What are the main requirements of 21 CFR Part 11?

The main requirements of 21 CFR Part 11 include: (1) system validation to ensure accuracy and reliability, (2) audit trails that are computer-generated, time-stamped, and secure, (3) access controls limiting system access to authorized individuals, (4) electronic signature controls ensuring uniqueness and non-repudiation, and (5) written policies holding individuals accountable for actions under their electronic signatures.

What is the difference between a closed system and an open system under Part 11?

A closed system is an environment where system access is controlled by persons responsible for the content of electronic records (e.g., internal validated systems). An open system is an environment where system access is NOT controlled by the responsible organization (e.g., cloud systems with vendor-controlled access). Open systems require additional controls including encryption and digital signatures per 11.30.

What is required for electronic signatures under Part 11?

Electronic signatures under Part 11 must be unique to one individual and not reused or reassigned. They must employ at least two distinct identification components (typically user ID and password). Each signature must display the signer's printed name, date and time of execution, and the meaning of the signature (e.g., approval, review). Signatures must be linked to records so they cannot be excised, copied, or transferred.

What are the audit trail requirements under 21 CFR Part 11?

Section 11.10(e) requires secure, computer-generated, time-stamped audit trails that record the date and time of operator entries and actions. Audit trails must not obscure previously recorded information and must be retained for at least as long as the subject electronic records. FDA also expects that audit trails are independently reviewed as part of routine quality processes.

Do all electronic records need to be Part 11 compliant?

No, not all electronic records require Part 11 compliance. Part 11 applies only when: (1) the record is required by an FDA predicate rule, (2) you choose to maintain the record electronically instead of on paper, or (3) you use electronic signatures to meet a signature requirement. Records not required by predicate rules, or paper records merely scanned for archival purposes, generally do not require Part 11 controls.

How do you validate a system for Part 11 compliance?

System validation for Part 11 compliance involves documenting that the system is accurate, reliable, and performs consistently as intended. This typically includes: creating a validation plan, documenting user requirements, performing installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ), and maintaining ongoing validation through change control and periodic review. FDA supports a risk-based approach where validation extent is proportional to system risk.

What happens if you violate 21 CFR Part 11?

Part 11 violations can result in FDA enforcement actions including: Form 483 observations, warning letters, consent decrees, and import alerts. Part 11 deficiencies are frequently cited during FDA inspections. In serious cases, companies may face product recalls, application refusals, or criminal prosecution. The severity depends on the impact on product quality and patient safety.

Does 21 CFR Part 11 apply to cloud-based systems?

Yes, Part 11 applies to cloud-based systems when those systems maintain records required by predicate rules. Cloud systems may be classified as closed or open depending on the contractual arrangements for access control. If the organization has contractual control over system access through service agreements, the system may function as a closed system. Without such agreements, additional open system controls per 11.30 are required.

How often should audit trails be reviewed?

While Part 11 does not specify a review frequency, FDA guidance and industry best practices recommend reviewing audit trails: at each batch release for manufacturing records, before data approval for laboratory data, as part of investigations for deviations and complaints, and at closure for CAPA records. The key is that reviews must be routine and documented.

What is the electronic signature certification requirement?

Per 11.100(c), organizations must certify to the FDA that their electronic signatures are intended to be the legally binding equivalent of traditional handwritten signatures. This certification should be submitted in paper form with a traditional handwritten signature to the relevant FDA office (CDER, CBER, CDRH, etc.). The certification should be maintained on file and updated if the organization expands to new product types. ---

21 CFR Part 11 Compliance: Complete Guide to Electronic Records and Signatures

Quick Answer

21 CFR Part 11 is the FDA regulation establishing that electronic records and electronic signatures are legally equivalent to paper records and handwritten signatures when proper controls are in place. It applies to any FDA-regulated company that maintains electronic records required by FDA predicate rules (such as manufacturing records, clinical trial data, or regulatory submissions). Part 11 requires system validation, secure audit trails, access controls, and electronic signature certification. Organizations that fail to comply face FDA enforcement actions including warning letters, product delays, and application refusals.

21 CFR Part 11 is the FDA regulation that establishes criteria for accepting electronic records and electronic signatures as equivalent to paper records and handwritten signatures. Enacted in 1997 and clarified through FDA guidance in 2003, Part 11 applies to any FDA-regulated company that creates, modifies, maintains, archives, retrieves, or transmits electronic records in any format.

Non-compliance with 21 CFR Part 11 can trigger FDA warning letters, 483 observations, product delays, and significant remediation costs. For pharmaceutical and biotech companies, Part 11 compliance is a foundational requirement for regulatory submissions, clinical trials, and manufacturing operations.

In this guide, you will learn:

The complete structure and requirements of 21 CFR Part 11 (all three subparts)
How to implement Part 11 compliance for electronic records and electronic signatures
The difference between closed systems and open systems under Part 11
Specific audit trail requirements and system validation approaches
A comprehensive Part 11 compliance checklist for your organization

What Is 21 CFR Part 11?

Definition

21 CFR Part 11 is the federal regulation that establishes technical and procedural requirements for using electronic records and electronic signatures in FDA-regulated companies. It defines criteria under which electronic records and signatures are considered trustworthy, reliable, and legally equivalent to paper records and handwritten signatures when organizations implement required controls including system validation, audit trails, access controls, and written policies.

21 CFR Part 11 is a federal regulation issued by the U.S. Food and Drug Administration (FDA) that defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. The regulation is codified in Title 21 of the Code of Federal Regulations (CFR), Part 11.

Key characteristics of 21 CFR Part 11:

Applies to records required by FDA predicate rules (existing regulations)
Covers both electronic records and electronic signatures
Establishes technical and procedural controls for electronic systems
Requires documented validation of computer systems

Key Statistic

21 CFR Part 11 became effective on August 20, 1997, making it over 28 years old. The FDA issued clarifying guidance in 2003 (Scope and Application) that remains the primary interpretive document today.

The regulation consists of three subparts:

Subpart A - General Provisions (scope, definitions, implementation)
Subpart B - Electronic Records (controls, validation, audit trails)
Subpart C - Electronic Signatures (uniqueness, controls, certification)

Part 11 History and Evolution

Understanding the history of 21 CFR Part 11 provides context for its current interpretation:

Year	Event	Significance
1991	FDA begins developing electronic records policy	Response to industry computerization
1997	Part 11 final rule published	Effective August 20, 1997
1999	Early FDA enforcement begins	Strict interpretation period
2003	FDA issues Scope and Application guidance	Risk-based enforcement approach
2007	FDA withdraws several Part 11 draft guidance documents	Reliance on 2003 Scope and Application guidance reinforced
2018	Data Integrity guidance published	Reinforces Part 11 principles
2022	FDA publishes Computer Software Assurance (CSA) final guidance	Modern risk-based validation framework

Key Statistic

Over 28 years since implementation, 21 CFR Part 11 remains the cornerstone of FDA electronic records policy, with Part 11 deficiencies consistently appearing in FDA 483 observations during inspections.

21 CFR Part 11 Compliance: Understanding the Scope

Before implementing Part 11 compliance, organizations must understand what falls within the regulation's scope. Not all electronic records require Part 11 controls.

When Part 11 Applies

Part 11 compliance is required when:

Records are required by predicate rules - The underlying FDA regulation (21 CFR Parts 210, 211, 820, etc.) requires the record
Electronic format is chosen - You elect to maintain records electronically instead of on paper
Electronic signatures are used - You use electronic signatures instead of handwritten signatures

When Part 11 Does NOT Apply

According to FDA guidance on Part 11 scope and application:

Records not required by predicate rules
Paper records that are merely stored electronically (scanned images for archival)
Electronic records created before August 20, 1997 (grandfather clause)

Scenario	Part 11 Applies?	Reason
Electronic batch records	Yes	Required by 21 CFR 211
Electronic laboratory notebooks	Yes	Required by 21 CFR 58 (GLP)
Marketing emails	No	Not required by predicate rules
Scanned paper records (archival only)	No	Original was paper
Electronic signatures on submissions	Yes	Replacing handwritten signatures
eCTD submissions to FDA	Yes	Required by 21 CFR 314 and 601
LIMS data in drug manufacturing	Yes	Required by 21 CFR 211.180

Pro Tip

Create a system inventory that documents which records are subject to Part 11, whether they are electronic or paper, and whether you have implemented Part 11 controls. This inventory becomes your roadmap for compliance prioritization and serves as evidence during FDA inspections that you have thoughtfully assessed the regulation's applicability.

Key Statistic

The FDA's 2003 guidance clarified Part 11's scope, reducing strict enforcement and introducing risk-based approaches. Organizations that have adopted risk-based validation strategies report significantly faster compliance timelines than those using rigid, box-checking approaches.

“
Important: The FDA takes a risk-based approach to Part 11 enforcement. Focus compliance efforts on records that directly impact product quality and patient safety.

Electronic Records Electronic Signatures: Part 11 Subpart A

Subpart A of 21 CFR Part 11 establishes the general provisions, including scope, definitions, and implementation requirements for electronic records electronic signatures.

Key Definitions Under Part 11

Term	Definition per 11.3
Electronic record	Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system
Electronic signature	A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature
Digital signature	An electronic signature based upon cryptographic methods of originator authentication
Closed system	An environment in which system access is controlled by persons responsible for the content of electronic records
Open system	An environment in which system access is not controlled by persons responsible for the content of electronic records
Biometric	A method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable

Closed System vs Open System

The distinction between closed and open systems is critical for determining Part 11 requirements:

Closed System (11.10):

Access controlled by the organization responsible for the records
Examples: Internal LIMS, validated ERP systems, local document management systems
Requires baseline Part 11 controls

Open System (11.30):

Access NOT controlled by the organization responsible for the records
Examples: Cloud-based systems where vendor controls access, internet-based submissions
Requires additional controls: encryption, digital signatures, additional security measures

Requirement	Closed System	Open System
Access controls	Required	Required + enhanced
Audit trails	Required	Required
Encryption	Recommended	Required
Digital signatures	Optional	Often required
Operational controls	Standard	Enhanced
Document encryption	Optional	Required per 11.30

Cloud Systems and Part 11 Classification

A common question is whether cloud-based systems are closed or open. The answer depends on control relationships:

Cloud Scenario	Classification	Rationale
Private cloud (company-owned)	Closed	Organization controls all access
SaaS with contractual controls	Can be closed	If adequate agreements establish control
Public cloud with no agreements	Open	No contractual control over access
Hybrid arrangements	Evaluate case-by-case	Depends on specific controls

“
Best Practice: When using SaaS or cloud systems, establish written agreements that clearly define access controls, making the system functionally closed.

Part 11 Compliance Requirements: Subpart B Electronic Records

Subpart B (11.10 for closed systems, 11.30 for open systems) establishes the specific requirements for electronic records under FDA 21 CFR Part 11.

11.10 - Controls for Closed Systems

Organizations using closed systems must employ procedures and controls that include:

1. System Validation (11.10(a))

Validation to ensure accuracy, reliability, consistent intended performance, and ability to discern invalid or altered records
Documentation of validation activities
Ongoing validation maintenance

2. Record Generation and Storage (11.10(b))

Ability to generate accurate and complete copies of records in both human-readable and electronic form
Protection of records throughout the retention period

3. Record Protection (11.10(c))

Protection of records to enable accurate and ready retrieval
Throughout the records retention period

4. System Access Controls (11.10(d))

Limiting system access to authorized individuals
Role-based access controls
Documented access procedures

5. Audit Trails (11.10(e))

Secure, computer-generated, time-stamped audit trails
Record the date and time of operator entries and actions
Must not obscure previously recorded information
Audit trail documentation must be retained for at least as long as the subject electronic records

“
Critical Requirement: Audit trails must be independently reviewed. FDA expects audit trail review to be part of your routine quality processes, not just during inspections.

6. Operational System Checks (11.10(f))

Use of operational system checks to enforce permitted sequencing of steps and events

7. Authority Checks (11.10(g))

Use of authority checks to ensure only authorized individuals can use the system, electronically sign, access the operation, or alter a record

8. Device Checks (11.10(h))

Use of device checks to determine validity of source of data input or operational instruction

9. Training (11.10(i))

Determination that persons who develop, maintain, or use electronic record/signature systems have the education, training, and experience to perform their assigned tasks

10. Written Policies (11.10(j))

Establishment and adherence to written policies holding individuals accountable for actions initiated under their electronic signatures

11. System Documentation Controls (11.10(k))

Adequate controls over systems documentation including distribution, access, and use
Revision and change control procedures

11.10 Requirements Summary Table

Section	Requirement	Key Implementation
11.10(a)	Validation	Documented IQ/OQ/PQ, risk-based approach
11.10(b)	Accurate copies	Export capability, format preservation
11.10(c)	Record protection	Backup, disaster recovery, retention
11.10(d)	Access controls	Unique IDs, role-based permissions
11.10(e)	Audit trails	Secure, timestamped, reviewed
11.10(f)	Operational checks	Workflow enforcement
11.10(g)	Authority checks	Permission verification
11.10(h)	Device checks	Input validation
11.10(i)	Training	Documented competency
11.10(j)	Written policies	Accountability procedures
11.10(k)	Documentation	Change control, access control

11.30 - Controls for Open Systems

Open systems require all the controls listed in 11.10 PLUS additional measures:

Document encryption
Use of appropriate digital signature standards
Additional operational controls to ensure record authenticity, integrity, and confidentiality

FDA 21 CFR Part 11: Subpart C Electronic Signatures

Subpart C establishes requirements for electronic signatures that are intended to be the legally binding equivalent of handwritten signatures.

11.50 - Signature Manifestations

Each electronic signature must include:

Printed name of the signer
Date and time the signature was executed
Meaning of the signature (e.g., review, approval, responsibility, authorship)

This information must be displayed clearly and must be part of any human-readable form of the electronic record.

11.70 - Signature/Record Linking

Electronic signatures must be linked to their respective electronic records to ensure signatures cannot be:

Excised (cut out)
Copied
Transferred to falsify an electronic record by ordinary means

11.100 - General Requirements

Requirement	Description
Uniqueness	Each electronic signature must be unique to one individual and not reused or reassigned
Identity verification	Organization must verify identity of individual before assigning their electronic signature
Certification	Organization must certify to FDA that electronic signatures are intended to be legally binding equivalents

11.200 - Electronic Signature Components and Controls

Electronic signatures not based on biometrics must employ at least two distinct identification components:

For signatures executed during a single continuous session:

Both components (user ID + password) required at first signing
At least one component required for subsequent signings during session

For signatures executed during non-continuous sessions:

Both components required for EACH signing event

Signature Component Requirements

Scenario	User ID Required	Password Required
First signing in session	Yes	Yes
Subsequent signing (same session)	At least one component	At least one component
New session signing	Yes	Yes
Biometric signature	Not applicable	Not applicable

11.300 - Controls for Identification Codes/Passwords

Control	Requirement
Uniqueness	Codes must be unique to individual users
Periodic revision	Codes must be periodically checked, recalled, or revised
Loss management	Procedures to deauthorize lost, stolen, or compromised tokens/codes
Transaction safeguards	Prevent unauthorized use and detect attempts at unauthorized use
Testing	Initial and periodic testing of devices that bear or generate codes

CFR Part 11 Requirements: Audit Trail Deep Dive

The audit trail is one of the most scrutinized aspects of Part 11 compliance during FDA inspections. Understanding audit trail requirements is essential for Part 11 compliance.

What Must Be Captured in Audit Trails

Per 11.10(e), audit trails must capture:

Date and time of entries and actions (computer-generated, time-stamped)
Operator identification (who made the change)
Previous values (what was there before the change)
New values (what it was changed to)
Reason for change (when required by predicate rules)

Audit Trail Technical Requirements

Requirement	Implementation
Computer-generated	System creates entries automatically, not manually
Time-stamped	Uses synchronized, reliable time source
Secure	Cannot be modified or deleted by ordinary means
Independent	Stored separately or protected from modification
Complete	Captures all changes to subject electronic records
Retained	Kept for at least as long as subject records

Common Audit Trail Failures

FDA commonly cites these audit trail deficiencies in 483 observations:

Insufficient detail - Not capturing what specific data changed
Missing timestamps - Entries without date/time stamps
Modifiable trails - Users can delete or alter audit trail entries
No review process - Audit trails exist but are never reviewed
Retention gaps - Audit trails not retained as long as records
Inconsistent coverage - Some fields audited, others not
Time synchronization issues - Multiple systems with different timestamps

Key Statistic

Audit trail deficiencies are among the most commonly cited FDA 483 observations related to data integrity and Part 11 compliance. Organizations with documented, routine audit trail review processes are significantly less likely to receive audit trail citations.

Pro Tip

Establish a monthly audit trail review schedule for each Part 11 system. Document which fields require detailed review (e.g., batch record temperature data vs. administrative fields), who conducts the review, and what constitutes a reportable discrepancy. This proactive approach prevents audit trail problems from festering until FDA inspection, and demonstrates your organization's commitment to data integrity.

“
Best Practice: Implement routine audit trail review as part of your quality system. FDA expects organizations to proactively review audit trails, not just generate them.

Audit Trail Review Frequency

Record Type	Recommended Review Frequency
Batch records	Each batch release
Laboratory data	Before data approval
Stability data	Before trend reporting
Complaints	As part of investigation
CAPA records	At CAPA closure
Deviation records	At deviation closure

Computer System Validation for Part 11 Compliance

System validation is the cornerstone of Part 11 compliance. Without documented validation, electronic records cannot be considered trustworthy and reliable.

Validation Requirements Under 11.10(a)

The regulation requires validation to ensure:

Accuracy - System produces correct results
Reliability - System performs consistently over time
Consistent intended performance - System does what it is designed to do
Ability to discern invalid or altered records - System can detect tampering

Risk-Based Validation Approach

FDA guidance supports a risk-based approach to validation:

System Risk Level	Validation Extent	Example Systems
High	Full validation (IQ, OQ, PQ)	LIMS, MES, eCTD publishing, clinical data systems
Medium	Focused validation	Document management systems, training databases
Low	Configuration verification	Standard office software, email (when Part 11 applicable)

GAMP 5 Categories and Validation

The GAMP 5 framework provides industry-standard guidance for computer system validation:

GAMP Category	Description	Validation Approach
Category 1	Infrastructure software	Qualification within higher category systems
Category 3	Non-configured products	Installation and operational testing
Category 4	Configured products	Configuration testing plus functional testing
Category 5	Custom applications	Full lifecycle validation

Validation Documentation Requirements

Document	Purpose
Validation Plan	Defines scope, approach, responsibilities
User Requirements Specification (URS)	Documents what system must do
Functional Specification	Documents how system will meet requirements
Design Specification	Documents technical design
Installation Qualification (IQ)	Verifies correct installation
Operational Qualification (OQ)	Verifies system operates as designed
Performance Qualification (PQ)	Verifies system performs in production environment
Validation Summary Report	Documents validation conclusion
Traceability Matrix	Links requirements to test cases

Ongoing Validation Maintenance

Validation is not a one-time event. Part 11 requires:

Change control - All changes assessed for validation impact
Periodic review - Regular assessment of system compliance
Revalidation - When significant changes occur
Incident management - Tracking and resolving system issues

Key Statistic

Systems with documented change control procedures experience significantly fewer validation gaps during FDA inspections compared to organizations without formal change control. The investment in change control documentation pays substantial compliance dividends.

Pro Tip

For legacy systems where full retrospective validation may be prohibitively expensive, conduct a risk-based current-state assessment documenting what Part 11 controls are in place and what gaps exist. Then implement compensating procedural controls for identified gaps (e.g., manual audit trail review, manual access control verification) while planning for system replacement. This pragmatic approach is FDA-acceptable and more cost-effective than abandoning the system immediately.

Part 11 Compliance Checklist

Use this comprehensive checklist to assess your organization's 21 CFR Part 11 compliance status:

Administrative Controls Checklist

Requirement	Status	Evidence
Written Part 11 compliance policy	[ ]	Policy document number
Electronic signature certification on file	[ ]	Certification letter to FDA
Roles and responsibilities defined	[ ]	SOPs, job descriptions
Training program implemented	[ ]	Training records
Periodic compliance assessments	[ ]	Assessment reports
Data integrity policy in place	[ ]	Policy document

System Controls Checklist

Requirement	Status	Evidence
Systems inventoried and categorized	[ ]	System inventory list
Validation documentation complete	[ ]	Validation packages
User access controls implemented	[ ]	Access control procedures
Unique user IDs assigned	[ ]	User account records
Password policies enforced	[ ]	System configuration
Audit trails enabled and configured	[ ]	System settings, audit trail samples
Audit trail review process defined	[ ]	Review SOPs, review records
System change control implemented	[ ]	Change control procedures
Backup and recovery procedures	[ ]	Backup logs, recovery tests
System security measures	[ ]	Security assessment
Time synchronization verified	[ ]	NTP configuration records

Electronic Signature Controls Checklist

Requirement	Status	Evidence
Two-component signatures implemented	[ ]	System configuration
Signature manifestations displayed	[ ]	System screenshots
Signature/record linking enforced	[ ]	System design documentation
Identity verification before assignment	[ ]	Verification procedures
Lost/compromised credential procedures	[ ]	Deauthorization SOP
Signature meaning captured	[ ]	System configuration

Record Controls Checklist

Requirement	Status	Evidence
Records retention policy defined	[ ]	Retention schedule
Records accessible throughout retention	[ ]	Access verification
Records can be rendered human-readable	[ ]	Export capability
Records protected from alteration	[ ]	Access controls, audit trails
Record copies accurate and complete	[ ]	Copy verification
Migration procedures documented	[ ]	Migration protocols

Common Part 11 Compliance Gaps and Solutions

Gap 1: Inadequate Audit Trails

Problem: Systems generate basic audit trails but do not capture sufficient detail or are modifiable.

Solution:

Configure systems to capture before/after values
Enable reason-for-change fields where required
Ensure audit trails are stored in write-once format
Implement regular audit trail review

Pro Tip

When evaluating your current audit trail capabilities, prioritize critical data fields (batch temperatures, concentrations, test results) for detailed audit trail coverage before attempting comprehensive system-wide audit trails. This tiered approach accelerates compliance while focusing limited resources on the fields that matter most to product quality.

Gap 2: Shared User Accounts

Problem: Multiple users share login credentials, making accountability impossible.

Solution:

Assign unique user IDs to every individual
Implement role-based access controls
Disable generic and shared accounts
Document in policy that account sharing is prohibited

Gap 3: Missing Validation Documentation

Problem: Systems are in use but lack documented validation.

Solution:

Conduct retrospective validation where possible
Implement risk-based prioritization
Document current-state assessment
Create remediation plan with timelines

Gap 4: No Electronic Signature Certification

Problem: Organization uses electronic signatures but has not certified to FDA.

Solution:

Submit certification letter to appropriate FDA center
Maintain copy of certification in quality records
Update certification as needed for new product types

Gap 5: Inadequate Training Documentation

Problem: Personnel use systems but training records are incomplete or missing.

Solution:

Create training matrix for all Part 11 systems
Document initial and ongoing training
Include Part 11 awareness in training curriculum
Maintain training records per retention requirements

Gap 6: Legacy System Non-Compliance

Problem: Older systems lack Part 11 controls and cannot be easily upgraded.

Solution:

Conduct risk assessment of legacy systems
Implement compensating procedural controls
Plan for system replacement or upgrade
Document gap analysis and remediation timeline

Part 11 and Other FDA Regulations

21 CFR Part 11 does not exist in isolation. It works in conjunction with predicate rules:

Predicate Rule	Application	Part 11 Interaction
21 CFR 211	Drug cGMP	Batch records, laboratory records
21 CFR 820	Device QSR	Design history file, device master record
21 CFR 58	GLP	Study data, laboratory notebooks
21 CFR 312	IND	Clinical trial records, submissions
21 CFR 314	NDA	Submission records, correspondence
21 CFR 601	BLA	Biologics submission records
ICH E6(R2)	GCP	Clinical trial data, electronic source

“
Key Point: Part 11 requirements apply ON TOP OF predicate rule requirements. You must comply with both the underlying regulation AND Part 11 when using electronic records.

Part 11 and Data Integrity

The FDA's 2018 Data Integrity guidance reinforces Part 11 principles. ALCOA+ criteria align with Part 11 requirements:

ALCOA+ Principle	Part 11 Alignment
Attributable	User identification, electronic signatures
Legible	Human-readable copies, record protection
Contemporaneous	Timestamping, audit trails
Original	Record protection, audit trails
Accurate	System validation, device checks
Complete	Audit trails, record protection
Consistent	Validation, operational checks
Enduring	Retention, record protection
Available	Accessibility throughout retention

Key Takeaways

21 CFR Part 11 is the FDA regulation that establishes requirements for electronic records and electronic signatures in FDA-regulated industries. It defines the criteria under which electronic records and signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. The regulation became effective on August 20, 1997.

Key Takeaways

21 CFR Part 11 establishes FDA requirements: The regulation defines how electronic records and electronic signatures can be equivalent to paper records and handwritten signatures in FDA-regulated industries.
Scope determination is critical: Part 11 applies only to records required by predicate rules where electronic format is chosen. Not all electronic records require Part 11 controls.
Audit trails are non-negotiable: Secure, computer-generated, time-stamped audit trails that record operator entries and do not obscure previous information are a core requirement under 11.10(e).
Validation establishes trustworthiness: Without documented computer system validation per 11.10(a), electronic records cannot be considered reliable.
Electronic signatures require certification: Organizations must certify to FDA that electronic signatures are the legally binding equivalent of handwritten signatures.
Take action now: Assess your current systems against Part 11 requirements, prioritize gaps by risk, and implement a remediation plan.
---

Next Steps

Understanding 21 CFR Part 11 requirements is the first step toward compliance. Implementing those requirements across your electronic systems, including eCTD publishing, LIMS, and clinical trial databases, requires systematic assessment and remediation.

Organizations managing regulatory submissions benefit from automated validation tools that catch errors before gateway rejection. Assyro's AI-powered platform validates eCTD submissions against FDA, EMA, and Health Canada requirements, providing detailed error reports and remediation guidance before submission.

Sources

Last updated: January 25, 2026