21 CFR

Everything you ever needed to know about Code of Federal Regulation (CFR)

(Free) Essential Guide to CMMS
Last updated on November 9, 2023 James Chan

What is 21 CFR?

“21 CFR” refers to Title 21 of the Code of Federal Regulations (CFR). You may also hear it referred to as “CFR Title 21.” It covers a variety of requirements that an FDA-regulated company needs to comply with. 

21 CFR regulations most often apply to manufacturers of medical devices, pharmaceuticals, or nutraceuticals. Think companies who produce life science products such as an insulin pump, medications like ibuprofen, or nutritional supplements like vitamins.

The Food and Drug Administration (FDA) cares about two main things: 

  • Your product is safe and not a danger to consumers.
  • Your product does what it claims to do (referred to as “efficacy”).

Note: The FDA regulates companies that sell products to the United States market. However, the regulatory requirements for other countries/regions, such as Canada or the European Union, are often satisfied when a company complies with 21 CFR.

Table of Contents

How is maintenance related to 21 CFR?
Why do you need to care about 21 CFR in maintenance?
What to expect in a 21 CFR audit
How to have perfect 21 CFR audit results
How proper documentation solvers your 21 CFR problems
What is software validation?
21 CFR software requirements
How to validate a CMMS
Pass your 21 CFR audit with Limble

How is maintenance related to 21 CFR?

Manufacturers use a variety of machines to produce medical devices, drugs, and nutraceuticals. If those machines aren’t maintained properly, they could negatively affect the quality of the end product. 

Let’s consider the air filtration system for a manufacturing room. 

If the filtration system hasn’t been maintained, particulate could enter the manufacturing room and contaminate the end product. As a result, the product may not be safe for use because it is now contaminated.

As a maintenance professional, you will not be required to know everything about 21 CFR. However, you will need to be aware of the regulations for quality systems, computer systems, and electronic records as they relate to 21 CFR.

Why do you need to care about 21 CFR in maintenance?

One word: audit.

A 21 CFR audit will focus on your company’s records. As a result, it is important to have a system that can accurately show the way that equipment has been properly maintained. 

The consequences of audit nonconformities (as in findings that don’t comply with 21 CFR) could lead to, on the most extreme side, a complete shutdown of the company.

You will want to make sure that your company and your team are as prepared as possible to meet auditor expectations and 21 CFR regulations.

What to expect in a 21 CFR audit

21 CFR audits come in many different shapes and sizes. Here are some quick facts about what an audit might look like.

Who conducts 21 CFR audits?

Auditors can come from many sources. 

They could be from the FDA, from companies you sell to, or from a foreign entity if you sell to another country. 

When do 21 CFR audits happen?

Some audits are scheduled, while other audits are unannounced. 

When an auditor visits a company they may not focus on every department — meaning, they may not look at maintenance every time.

What do auditors look for?

When an auditor visits your maintenance department, they will want to look at:

  • Maintenance histories
  • Maintenance schedules
  • Software validation (if using software for maintenance)

An auditor’s job is to identify weak points in your documentation that could lead to larger maintenance problems. They call these “nonconformities.” These can include:

  • Improper maintenance of equipment
  • Inaccurate or missing records
  • Questionable security of your software or documentation
  • Software that doesn’t comply with 21 CFR requirements
  • Not following your own company’s requirements
  • Difficulty finding a document or record associated with a piece of equipment

How to have perfect 21 CFR audit results

To avoid nonconformities during your 21 CFR audit, follow this section from 21 CFR:

“Each manufacturer shall establish and maintain schedules for the adjustment, cleaning, and other maintenance of equipment to ensure that manufacturing specifications are met. Maintenance activities, including the date and individual(s) performing the maintenance activities, shall be documented.” 820.70 (g) (1) Maintenance Schedule

From this section, we learn three things: 

  • You need to maintain your equipment. 
  • You need to have maintenance schedules for your equipment.
  • You need to have all of this clearly documented.

The Essential Guide to CMMS

Download this helpful guide to everything a CMMS has to offer.

How proper documentation solves your 21 CFR problems

You can document your maintenance with pen and paper, of course, but that can be problematic. Most companies that use physical papers to document maintenance run into issues during audits.

The gold standard is to use a CMMS. A CMMS allows you to: 

  • Automate record tracking and organization
  • Set maintenance schedules so they are never missed
  • Quickly search past paperwork
  • Be prepared for an audit at any time
  • Ensure your data integrity is maintained

In this video, Cory Mince at Spectrum Solutions talks about how their paper-based system was not “cutting the mustard” for what they needed. When they implemented a CMMS (in this case, Limble) it made all the difference for their next audit.

What is software validation?

The FDA requires something called “software validation” for manufacturers where 21 CFR requirements apply.

Software validation means that you have documentation to show that the way you are using your maintenance software complies with 21 CFR requirements. 

The FDA itself says:

“When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.” 820.70 (g) (3) (i) Automated Processes

This means both the requirements that the FDA has set and your company’s requirements. 

21 CFR software requirements

The two parts of 21 CFR that are most important to a maintenance team using a CMMS are Part 11 and Part 820.

21 CFR Part 11

The simple way to think about 21 CFR Part 11 is that you (or an auditor) should be able to determine exactly who is doing what. 

When using paper to manage your maintenance, each person can sign and date it. 

When you’re using software (such as a CMMS) you’re able to:

  • Give unique usernames and login information to each individual, creating a clear audit trail
  • Use automatic timestamps that record exactly when something happened in your electronic records 
  • Protect data with strong passwords that are reset regularly
  • Utilize electronic signatures when necessary

Whether you use paper or a CMMS, auditors do not want to see an easy way for someone to impersonate someone else or an opening where the wrong person could manipulate your data.

21 CFR Part 820

This section describes the FDA’s requirement for quality systems. The goal of good quality systems is to ensure that the products your company produces have high levels of safety and efficacy. 

The most important aspects of Part 820 for maintenance are: 

  • Defined maintenance schedules
  • Records that demonstrate you are following your maintenance schedules 

To comply with 21 CFR Part 820 you need software that is meant for this kind of work. You also need it to track and store your data properly. 

That is why it is important to select a CMMS that has been designed for the needs of an FDA-regulated company.

Company requirements

In addition to the requirements in the regulation, auditors will want to see that you are meeting any additional requirements that your company has documented. 

For example, one company had an intern who wrote a requirement in their Standard Operating Procedure (SOP) that there needed to be a life raft on the roof of the building. The intern wrote it in as a joke, but when the auditor saw that requirement, they requested roof access to verify the life raft was on the roof. When it wasn’t there, they included that as a nonconformity in the audit report.

How to validate a CMMS


The last part of software validation that we’ll talk about in this article is validation testing. This requires a company to fully test the software for meeting the requirements of 21 CFR and any internal requirements. 

There are a few different paths that you can take for validation.

Path 1: Accept validation from the software provider

If you choose this path, there are industry standards for regulatory compliance. You want to find a CMMS provider that is both familiar with those and who meets them. You’ll want to have their testing documentation readily available for when an audit occurs. 

At Limble, we provide all customers with our current validation documentation along with validation testing results. This is the most common path that most companies will take when validating their software for 21 CFR.

Path 2: Perform your own validation

If you have a quality assurance team, they may have a process in place for performing your own validation and this path may be the option they prefer. If you or your quality assurance team needs help, contact a regulatory specialist at Limble for guidance. 

Path 3: A combination of both

This path combines Path 1 and Path 2 from above, where you accept the validation from the software provider and then perform additional testing required by your quality systems. 

Note: No software can come pre-validated. If a software provider says their software is already “certified” or that you don’t have to do any paperwork, that means that they do not understand 21 CFR. The FDA puts that responsibility on the company using the software, as stated in 820.70(g)(3)(i): “the manufacturer shall validate computer software.” 

How do you know which path is best for your company? It depends on a few factors. 

The most important thing to keep in mind is that auditors will be making sure you have a documented process in place and you are keeping safety and efficacy a priority in everything you do. 

No matter which path you choose, Limble can provide you with document templates that will help you define your needs and properly document your validation process. 

Please keep in mind that no CMMS software provider can declare that you are meeting regulations and standards. That’s for the auditor to decide.

Finding the right CMMS

Now that you know what 21 CFR requires for equipment maintenance, you may be ready to implement a CMMS. 

With so many options on the market, it can be difficult to find which one will work best for you. Here’s what you should look for in a CMMS:

  • The CMMS provider has performed their own validation and is willing to share the results with you
  • Validation testing is performed by the company for each new update or version release of the software
  • The validation testing demonstrates that your needs will be met
  • The software is easy to use; if not, you will get bad data because people will make mistakes when attempting to document their tasks
  • The software was created with 21 CFR in mind

Now that you know what you need, it may be time to seriously think about investing in a CMMS for your company. 

Want to see Limble in action? Get started for free today!

Start Free Trial

Pass your 21 CFR audit with Limble

Implementing a CMMS is no small feat, especially when 21 CFR compliance is added to the mix. Luckily, Limble can help! We understand the stress of preparing for an audit, which is why we’ve built features right into our CMMS that can help with it.

  • Electronic signatures: Limble is designed to be in compliance with the digital signature requirements you’ll need to show an auditor.
  • Full audit log for assets: Limble will log all of the work history on each asset. We’ve even made it searchable, so you can easily find who did what, when, and why.
  • Validation testing: Limble provides documentation of the validation testing we do before each release. 

These features, along with the myriad of other CMMS features we offer and combined with our personalized customer service, Limble will do everything we can to help you pass your 21 CFR audit!

21 CFR is easy with the right tools

Figuring out the nuances of 21 CFR and everything it requires can be a headache. Give yourself less to worry about with a CMMS built with 21 CFR in mind — and built to meet your needs!

Limble could be the answer to your problems. Schedule a demo, or send us an email to learn more about how Limble can help your team reach your 21 CFR goals.

Related Content

Explore our blog for insightful articles, personal reflections and ideas that inspire action on the topics you care about.
Maintenance Work Order Template
Choosing Maintenance Strategy

reliability centered maintenance
Demystifying the 3 Types of Maintenance Strategies and Their Uses

iiot maintenance
What is CMMS?

Request a Demo

Give us a call or fill in the form below and we will contact you. We endeavor to answer all inquiries within 24 hours on business days.