21 CFR Part 11 Device-to-Cloud Control Matrix (Algorithm Data Integrity)
Last updated: 2026-03-10 14:15 ET
Owner: BionicLoop quality + cloud integration
Scope: BionicLoop app telemetry path used to carry algorithm/runtime data to cloud ingest (/v1/telemetry) for remote monitoring, support timeline reconstruction, and future IDE submission evidence.
Purpose
This matrix maps current BionicLoop controls to key 21 CFR Part 11 clauses for electronic-record integrity across the device-to-cloud path.
It is a readiness and gap-tracking artifact, not a legal determination. Final Part 11 applicability and closure require QA/RA signoff.
Status Legend
- Implemented: control behavior is implemented and has traceable test evidence in current docs/tests.
- Partial: baseline exists, but one or more required controls/evidence packages are still open.
- Gap: not yet implemented, or applicability decision/policy is not yet finalized.
Authoritative Inputs
- Regulatory text: 21 CFR Part 11
- FDA guidance: Part 11, Electronic Records; Electronic Signatures — Scope and Application
- App/cloud contract: TelemetryCloudContractForBionicScout.md
- Integration plan: TelemetryCloudIntegrationPlan.md
- Quality chain:
  - SoftwareRequirementsSpecification.md
  - SoftwareDesignDescription.md
  - SoftwareVerificationAndValidationPlan.md
  - TraceabilityMatrix.md
  - CybersecurityPlan.md
Part 11 Control Matrix
| Clause | Control intent | Current status | Current implementation/evidence | Gaps to close (tracked workstream) |
|---|---|---|---|---|
| 11.1 (scope) | Determine where Part 11 applies to records/signatures used in place of paper. | Partial | Telemetry contract and quality chain are in place for electronic records. | Create explicit Part 11 applicability decision memo (record classes, intended use, signature use). Add QA/RA approval workflow. (E, J7) |
| 11.10(a) | Validate systems to ensure accuracy, reliability, and intended performance. | Partial | Strong app-side test baseline: deterministic algo suites (TV-ALG-*), telemetry/event tests (TV-LOG-*, TV-SEC-*), simulation (TV-SIM-*). | Add formal cloud STR package proving end-to-end ingest correctness and replay under failure modes; close pending RTM rows. (J5, J7) |
| 11.10(b) | Generate accurate and complete copies suitable for inspection/review. | Partial | App now has structured inspection telemetry scaffolding: algorithm.session.snapshot, algorithm.step.snapshot, full BP matrix row object, and BP_LOG families A, I, G, ~I, ~G, AD/G24h, PA, P, B, C, D, S, plus an app-side equivalence renderer/tests for single-step BP/BP_LOG regeneration and bridge-fed regression tests for the newly surfaced families. | Implement cloud read/export path (inspection-grade, reproducible, role-scoped), extend equivalence beyond single-step/golden fixtures, and close UTC-consistent rendering + provenance metadata verification. (J5, J7) |
| 11.10(c) | Protect records for accurate, ready retrieval over the retention period. | Partial | Outbox persistence and idempotency keys are defined app-side; contract defines raw + normalized storage expectations. | Backend durable persistence, retention policy, backup/restore, and retrieval SLAs not closed yet. (J5) |
| 11.10(d) | Limit system access to authorized individuals. | Partial | Cognito-backed auth/session baseline, ingest scope (telemetry.ingest), auth_user_sub correlation, protected API path. | Complete role-scoped authorization for downstream query/review surfaces and enforce least privilege end-to-end. (I2, J5) |
| 11.10(e) | Secure, computer-generated, time-stamped audit trail for create/modify/delete actions; previously recorded information must not be obscured. | Partial | Event envelope includes event_id, created_at, session_id; step payload includes explicit step_executed_at; alert lifecycle modeled as issue/retract/ack events. | Need immutable/auditable backend write model with full audit-trail semantics for correction/reprocessing/admin actions (who/when/why), plus replay and tamper-detection evidence. (J5, J7) |
| 11.10(f) | Operational system checks enforcing permitted sequencing of steps and events. | Implemented (app layer); Partial (cloud layer) | Runtime/flow gating is strongly modeled and tested (meal/BG/session/alert policies, cadence guards). | Add cloud-side operational checks for schema versioning, contract evolution controls, and reject/quarantine policy evidence. (J1, J5) |
| 11.10(g) | Authority checks to ensure only permitted users can use the system or perform an operation. | Partial | App enforces authenticated ingest usage and has a role-model planning baseline. | Need explicit role-operation matrix on the backend (subject/clinician/admin) with negative authorization tests and auditability. (I2, J5, J7) |
| 11.10(h) | Device checks, where appropriate, to determine the validity of the source of data input. | Gap | BLE device integration exists for G7/pump at the app layer. | Define and implement cloud-level device trust assertions/provenance checks (at minimum session+subject binding rules and anomaly checks). (J5, M) |
| 11.10(i) | Persons who develop, maintain, or use the system have the education, training, and experience to do so. | Gap | Development SOP exists for the engineering process. | Add controlled training records/process for operators/reviewers and evidence retention in the IDE package. (E) |
| 11.10(j) | Written policies holding individuals accountable for actions under their electronic signatures. | Gap | No final signature policy documented yet. | Define policy if Part 11 signatures are in scope; otherwise document signed rationale for the not-applicable phase. (E) |
| 11.10(k) | Controls over system documentation (distribution, access, use; revision/change control). | Partial | Controlled doc set + code review log + traceability process are in place. | Add explicit change-control/release-document governance with approved signoff records and an archival policy. (E) |
| 11.30 (open systems) | Additional measures for open systems (e.g., encryption, digital signatures) to ensure authenticity, integrity, and, where appropriate, confidentiality. | Partial | TLS + JWT scope model + auth session controls + payload redaction plan + cloud log policy baseline. | Add explicit integrity/tamper controls at the persistence boundary, complete backend schema/idempotency/DLQ hardening, and formal security verification package. (J5, J7, Cybersecurity) |
| 11.50 | Signature manifestations (printed name, date/time, meaning). | Gap | No Part 11 signature implementation in the app/cloud telemetry flow today. | Decide whether a signature workflow is required for this phase; if yes, implement manifestation and the test/report chain. (E, I) |
| 11.70 | Signature/record linkage so signatures cannot be excised, copied, or transferred. | Gap | Not implemented (no signature objects). | Same as 11.50; define signature-object model + immutable linkage controls if in scope. (E, I) |
| 11.100, 11.200, 11.300 | Electronic signature uniqueness, components, and identification code/password controls. | Gap | Not implemented as a Part 11 signature system. | Define applicability and either (a) implement full signature controls or (b) document justified not-applicable status for the current investigational phase. (E, I) |
Algorithm Data Integrity Focus (Device -> Cloud)
For current algorithm telemetry (loop.step.executed + snapshots), the most relevant controls are:
- 11.10(a/e) correctness + audit trail:
  - App emits deterministic step records with explicit execution timestamp and input/output snapshots.
  - Remaining closure is backend immutable persistence + replayable audit trail and formal evidence.
- 11.10(b/c) inspection copies + retrieval:
  - Structured inspection payloads now exist for session metadata, full BP matrix rows, and BP_LOG families A, I, G, ~I, ~G, AD/G24h, PA, P, B, C, D, S.
  - Remaining closure is cloud inspection-ready exports with role-scoped retrieval, broader equivalence evidence, and retention guarantees.
- 11.30 open-system integrity/security:
  - Authenticated API and scope gates exist.
  - Remaining closure is hardening + verification on backend persistence and operation controls.
Concrete Closure Plan (Part 11-Readiness Track)
Phase P11-1: Applicability and policy lock
- Draft and approve Part 11 applicability memo (record classes, signature scope, predicate-rule position).
- Define not-applicable rationale for signature clauses if deferred for this investigational phase.
Phase P11-2: Backend record/audit hardening
- Complete per-event schema enforcement + idempotent durable persistence.
- Add immutable audit metadata for ingest/reprocess/correction paths.
- Add replay/DLQ workflow with traceable operator actions.
Phase P11-3: Inspection copy + retrieval controls
- Implement role-scoped timeline/export APIs that reconstruct algorithm/session chronology.
- Ensure export includes provenance metadata (`subject_id`, `auth_user_sub`, `event_id`, `session_id`, UTC timestamps).
Phase P11-4: Verification and objective evidence
- Create `STR-CLOUD-*` formal runs for auth failures, schema failures, replay, idempotency, and timeline reconstruction.
- Link closure evidence in RTM rows tied to `RA-008`/`RA-009` and `SRS-LOG-*`/`SRS-SEC-*`.
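The P11-2 and P11-3 closure items (per-event schema enforcement, idempotent durable persistence, immutable audit metadata for ingest and correction paths, and a provenance-carrying timeline export) can be shown together in one small runnable model. The block below is an added illustration written for this page; it is not BionicLoop app code, cloud code, or a proposed backend design. It reuses the envelope field names from the matrix (event_id, created_at, session_id, subject_id, auth_user_sub, and step_executed_at on loop.step.executed) and assumes the names event_type, payload, actor and reason, the AuditStore class, and the two sample events, all of which are constructed here. A hash-chained append-only list stands in for the backend store; a real deployment would anchor the chain in a write-once store and put the reviewer identity behind the 11.10(d)/(g) role checks.

```python
import hashlib
import json
from copy import deepcopy
from dataclasses import dataclass, field

GENESIS = "0" * 64
# Envelope fields from the matrix; event_type and payload are assumed names for this example.
REQUIRED_FIELDS = {"event_id", "event_type", "created_at", "session_id",
                   "subject_id", "auth_user_sub", "payload"}

def canonical(obj) -> bytes:
    """Deterministic JSON so a record's hash does not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def validate(event: dict) -> None:
    """Per-event schema enforcement: reject, never silently accept or patch."""
    missing = REQUIRED_FIELDS - event.keys()
    if missing:
        raise ValueError(f"schema violation: missing {sorted(missing)}")
    if event["event_type"] == "loop.step.executed" and "step_executed_at" not in event["payload"]:
        raise ValueError("loop.step.executed requires payload.step_executed_at")

@dataclass
class AuditStore:
    """Append-only store: every write is a hash-chained record carrying who/when/why."""
    records: list = field(default_factory=list)
    seen: set = field(default_factory=set)  # idempotency index keyed on event_id

    def _append(self, action: str, actor: str, reason: str, body: dict) -> dict:
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        rec = {"seq": len(self.records), "prev_hash": prev, "action": action,
               "actor": actor, "reason": reason, "body": deepcopy(body)}
        rec["record_hash"] = hashlib.sha256(canonical(rec)).hexdigest()
        self.records.append(rec)
        return rec

    def ingest(self, event: dict, actor: str) -> str:
        validate(event)
        if event["event_id"] in self.seen:
            return "duplicate"  # redelivered message: acknowledged, not recorded twice
        self.seen.add(event["event_id"])
        self._append("ingest", actor, "device telemetry", event)
        return "stored"

    def correct(self, event_id: str, new_payload: dict, actor: str, reason: str) -> dict:
        """A correction is a new record citing the original; the original stays intact."""
        original = next(r for r in self.records
                        if r["action"] == "ingest" and r["body"]["event_id"] == event_id)
        body = {"supersedes_seq": original["seq"], "event_id": event_id, "payload": new_payload}
        return self._append("correct", actor, reason, body)

    def verify(self) -> tuple:
        """Recompute the chain; returns (ok, seq of the first bad record or None)."""
        prev = GENESIS
        for rec in self.records:
            unhashed = {k: v for k, v in rec.items() if k != "record_hash"}
            recomputed = hashlib.sha256(canonical(unhashed)).hexdigest()
            if rec["prev_hash"] != prev or recomputed != rec["record_hash"]:
                return False, rec["seq"]
            prev = rec["record_hash"]
        return True, None

    def timeline(self, session_id: str) -> list:
        """Inspection copy: session chronology with corrections applied and provenance kept."""
        current = {}
        for rec in self.records:
            b = rec["body"]
            if rec["action"] == "ingest" and b["session_id"] == session_id:
                current[b["event_id"]] = {
                    "event_id": b["event_id"], "event_type": b["event_type"],
                    "at": b["payload"].get("step_executed_at", b["created_at"]),
                    "payload": b["payload"], "subject_id": b["subject_id"],
                    "auth_user_sub": b["auth_user_sub"], "corrected_by_seq": None}
            elif rec["action"] == "correct" and b["event_id"] in current:
                current[b["event_id"]]["payload"] = b["payload"]
                current[b["event_id"]]["corrected_by_seq"] = rec["seq"]
        return sorted(current.values(), key=lambda e: e["at"])

# Constructed sample events for the demo (not real telemetry).
EVENTS = [
    {"event_id": "evt-0001", "event_type": "algorithm.session.snapshot",
     "created_at": "2026-03-10T14:00:00Z", "session_id": "sess-42", "subject_id": "subj-7",
     "auth_user_sub": "cognito-sub-abc", "payload": {"algo_version": "1.2.0"}},
    {"event_id": "evt-0002", "event_type": "loop.step.executed",
     "created_at": "2026-03-10T14:05:01Z", "session_id": "sess-42", "subject_id": "subj-7",
     "auth_user_sub": "cognito-sub-abc",
     "payload": {"step_executed_at": "2026-03-10T14:05:00Z", "bg_mgdl": 142, "insulin_u": 0.3}},
]

def demo() -> dict:
    """Ingest, replay, correct, then tamper with a copy and show the chain catches it."""
    store = AuditStore()
    first = [store.ingest(e, actor="ingest-svc") for e in EVENTS]
    replay = store.ingest(EVENTS[1], actor="ingest-svc")
    store.correct("evt-0002", {**EVENTS[1]["payload"], "insulin_u": 0.35},
                  actor="reviewer-1", reason="dose unit correction")
    tampered = deepcopy(store)
    tampered.records[1]["body"]["payload"]["insulin_u"] = 9.9  # silent in-place edit
    return {"first": first, "replay": replay, "verify": store.verify(),
            "tamper": tampered.verify(), "timeline": store.timeline("sess-42")}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running demo() exercises the four behaviours the matrix asks evidence for: the redelivered event returns "duplicate" without a second record (idempotency), the correction lands as a new record citing seq 1 so the prior value remains readable (11.10(e)), verify() reports the first record whose hash no longer matches after an in-place edit (tamper detection), and timeline() rebuilds the session chronology ordered by step_executed_at with subject_id and auth_user_sub attached (P11-3 provenance). The chain only proves that no record was altered after it was written; it does not by itself prove when it was written, which is why a trusted time source and a write-once backend remain separate closure items.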
Current Recommendation
Part 11-aligned device-to-cloud algorithm telemetry is achievable with the current architecture direction.
Current program state is best characterized as:
- App-side control baseline: strong
- Cloud-side Part 11 closure: in progress
- Electronic-signature scope: unresolved (policy decision required)