
# 21 CFR Part 11 Compliance Guide for Jira (Atlassian)

Jake Stowe

April 12, 2024

## Table of Contents

- [Is Jira FDA 21 CFR Part 11 Compliant?](#is-jira-fda-21-cfr-part-11-compliant)
- [Adjusting issues in Jira to prevent companies from falling out of FDA 21 CFR Part 11 compliance](#adjusting-issues-in-jira-to-prevent-companies-from-falling-out-of-fda-21-cfr-part-11-compliance)
- [21 CFR Part 11, Subpart C–Electronic Signatures in Jira, § 11.100 Electronic signature components and controls.](#21-cfr-part-11-subpart-c-electronic-signatures-in-jira-11100-electronic-signature-components-and-controls)
- [How Ketryx can ensure companies are compliant with the FDA and 21 CFR Part 11 in Jira](#how-ketryx-can-ensure-companies-are-compliant-with-the-fda-and-21-cfr-part-11-in-jira)
- [FDA 21 CFR Part 11 Compliance in Jira interview with Part 11 experts, Jake Stowe and Lee Chickering:](#fda-21-cfr-part-11-compliance-in-jira-interview-with-part-11-experts-jake-stowe-and-lee-chickering)

FDA 21 CFR Part 11, also known as Part 11, is a set of complex regulations that all medical device software companies (and other companies under FDA regulation) in the United States must comply with. Part 11 requires detailed planning and documentation, proof that the organization uses a compliant quality management system (QMS), and proof that all electronic records, electronic signatures, and handwritten signatures attached to electronic records are dependable and credible.

In the words of the [FDA](https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application), “Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in Agency regulations. … We intend to enforce all other provisions of Part 11 including, but not limited to, certain controls for closed systems in § 11.10. For example, we intend to enforce provisions related to the following controls and requirements:

- limiting system access to authorized individuals
- use of operational system checks
- use of authority checks
- use of device checks
- determination that persons who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks
- establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures
- appropriate controls over systems documentation
- controls for open systems corresponding to controls for closed systems bulleted above (§ 11.30)
- requirements related to electronic signatures (e.g., §§ 11.50, 11.70, 11.100, 11.200, and 11.300)”

[Jira](https://www.atlassian.com/software/jira), Atlassian’s product management software, can be an excellent choice for companies that need to comply with 21 CFR Part 11. However, Jira alone cannot ensure compliance with 21 CFR Part 11. To become compliant with Part 11, Jira needs to be properly managed with specific plugins and/or external software. Although Jira has many important features that help with Part 11, companies relying on Jira for FDA 21 CFR Part 11 compliance need to be aware of specific pitfalls within Jira that can push them out of compliance.

## Is Jira FDA 21 CFR Part 11 Compliant?

Yes, Jira can be FDA 21 CFR Part 11 compliant, but only if it is configured with the correct features. **However, Jira, by design, is not Part 11 compliant**. The main issue with the default configuration in Jira is the lack of an audit trail when tickets are changed or deleted. Jira only cares about the current state of tickets and does not provide an immutable audit trail for each record. Jira does not show who made a change to the record, when the changes were made, or the difference between the old and revised record. This is one major issue that companies must address to stay in 21 CFR Part 11 compliance.

When using Jira, companies need to make sure evidence can be created and exported to show that they meet Part 11 requirements, such as: knowing how to use the specific company’s computer systems and software, tracking data changes, preventing and/or detecting falsified records, storing data securely and ensuring data is neither corrupted nor lost, and ensuring that approval and verification of signatures cannot be disputed.

## Adjusting issues in Jira to prevent companies from falling out of FDA 21 CFR Part 11 compliance

#### 21 CFR Part 11, Subpart B – Electronic Records in Jira, § 11.10 Controls for closed systems.

[Subpart B, Section 11.10 of 21 CFR Part 11](https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11) states that persons who use closed systems must have “use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.” A very important flaw to note in Jira is the irreversibility of the ‘Delete’ operation. Deleting an issue in Jira permanently removes the issue, its comments, and its attachments, with no way of retrieving the deleted data. If information is permanently deleted (with no audit trail to show when or what item was deleted, or by whom), companies will automatically fall out of compliance with 21 CFR Part 11. To resolve this, users can change the default setting in Jira to set up a dedicated resolution type such as ‘Canceled’, or install the Atlassian plugin ‘Issue History for Jira’ so that an audit trail tracks all changes and deletions.
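The properties § 11.10 asks of an audit trail (system-generated timestamps, who acted, what changed, and deletions that leave a record) can be seen in a minimal append-only log. This is an added sketch, not code from Jira, Ketryx or any plugin; the `AuditTrail` class and its method names are hypothetical, and a hash chain stands in for whatever tamper-evidence mechanism a validated system actually uses.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry

class AuditTrail:
    """Append-only, hash-chained log of create/modify/delete actions."""
    def __init__(self):
        self.entries = []  # the trail; entries are only ever appended
        self.records = {}  # current state of each live record

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, actor, action, record_id, old, new):
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),  # set by the system
            "actor": actor, "action": action, "record": record_id,
            "old": old, "new": new,  # before/after values give the diff
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    def create(self, actor, record_id, fields):
        if record_id in self.records:
            raise KeyError(f"{record_id} already exists")
        self._append(actor, "create", record_id, None, dict(fields))
        self.records[record_id] = dict(fields)

    def modify(self, actor, record_id, changes):
        old = self.records[record_id]  # KeyError if the record does not exist
        self.records[record_id] = {**old, **changes}
        self._append(actor, "modify", record_id, old, dict(self.records[record_id]))

    def delete(self, actor, record_id):
        # The record leaves the live set, but its last state stays in the trail.
        self._append(actor, "delete", record_id, self.records.pop(record_id), None)

    def verify(self):  # False if any entry was altered, removed or reordered
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True
```

A chain like this only makes edits detectable: anyone able to rewrite the whole store can recompute every hash, so the latest hash has to be recorded somewhere the application cannot write.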

## 21 CFR Part 11, Subpart C–Electronic Signatures in Jira, § 11.100 Electronic signature components and controls.

[Subpart C, Section 11.100 of 21 CFR Part 11](https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11) states, “When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.” This means that after a user first uses an electronic signature (signing in to their Jira account), the user must provide a secondary electronic signature component when modifying, adding, or removing data from the system. This secondary electronic signature can consist of a user name / password, biometric identification (fingerprint or retina scan), or a secure token / device.

## How Ketryx can ensure companies are compliant with the FDA and 21 CFR Part 11 in Jira

Ketryx lifecycle management software effectively solves all of Jira’s non-compliance problems with 21 CFR Part 11. If users integrate Jira with Ketryx, there is no need for multiple plugins, guesswork, or the tedious amount of time and effort administrators otherwise need to exert in order to be 21 CFR Part 11 compliant. With the integration, Ketryx brings a company's Jira instance into 62304 compliance. Ketryx preserves companies' data by validating the system to maintain the integrity of all data, and gives Ketryx users 21 CFR Part 11 signature compliance in the front end of Jira.

### Interview transcript

**FDA 21 CFR Part 11 Compliance in Jira interview with Part 11 experts, Jake Stowe and Lee Chickering:**

As a benefit to our readers, we have included an edited transcript of an interview with two top engineers at Ketryx about compliance with the FDA and 21 CFR Part 11 in Jira.

##### **21 CFR Part 11 Compliance in Jira – Abridged Interview Transcript:**

The topic is 21 CFR Part 11 and its application. Initially built for pharmaceuticals to be applied to manufacturing facilities, 21 CFR Part 11 is a set of regulations promulgated by the FDA in the late 1990s to adapt to the industries they were regulating, which were starting to use electronic media to record sensitive data, rather than paper. There are two primary problems. One of them is that you have to follow a very strict set of procedures and policies. The other problem is that you need to very rigorously record the data that is generated from each of those steps.

The agency is basically taking this very old practice within the regulated environment and bringing it into this modern way of doing things. In the end, the 21 CFR Part 11 is about ensuring that the people who are working within the electronic system are who they say they are, that they are doing the things that they're allowed to do, and that the system isn't going to inadvertently lose data or isn't going to inadvertently transform data in a way that could be misinterpreted.

The three main things are the signatures, the version trail and then the auditing. That's their method of doing it because they're not doing things nearly as sophisticated as Ketryx is.
