21 CFR Part 11 Compliance MCQs With Answers

Understanding 21 CFR Part 11 is essential for M.Pharm students preparing for roles in regulated pharmaceutical environments. This blog presents focused multiple-choice questions with answers to strengthen your grasp of electronic records and electronic signatures, system validation, audit trails, and controls for closed and open systems. Questions emphasize practical compliance requirements — validation strategies, documentation, procedural controls, access management, and the relationship between Part 11 and predicate rules. Use these MCQs for self-assessment or classroom revision; each item is designed to test both conceptual knowledge and application to real-world GMP scenarios. Review guidance and SOPs to ensure you can implement compliant, ALCOA+ aligned electronic systems.

Q1. When does 21 CFR Part 11 apply?

  • Whenever any electronic record exists in an organization
  • Only to electronic records submitted directly to FDA
  • To electronic records and signatures that are used to meet predicate rule requirements
  • Only to clinical trial data

Correct Answer: To electronic records and signatures that are used to meet predicate rule requirements

Q2. Which statement best defines a “closed system” under Part 11?

  • A system used only for internal networks that prohibits external access
  • A system where system access is controlled by persons responsible for the content of electronic records
  • A standalone computer not connected to the internet
  • A system that uses encryption for all communications

Correct Answer: A system where system access is controlled by persons responsible for the content of electronic records

Q3. Under Part 11, electronic signatures may be considered equivalent to handwritten signatures if which condition is met?

  • They are stored on a secure server
  • They are linked to their respective electronic records to ensure authenticity, integrity, and non-repudiation
  • They are produced by the software vendor
  • They are encrypted using AES-128 only

Correct Answer: They are linked to their respective electronic records to ensure authenticity, integrity, and non-repudiation

Q4. What is the primary objective of system validation under 21 CFR Part 11?

  • To ensure the user interface is user-friendly
  • To demonstrate that the system is secure against hacking
  • To ensure accuracy, reliability, consistent intended performance, and the ability to detect invalid or altered records
  • To certify that the software vendor has quality assurance processes

Correct Answer: To ensure accuracy, reliability, consistent intended performance, and the ability to detect invalid or altered records

Q5. Which characteristic is required for an audit trail under Part 11?

  • Manually editable entries with supervisor approval
  • Computer-generated, time-stamped entries that record user identity and changes
  • Daily printed reports stored in a binder
  • Only system logs available to the IT department

Correct Answer: Computer-generated, time-stamped entries that record user identity and changes

Q6. What are “predicate rules” in the context of Part 11?

  • Internal company policies that reference electronic records
  • FDA regulations and statutes (e.g., GMP, GLP) that require recordkeeping and use of records
  • International standards like ISO that are optional
  • Guidance documents that are non-binding

Correct Answer: FDA regulations and statutes (e.g., GMP, GLP) that require recordkeeping and use of records

Q7. Does Part 11 specify how long electronic records must be retained?

  • Yes — Part 11 sets specific retention periods for all records
  • No — retention periods are determined by the applicable predicate rules
  • Yes — all records must be retained permanently
  • No — retention is at the discretion of the system vendor

Correct Answer: No — retention periods are determined by the applicable predicate rules

Q8. Which additional control is commonly required for open systems compared to closed systems?

  • Only local backups
  • Stricter identity proofing, data encryption, and digital signature standards
  • No need for user training
  • Removal of audit trails

Correct Answer: Stricter identity proofing, data encryption, and digital signature standards

Q9. Who holds primary responsibility for ensuring an organization’s Part 11 compliance?

  • The individual end user
  • The software vendor
  • The organization (management) implementing and operating the system
  • The FDA inspector

Correct Answer: The organization (management) implementing and operating the system

Q10. Which elements must be associated with an electronic signature “manifestation” according to Part 11?

  • Printed name, time zone, and device model
  • Printed name, date/time, and meaning of the signature (e.g., review, approval)
  • Signature image file only
  • IP address and network credentials

Correct Answer: Printed name, date/time, and meaning of the signature (e.g., review, approval)

Q11. What does ALCOA stand for, a concept often applied alongside Part 11 for data integrity?

  • Accurate, Legible, Current, Original, Accessible
  • Attributable, Legible, Contemporaneous, Original, Accurate
  • Authentic, Logged, Controlled, Organized, Archived
  • Available, Legal, Complete, Ordered, Auditable

Correct Answer: Attributable, Legible, Contemporaneous, Original, Accurate

Q12. Are biometric electronic signatures permitted under Part 11?

  • No — biometrics are explicitly banned
  • Yes — if controls ensure uniqueness, prevent reuse, and link the biometric to the signer and record
  • Yes — without any additional controls
  • Only for clinical trial staff

Correct Answer: Yes — if controls ensure uniqueness, prevent reuse, and link the biometric to the signer and record

Q13. Which activity is NOT directly mandated by Part 11 but is critical to compliance in practice?

  • System validation
  • Establishing SOPs and staff training
  • Maintenance of audit trails
  • Submitting all electronic records to FDA in a specific file format

Correct Answer: Submitting all electronic records to FDA in a specific file format

Q14. Which of the following is NOT a requirement of Part 11?

  • Validation of systems to ensure accuracy and reliability
  • Secure, computer-generated, time-stamped audit trails
  • Annual certification of every signer directly to FDA by the company
  • Controlled user access and unique user IDs

Correct Answer: Annual certification of every signer directly to FDA by the company

Q15. What is meant by “electronic record integrity” under Part 11?

  • Records are stored in any readable format
  • Records are complete, accurate, protected against unauthorized changes, and retrievable throughout retention
  • Records are backed up weekly only
  • Records are accessible to all employees

Correct Answer: Records are complete, accurate, protected against unauthorized changes, and retrievable throughout retention

Q16. Which role do SOPs play in achieving Part 11 compliance?

  • They are optional guidance documents
  • They define procedures for system use, responsibilities, training, record handling, and contingency actions
  • They replace the need for system validation
  • They are only required for paper records

Correct Answer: They define procedures for system use, responsibilities, training, record handling, and contingency actions

Q17. Which action should be available or recorded if a user deletes or modifies an electronic record?

  • Silent deletion with no trace
  • System must record the change with user ID, timestamp, and reason (or prevent deletion) via audit trail
  • Only IT can see the deletion logs, not auditors
  • User should print the change and file a paper note

Correct Answer: System must record the change with user ID, timestamp, and reason (or prevent deletion) via audit trail

Q18. Which of the following describes an acceptable form of an electronic signature under Part 11?

  • A scanned image of a handwritten signature saved with the record
  • A unique combination of user ID and password or biometric that is linked to the record
  • A publicly shared password
  • A printed name typed into a free-text field

Correct Answer: A unique combination of user ID and password or biometric that is linked to the record

Q19. When implementing Part 11 controls, what is the significance of “equivalent assurance”?

  • Any security measure is acceptable as long as it is documented
  • Controls for open systems must provide assurance equivalent to closed systems (e.g., encryption, identity proofing)
  • Handwritten signatures can always substitute for electronic assurances
  • It applies only to administrative records

Correct Answer: Controls for open systems must provide assurance equivalent to closed systems (e.g., encryption, identity proofing)

Q20. Which FDA guidance document clarified the agency’s enforcement discretion and practical application of Part 11?

  • FDA Guidance for Industry: 21 CFR Part 11, Scope and Application (2003)
  • ICH Q7 Good Manufacturing Practice Guide
  • ISO 9001: Quality Management Systems
  • ICH E6 GCP Guideline

Correct Answer: FDA Guidance for Industry: 21 CFR Part 11, Scope and Application (2003)
