V5 Ultimate
Compliance · The complete guide

21 CFR Part 11

TL;DR

21 CFR Part 11 is FDA’s rule establishing when electronic records and electronic signatures are trustworthy, reliable, and equivalent to paper and handwritten signatures, defining validation, audit trails, security, signature controls, copies, and retention for regulated operations.

Reviewed · By V5 Ultimate compliance team· 2,473 words · ~12 min read
AI · Explain it for MY operation

How does 21 CFR Part 11 apply to your shop floor?

Pick your industry and scale — Ask V5 rewrites the definition in your context, gives a worked example, and shows what V5 does on day one.

Your scale

01What Part 11 Is and Why It Exists

21 CFR Part 11, Electronic Records; Electronic Signatures, is FDA’s framework for determining when electronic records and electronic signatures are the legal equivalent of paper records and handwritten signatures. The final rule was issued in 1997 (62 FR 13430) and is codified in Title 21 of the Code of Federal Regulations. It requires firms to implement controls that ensure authenticity, integrity, and, when appropriate, confidentiality of electronic records, and to ensure that electronic signatures are attributable and binding.

The rule does not create new recordkeeping requirements on its own. Instead, it overlays existing “predicate” regulations across FDA’s programs. If a predicate rule requires a record and you maintain that record electronically, Part 11 sets the controls that make that electronic record trustworthy and reliable. Examples include drug current good manufacturing practice (21 CFR 211) and the Quality System Regulation for devices (21 CFR 820). Nonclinical laboratories (21 CFR 58), blood establishments (21 CFR 606), PET drug CGMP (21 CFR 212), and other parts also serve as predicates.

FDA’s 2003 Guidance on Part 11 (Scope and Application) clarified a risk-based approach and focused enforcement on records required by predicate rules that are maintained in electronic form. This pragmatic stance remains: the agency expects validation, audit trails, security, and signature controls commensurate with data risk, while avoiding unnecessary burdens that provide no improvement in data integrity or product quality.

In daily operations, Part 11 governs how systems are validated and used, how changes are controlled, how access is managed, and how signatures are captured and linked. It also requires that firms can produce accurate and complete copies in both human-readable and electronic forms and that records remain retrievable throughout their retention periods.

02Scope, Applicability, and System Context

Part 11 applies to records that are required by FDA regulations and are maintained in electronic form, and to electronic signatures executed to those records. The applicability analysis begins with the predicate rule: determine which records are required, where they originate, and whether they are created, modified, maintained, archived, retrieved, or transmitted in electronic form. Where the record is strictly paper, Part 11 does not apply to that specific record.

The regulation distinguishes between closed and open systems. A closed system is controlled by persons responsible for the content of the electronic records. An open system includes access by persons who are not under the firm’s control. Open systems require additional measures such as document encryption and digital signatures applied to ensure record authenticity and integrity. Many firms also operate mixed environments where paper and electronic evidence coexist, often called a hybrid record system.

Scope decisions must also consider the type of record. Dynamic records, such as chromatographic data or equipment event logs, need controls that preserve the raw content and context. Static renderings, such as a PDF output, support readability but do not replace the need to retain complete underlying data where the predicate demands it. The same risk-based logic applies when connecting instruments, manufacturing execution, and quality systems in a record chain.

Finally, Part 11 does not require firms to adopt electronic systems. It enables the option, provided appropriate controls exist. When electronic systems are used, the firm remains responsible for their fitness for intended use, regardless of whether the solution is on-premises, hosted, or software as a service.

System contextTypical controls emphasisIllustrative examples
Closed systemRole-based access, unique IDs, audit trails, procedural controlsIn-house MES, LIMS, QMS under firm control
Open systemEncryption, digital signatures, secure transmission, stronger identity proofingSupplier portals, external submissions, cross-company data exchange
Hybrid record environmentTraceability between paper and electronic, reconciliation, scanning controls, metadata completenessPaper batch packets with electronic deviations and equipment logs, mixed signatures

Where a hybrid record environment exists, firms should define how authoritative records are identified and linked, what reconciliations occur, and how audit trails and versioning are maintained across boundaries. See internal SOPs for hybrid dossiers and related bridging controls, and consider detailing this explicitly in your validation plans and procedural controls.

For teams blending media, a documented approach to the hybrid model, such as the practices described in hybrid record system, prevents ambiguity about what constitutes the true and complete record.

03Core Requirements and Controls Under Part 11

Part 11’s essential controls are set out in §§ 11.10, 11.30, 11.50, 11.70, 11.100–11.300. They establish what a compliant system must do to keep electronic records trustworthy and to ensure signatures are legally binding. While the exact mix of controls is risk-based, certain themes recur: validate the system, secure the environment, maintain auditable histories, and preserve records in accurate and complete form for their entire retention period.

Procedures and training are integral to compliance. The regulation anticipates that technical features will be supported by governance, including SOPs for user management, change control, periodic review of audit trails, backup and recovery, records retention, incident handling, and supplier oversight. The objective is not maximal automation, but a coherent set of controls proportional to the risks posed by the data and process.

The following elements typically define a defensible Part 11 control set for systems that create, modify, or maintain predicate records.

  • Validation for intended use with documented specifications, risk assessments, test evidence, and traceability
  • Computer-generated, time-stamped audit trails that are secure, independent of users, and reviewable
  • Security and authority checks, including unique user IDs, strong authentication, and role-based permissions
  • Operational checks that enforce proper sequencing and prevent unauthorized changes
  • Device and system checks to ensure accurate input, transfer, and processing of data
  • Accurate and complete copies in human-readable and electronic forms, including raw data where applicable
  • Record protection, retention, backup, and timely retrieval throughout the retention period

Documentation discipline is crucial. Configuration baselines, changes, and deviations should be controlled under your quality system. Centralized document control and periodic review routines help ensure that procedures, templates, and training remain synchronized with the validated state of the system.

04Electronic Signatures: Identity, Meaning, and Binding Effect

Part 11 requires that electronic signatures be unique to one individual and not reused or reassigned. Before using electronic signatures that are intended to be the legal equivalent of handwritten signatures, a firm must certify to FDA that electronic signatures are the legally binding equivalent of handwritten signatures (§ 11.100). Internally, controls must establish identity, link the signature to its record, and capture the meaning of each signing event.

Non-biometric electronic signatures must comprise at least two distinct identification components, such as a username and password, at the first signing of a session and for each subsequent signing where appropriate (§ 11.200). Biometric signatures are permitted when they uniquely identify an individual and are designed to be difficult to repudiate. The system must prevent unauthorized use and require timely password changes and lockouts after failed attempts (§ 11.300).

Signature manifestations must be clear on the signed record or associated metadata: the printed name of the signer, the date and time of signing, and the meaning of the signing (such as review, approval, responsibility, or authorship) (§ 11.50 and § 11.70). The signature must be permanently linked to the record, so that it cannot be excised, copied without trace, or otherwise falsified without detection.

In multi-person approvals, witness steps and countersignatures must be traceable, with enforced sequence and segregation where required by procedures. This is particularly important in critical steps such as batch disposition, deviation impact assessments, and change approvals, where independent verification is expected. Where required by policy, leverage electronic witnessing to maintain independence and enforce double checks.

05Validation for Intended Use and Data Integrity by Design

Validation is explicit in Part 11 (§ 11.10(a)): systems used to create, modify, maintain, or transmit electronic records must be validated to ensure accuracy, reliability, and consistent intended performance. The risk-based approach articulated in FDA’s 2003 guidance harmonizes well with industry practices. Define intended use, assess data and process risks, and scale effort accordingly. Supplier assessments, configuration specifications, and controlled change management are all part of a defendable strategy.

Data integrity principles such as attributable, legible, contemporaneous, original, and accurate provide the design lens for controls. Applying these principles to user roles, interfaces, and data flows reduces the need for after-the-fact corrections. Where integrations exist, validate data transfer, error handling, and reconciliation routines, and ensure time synchronization of servers and instruments so that audit trails are coherent.

Testing should demonstrate both normal and error conditions, include boundary values, and exercise security behavior, audit trail events, and e-signature mechanics. Traceability from requirements through risks and tests supports efficient impact assessments when changes occur. Periodic review ensures that drift in configuration or usage is detected and corrected before it erodes the validated state.

For teams seeking a structured blueprint, GAMP-aligned validation packages and data integrity readiness tools help right-size deliverables without sacrificing evidence quality. See the readiness approach summarized in ISPE GAMP RDI: Records and Data Integrity readiness for an example of practical scoping and documentation.

06Audit Trails, Record Lifecycle, and Accurate Copies

Part 11 requires secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records (§ 11.10(e)). Audit trails must be retained for as long as the associated record is required and must be available for inspection and copying. They should capture who did what, when, and preferably why, with sufficient context to reconstruct significant events.

Audit trails need periodic review. Define who reviews them, at what frequency, and what triggers a deeper investigation. Reviews should be risk-based and focus on records and steps critical to product quality and patient safety. Ensure audit trail time is synchronized, entries are immutable to end users, and the system prevents administrators from altering audit history without detection.

Accurate and complete copies must be available in both human-readable and electronic forms. For dynamic data, preserve the underlying raw data and metadata alongside any rendered views. Establish backup, archival, and retrieval procedures that protect record integrity throughout retention, including under disaster recovery conditions. Verify restorations periodically to ensure backups are actually usable.

Instrument data and event logs frequently feed higher-level records and often determine final product quality. Treat these as source records, not convenience logs. Where data are captured through specialized software or electronic data capture, ensure that export and migration procedures preserve integrity and traceability to the original context.

07Common Pitfalls and Misinterpretations

Many findings arise from misjudging scope. Over-scoping drives unnecessary controls that burden operations without improving integrity, while under-scoping leaves critical records unmanaged. Successful teams anchor scope in predicate rules, then apply risk-based controls that match how data are generated and used. The goal is practical assurance, not maximalism.

Another frequent issue is equating a static rendering with the authoritative record. When the underlying data are dynamic, a rendered report is, at best, a view. The authoritative record remains the complete set of data, metadata, and audit trails. Similarly, shared accounts, weak passwords, and unsupervised administrator privileges can break attribution and undermine signature credibility. In mixed environments, define how paper and electronic evidence relate, especially when migrating toward a paperless shop floor.

  • Assuming every electronic document is in scope, rather than only predicate records kept electronically
  • Relying solely on PDFs for dynamic records, with no retention of raw data or metadata
  • Disabling or failing to review audit trails for critical records and steps
  • Using shared accounts or generic logins that destroy attribution
  • Validating the network but not the application’s intended use and configuration
  • Lax change control that lets validated configurations drift over time
  • Treating cloud or outsourced systems as exempt from the firm’s responsibilities

08Relationship to Neighboring Frameworks and Global Alignment

Part 11 interacts with multiple frameworks. In the European Union, EudraLex Volume 4 Annex 11 addresses computerized systems, and its principles align closely with Part 11’s emphasis on validation, data integrity, and security. PIC/S adopts similar positions across member inspectorates, driving convergent expectations during inspections. Multinational firms should harmonize controls to satisfy both FDA and EU authorities rather than maintaining divergent regimes.

For medical devices, Part 11 overlays quality system requirements. Under the legacy Quality System Regulation (21 CFR 820) and the FDA Quality Management System Regulation alignment with ISO 13485, device firms must validate software used in production and the quality system and maintain electronic records and signatures in line with Part 11. Similarly, nonclinical laboratories working under 21 CFR 58 and manufacturers under 21 CFR 211 rely on Part 11 for the electronic aspects of their recordkeeping.

ICH Quality guidelines, notably Q9 (Quality Risk Management) and Q10 (Pharmaceutical Quality System), supply the risk-based scaffolding for right-sized validation and governance. ISO 13485 adds specific expectations for software used in the quality management system. ISPE’s guidance on GAMP and data integrity provides practical playbooks for implementing these principles at scale.

In practice, a globally coherent program references FDA Part 11, EU Annex 11, and relevant ICH and ISO guidance, then implements a single set of procedures for validation, data integrity, audit trails, and electronic signatures. Linking device and pharmaceutical expectations across 21 CFR 820, 21 CFR 211, and the agency’s evolving FDA QMSR reduces duplication and inspection risk.

Conceptually, Annex 11’s life-cycle view and FDA’s risk-based enforcement are complementary. A firm that can demonstrate coherent governance, sound risk reasoning, and effective in-use controls will generally satisfy both sides of the Atlantic, provided records remain attributable, complete, and retrievable for their full retention periods.

09How Part 11 Works in Practice

Daily compliance is a choreography between users, procedures, and systems. Users authenticate with unique credentials, perform actions in controlled sequences, and apply signatures that express intent and responsibility. The system stamps each significant event into an audit trail, enforces authority checks, and prevents unauthorized changes. Supervisors review records and audit trails at defined intervals, escalations occur when anomalies are detected, and corrective actions are documented.

Quality and IT teams collaborate to manage the validated state. Changes to configuration, master data, or integrations are assessed for risk, tested, approved, and deployed under control. Periodic reviews verify that accounts, roles, and privileges remain appropriate. Backups are taken, restorations tested, and time sources verified. When a record set is migrated or archived, integrity checks ensure that metadata, signatures, and audit trails remain intact and readable.

When something goes wrong—a corrupted file, a failed interface, or an inadvertent deletion—incident procedures trigger containment, root-cause analysis, and restoration from validated sources. Deviation and CAPA processes address underlying causes, and change controls implement durable fixes. Training closes the loop to prevent recurrence, particularly where human factors contributed to the issue.

In hybrid operations, clarity over which artifact is authoritative is essential. If a paper form captures a critical check while the system logs equipment states, the dossier should explicitly show the linkage and reconciliation between the two, so that a reviewer can reconstruct the event history unambiguously.

10How V5 Ultimate Supports Part 11 Implementation

V5 Ultimate provides a configurable, validation-ready platform for controlled creation, modification, review, and approval of electronic records and signatures in regulated manufacturing. Core capabilities include role-based access with unique user identities, enforced step sequencing, non-editable time-stamped audit trails, and robust electronic signature workflows with signature meaning capture and permanent linkage to records. The platform produces accurate and complete copies in human-readable and electronic forms and preserves raw data where required.

Our validation toolkits support risk-based testing mapped to intended use, with traceability across requirements, risks, and test evidence. Administrators control configuration through governed change workflows and can demonstrate the validated state at any time. Periodic review dashboards highlight dormant accounts, elevated privileges, and audit trail hotspots. Backup and archival features preserve record integrity and ensure timely retrieval across retention periods.

For teams modernizing operations, V5’s implementation patterns avoid unnecessary disruption. We support phased adoption, including hybrid environments where certain checks remain on paper while others are electronic, with reconciliation and cross-references that keep the record whole. When you are ready, our migration tools retain context, signatures, and audit trails, preserving legal defensibility.

Explore dedicated enablement for compliant records and signatures in 21 CFR Part 11, and use our readiness workbook to plan scope, risk, and evidence for go-live in 21 CFR Part 11 readiness.

Frequently asked questions

Q.Does Part 11 apply to all electronic documents my company creates?+

No. Part 11 applies when a predicate FDA regulation requires a record and that record is created, modified, maintained, archived, retrieved, or transmitted in electronic form. Business-only documents with no predicate requirement are generally outside scope.

Q.Do cloud or SaaS systems change my Part 11 obligations?+

No. Outsourcing hosting does not outsource compliance. You remain responsible for validation, security, audit trails, signatures, copies, and retention, including supplier oversight and agreements that preserve data integrity.

Q.Are scanned paper records considered Part 11 electronic records?+

Scans are electronic representations. If the scan becomes the authoritative record under a predicate rule, Part 11 controls apply. If the signed paper remains the authoritative record, the scan is typically a convenience copy.

Q.How should we handle spreadsheets used for cGMP records?+

If a spreadsheet maintains predicate records, it must be validated, access-controlled, and auditable, with change protection. Many firms migrate such records into controlled applications to achieve reliable audit trails and reduce manual risks.

Q.Do we need to notify FDA before using electronic signatures?+

Yes. Firms must certify to FDA that their electronic signatures are the legally binding equivalent of handwritten signatures. Maintain documentation showing identity verification, uniqueness, and procedural controls for signature issuance and revocation.

Q.Are audit trail reviews explicitly required and how often should they occur?+

Part 11 requires secure, time-stamped audit trails and availability for inspection. FDA expects risk-based periodic review of audit trails, with defined responsibilities and frequencies aligned to product and process criticality.

Primary sources

Further reading

Explore this topic

21 CFR Part 11 sits inside 2 overlapping topic clusters in our glossary. Every neighbour is one click away.

See 21 CFR Part 11 working on a real shop floor

V5 Ultimate ships with the 21 CFR Part 11 controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.