Businesses that operate in an industry regulated by the Food and Drug Association (FDA) should be familiar with Title 21 CFR Part 11. If your business operates in the life sciences space, this regulation applies to your organization. Commonly referred to as Part 11, this legislation impacts the way life sciences companies manage their applications and data because of the potential consequences for consumers. A poorly tested drug or a software malfunction in a medical device can cause serious harm to a patient. To avoid such incidents and to bring more regulation to the industry, the FDA has instituted 21 CFR Part 11.

What is 21 CFR Part 11?



21 CFR Part 11 lists the guidelines that life sciences organizations need to follow when managing data and applications. The FDA requires that organizations involved in data collection and reporting adhere to processes that ensure the integrity of the data at all times. In this way, the FDA can ensure that only the highest quality products reach consumers, and those that are defective are identified early on and handled responsibly.

Who needs to comply with 21 CFR Part 11?

There are primarily three types of environments that need to comply with 21 CFR Part 11:

  • Laboratories that supply test results on any materials
  • Clinical testing units that manage data regarding clinical trials
  • Manufacturing plants that record product development and quality

Any life sciences business or organization that manufactures or sells food and healthcare products is regulated by 21 CFR Part 11.

Staying compliant with 21 CFR Part 11

Instituted in 1997, 21 CFR Part 11 is important legislation, but many life sciences businesses are faced with challenges in their attempt to be compliant. With the changing landscape of technology, organizations need to ensure that they remain compliant with the legislation as their infrastructure and application stacks change.

In today’s world of SaaS-driven software models, Salesforce is frequently relied upon to develop cutting-edge applications in the life sciences space. Salesforce brings control and simplicity to application development but also brings with it new challenges surrounding compliance. If you build life sciences applications using the Salesforce platform, you need to ensure that you are in compliance with 21 CFR Part 11.

Why is Governance important?


The cost of not complying

It is mandatory for all organizations under the purview of the FDA to meet these compliance regulations. The FDA regularly conducts inspections to gauge whether companies understand and are compliant with 21 CFR Part 11.

Failure to comply with this legislation will not result in lost revenue. However, it is a serious risk to take. Non-compliance could lead to heavy penalties and may even result in the FDA closing your organization. Because of what is at stake, it is critical for you to ensure your organization complies with 21 CFR Part 11.

It is possible for implementation to be done in a manual manner. In this approach, you would need to document entire processes in either electronic files or on paper. This requires keeping records of important changes with handwritten sign-offs. Implementing 21 CFR Part 11 compliance for large quantities of data may seem overwhelming with numerous records and multiple signatures required throughout the process. This approach is outdated, time-consuming, and prone to errors. Fortunately, there’s help available with compliance-aware tools like Flosum.

Flosum is an application lifecycle management (ALM) and release management tool for Salesforce applications that monitors and gives you control over the end-to-end lifecycle of your software delivery chain. It is built to drive efficiency across the development pipeline, but more importantly, it ensures your applications and data comply with 21 CFR Part 11.

10 ways Flosum helps you comply with 21 CFR Part 11

Flosum enables you to fully comply with 21 CFR Part 11. It considers all aspects of the legislation and ensures you can meet every requirement. Here are ten ways Flosum can benefit your business and help you comply with 21 CFR Part 11:

1. Maintain electronic records for the software development lifecycle

To comply with 21 CFR Part 11, you must have full control over each of the developer orgs within Salesforce.

You need to be aware of how code was maintained from start to finish. This includes knowing how code is merged, tested, and deployed. This requires complete electronic records; you simply cannot rely on static documentation of the process.

Flosum is a great platform for collaborative development. It allows multiple development, QA, and IT teams to make changes to the application code while recording every change that is made. This gives you an actual revision history, complete with timestamps, members, and changes made at every point of the lifecycle.

2. Track electronic records for change control

Your electronic records should clearly show any changes made to an application’s code, along with who made the change, the time the change was made, and the precise details of the change. This is necessary for 21 CFR Part 11 and is also essential for post-mortem analysis.

Previously, you could simply record a broad release history at the application level without drilling down to the individual developer level. Flosum changes that by allowing you to record every code change with detailed tracebacks. You can go to the source of each change, no matter how big or small. This is essential for compliance, but it also gives you an edge operationally as you are able to easily do root-cause analysis for quicker fixes and bug resolutions.


3. Validate your systems

Validation comes into play with every change made to an application. This helps to ensure that each new update you test and deploy is reliable and meets the standard for quality and compliance.

Flosum is able to map business requirements to the development effort. This way your QA team can assess the quality of new features to ensure they meet your specific requirements. Upon each new release, every part of the application that was modified is checked for quality. If there are any flags, the release can easily be rolled back and fixed.

4. Segregate duties between teams

Separation of duties is important in ensuring the quality of life sciences applications. The person who develops the code should not be the one testing it, and the one deploying it should be different as well. While it is easy to set each person’s responsibility for a release at the start, the hard part is recording each person’s activity across the pipeline.

Flosum is able to separate duties effectively by managing the profiles and permissions for your Salesforce organization. This gives you a way to proactively define who can perform what action, and avoid any unauthorized access or activity by users. Additionally, Flosum tracks changes made by all individuals, no matter which team they are on. This ensures full compliance no matter how large your application becomes.

5. Use secure, computer-generated, time-stamped audit trails

Audit trails are collected automatically when any change occurs in the system. They tell you who made the change and give you deeper visibility into the system. Audit trails enable you to control and enforce changes and are a key part of compliance.

Flosum tracks all changes to an organization automatically and presents you with a detailed audit trail for review. It flags any releases that have not been tested adequately and helps you to identify the exact people involved in the release so the issue can be fixed. Not only does Flosum provide you with necessary visibility, but it also gives you control over the entire development process.

6. Document sign-offs at every stage

For every change of your application, someone has to sign off at the various stages within the pipeline. Someone from Business needs to sign off that the release meets all of the initial requirements. Next, a person from QA has to sign off that the release meets all technical requirements and is aligned with requirements from Business. Traditionally, sign off is a manual process that happens on paper, or at best via email. However, this is not enough for compliance with 21 CFR Part 11.

Sign-offs are built into Flosum so that all approvals from QA and Business are documented by default, including who signed off and when. Beyond this, Flosum’s change management process ensures that all components are reviewed before any code is released.

7. Maintain electronic signatures

For clear visibility into the development process, approvals are required for each step of the process. Previously this was done informally in conversations or through emails which did not allow approvals to be tracked at scale. This is not enough for compliance with 21 CFR Part 11.

Flosum integrates with external eSignature solutions, like DocuSign, and lets you track approvals at every stage of the process. You can define which kinds of changes require an eSignature and enforce these rules by default. Going paperless is not just environmentally responsible; it also brings control and visibility to your development while ensuring that you are compliant with 21 CFR Part 11.

8. Improve software quality

While compliance is required by the FDA, 21 CFR Part 11 offers the benefit of improving your entire software delivery chain.

Flosum is an application lifecycle management (ALM) tool for Salesforce. It brings control and visibility to every step of your development. With additional features like version control, continuous integration, and automatic rollback, you can drive improved quality and reliability for your applications.

9. Gain end-to-end visibility

You may often be in the dark, wondering about the status of an important new update to your application. By implementing 21 CFR Part 11 compliance, you gain deeper visibility into every step of your development process.

Flosum provides metrics at every level – organization, team, and individual. It has various reports that can be customized and shared, so you are always aware of the status of any release. Flosum does not just provide an overview; it allows you to drill down into detailed changes to identify code artifacts that have been changed, the timestamp for the change, and the exact person who made the change. This kind of visibility brings confidence to your development.

10. Minimize costs

As you implement your compliance plan, it is important to keep a budget in mind. Often, it can be expensive to implement a manual review of your processes, which is why this is frequently an outsourced job. If done in-house, you need to hire specialized talent and provide them with the required tools.

Flosum has compliance built into it. This makes it easy to set up and implement compliance measures, even if you are not a compliance expert. You will not need to invest in extra tools, and you can greatly reduce the manual effort required for compliance, saving both time and money.

Conclusion

Compliance with 21 CFR Part 11 should not be taken lightly; it is a legal requirement for organizations regulated by the FDA. As your development becomes more reliant on Salesforce, you need to ensure that you are in compliance with 21 CFR Part 11.

A lack of compliance can result in severe penalties. Something this important should not be left to outdated, manual processes. You need an ALM tool like Flosum that has built-in compliance with 21 CFR Part 11. Flosum automatically tracks and reports on every record and signature across your software delivery pipeline, giving you complete control over compliance. With Flosum, you can view compliance metrics at the top level, and drill down to the minute details to identify when changes were made, by whom, and what impact each change had on the application.

Apart from compliance, Flosum also improves your software quality and brings consistency to your processes. For executives, it provides visibility into every step of the development process. For Salesforce developers and administrators, it offers cutting-edge collaborative features like version control, continuous integration, and automatic rollback.

Complying with 21 CFR Part 11 is essential for life sciences organizations and cannot be ignored or left to a manual process. Flosum offers an out-of-the-box solution that includes the underlying requirements to keep you compliant with 21 CFR Part 11. Leverage Flosum so that you can remain compliant as your organization grows and your technology and tools change.

“Flosum is the best native release management tool that you will fall in love with. I have gained confidence in my role and has given me the ability to view release management from a whole different perspective.”

Faizan Ali
Salesforce Consultant at Turnitin