V5 Ultimate
Guide

21 CFR Part 11: Records, Signatures, and Audit Trails Without the Theatre

21 CFR Part 11 has been law since 1997, and it still trips up companies in 2026. The rule is short — about a dozen pages — but the implementation choices are where most operators get hurt: open vs closed systems, the depth of the audit trail, how signatures are bound to records, how validation is documented. This guide explains Part 11 in plain English, separates the parts FDA actually enforces from the parts that have softened under the agency's risk-based guidance, and gives you a 60-day path to a defensible posture. It is written for QA leads, IT owners, and validation engineers at pharma, biotech, medical-device, and dietary-supplement manufacturers.


What Part 11 actually requires

Part 11 covers any electronic record or electronic signature that an FDA-regulated entity uses to satisfy a predicate-rule requirement (211, 820, 111, 117, 1271, 600s, etc.). It splits into two halves. Subpart B covers electronic records: validation, accurate copies, record retention, access controls, audit trails, operational checks, authority checks, device checks. Subpart C covers electronic signatures: unique to one person, two distinct identification components (typically user ID + password), and a clear linkage between the signature manifestation and the record it signs. The 2003 scope-and-application guidance narrowed FDA's enforcement focus to records that are actually relied on for the predicate rule — but it did not delete the rule. If a record is in scope, every clause still applies.

Open vs closed systems — and why it matters

A closed system is one where access is controlled by the people responsible for the content (your eQMS behind SSO, for example). An open system is one where access is controlled by parties outside that responsibility — typically anything traversing the open internet without additional controls. Closed systems carry Subpart B requirements; open systems add §11.30 obligations like document encryption and digital signature standards. In practice, almost every modern SaaS eQMS is treated as a closed system because the vendor authenticates users, controls the network path, and provides the access logs — but you have to be able to demonstrate that on demand. Get the architecture statement, the SSO configuration, and the TLS/encryption posture documented up front; an auditor asking 'closed or open?' on day one of an inspection is a bad surprise.

Audit trails done properly

§11.10(e) is the clause auditors love most: secure, computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Three failure modes recur. First, the audit trail captures the new value but not the old value, so reviewers can't tell what changed. Second, reason-for-change is optional, so it goes blank and the record loses defensibility. Third, the audit trail is editable by an admin, breaking the 'secure and computer-generated' requirement. The bar in 2026 is: every CRUD event captured, before/after values shown, reason-for-change mandatory for regulated records, no admin can edit history. Periodic review of the audit trail (§11.10(e) also requires this) should be a scheduled, signed activity — not a once-a-year scramble.

Electronic signatures: identity, intent, binding

§11.50 and §11.70 set the rules for electronic signatures: each signature is unique to one individual, contains the printed name, date/time, and meaning (approved, reviewed, released), and is linked to its record in a way that cannot be excised, copied, or transferred. §11.200 specifies two distinct identification components — typically user ID + password, or biometric — and re-authentication on every signing unless the user is in a continuous session. The most common gap is meaning of signature: a record shows a name and a date but doesn't say whether the person approved, reviewed, or merely acknowledged. Define the signature meanings in your SOP, expose them in the UI dropdown, and store them as a structured field on the record.
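As an added illustration (not code from this guide or from V5 Ultimate), a minimal Python model of the two controls described above: an append-only, hash-chained audit trail that keeps before and after values and refuses an entry without a reason-for-change, and a signature manifestation bound to one exact record version through a content hash, with a controlled meaning field. The second identification component is assumed to be verified by the authentication system and is represented here only by a boolean; record and user identifiers are constructed sample values.

```python
import hashlib, json
from datetime import datetime, timezone

# Signature meanings come from the SOP (the three the page names) and are stored as a structured field.
SIGNATURE_MEANINGS = {"approved", "reviewed", "released"}


def _digest(payload: dict) -> str:
    """Canonical SHA-256 over a JSON-serialisable record or trail entry."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained trail: each entry keeps old and new value, a mandatory
    reason-for-change and the hash of the previous entry, so edits to history are detectable."""

    def __init__(self):
        self.entries = []

    def record(self, user, action, record_id, old, new, reason, when=None):
        if not reason or not reason.strip():
            raise ValueError("reason-for-change is mandatory for regulated records")
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": ts, "user": user, "action": action, "record_id": record_id,
                 "old": old, "new": new, "reason": reason, "prev": prev}
        entry["hash"] = _digest(entry)  # covers every field above, including prev
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """False if any stored entry was altered or the chain between entries was broken."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def sign(record: dict, user_id: str, second_factor_ok: bool, meaning: str, when=None) -> dict:
    """Signature manifestation bound to one record version. second_factor_ok stands in for the
    authentication system's check of the second identification component (not implemented here)."""
    if not second_factor_ok:
        raise PermissionError("second identification component not verified")
    if meaning not in SIGNATURE_MEANINGS:
        raise ValueError("signature meaning must be one of %s" % sorted(SIGNATURE_MEANINGS))
    ts = (when or datetime.now(timezone.utc)).isoformat()
    return {"user": user_id, "meaning": meaning, "ts": ts, "record_hash": _digest(record)}


def signature_binds(sig: dict, record: dict) -> bool:
    """True only if the record content is exactly the version that was signed."""
    return sig["record_hash"] == _digest(record)
```

A signature over version 3 of a record will not verify against version 4, and an in-place edit to any historical trail entry makes verify() return False, which is the property the "no admin can edit history" bar asks for.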

Validation — and FDA's risk-based stance

§11.10(a) requires validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. The 2003 guidance softened the prescription to a risk-based approach, and FDA's 2022 draft on Computer Software Assurance (CSA) reinforced this: focus testing on what actually impacts product quality and data integrity, not on documenting every click. For Part 11 specifically, that means proving the audit trail captures every event, the signature binding holds, access controls enforce least privilege, backup and restore actually work, and operational checks (sequencing, holds, two-person sign-off) behave as designed. Build a thin, defensible IQ/OQ/PQ pack focused on those Part 11 controls — not a 400-page binder of redundant evidence.

The 60-day readiness path

Days 1 to 10: inventory every electronic record relied on for a predicate rule (batch records, deviations, CAPA, training, releases, supplier qualifications, complaints). Days 11 to 25: confirm SSO, MFA, role-based access, and audit-trail completeness for each system; close any gap on reason-for-change and signature meaning. Days 26 to 40: write the closed-system attestation, the access-control matrix, the data-integrity SOP, and the audit-trail periodic-review SOP. Days 41 to 55: run the CSA-style validation pack on the top three Part 11 controls in each system. Days 56 to 60: dry-run a Part 11-focused inspection with internal QA playing the inspector, fix any gap surfaced. The goal is not a binder — it's a system you'd let an FDA investigator open at random.

What enforcement looks like in 2026

FDA Form 483 observations citing Part 11 have ticked up since 2023, concentrated on three themes: audit-trail review not performed (or not signed), shared user accounts, and unvalidated spreadsheets used as regulated records. Warning letters go further and almost always pair a Part 11 gap with a predicate-rule failure (211.68, 820.70(i), 111.150) — the agency rarely cites Part 11 in isolation. Your defence is to make the predicate record bulletproof on its own merits and let Part 11 sit comfortably on top: real audit trail, real signature meaning, real access control, real validation evidence. The companies that get hurt are the ones who treat Part 11 as a separate exercise from operations.

Where this lives in V5 Ultimate

The clauses above aren't theoretical — every one maps to a shipped module and an industry profile. Jump to the parts of the product that turn this guide into evidence on a Monday morning.

Frequently asked

Do spreadsheets count as Part 11 records?
If the spreadsheet is used to satisfy a predicate-rule requirement and the data is relied on for a regulated decision, yes — it is in scope. That means access control, audit trail, validation, and signature binding all apply. Most spreadsheets fail all four. The pragmatic move is to migrate any regulated calculation into your eQMS and keep spreadsheets for ad-hoc analysis only.
Is a typed name plus a checkbox a valid electronic signature?
Not on its own. §11.200 requires two distinct identification components, captured under controls that enforce non-repudiation. A typed name in a free-text field with no re-authentication, no audit trail and no binding to the record is not compliant. The signature has to be issued through a system that authenticates the user, captures intent (meaning), and links the signature to the specific record version.
Does Part 11 apply to records we keep voluntarily?
FDA's enforcement focus is on records required by a predicate rule. Records you keep purely for internal purposes (e.g. management metrics not tied to a predicate rule) are out of scope. But if those same data also feed a regulated record — for example, a training metric that supports release decisions — they are in scope. When in doubt, treat the record as in scope; the marginal cost in a modern eQMS is low and the marginal risk of getting it wrong is high.
How often should the audit trail be reviewed?
FDA does not prescribe a frequency, but the expectation is that review is documented, signed, and proportionate to the risk of the record. Batch records and release records typically get a per-batch review; system-level configuration changes get a periodic (monthly or quarterly) review. The cadence belongs in your SOP, the evidence belongs in the eQMS, and the reviewer's signature belongs on the record itself — not in a separate log.
