21 CFR Part 11 Requirements Explained: A Practical Guide

FDA's 21 CFR Part 11 governs electronic records and signatures in pharmaceutical manufacturing. Here's what you need to know for compliance.

FDA’s 21 CFR Part 11 has been the cornerstone of electronic records regulation in pharmaceutical manufacturing since 1997. Despite being nearly 30 years old, it remains highly relevant—and frequently misunderstood.

What 21 CFR Part 11 actually covers

Part 11 establishes the criteria under which the FDA considers electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records. It applies when you use electronic records to meet FDA predicate rules (like GMPs, GLPs, or GCPs).

The regulation has three main sections:

  1. Subpart A - General provisions
  2. Subpart B - Electronic records
  3. Subpart C - Electronic signatures

Key requirements for electronic records

§ 11.10 - Controls for closed systems

Closed systems are those where access is controlled by the people responsible for the content. Most internal pharmaceutical systems fall into this category.

Required controls include:

Validation (§ 11.10(a)): Systems must be validated to ensure accuracy, reliability, and consistency. This doesn’t mean “IQ/OQ/PQ” specifically; it means documented evidence that the system works as intended.

Record generation and copying (§ 11.10(b)): The system must allow accurate and complete copies of records in both human-readable and electronic forms.

Record protection (§ 11.10(c)): Records must be protected throughout their retention period. This includes protection against unauthorized access, modification, and deletion.

Limited system access (§ 11.10(d)): Access should be limited to authorized individuals. This typically means user authentication and role-based access control.

Audit trails (§ 11.10(e)): Computer-generated, time-stamped audit trails must record the date/time of operator entries and actions. Audit trails must be retained for at least as long as the records they track.

Operational system checks (§ 11.10(f)): The system should enforce allowed sequencing of events. For example, it should prevent a batch record from being closed before all steps are complete.

Authority checks (§ 11.10(g)): The system must verify that only authorized individuals can use the system, access specific records, or perform certain operations.

Device checks (§ 11.10(h)): Where appropriate, the system should verify the source of data input or operational instructions.

Personnel training (§ 11.10(i)): People who use electronic systems must be trained on the systems they use, including their Part 11 implications.

Written policies (§ 11.10(j)): Organizations must establish and adhere to written policies holding individuals accountable for actions under their electronic signatures.

System documentation (§ 11.10(k)): Adequate documentation must exist for system operation and maintenance.

§ 11.30 - Controls for open systems

Open systems are those where access is not controlled by the people responsible for the content—like cloud systems or supplier portals. These require all closed system controls plus additional measures like encryption.

§ 11.50 - Signature manifestations

When an electronic signature is used, the signed record must clearly display:

  • The printed name of the signer
  • The date and time of the signature
  • The meaning of the signature (review, approval, responsibility, etc.)

§ 11.70 - Signature/record linking

Electronic signatures must be linked to their respective records in a way that cannot be removed, copied, or transferred to falsify another record.
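As an added illustration (not code from this page or from any product it mentions), here is a minimal Python record store that produces the time-stamped audit trail of § 11.10(e), records the three § 11.50 manifestation elements, and links each signature to its record as § 11.70 requires by including a hash of the signed content under an HMAC. The signing key, user names and record contents are constructed placeholders; a real system would keep the key in an HSM or vault and the trail in append-only storage.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real system would hold this in an HSM or vault (assumption).
SIGNING_KEY = b"demo-signing-key-not-for-production"


def canonical(obj):
    # Deterministic serialisation so hashes and MACs are reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class RecordStore:
    def __init__(self):
        self.records = {}       # record_id -> current content
        self.audit_trail = []   # append-only, time-stamped entries (§ 11.10(e))
        self.signatures = {}    # record_id -> list of signature manifestations

    def _log(self, user, action, record_id, before, after):
        self.audit_trail.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "record_id": record_id,
            "before": before, "after": after})

    def create(self, user, record_id, content):
        self.records[record_id] = dict(content)
        self._log(user, "create", record_id, None, dict(content))

    def modify(self, user, record_id, content):
        before = self.records[record_id]
        self.records[record_id] = dict(content)
        self._log(user, "modify", record_id, before, dict(content))

    def sign(self, user, printed_name, record_id, meaning):
        # Manifestation carries printed name, time and meaning (§ 11.50) plus a hash of the content.
        m = {"printed_name": printed_name, "user": user, "meaning": meaning,
             "signed_at": datetime.now(timezone.utc).isoformat(),
             "record_hash": hashlib.sha256(canonical(self.records[record_id])).hexdigest()}
        # MAC over the whole manifestation binds it to this record's content (§ 11.70).
        m["mac"] = hmac.new(SIGNING_KEY, canonical(m), "sha256").hexdigest()
        self.signatures.setdefault(record_id, []).append(m)
        self._log(user, "sign", record_id, None, meaning)
        return m

    def verify(self, record_id, m):
        # True only if the manifestation is untampered and still matches the record it signed.
        body = {k: v for k, v in m.items() if k != "mac"}
        expected = hmac.new(SIGNING_KEY, canonical(body), "sha256").hexdigest()
        if not hmac.compare_digest(expected, m["mac"]):
            return False
        return body["record_hash"] == hashlib.sha256(canonical(self.records[record_id])).hexdigest()
```

Copying a manifestation onto a different record, editing its meaning, or changing the record after signing all make verify() return False, while every create, modify and sign action lands in the audit trail.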

Electronic signature requirements

§ 11.100 - General requirements

Each electronic signature must be unique to one individual and not reused or reassigned. Organizations must verify the identity of individuals before assigning electronic signatures.

§ 11.200 - Electronic signature components

Non-biometric signatures must use at least two distinct identification components (e.g., user ID and password). Within a single continuous signing session, only the first signing requires both components; subsequent signings can use at least one component.

§ 11.300 - Controls for identification codes/passwords

Requirements include:

  • Maintaining uniqueness of codes/passwords
  • Periodic revision of passwords
  • Loss management procedures
  • Detection of unauthorized use attempts
  • Initial and periodic testing of authentication devices

Common misconceptions

“Part 11 requires specific software”

False. Part 11 is performance-based—it specifies what controls must exist, not how to implement them. Many different technical approaches can meet the requirements.

“Audit trails must capture every keystroke”

False. Audit trails must capture “the date and time of operator entries and actions that create, modify, or delete electronic records.” This means meaningful changes, not every mouse click.

“Paper is exempt”

Partially true. Paper records used to satisfy predicate rules are not subject to Part 11. However, hybrid systems (paper with electronic components) can create complex compliance scenarios.

“Validation means IQ/OQ/PQ”

Not necessarily. Part 11 requires “validation” but doesn’t prescribe a specific methodology. Risk-based approaches are acceptable and often more practical.

FDA’s current enforcement approach

The FDA’s 2003 guidance document (Scope and Application) clarified that enforcement should be risk-based. The agency focuses on:

  1. Patient safety - Could failures affect product quality?
  2. Data integrity - Is the data trustworthy?
  3. System security - Are appropriate controls in place?

The FDA no longer requires “paper copies” as backup and accepts modern electronic-only approaches when properly controlled.

Practical compliance steps

1. Identify Part 11 systems

Not every system needs Part 11 compliance. Focus on systems that:

  • Create records submitted to FDA
  • Create records required by predicate rules
  • Replace paper records required by predicate rules

2. Conduct a gap assessment

For each Part 11 system, document:

  • Current controls
  • Gaps against requirements
  • Risk level of each gap
  • Remediation plan

3. Prioritize by risk

Not all gaps are equal. Focus first on:

  • Data integrity risks
  • Electronic signature controls
  • Audit trail completeness

4. Document your approach

Create policies and procedures that explain:

  • How you identify Part 11 applicable systems
  • Your control standards
  • Your validation approach
  • How you maintain compliance over time

5. Train your people

Technical controls only work when people understand them. Ensure everyone who uses Part 11 systems understands their responsibilities.

Part 11 in the cloud era

Cloud and SaaS systems add complexity to Part 11 compliance:

  • Shared responsibility - Vendor controls vs. customer controls
  • Data location - Where records are stored
  • Access controls - Who can access what
  • Audit trails - What the vendor logs vs. what you need

When evaluating cloud systems, request Part 11 compliance documentation and understand exactly what the vendor provides vs. what you must configure.

Looking forward

Part 11 continues to evolve through FDA guidance rather than regulatory changes. Key trends include:

  • Increased acceptance of cloud systems
  • Focus on risk-based approaches
  • Greater attention to data integrity across systems
  • Recognition of modern authentication methods

The fundamentals remain: trustworthy records, secure signatures, and complete audit trails. The technology to achieve these continues to improve.

BioWise is designed from the ground up for Part 11 compliance. See how we handle electronic records.