FDA 21 CFR Part 11 is the U.S. Food and Drug Administration regulation that defines the criteria for trustworthy electronic records and electronic signatures in FDA-regulated industries. Published on August 20, 1997, Part 11 establishes that electronic records can replace paper records and that electronic signatures are legally equivalent to handwritten signatures, provided specific controls are in place: audit trails, access controls, system validation, and two-component electronic signatures.
Key Takeaways
- 21 CFR Part 11 applies to any electronic record required by FDA predicate rules (cGMP, GLP, GCP, QSR).
- The regulation has three subparts: General Provisions, Electronic Records, and Electronic Signatures.
- Audit trails (Section 11.10(e)) are the most-cited requirement in FDA 483 observations.
- Electronic signatures must include printed name, date/time, and meaning (Section 11.50).
- Non-biometric signatures require at least two identification components, such as username + password (Section 11.200).
- The FDA enforces a risk-based approach per its 2003 Scope and Application guidance.
This guide explains every major provision of Part 11, walks through the three subparts and their key sections, identifies the most common compliance pitfalls, and provides a practical implementation checklist.
What Is the History of 21 CFR Part 11?
Throughout the early 1990s, the pharmaceutical and medical device industries were rapidly adopting computerized systems. Batch records, laboratory notebooks, adverse event reports, and clinical trial data were increasingly generated, stored, and transmitted electronically. But the FDA's existing regulations were written for a paper-based world. There was no legal framework to determine when an electronic record could replace a paper record, or when clicking "approve" on a screen was equivalent to signing a document by hand.
After years of public comment and rulemaking, the FDA published the final rule for 21 CFR Part 11 on August 20, 1997. The rule established two foundational principles: first, that electronic records could satisfy regulatory requirements previously fulfilled by paper records, provided certain controls were in place; and second, that electronic signatures could be considered legally binding and equivalent to handwritten signatures under defined conditions.
In 2003, the FDA issued a guidance document titled Scope and Application that narrowed the enforcement approach. The agency acknowledged that a rigid, one-size-fits-all interpretation had imposed undue costs on industry without proportionate benefit to public health. The guidance introduced risk-based assessment: organizations should focus Part 11 controls on systems and records where the risk to product quality and patient safety is highest. This risk-based approach remains the FDA's current enforcement philosophy.
Who Must Comply with FDA 21 CFR Part 11?
Part 11 applies to any organization that creates, modifies, maintains, archives, retrieves, or transmits electronic records required by FDA predicate rules or submitted to the FDA. "Predicate rules" are the underlying regulations that mandate specific record-keeping: current Good Manufacturing Practice (cGMP) under 21 CFR Parts 210 and 211, Quality System Regulation (QSR) under 21 CFR Part 820, Good Laboratory Practice (GLP) under 21 CFR Part 58, and Good Clinical Practice (GCP) requirements.
In practice, these organizations typically fall within scope:
- Pharmaceutical manufacturers and contract manufacturing organizations (CMOs)
- Biotechnology companies
- Medical device manufacturers
- Contract research organizations (CROs) conducting FDA-regulated clinical trials
- Clinical trial sponsors and sites
- Laboratories performing FDA-regulated testing (bioanalytical, stability, quality control)
- Companies submitting regulatory filings (NDAs, ANDAs, BLAs, 510(k)s, PMAs) electronically
The Three Subparts of 21 CFR Part 11
Part 11 is organized into three subparts. Understanding their structure is essential for systematic compliance.
Subpart A: General Provisions (Sections 11.1 through 11.3)
Subpart A defines the regulation's scope, establishes when electronic records and signatures can substitute for paper equivalents, and clarifies that Part 11 doesn't limit the use of electronic records where federal regulations already permit them. Section 11.1 states that systems used to create, modify, maintain, archive, retrieve, or transmit electronic records must comply with Part 11 if those records are required by predicate rules. Section 11.2 emphasizes that implementation should be based on a risk assessment, focusing controls where they most protect public health. Section 11.3 provides key definitions, including the distinction between open and closed systems.
Subpart B: Electronic Records (Sections 11.10 through 11.70)
Subpart B contains the technical and procedural controls that must be applied to electronic records. This is the most operationally significant subpart. Its key sections include:
Section 11.10 — Controls for Closed Systems
A closed system is one where access is controlled by the persons responsible for the content of electronic records. Most enterprise systems (LIMS, ERP, QMS, e-signature platforms) operate as closed systems. Section 11.10 requires:
- System validation: Procedures and controls must ensure accuracy, reliability, consistent intended performance, and the ability to detect invalid or altered records.
- Record generation: The system must be capable of generating accurate and complete copies of records in both human-readable and electronic form for FDA inspection.
- Record protection: Records must be protected throughout their retention period to enable accurate retrieval. They can't be obscured, modified, or deleted without authorization.
- Limiting system access: Access must be limited to authorized individuals.
- Audit trails: Secure, computer-generated, time-stamped audit trails must independently record the date and time of operator entries and actions. Audit trail entries can't be modified, and the audit trail must be retained for at least as long as the underlying electronic record.
- Operational system checks: The system must enforce permitted sequencing of steps and events, as appropriate.
- Authority checks: The system must use authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or device, or alter a record.
- Device checks: Where applicable, the system must verify the validity of the source of data input or operational instruction.
- Training: Persons who develop, maintain, or use electronic record/signature systems must have the education, training, and experience to perform their assigned tasks.
- Written policies: Organizations must establish and adhere to written policies that hold individuals accountable for actions initiated under their electronic signatures.
- Documentation controls: Adequate controls must exist over the distribution of, access to, and use of documentation for system operation and maintenance.
Section 11.30 — Controls for Open Systems
An open system is one where access isn't controlled by the persons responsible for the electronic records. When records are transmitted over the internet, for example, additional measures such as document encryption, digital signatures using recognized certificate authorities, and other controls are required to ensure record authenticity, integrity, and confidentiality.
Section 11.50 — Signature Manifestations
Signed electronic records must contain information associated with the signing that clearly indicates the printed name of the signer, the date and time when the signature was executed, and the meaning of the signature (such as review, approval, responsibility, or authorship). This information must be included in any human-readable form of the electronic record, whether electronic display or printout.
Section 11.70 — Signature/Record Linking
Electronic signatures and handwritten signatures executed to electronic records must be linked to their respective records so that signatures can't be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
Subpart C: Electronic Signatures (Sections 11.100 through 11.300)
Subpart C addresses the requirements for electronic signatures themselves, ensuring they're attributable to a single individual and can't be reused or repudiated.
Section 11.100 — General Requirements
Each electronic signature must be unique to one individual and must not be reused by or reassigned to anyone else. Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, the organization must verify the individual's identity. Organizations must certify to the FDA that their electronic signatures are the legally binding equivalent of handwritten signatures. This certification must be submitted to the FDA Office of Regional Operations.
Section 11.200 — Electronic Signature Components and Controls
Electronic signatures not based on biometrics must employ at least two distinct identification components, such as a user ID and password. When an individual executes a series of signings during a single continuous period of controlled system access, the first signing must use all identification components; subsequent signings may use at least one component. When signings aren't performed during a single continuous session, each signing must use all components.
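The continuous-session rule is easy to get wrong in an implementation, so here it is as a small policy function. This is an added example written for this guide, not code from the regulation or from any product: the 15-minute idle timeout, the PBKDF2 credential store, the user IDs and the class names are all assumptions (Part 11 sets no timeout value). The user ID plays the role of the shared component and the password the component that only the individual can execute.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

IDLE_TIMEOUT = timedelta(minutes=15)   # assumed policy value; Part 11 sets no number
PBKDF2_ROUNDS = 50_000                 # assumed; kept modest so the sample runs quickly


class CredentialStore:
    """Salted password hashes for the constructed sample users."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, self._hash(password, salt))

    def verify(self, user_id: str, password: Optional[str]) -> bool:
        if password is None or user_id not in self._users:
            return False
        salt, stored = self._users[user_id]
        return hmac.compare_digest(self._hash(password, salt), stored)


@dataclass
class Session:
    """One individual's continuous period of controlled system access."""
    user_id: str
    last_signing: Optional[datetime] = None   # None until the session's first signing
    meanings: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class SignResult:
    ok: bool
    components_required: Tuple[str, ...]
    reason: str


def attempt_signing(store: CredentialStore, session: Session, user_id: Optional[str],
                    password: Optional[str], meaning: str, now: datetime) -> SignResult:
    """11.200 rule: all components on the first signing or after a break in continuity;
    within a continuous session at least the component only the individual can execute
    (the password here). The user_id is fixed by the session and cannot be substituted."""
    continuous = session.last_signing is not None and now - session.last_signing <= IDLE_TIMEOUT
    if continuous:
        required: Tuple[str, ...] = ("password",)
        if user_id is not None and user_id != session.user_id:
            return SignResult(False, required, "user_id does not match the session owner")
        user_id = session.user_id
    else:
        required = ("user_id", "password")
        if user_id != session.user_id:
            return SignResult(False, required, "all components required: session not continuous")
    if not store.verify(user_id, password):
        return SignResult(False, required, "component verification failed")
    session.last_signing = now
    session.meanings.append(meaning)
    return SignResult(True, required, "signed")


def run_scenario() -> List[Tuple[bool, Tuple[str, ...]]]:
    """Constructed walk-through; returns (ok, components_required) for each attempt."""
    store = CredentialStore()
    store.add("qa_reviewer02", "correct-horse")
    session = Session("qa_reviewer02")
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    attempts = [
        (None, "correct-horse", "approved", t0),                                  # first signing, user_id missing
        ("qa_reviewer02", "correct-horse", "approved", t0),                       # first signing, both components
        (None, "correct-horse", "reviewed", t0 + timedelta(minutes=5)),           # continuous: password alone
        ("analyst01", "correct-horse", "reviewed", t0 + timedelta(minutes=6)),    # another user on the session
        (None, "wrong-password", "reviewed", t0 + timedelta(minutes=7)),          # bad component
        (None, "correct-horse", "approved", t0 + timedelta(minutes=30)),          # idle > 15 min: both again
        ("qa_reviewer02", "correct-horse", "approved", t0 + timedelta(minutes=30)),
    ]
    results = []
    for uid, pw, meaning, at in attempts:
        r = attempt_signing(store, session, uid, pw, meaning, at)
        results.append((r.ok, r.components_required))
    return results


if __name__ == "__main__":
    for ok, required in run_scenario():
        print(ok, required)
```

Note that a rejected attempt does not refresh `last_signing`, so a run of failed signings cannot keep a session alive, and that a different `user_id` presented on a live session is refused rather than silently treated as a new first signing; the other individual must start their own session with all components.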
Section 11.300 — Controls for Identification Codes/Passwords
Organizations using electronic signatures based on identification codes combined with passwords must employ controls to ensure security and integrity. These include maintaining the uniqueness of each combined identification code and password, ensuring that codes and passwords are periodically revised, implementing procedures to electronically deauthorize lost or compromised tokens, issuing temporary or permanent replacements using suitable controls, using transaction safeguards to prevent unauthorized use, and testing devices that bear or generate identification codes or passwords to ensure proper function.
Key Compliance Requirements in Detail
Audit Trails
The audit trail is arguably the single most important technical control in Part 11. A compliant audit trail must be computer-generated (not manually maintained), time-stamped with a reliable and synchronized clock, independent of the operator (the person performing the action can't modify the audit trail entry), and retained for at least as long as the electronic record it relates to. The audit trail must capture who performed each action, what was changed (including before and after values where applicable), and when the change occurred.
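The properties listed above are easier to reason about when written down as code. The following is an added example written for this guide, not code from the regulation, the FDA, or Certivo: an in-memory, append-only audit trail whose entries are hash-chained, so that an edited or deleted entry is detected by re-verifying the chain. The field names, the clock source, and the sample batch-record actions are assumptions.

```python
from __future__ import annotations

import dataclasses
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Optional, Tuple

GENESIS = "0" * 64  # prev_hash carried by the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str    # when: ISO-8601 UTC, taken from the system clock, never from the operator
    user_id: str      # who
    record_id: str    # which record
    action: str       # what
    old_value: Any    # before
    new_value: Any    # after
    prev_hash: str    # chains this entry to the one before it
    entry_hash: str = ""

    def canonical(self) -> bytes:
        """Stable serialisation of every field except entry_hash itself."""
        body = {k: v for k, v in dataclasses.asdict(self).items() if k != "entry_hash"}
        return json.dumps(body, sort_keys=True, default=str).encode()


def _digest(entry: AuditEntry) -> str:
    return hashlib.sha256(entry.canonical()).hexdigest()


class AuditTrail:
    """Append-only in memory; a real store would also deny UPDATE/DELETE at the database layer."""

    def __init__(self, clock=None):
        # Assumed to be a trusted, synchronised clock; the operator never supplies the time.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._entries = []

    def record(self, user_id: str, record_id: str, action: str,
               old_value: Any = None, new_value: Any = None) -> AuditEntry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        draft = AuditEntry(seq=len(self._entries) + 1,
                           timestamp=self._clock().isoformat(timespec="seconds"),
                           user_id=user_id, record_id=record_id, action=action,
                           old_value=old_value, new_value=new_value, prev_hash=prev)
        entry = dataclasses.replace(draft, entry_hash=_digest(draft))
        self._entries.append(entry)
        return entry

    def entries(self) -> list:
        return list(self._entries)

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every hash and re-walk the chain; returns (ok, first_bad_seq)."""
        prev = GENESIS
        for e in self._entries:
            if e.prev_hash != prev or _digest(e) != e.entry_hash:
                return False, e.seq
            prev = e.entry_hash
        return True, None


def build_sample_trail(clock=None) -> AuditTrail:
    """Constructed sample: three actions on one batch record by two users."""
    trail = AuditTrail(clock)
    trail.record("analyst01", "BATCH-0001", "create", None, {"status": "draft"})
    trail.record("analyst01", "BATCH-0001", "update", {"potency": "98.1%"}, {"potency": "98.4%"})
    trail.record("qa_reviewer02", "BATCH-0001", "sign", None, {"meaning": "reviewed"})
    return trail


def tamper_with(trail: AuditTrail, seq: int, **changes) -> AuditTrail:
    """Simulate the 11.10(e) failure mode: a stored row edited in place."""
    trail._entries[seq - 1] = dataclasses.replace(trail._entries[seq - 1], **changes)
    return trail


def drop_entry(trail: AuditTrail, seq: int) -> AuditTrail:
    """Simulate a deleted row; the following entry's prev_hash no longer matches."""
    del trail._entries[seq - 1]
    return trail


if __name__ == "__main__":
    print("intact :", build_sample_trail().verify())
    print("edited :", tamper_with(build_sample_trail(), 2, new_value={"potency": "99.9%"}).verify())
    print("deleted:", drop_entry(build_sample_trail(), 2).verify())
```

Two points the code makes concrete: the timestamp is taken inside `record()` from the system clock, never from the caller, and `verify()` walks the chain from the genesis hash, so altering any stored field or removing any row changes a digest and fails at that sequence number. Chaining does not replace insert-only database grants or write-once storage; it is the check that tells you those controls have been bypassed.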
Access Controls
Access controls go beyond simple username/password authentication. Part 11 requires role-based access to ensure that individuals can only perform functions appropriate to their responsibilities. This includes both system-level access (who can log in) and function-level access (who can approve, who can modify, who can view). Multi-factor authentication, while not explicitly mandated by the 1997 regulation text, is increasingly expected by FDA investigators as a best practice, particularly for electronic signatures in clinical trials and other high-risk operations.
System Validation
Validation requires documented evidence that a system consistently performs according to predetermined specifications. This typically includes an Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ). Validation must be maintained throughout the system lifecycle; changes to the system need to be evaluated for their impact on the validated state and re-validated as necessary. Validation documentation should include requirements specifications, test protocols and results, traceability matrices, and deviation management records.
Electronic Signatures
For FDA electronic signatures to be considered equivalent to handwritten signatures, they must satisfy several criteria. The signature must be attributable to a single individual and must include the signer's printed name, the date and time of signing, and the meaning of the signature. Biometric-based signatures must be designed so they can't be used by anyone other than the genuine owner. Non-biometric signatures must use at least two distinct identification components (such as a user ID and a password), with additional controls on how those components are managed and protected per Section 11.300.
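The manifestation requirements of Section 11.50, the linking requirement of Section 11.70, and the criteria restated in the paragraph above can be captured in one data structure whose integrity check names the specific way a linkage failed. This is an added example for this guide, not code from the regulation or any product: the HMAC key stands in for whatever key a real signing service would hold (in an HSM or KMS, or as per-signer asymmetric keys), and the record layout, field names and sample batch records are assumptions.

```python
from __future__ import annotations

import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

# Constructed demo key. A real signing service keeps its key in an HSM/KMS or uses
# per-signer asymmetric keys; the HMAC here shows the binding, not key management.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def record_sha256(record: Dict[str, Any]) -> str:
    """Digest of the record's canonical JSON, so any content change is detectable."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


@dataclass(frozen=True)
class SignatureManifestation:
    printed_name: str     # 11.50: printed name of the signer
    signed_at: str        # 11.50: date and time of signing, ISO-8601 UTC
    meaning: str          # 11.50: review, approval, responsibility, authorship, ...
    record_id: str        # 11.70: which record the signature is bound to
    record_digest: str    # 11.70: what that record contained when it was signed
    mac: str              # covers every field above

    def display(self) -> str:
        """Form that must appear on any screen rendering or printout of the record."""
        return f"Signed by {self.printed_name} on {self.signed_at}; meaning: {self.meaning}"


def _mac(printed_name: str, signed_at: str, meaning: str, record_id: str, digest: str) -> str:
    payload = json.dumps([printed_name, signed_at, meaning, record_id, digest]).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def sign_record(record: Dict[str, Any], printed_name: str, meaning: str,
                now: Optional[datetime] = None) -> SignatureManifestation:
    signed_at = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    digest = record_sha256(record)
    rid = record["record_id"]
    return SignatureManifestation(printed_name, signed_at, meaning, rid, digest,
                                  _mac(printed_name, signed_at, meaning, rid, digest))


def verify_signature(record: Dict[str, Any], sig: SignatureManifestation) -> Tuple[bool, str]:
    """Checks are ordered so the reason names the specific way the linkage failed."""
    if sig.record_id != record["record_id"]:
        return False, "signature belongs to a different record"
    if sig.record_digest != record_sha256(record):
        return False, "record content changed after signing"
    expected = _mac(sig.printed_name, sig.signed_at, sig.meaning, sig.record_id, sig.record_digest)
    if not hmac.compare_digest(expected, sig.mac):
        return False, "manifestation altered"
    return True, "valid"


def run_scenario() -> List[Tuple[bool, str]]:
    """Constructed records; returns the verification outcome for four cases."""
    batch = {"record_id": "BATCH-0001", "potency": "98.4%", "status": "complete"}
    other = {"record_id": "BATCH-0002", "potency": "97.9%", "status": "complete"}
    when = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    sig = sign_record(batch, "Jane Q. Reviewer", "reviewed", when)
    return [
        verify_signature(batch, sig),                                          # untouched
        verify_signature({**batch, "potency": "99.9%"}, sig),                  # edited after signing
        verify_signature(other, sig),                                          # copied onto another record
        verify_signature(batch, dataclasses.replace(sig, meaning="approved")), # meaning changed
    ]


if __name__ == "__main__":
    for ok, reason in run_scenario():
        print(ok, reason)
```

The manifestation is stored as structured fields rather than a rendered string, so the same object serves both the human-readable form (`display()`) and the integrity check; a signature copied to a second record fails on `record_id`, a record edited after signing fails on its digest, and any change to name, time or meaning fails the MAC.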
Predicate Rules: The Context That Matters
A frequent source of confusion is the relationship between Part 11 and predicate rules. Part 11 doesn't itself specify which records must be created or retained. That obligation comes from the predicate rules. For example, 21 CFR Part 211 (cGMP for finished pharmaceuticals) requires batch production and control records. If those records are maintained electronically, Part 11 applies to the electronic system. Similarly, 21 CFR Part 820 (Quality System Regulation for medical devices) requires design history files and device history records. When maintained electronically, those records must comply with Part 11.
The practical implication: 21 CFR Part 11 compliance can't be assessed in isolation. You must first identify which predicate rules apply to your operations, determine which records required by those predicate rules are maintained electronically, and then apply Part 11 controls to those electronic records and any associated electronic signatures.
What Are the Most Common Part 11 Compliance Failures?
After reviewing hundreds of FDA warning letters and 483 observations related to Part 11, these patterns emerge as the most frequent compliance failures:
| Pitfall | Section | Why It Happens |
|---|---|---|
| No audit trail or incomplete audit trail | 11.10(e) | Legacy systems lack audit trail capability; organizations fail to enable it even when available |
| Shared user accounts | 11.10(d), 11.100 | Teams share credentials for convenience, destroying individual accountability |
| No system validation documentation | 11.10(a) | Systems are deployed without IQ/OQ/PQ or validation isn't maintained after updates |
| Modifiable audit trail entries | 11.10(e) | Database administrators can alter audit log tables; no immutability controls |
| Missing signature meaning | 11.50 | Electronic signatures don't capture whether the signer is approving, reviewing, or authoring |
| No written accountability policies | 11.10(j) | Organizations lack SOPs holding individuals accountable for actions under their signatures |
| Inadequate training documentation | 11.10(i) | Users aren't trained on the specific systems they operate, or training isn't documented |
| Records not available for FDA inspection | 11.10(b) | Systems can't export records in a human-readable format that FDA investigators can review |
FDA Enforcement: Warning Letters and 483 Observations
The FDA enforces Part 11 through facility inspections. When investigators identify deficiencies, they issue Form 483 observations. If the deficiencies are serious or unresolved, the agency may issue a warning letter. While the 2003 guidance document signaled a more risk-based enforcement approach, the FDA hasn't abandoned Part 11 enforcement. In recent years, 483 observations citing Part 11 deficiencies have appeared in inspections of pharmaceutical manufacturing sites, clinical trial sites, and contract laboratories.
Common warning letter themes include failure to maintain audit trails for records, failure to validate computerized systems used to generate regulated data, use of shared login credentials that undermine attribution of electronic signatures, and inability to produce electronic records in a readable format during inspections. Organizations that receive Part 11-related warning letters often face delays in product approvals, import alerts, and reputational damage.
Implementation Checklist
Use this checklist to assess and improve your Part 11 compliance posture:
- Inventory your electronic systems: Identify every system that creates, stores, or manages records required by FDA predicate rules.
- Perform a risk assessment: Prioritize systems based on the criticality of the records they manage and the risk to product quality and patient safety.
- Validate high-risk systems: Develop and execute IQ/OQ/PQ protocols for each system. Maintain validation through change control.
- Enable and verify audit trails: Ensure every system produces immutable, time-stamped audit trails that capture who, what, and when for every record action.
- Implement role-based access controls: Eliminate shared accounts. Assign unique credentials to every user. Enforce the principle of least privilege.
- Configure electronic signatures: Ensure signatures capture printed name, date/time, and meaning. Implement two-factor identification components per Section 11.200.
- Establish written policies: Create SOPs for electronic record management, electronic signature use, system access, password management, and individual accountability.
- Train personnel: Document training for every individual who uses, maintains, or administers Part 11-relevant systems.
- Plan for FDA inspections: Ensure all systems can export records in human-readable formats. Maintain audit trail records for the required retention period.
- Conduct periodic reviews: Schedule internal audits to verify ongoing compliance. Address findings promptly with CAPA.
Part 11 and Modern Technology
The 1997 regulation was written when client-server architectures dominated enterprise computing. Today, cloud-based SaaS platforms, mobile applications, and API-driven integrations are the norm. The FDA has indicated through guidances and public statements that Part 11 applies to cloud-based systems just as it applies to on-premises systems. What matters is whether the required controls are in place, regardless of deployment model.
Cloud-based platforms can actually simplify Part 11 compliance by centralizing audit trail management, automating access control enforcement, ensuring consistent system validation through controlled deployment pipelines, and providing always-current software without the validation burden of manual upgrades. The key is selecting a vendor that understands regulated requirements and can provide the documentation and transparency needed for your validation activities.
Conclusion
FDA 21 CFR Part 11 isn't a relic of the 1990s. It's an active, enforced regulation that defines how electronic records and electronic signatures must be managed across FDA-regulated industries. Compliance requires validated technology, documented procedures, trained personnel, and ongoing oversight. Organizations that treat Part 11 as a technology checkbox rather than a quality system discipline inevitably end up on the wrong side of an FDA investigator's observations.
The most effective approach: select systems designed for regulated use, implement them within a risk-based framework, and embed Part 11 controls into daily operations rather than treating compliance as an afterthought. For more on how these requirements apply to clinical research, read our guide on electronic signatures in clinical trials. For audit trail implementation details, see our audit trails in regulated industries guide. And for the broader GxP context, explore our GxP compliance for electronic records guide. To see how Certivo helps meet Part 11 requirements, visit our compliance page or explore the platform's security architecture.