21 CFR

Everything you ever needed to know about Code of Federal Regulation (CFR)

(Free) Essential Guide to CMMS

What is 21 CFR?

The term “21 CFR” refers to Title 21 of the Code of Federal Regulations (CFR), a list of operational requirements that an FDA-regulated manufacturing company must comply with to produce and sell products to consumers. You may also hear it referred to as “CFR Title 21.” 

21 CFR regulations generally apply to manufacturers of medical devices, pharmaceuticals, or nutraceuticals. These companies produce healthcare and wellness products such as insulin pumps, medications like ibuprofen, or nutritional supplements like vitamins.

When regulating manufacturing operations, the Food and Drug Administration (FDA) cares about two things: 

  • Safety: Is your product safe, or is it dangerous to consumers?

Efficacy: Does your product do what it claims to do?

Note: The FDA regulates companies that sell products to the United States market. However, the regulatory requirements for other countries/regions, such as Canada or the European Union, are often satisfied when a company complies with 21 CFR.

How is maintenance related to 21 CFR?

Manufacturers use a variety of machines to produce medical devices, drugs, and nutraceuticals. Because those machines have the potential to impact both the safety and the efficacy of the end product, 21 CFR includes regulations to ensure they are maintained properly and in a manner that reduces the risk of contamination or other irregularities. 

For example, if the air filtration system hasn’t been maintained, particulate matter could enter the manufacturing facility and contaminate the end product. Due to the possibility of contamination, the product may be deemed unsafe for use.

As a maintenance professional, you will not be required to know everything about 21 CFR. However, you must know the regulations for quality systems, computer systems, and electronic records related to 21 CFR.

Why do you need to care about 21 CFR in maintenance?

One word: audits. Audits are one of the tools regulatory agencies like the FDA use to ensure manufacturers follow consistent and effective procedures.

A 21 CFR audit will thoroughly review your company’s records to ensure that any required policy, practice, or maintenance task is performed.  If an auditor cannot find documentation that a particular 21 CFR rule was followed, it will be noted as non-compliance. As a result, it is essential to have a record-keeping system that makes documentation of such practices simple and easy to review in an auditing scenario.

The consequences of non-compliance (as in findings that don’t comply with 21 CFR) may include many unpleasant penalties such as correction orders, additional audits, product recalls, or, in extreme cases, a complete shutdown of company operations.

You will want to make sure that your company and your team are as prepared as possible to meet the expectations laid out in the 21 CFR regulations.

What to expect in a 21 CFR audit

21 CFR audits come in many shapes and sizes, depending on your organization. Here are some quick facts about what an audit might look like.

Who conducts 21 CFR audits?

Auditors can come from many sources. They could be from the FDA, from companies you sell to, or from a foreign entity if you sell to another country. They typically have a background related to your organization’s area of focus. 

When do 21 CFR audits happen?

Some audits are scheduled, while other audits are unannounced. The best way to keep your auditing schedule at a reasonable interval is to ensure successful audits every time. Organizations that have more areas of non-compliance identified in an audit are more likely to experience additional follow-up audits that may be unannounced. 

That said, 21 CFR includes broad requirements for many areas of an organization. When an auditor visits a company for routine audits, they may not focus on every department every time.

What do auditors look for?

When an auditor visits your maintenance department, they will want to look at the following:

An auditor’s job is to look through your documentation to identify weak points in your policies, procedures, and safety practices that could lead to more significant problems. Each instance where a requirement has not been met (or documented) is called a “nonconformity.” These may include:

  • Improper equipment maintenance
  • Inaccurate or missing records
  • Questionable security of your software or documentation
  • Software that doesn’t comply with 21 CFR requirements
  • Not following your own company’s policies
  • Difficulty finding a document or record associated with a piece of equipment

Or any other 21 CFR rule or internal policy that has not been followed.

How to have perfect 21 CFR audit results

To avoid nonconformities during your audit, closely follow this section from 21 CFR:

“Each manufacturer shall establish and maintain schedules for the adjustment, cleaning, and other maintenance of equipment to ensure that manufacturing specifications are met. Maintenance activities, including the date and individual(s) performing the maintenance activities, shall be documented.” 820.70 (g) (1) Maintenance Schedule

From this section, we learn three things: 

  • You must maintain your equipment. 
  • Your equipment maintenance policies, plans, and schedules must be clearly outlined and documented.
  • Actions taken to adhere to these policies, plans, and schedules must also be documented.

The Essential Guide to CMMS

Download this helpful guide to everything a CMMS has to offer.

How proper documentation solves your 21 CFR problems

You can document your maintenance with pen and paper, but that can be problematic. Even with the best filing systems, it is easy to have issues producing the correct paper documentation during audits. Any organization that has ever had a misplaced file or an illegible date during an audit will tell you so.

The gold standard is to use a software solution to manage and document any activities subject to regulation. For maintenance teams, a Computerized Maintenance Management System (CMMS) helps you in two ways.

1. Maintaining compliance during regular operations

A CMMS provides numerous tools to help maintenance teams meet the expectations of regulatory agencies and helps ensure team awareness of required policies and procedures.

2. Demonstrating compliance during an audit

A CMMS ensures your records are always audit-ready. Records, timelines, and policies are easy to locate when audit time comes.

  • Organizes documentation in a way that is always audit-ready
  • Enables quick searches for key information and documentation
  • Provides one centralized platform for policy review

In this video, Cory Mince at Spectrum Solutions talks about how their paper-based system was not “cutting the mustard” for what they needed. When they implemented a CMMS it made all the difference for their next audit.

What is software validation?

If you are taking the digital route and documenting your activities in a CMMS or other software, the FDA has requirements for that, too. It is called “software validation.”

“When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.” 820.70 (g) (3) (i) Automated Processes

The software validation process proves (and documents) that how you use your maintenance software complies with 21 CFR requirements as well as your own established policies related to 21 CFR.

Software validation requirements in 21 CFR Part 11

21 CFR Part 11 is all about determining exactly who has done what. When using paper to manage maintenance, signatures and signature dates achieve this. However, with software, tasks are attributed to users based on their logins. 

  • Unique usernames and login information are given to each individual, creating a clear audit trail.
  • Automatic timestamps record precisely when something happened in the electronic record.
  • Strong passwords that are reset regularly protect company data.
  • Electronic signatures are available when necessary.

Whether you use paper or a CMMS, it is important to know who has performed what actions and to prevent unauthorized individuals from accessing or manipulating your data. It is critical not just for compliance but for the general security of your operations.

Software validation requirements in 21 CFR Part 820

This section requires a quality system to be in place. Good quality systems aim to ensure the products your company produces meet a minimum level of safety and efficacy

The most important aspects of Part 820 for maintenance are: 

The best software to meet this standard is one that was built to manage maintenance schedules and document maintenance work while providing a high degree of data security. When looking for a CMMS, this is a critical consideration for organizations subject to 21 CFR.

Company requirements

In addition to the requirements written into the regulations, auditors will want to see that you are meeting any other requirements laid out in related internal policies and procedures. 

For example, if your company included a requirement to wear purple hats every Tuesday in your employee handbook policy, an auditor would expect to see weekly documentation of purple hat day somewhere in your records, even though that particular requirement isn’t dictated by 21 CFR rules.

Building mechanisms and spaces to document each part of your internal processes is critical to any compliance program.

How to validate a CMMS


Software validation requires a company to test the software fully to ensure adherence to the requirements of 21 CFR and any internal policies. To achieve this, organizations have a few different paths to choose from.

Path 1: Accept validation from the software provider

The most common path is for companies to simply choose software that has already been built to meet 21 CFR regulations. In these cases, the responsibility still lies with the manufacturer to perform final validation based on how the system will be used in their environment. However, the vendor has already done much of their own testing.  

At Limble, we provide all customers with our current validation documentation along with validation testing results. 

Path 2: Perform your own validation

If you have a quality assurance team, they may have a process in place for performing your own validation, and this path may be the option they prefer. If you or your quality assurance team needs help, contact a regulatory specialist at Limble for guidance. 

Path 3: A combination of both

This path combines Path 1 and Path 2 from above, where you accept the validation from the software provider and then perform additional testing required by your own internal quality systems. 

Note: No software can come pre-validated. If a software provider says their software is already “certified” or that you don’t have to do any paperwork, that they do not understand 21 CFR. The FDA puts that responsibility on the company using the software, as stated in 820.70(g)(3)(i): “the manufacturer shall validate computer software.” 

How do you know which path is best for your company? It depends on a few factors. 

The most important thing to keep in mind is that auditors will make sure you have a documented process in place to make safety and efficacy a priority in everything you do. No matter which path you choose, Limble can provide you with document templates that will help you define your needs and properly document your validation process. 

Please keep in mind that no CMMS software provider can declare that you are meeting regulations and standards. That’s for the auditor to decide.

Finding the right CMMS

With so many options on the market, it can be difficult to find maintenance software that will work best for you and fully meet 21 CFR requirements. Here’s what to look for in a CMMS specific to these regulations

  • Validation testing has been performed, and the CMMS provider is willing to share the results with you.
  • Validation testing is performed by the company for each new update or version release of the software.
  • The validation testing demonstrates that your needs will be met.
  • The software is easy to use, helping ensure that documentation is completed thoroughly.
  • The software was created with 21 CFR in mind.

Want to see Limble in action? Get started for free today!

Pass your 21 CFR audit with Limble

Implementing a CMMS is no small feat, especially when 21 CFR compliance is added to the mix. Luckily, Limble can help! We understand the stress of preparing for an audit, which is why we’ve built features right into our CMMS that can help.

  • Electronic signatures: Limble is designed to comply with the digital signature requirements you’ll need to show an auditor.
  • Full audit log for assets: Limble will log all of the work history on each asset. We’ve even made it searchable so you can easily find who did what, when, and why.
  • Validation testing: Limble provides documentation of the validation testing we do before each release. 

With these features combined with other CMMS benefits and our personalized customer service, Limble will do everything we can to help you pass your 21 CFR audit!

21 CFR is easy with the right tools

Figuring out the nuances of 21 CFR and everything it requires can be a headache. Give yourself less to worry about with a CMMS built with 21 CFR in mind — and built to meet your needs.

Schedule a demo, or send us an email to learn more about how Limble can help your team reach your 21 CFR goals.

Related Content

Explore our blog for insightful articles, personal reflections and ideas that inspire action on the topics you care about.

Request a Demo

Give us a call or fill in the form below and we will contact you. We endeavor to answer all inquiries within 24 hours on business days.