assurance function and, if necessary, regulatory counsel. We are happy to discuss the current platform's controls in more detail.
AVD Clinical
Email: [email protected]
Phone: +1 929-502-4973
6. Related Pages
- Security — technical controls in place today
- HIPAA & PHI Notice — HIPAA position and PHI prohibition
- Data Flow — what data goes where
- Subprocessors — vendors and certifications
- Validation Bundle — 21 CFR Part 11 assessment template and validation plan frameworks