21 CFR Part 11: What It Is and What It Requires

Almost every pharmaceutical quality system today runs on electronic records, yet the phrase “21 CFR Part 11 compliant” is repeated far more often than it is explained. Part 11 is the United States Food and Drug Administration regulation, codified at Title 21 of the Code of Federal Regulations, Part 11, that sets the criteria under which the FDA will accept electronic records and electronic signatures as trustworthy, reliable, and generally equivalent to paper records and handwritten signatures. It was published in 1997 and applies across all FDA-regulated sectors (drugs, biologics, medical devices, and foods) wherever a record required by an underlying regulation is created, modified, maintained, archived, retrieved, or transmitted in electronic form.

The point worth internalising before anything else: Part 11 does not, by itself, require you to keep any particular record. It governs how electronic records and signatures must be controlled once you choose to use them to satisfy a requirement that some other regulation already imposes. That other regulation is called the predicate rule. Get that relationship right and most of Part 11 stops being mysterious.

The regulation divides into three subparts. Subpart A (General Provisions) sets the scope, definitions, and the conditions under which electronic signatures are considered equivalent to handwritten ones. Subpart B (Electronic Records) defines the controls for the records themselves. Subpart C (Electronic Signatures) defines the controls for the signatures applied to them.

The hinge concept is the predicate rule: any FDA regulation that requires a record to be kept in the first place, such as the cGMP requirements in 21 CFR Parts 210 and 211 for drug manufacturing. Part 11 never replaces a predicate rule; it adds controls on top of it. So the question “does Part 11 apply here?” is really two questions: is there a predicate rule that requires this record, and are you keeping that record (or signing it) electronically? If both are yes, Part 11 controls apply. This is why a spreadsheet used to calculate a batch result, or a SaaS quality system that stores release records, can fall squarely within Part 11 even though neither is a “Part 11 system” by name.

Electronic records (Subpart B). The core control list for closed systems sits in §11.10 (a closed system being one where access is controlled by the people responsible for the record content). Section 11.10 requires, among other controls: validation of the system; the ability to generate accurate and complete copies of records in human-readable and electronic form for FDA inspection; protection of records to enable accurate and ready retrieval throughout their retention period; limiting system access to authorised individuals; secure, computer-generated, time-stamped audit trails (§11.10(e)); operational system checks to enforce permitted sequencing of steps and events; authority checks; device checks; that persons who develop, maintain, or use the systems have the education, training, and experience to do their jobs; written policies holding individuals accountable for actions initiated under their electronic signatures; and appropriate controls over systems documentation. For open systems, where access is not controlled by the people responsible for the content (such as records transmitted over the open internet), §11.30 adds measures such as document encryption and digital signature standards to ensure authenticity, integrity, and where appropriate confidentiality. Sections 11.50 and 11.70 cover signature manifestations and the linking of signatures to records.

Electronic signatures (Subpart C). Section 11.100 requires that each electronic signature be unique to one individual and not reused by, or reassigned to, anyone else, and that the organisation verify the identity of the individual before establishing their signature. Section 11.200 sets the controls: electronic signatures not based on biometrics must use at least two distinct identification components (such as a user ID and a password), with defined rules for how those components are used across a session. Section 11.300 covers controls for identification codes and passwords: ensuring their uniqueness, periodic checks and revisions, loss-management procedures, and safeguards against unauthorised use. A signed electronic record must display the printed name of the signer, the date and time of signing, and the meaning associated with the signature (such as review, approval, responsibility, or authorship), and those elements are subject to the same controls as the rest of the record.

Audit trails. A Part 11 audit trail is secure, computer-generated, and time-stamped, and it captures the creation, modification, and deletion of records without overwriting what came before. The original entry stays visible; the change is recorded alongside it with the identity of the person, the timestamp, and, for GMP-significant changes, the reason. Audit trails must be retained for at least as long as the underlying record and must be available for FDA review and copying. The practical test inspectors apply is whether the audit trail would reveal a record that had been altered or backdated; if it can be switched off, edited, or does not capture deletions, it fails that test.

Validation. Section 11.10(a) requires validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. The FDA’s current thinking, set out in its 2003 guidance, is that this should be risk-based: the extent of validation justified by the system’s impact on product quality, data integrity, and patient safety, rather than a one-size-fits-all exercise. This is where the industry GAMP 5 approach to computerised system validation is typically applied.

Access controls. Limiting system access to authorised individuals, with authority checks, is what makes every other control meaningful, because an audit trail is only trustworthy if entries can be attributed to a single, identified person. This is the reason shared or generic logins are a recurring inspection finding: they break attributability at the root, so nothing downstream can be trusted to a named individual.

Open vs closed systems. A closed system is one where access is controlled by the persons responsible for the content of the records on it, the typical case for a validated manufacturing or quality system behind an organisation’s own access controls, governed by §11.10. An open system is one where that access is not controlled by those persons (for example, records exchanged across the open internet with a third party), and §11.30 layers on additional measures such as encryption and digital-signature techniques to preserve authenticity, integrity, and confidentiality. The classification determines which control set applies, so it is worth settling explicitly for each system rather than assuming.

After the rule’s first years drew concern that an expansive reading would discourage electronic systems, the FDA issued its guidance Part 11, Electronic Records; Electronic Signatures: Scope and Application (2003). It narrowed the practical scope in three ways: it interpreted the rule to apply to records kept electronically in place of paper, or relied upon to perform regulated activities; it stated that the FDA intends to exercise enforcement discretion over certain requirements (specifically aspects of validation, audit trails, record copying, and record retention) provided the predicate-rule requirements are still met; and it re-centred everything on the predicate rule and a risk-based approach. The guidance is not a relaxation of data-integrity expectations; the predicate-rule obligations (for drugs, the cGMP records and signature requirements in 21 CFR Parts 210 and 211) remain in full force, and the FDA’s later data-integrity enforcement has been vigorous. What the guidance does is tell you to scope Part 11 controls to the records that matter and to the risk they carry, rather than apply every clause uniformly to every electronic file.

The reason this matters in practice: a Part 11 programme that starts from “which predicate-rule records do we keep electronically, and what is the patient-safety risk if each were wrong or falsified” produces a defensible, proportionate control set. One that starts from “make everything Part 11 compliant” produces expense without focus and still misses the records that count.

The practical takeaway mirrors cleaning validation and every other cross-jurisdiction question: build one control set to the more demanding reading and the same evidence answers both an FDA and an EU inspector. A validated system with unique user identities, a non-defeatable audit trail that is actually reviewed, linked electronic signatures, and risk-based scope satisfies the substance of Part 11 and Annex 11 at once.

For a pharmaceutical manufacturer, the place Part 11 becomes concrete is the batch record and the logbook, the predicate-rule documents that move from paper to screen first. The controls described here are exactly what an electronic batch record has to embody: a validated system, attributable entries, a non-defeatable audit trail, and linked electronic signatures at each step. They are also the foundation of data integrity in pharma and the ALCOA+ principles, where Part 11’s controls are what make records attributable, contemporaneous, original, and enduring in practice rather than in principle. A purpose-built manufacturing execution system applies these controls by design across batch execution, logbooks, and QA review, so Part 11 stops being a documentation exercise and becomes how the floor already works.