Test Your 21 CFR Part 11 Knowledge: Free Quiz

Think you can ace this Title 21 CFR Part 11 quiz? Dive in now!

Difficulty: Moderate
2-5 mins

Use this 21 CFR Part 11 quiz to practice the rules for electronic records and electronic signatures and see where you stand. Questions cover audit trails, access controls, and validation, helping you spot gaps before an audit; afterwards, try the HIPAA quiz.

Which government agency enforces the regulations outlined in 21 CFR Part 11?
Environmental Protection Agency (EPA)
Drug Enforcement Administration (DEA)
United States Department of Agriculture (USDA)
Food and Drug Administration (FDA)
21 CFR Part 11 falls under Title 21 of the Code of Federal Regulations, which is enforced by the Food and Drug Administration to ensure the integrity of electronic records and signatures in FDA-regulated industries. The DEA, EPA, and USDA regulate different aspects of federal law and are not responsible for Part 11 compliance. Companies must follow FDA guidance and regulations specifically for electronic records and signatures.
What is the primary focus of 21 CFR Part 11?
Good Manufacturing Practices (GMPs) for tablets
Food labeling guidelines
Requirements for electronic records and electronic signatures
Standards for aseptic processing
Part 11 specifically addresses the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. It does not cover manufacturing details like aseptic processing, food labeling, or general GMPs beyond electronic recordkeeping. Compliance with Part 11 is required in combination with predicate rules such as GMPs.
Which of the following is a requirement for electronic signatures under 21 CFR Part 11?
They must consist of at least eight numeric characters only.
They must be unique to one individual and not reused by anyone else.
They expire automatically 24 hours after creation.
They may be shared among multiple authorized users.
Electronic signatures under Part 11 must be unique to each individual to ensure accountability and traceability of actions. Allowing multiple users to share a signature or forcing auto-expiration in 24 hours would compromise integrity. Part 11 requires controls for unique identification and secure use of electronic signatures.
What term describes a secure, computer-generated, time-stamped record that captures the date and time of operator entries and actions?
Change control
Event log
Activity matrix
Audit trail
An audit trail is a secure, computer-generated, time-stamped record that shows who performed a specific action and when it occurred, which is a core requirement of Part 11. While an event log may capture system events, it is not the formal term used in Part 11. Change control and activity matrix are related to quality systems but do not meet the definition of an audit trail.
Who is responsible for validating electronic systems to ensure compliance with Part 11 requirements?
The regulated company (system owner)
Any third-party consultant
End users of the system
The Food and Drug Administration
Under Part 11, the regulated company that owns or operates the system bears the responsibility for validating that the system meets its intended use and compliance requirements. The FDA does not perform validation; it inspects and enforces regulations. While consultants may assist, ultimate responsibility remains with the system owner.
Does 21 CFR Part 11 specify how long electronic records must be retained?
Yes, all records must be kept for 5 years
Yes, all records must be kept indefinitely
Yes, all records must be kept for 2 years
No, retention periods are defined by predicate rules, not Part 11
Part 11 establishes technical requirements for electronic records but defers to predicate rules (such as GMPs, GLPs, etc.) to define retention periods. Those rules specify how long records must be retained. Part 11 does not impose a uniform retention schedule.
Which term describes the formal process of testing, documenting, and proving that a computerized system performs as intended?
Calibration
Qualification
Validation
Verification
Validation is the documented process of demonstrating that a computerized system meets its intended purpose and regulatory requirements under Part 11. Verification confirms specific functionalities, qualification can refer to installation or operational steps, and calibration applies to instruments. Comprehensive validation includes qualification, verification, and performance checks.
What is a 'predicate rule' in the context of 21 CFR Part 11?
A guidance document issued by FDA
A set of user requirements for laboratory instruments
An existing regulation requiring records that Part 11 builds upon
A rule for writing standardized software code
A predicate rule is an existing FDA regulation (such as GMP, GLP, GCP) that mandates recordkeeping or signature requirements. Part 11 establishes criteria for electronic records to meet those predicate requirements. Guidance documents and user requirements do not define predicate rules.
How does Part 11 differentiate between closed and open systems?
Closed systems are on-premises; open systems are cloud-based
Closed systems use paper records; open systems use electronic records
Closed systems do not require audit trails; open systems do
Closed systems have controlled access; open systems allow external access
Part 11 defines a closed system as one where system access is controlled by persons responsible for the content of electronic records. Open systems are those where internal controls may not fully restrict access (e.g., internet). The on-premises vs cloud distinction is not how Part 11 categorizes systems.
Which additional control is explicitly required for open systems under Part 11?
Use of data encryption to ensure authenticity
Compact disc backups
Physical locking of servers
Handwritten signature on printouts
Part 11 requires that open systems (i.e., systems with potentially uncontrolled access paths) implement measures such as data encryption to ensure record authenticity, integrity, and confidentiality. Physical locking of servers is good practice but not a specific Part 11 requirement for open systems.
What is the purpose of the 'signature manifestation' requirement in Part 11?
To display signer's name, date, and meaning of the signature
To encrypt the signature with a private key
To store the raw biometric data of the signer
To require a second signature for approval
Signature manifestation means that whenever an electronic signature is executed, the record must display the printed name of the signer, date/time of signing, and the meaning (e.g., review, approval). It does not require storing raw biometric data nor encryption of the signature itself.
Which of these is a valid type of electronic signature recognized in Part 11?
Digital certificates based on public key infrastructure
Hand-signed paper signature only
Mechanical stamps
Generic user IDs shared among a team
Part 11 recognizes electronic signatures based on technologies such as digital certificates using public key infrastructure that ensure signer identity. Shared IDs, mechanical stamps, and solely hand-signed paper signatures do not meet the requirements for secure, non-repudiable electronic signatures.
What key elements must a compliant audit trail capture under Part 11?
File size and encryption method
User IP address only
Network topology
Who made the change, what was changed, and when it occurred
Audit trails must record the identity of the person making changes (who), the details of the change (what), and the date and time of the change (when) to ensure traceability. Information like network topology or file size is not required by Part 11 audit trail rules.
What are the three qualification stages often used during computerized system validation?
Software Qualification, Hardware Qualification, Network Qualification
Design Qualification, Risk Qualification, Compliance Qualification
Installation Qualification (IQ), Operational Qualification (OQ), Performance Qualification (PQ)
User Qualification, Admin Qualification, Security Qualification
IQ, OQ, and PQ are standard protocol stages in system validation: IQ ensures equipment is installed correctly, OQ verifies operation against specifications, and PQ confirms performance under real-world conditions. Other combinations are not standard terminology in Part 11 validation.
When producing a copy of an electronic record for FDA inspection, what must that copy be?
Accurate, complete, and legible
Manually transcribed
Printed only in color
Summarized with key data points
Part 11 requires that any copy of an electronic record for inspection be a complete and accurate representation, including all metadata and audit trail information, and be legible. Summaries or manual transcriptions risk omitting critical details and are not compliant.
Which access control measure is most aligned with Part 11 compliance?
Open guest access
A single shared admin account
Role-based user accounts with unique credentials
Biannual password change without uniqueness
Part 11 requires unique user accounts with controlled access levels, often implemented through role-based access control. Shared accounts and generic changes compromise individual accountability. While password policies are important, uniqueness and role alignment are key for compliance.
How does Part 11 treat biometric identifiers for electronic signatures?
As prohibited data under privacy rules
As equivalent to a digital scan of a handwritten signature
As the only acceptable signature type
As a valid form of electronic signature when properly controlled
Part 11 allows biometric identifiers (fingerprints, retina scans) as a signature method, provided they meet uniqueness, identity verification, and access control requirements. Biometric IDs are not prohibited, nor are they the sole acceptable type. They differ from scanned handwritten signatures because they are unique physiological traits.
Which of the following is NOT a requirement for audit trail functionality under Part 11?
Audit trails must be retained for review
Audit trails must be editable by system administrators
Audit trails must record user identity
Audit trails must be time-stamped
Part 11 mandates that audit trails be secure, computer-generated, time-stamped, and record user identity and actions. Editable audit trails would defeat their purpose and compromise data integrity. Administrators cannot alter audit trail entries.
What is the relationship between Part 11 system documentation and standard operating procedures (SOPs)?
SOPs guide the operation and maintenance of Part 11 systems
SOPs are not required for electronic recordkeeping
System documentation replaces SOPs
SOPs only apply to paper-based systems
Standard operating procedures are critical for defining how electronic record systems are used, maintained, and controlled in compliance with Part 11. They complement system documentation and ensure consistent processes. SOPs do not apply solely to paper systems; they are required for any regulated process.
How does Part 11 influence the retention period defined by predicate rules?
It defers retention requirements to the predicate rules
It mandates immediate destruction after review
It overrides predicate rules with a stricter 10-year period
It sets retention to match patent lifecycles
Part 11 sets technical requirements for electronic records but explicitly defers to the retention periods and recordkeeping requirements defined by the predicate rules. It does not override them or impose additional timeframes.
How should legacy systems (pre-Part 11 implementation) be handled for compliance?
Archive without validation
Replace all records with paper copies only
Exclude them from recordkeeping
Validate or upgrade them to meet current Part 11 requirements
Legacy systems must be validated or upgraded to ensure they meet Part 11 technical controls, such as secure audit trails and user authentication. Excluding or archiving without validation risks non-compliance. Simply converting to paper does not satisfy electronic record regulations.
What is a key consideration for audit trail timestamp synchronization in multinational operations?
Recording local time without offsets
Storing timestamps in text files
Ensuring all systems use a consistent time server (e.g., NTP)
Allowing users to edit timestamps
Consistent timestamping across multiple sites is essential for maintaining the integrity of audit trails. Using a centralized NTP server ensures all systems record events under the same time reference. Local time without offsets or editable timestamps would compromise traceability.
Which statement best describes a closed system under Part 11?
A system where access is controlled by persons responsible for content
A system that only operates offline
A system that does not require audit trails
A system accessible publicly via the internet
A closed system is defined by Part 11 as one where system access is controlled by authorized personnel responsible for the electronic records. Publicly accessible systems are open systems. All regulated systems require audit trails, even if offline.
What method is recommended by Part 11 to ensure data integrity during electronic record transfer between systems?
Printing and rescanning documents
Use of secure hash algorithms combined with digital signatures
Manual checksum verification
Transferring via unencrypted FTP
Part 11 compliance in open or interfaced systems requires controls like secure hash functions and digital signatures to verify that records have not been altered during transfer. Manual methods and unencrypted channels risk data corruption or tampering.
In a hybrid recordkeeping environment mixing paper and electronic records, how does Part 11 apply?
Neither paper nor electronic records need Part 11 compliance
Only paper records require Part 11 controls
Electronic parts must comply with Part 11; paper records follow predicate rules
All documents must be converted to electronic format immediately
In a hybrid environment, Part 11 requirements apply solely to electronic records and signatures, while paper records remain governed by the applicable predicate rules. Both formats must meet their respective regulatory standards, but conversion is not mandatory unless required by predicate rules.
For cloud-based electronic record systems under Part 11, which control requires special attention compared to on-premises implementations?
Vendor control over system validation and environment security
Setting local printer permissions
Installing desktop antivirus software
Using paper backups daily
Cloud-based systems rely on vendors for infrastructure and security controls, so companies must ensure that vendors adhere to Part 11 validation, change control, and environment security standards. On-premises environments keep this responsibility in-house. Paper backups and antivirus, while important, are not unique to cloud implementations.

Study Outcomes

  1. Understand Fundamental Provisions of 21 CFR Part 11

    Gain clarity on the electronic records and digital signature requirements outlined in FDA 21 CFR Part 11 regulations, ensuring you know each core component.

  2. Analyze Digital Signature Compliance

    Evaluate how various electronic signature controls align with Title 21 CFR Part 11 quiz scenarios to determine proper implementation.

  3. Apply 21 CFR Part 11 Standards to Practical Scenarios

    Use real-world examples from the FDA 21 CFR Part 11 test to reinforce how to meet compliance requirements during audits or internal reviews.

  4. Identify Common Pitfalls and Risks

    Recognize frequent noncompliance issues presented in CFR Part 11 compliance questions, helping you avoid audit findings.

  5. Evaluate Record Integrity and Security Measures

    Assess methods for safeguarding electronic records and ensuring data integrity under 21 CFR Part 11 standards.

  6. Reinforce Knowledge Through Scored Practice

    Track your progress with 21 CFR Part 11 practice questions and pinpoint areas for improvement before real-world audits.

Cheat Sheet

  1. Electronic Signatures (§ 11.50-11.70)

    Electronic signatures under 21 CFR Part 11 must be uniquely assigned to an individual and linked to all electronic records to prevent repudiation (FDA, 1997). Use dual-factor authentication (e.g., password + hardware token) and the "TAP" mnemonic - Type, Authenticate, Protect - to remember these essentials. Mastering these steps will boost your audit readiness and confidence.

  2. Audit Trail Requirements (§ 11.10(e))

    Audit trails must be time-stamped, non-editable, and capture who, what, when, and why for every record change, as outlined in the FDA Final Rule (1997). A simple example - "UserID:JANE, Action:Edit, Timestamp:2024-06-01 10:15:30" - illustrates essential data points. Reviewing sample logs regularly can help reinforce your understanding.

  3. System Validation (GAMP 5 & 21 CFR Part 11)

    Systems handling electronic records must undergo Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) to verify functionality and compliance (ISPE GPG, 2010). Draft a traceability matrix linking user requirements to test scripts for clear documentation. Following a clear IQ-OQ-PQ roadmap ensures smoother inspections and stronger quality assurance.

  4. Data Integrity & ALCOA+

    Ensure records are Attributable, Legible, Contemporaneous, Original, and Accurate (ALCOA), plus Complete, Consistent, Enduring, and Available (+) as per FDA guidelines (FDA, 2018). A memory trick - "ALCOA's CORE" (Complete, Original, Reliable, Enduring) - can help retain all nine principles. Recalling "ALCOA's CORE" fosters consistent data stewardship and audit success.

  5. Access Controls & Security (§ 11.10(a-d))

    Robust access controls, including unique user IDs, passwords, and role-based permissions, are mandatory to limit system access to authorized individuals (NIST SP 800-53). Implement periodic password rotation (e.g., every 90 days) and log failed login attempts to maintain compliance. Routine security reviews help you stay ahead of compliance issues and demonstrate proactive governance.
