ApprovaDoc
Start free trial
Part 11 Training Guide

Part 11 for Read-and-Understand Training: What to Verify

21 CFR Part 11 sets requirements for electronic records and electronic signatures. When your training acknowledgments are electronic, Part 11 applies. This guide explains what that means for read-and-understand SOP training workflows.

Start free trial Trust & security
14-day free trialNo credit card requiredPart 11 e-signatures available

Part 11 applies to your electronic training records

If your training acknowledgments are electronic and part of your FDA-regulated quality system, Part 11 requirements apply. Here is what that means in practice.

Common pain points

  • Part 11 requires electronic signatures to be attributable to a specific individual — a shared account checkbox does not qualify
  • Audit trails must capture who did what, when, and the original values — not just the latest state
  • Access controls must limit system access to authorized individuals based on their role and responsibility
  • Electronic records must be protected from unauthorized modification — training acknowledgments should be immutable

Until an audit asks

  • How are electronic signatures authenticated in your training system?
  • Can completed training records be modified or deleted?
  • Does the system maintain an audit trail of all changes?
  • Are access controls enforced based on user roles?
  • Can you demonstrate that the electronic record has not been altered?

What Part 11 requires for training acknowledgments

21 CFR Part 11 addresses electronic records and electronic signatures used to meet FDA requirements. For training acknowledgments, four areas of Part 11 are directly relevant. Below is what the regulation expects, how it applies to read-and-understand training workflows, and what you should verify in any tool you evaluate.

Electronic signatures

What Part 11 says

Electronic signatures must be unique to one individual, not reused or reassigned. They must include the printed name of the signer, date and time, and meaning of the signature (e.g., review, approval, acknowledgment).

What this means for training

When a team member acknowledges an SOP, the acknowledgment must be attributable to that specific person — not to a shared account, a checkbox on someone else's screen, or a name typed into a spreadsheet. The signature should capture the signer's identity, the timestamp, and the fact that they are acknowledging the document.

What to verify in a tool

Confirm that acknowledgments are tied to authenticated user accounts, that re-authentication is required at signing time, that the full signature manifestation (name, date, time, meaning) is recorded, and that signatures cannot be repudiated.

Audit trails

What Part 11 says

Systems must use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.

What this means for training

Every training-related action — assignment, acknowledgment, export, role change, document revision — should be logged with who performed it, when, and what changed. The audit trail should be independent of the training records themselves, so that the trail exists even if someone questions a record.

What to verify in a tool

Confirm that the system logs all relevant actions automatically, that audit trail entries include timestamps and user identifiers, that the trail is write-once (cannot be edited or deleted), and that it captures enough detail to reconstruct the sequence of events.

Access controls

What Part 11 says

Systems must use authority checks to ensure that only authorized individuals can use the system, electronically sign records, operate devices, or alter records.

What this means for training

Not everyone should be able to assign training, acknowledge on behalf of others, or modify document versions. Role-based permissions should ensure that members can only acknowledge their own assignments, while administrators can manage documents and assignments.

What to verify in a tool

Confirm that the system enforces role-based permissions, that users cannot perform actions outside their role, that authentication is required for system access, and that session timeouts or controls are in place.

Record integrity

What Part 11 says

Electronic records must be maintained in a way that ensures their integrity throughout the records retention period. They must be readily retrievable and protected from unauthorized alteration.

What this means for training

Completed acknowledgments, quiz attempts, and the associated audit trail should be immutable — write-once records that cannot be edited or deleted, even by administrators. The document itself should be verifiable through hashing or similar integrity mechanisms.

What to verify in a tool

Confirm that acknowledgment records cannot be modified or deleted after creation, that document versions are hash-verified, that records are retained for the required period, and that they can be retrieved and exported on demand.

How ApprovaDoc supports Part 11 requirements

Re-authenticated, HMAC-bound electronic signatures designed to support 21 CFR Part 11 requirements. Available on Team and Growth plans.

Here is what ApprovaDoc provides to support your Part 11 compliance approach for read-and-understand training workflows:

  • Re-authenticated, HMAC-bound electronic signatures at acknowledgment time
  • Full signature manifestation: signer name, date, time, and meaning of signature
  • Immutable acknowledgment records enforced at the database level (no UPDATE or DELETE)
  • Immutable audit log capturing every action with who, what, when, and IP address
  • SHA-256 document hashing for version integrity verification
  • Role-based access controls (owner, admin, member) with row-level security
  • Time-limited signed URLs for document access — no persistent public links
  • Export of complete training evidence packs including signature details

Beyond the tool: procedural requirements for Part 11

Part 11 compliance is not just about software features. It also requires organizational procedures and controls that operate outside any specific tool. When evaluating your Part 11 readiness for training records, consider these procedural elements alongside your QMSR Subpart D training documentation strategy:

Written policies on electronic signatures: Your organization should have a policy stating that electronic signatures are the legally binding equivalent of handwritten signatures. This is a Part 11 requirement that exists at the organizational level, not the software level.

User account management: Procedures for creating, modifying, and deactivating user accounts. Each account must be tied to a specific individual — no shared logins, no generic accounts. The tool enforces this technically, but your SOP should govern the process.

Training on the system itself: Personnel who use the SOP training records system should be trained on how to use it, how electronic signatures work, and what their obligations are under your electronic records policy. This is a procedural requirement your organization manages.

Periodic review and validation maintenance: Your quality system should include procedures for periodically reviewing the training record system, assessing changes, and determining whether revalidation is needed. See how to validate training record software in a small QMS for a practical guide. The tool supports this with audit trails and export capabilities, but the review process is yours.

The training workflow with Part 11 controls

The same straightforward workflow, with electronic signatures, audit trails, and record integrity at every step.

1

Upload a controlled SOP or policy

Add the SOP or policy, document ID, and revision. Start as Draft.

2

Submit for review

Choose reviewers. They comment and approve or request changes.

3

Route through approval

Approvers sign off with e-signatures. Sequential phases ensure the right order.

4

Assign training

Choose the users, teams, or roles that need to acknowledge the effective version.

5

Collect acknowledgment by revision

With optional quiz to verify comprehension.

6

Reassign when a document changes

Release a new revision and trigger fresh review, approval, and acknowledgment.

7

Export clear evidence

View live status or download records for audits.

Features that support Part 11 compliance

Designed for teams that need electronic signatures, audit trails, and immutable records.

Audit log

Maintain a clear history of review decisions, approvals, assignments, acknowledgments, and exports.

"Read & Understand" acknowledgment

Collect a clear record of acknowledgment tied to the exact revision assigned.

Exportable evidence pack

Download audit-ready records with assignment, acknowledgment, and revision history.

Controlled SOP register

Track document ID, title, owner, effective date, revision, and version status. Upload pre-approved documents with audit justification.

Optional comprehension quizzes

Attach multiple-choice questions to any document version. Users must pass before they can acknowledge.

Revision-triggered retraining

Release a new revision and reassign only where needed.

A note from the team

Built from real audit experience

ApprovaDoc comes from direct experience developing medical devices, navigating ISO 13485 and FDA audits, and working inside quality systems that ranged from excellent to barely functional. Training evidence deserves focused tooling — not a module buried inside an overbuilt system.

— the ApprovaDoc teamLearn why we built this →
Common questions

Part 11 for training records — common questions

Re-authenticated, HMAC-bound electronic signatures designed to support 21 CFR Part 11 requirements. Available on Team and Growth plans. ApprovaDoc provides design features that support Part 11 requirements — electronic signatures, audit trails, access controls, and record integrity. However, Part 11 compliance depends on how the system is used, configured, and validated within your organization. ApprovaDoc is designed to support Part 11 requirements, but compliance is a shared responsibility between the tool and your procedures.
In the context of Part 11, an electronic signature is a legally binding authentication that is attributable to a specific individual and includes the signer's name, date/time, and meaning. A simple acknowledgment — clicking a button or checking a box — may not meet Part 11 signature requirements unless it includes re-authentication, attribution, and the full signature manifestation. ApprovaDoc supports both: basic acknowledgments for teams that do not require Part 11 signatures, and re-authenticated electronic signatures for teams that do.
Part 11 applies when electronic records are used to meet FDA predicate rules — the underlying regulations that require the records in the first place. If your training records are maintained electronically and are part of your FDA-regulated quality system, Part 11 requirements likely apply. The scope and rigor of Part 11 controls should be proportional to the risk of the records. Training acknowledgments are typically considered important compliance records, though the exact requirements depend on your quality system and regulatory strategy.
HMAC (Hash-based Message Authentication Code) binding means the electronic signature is cryptographically linked to the specific record being signed. If the record were altered after signing, the HMAC verification would fail — proving the record has been tampered with. This provides non-repudiation: the signer cannot claim they signed a different record, and no one can claim the record was modified after signing. ApprovaDoc uses HMAC binding for all Part 11 electronic signatures.
Key areas to evaluate: (1) How are electronic signatures implemented — do they require re-authentication? (2) Is the full signature manifestation recorded (name, date, time, meaning)? (3) Are completed records immutable — can anyone edit or delete them? (4) Is there a complete, independent audit trail? (5) Are access controls enforced based on user roles? (6) How is document integrity verified? (7) Can you export records that include all Part 11 relevant data? No single feature makes a tool Part 11 compliant — it is the combination of these controls that supports compliance.
In ApprovaDoc, Part 11 electronic signatures are available on the Team and Growth plans. The Starter plan supports basic acknowledgments (timestamped, attributed, immutable) but does not include the re-authenticated signature workflow. If your regulatory strategy requires Part 11 e-signatures for training acknowledgments, you will need the Team or Growth plan. Contact info@approvadoc.com with specific compliance questions.

Training acknowledgments designed for Part 11

Re-authenticated e-signatures, immutable records, and complete audit trails. Available on Team and Growth plans.

Built for medtech startups Transparent pricing No demo required
More to read

Related pages

Trust, Security & Validation

How ApprovaDoc handles data security, audit trail integrity, and regulatory compliance.

Medical Device SOP Training

SOP training software built for medtech startups and ISO 13485 manufacturers.

QMSR Training Records

Document FDA QMSR Subpart D training evidence for small medical device teams.