21 CFR Part 11

What 21 CFR Part 11 covers

21 CFR Part 11 is the U.S. Food and Drug Administration regulation titled Electronic Records; Electronic Signatures. It defines the criteria under which electronic records and electronic signatures are treated as trustworthy, reliable, and equivalent to paper records and handwritten signatures executed on paper.

Part 11 by itself doesn't create new GxP requirements. It applies only when a predicate rule (like 21 CFR Part 211 for drug manufacturing or Part 820 for medical devices) already requires the record, and the firm has chosen to keep that record electronically. This scoping point, reinforced in FDA's August 2003 Guidance for Industry: Part 11 — Scope and Application, is the most-misread part of the rule.

The regulation has three subparts: Subpart A defines scope and key terms, Subpart B governs electronic records, Subpart C governs electronic signatures.

Why Part 11 is the most-cited electronic-record rule in the world

Part 11 sits at the centre of nearly every modern pharmaceutical and medical device quality system because nearly every modern QMS, LIMS, MES, ERP, and lab instrument generates electronic records under a predicate rule. The Part 11 controls (validated systems, secure attribution, audit trails, controlled signatures, retention) are what separate a regulator-acceptable electronic record from one that becomes an inspection finding.

Part 11 weaknesses are also among the most consistent themes in FDA 483 observations and warning letters. The 2017–2024 chromatography enforcement wave produced dozens of warning letters citing audit trails not enabled, shared analyst accounts, ability to delete or overwrite data, and inadequate validation. These aren't new patterns. They're the same Part 11 controls firms have known about for over two decades.

Inspector note: When I review a regulated electronic system during an inspection, my first question is always: show me the requirements that link this system to a predicate rule. If that mapping is fuzzy, the rest of the conversation about Part 11 controls gets much harder for the firm to navigate.

How Part 11 is structured, section by section

Part 11 has three subparts. Each section maps to a specific aspect of trustworthiness for either the electronic record or the electronic signature.

Subpart A — General Provisions

• §11.1 — Scope: Part 11 applies to records required by predicate rules and signatures executed under those rules.
• §11.2 — Implementation: firms may use electronic records and signatures in lieu of paper, provided Part 11 is met.
• §11.3 — Definitions: the canonical definitions of closed system, open system, biometrics, electronic signature, digital signature, handwritten signature.

Subpart B — Electronic Records (§§11.10, 11.30, 11.50, 11.70)

• §11.10 — Controls for closed systems: the operative requirements list. Validation; accurate copies; record protection during retention; limited system access; §11.10(e) secure computer-generated time-stamped audit trails; operational system checks; authority checks; device checks; personnel qualifications; §11.10(k) control over system documentation.
• §11.30 — Controls for open systems: adds encryption and digital signature requirements where access isn't controlled by the content owner.
• §11.50 — Signature manifestations: signed electronic records have to display the printed name of the signer, the date and time the signature was executed, and the meaning associated with the signature (review, approval, responsibility, authorship).
• §11.70 — Signature/record linking: signatures have to be linked to their records so they can't be excised, copied, or transferred to falsify an electronic record.

Subpart C — Electronic Signatures (§§11.100, 11.200, 11.300)

• §11.100 — General requirements: each electronic signature is unique to one individual and not reassigned; identity verified before assignment; firm certifies to FDA that the e-signatures are intended to be legally binding equivalents of handwritten signatures.
• §11.200 — Electronic signature components and controls: non-biometric signatures require at least two distinct identification components (typically an ID and a password), with re-execution at first session login and for subsequent signings during a continuous session; biometric signatures have to ensure they can't be used by anyone other than their genuine owners.
• §11.300 — Controls for identification codes and passwords: uniqueness, periodic password change, loss-management procedures, transaction safeguards to prevent unauthorized use, periodic testing of devices that generate or bear identification codes.
• FDA Guidance: Part 11 Scope and Application (August 2003): narrows enforcement focus to validation, audit trails, copies of records, and record retention; confirms firms may use risk-based judgment for other Part 11 requirements. Still FDA's most-cited interpretive document.

What Part 11 looks like day-to-day in production

For a firm running a Part 11 system, the rule turns into a set of recurring quality activities. Each one gets inspected against the relevant section:

• System validation — Every Part 11 system must be validated for intended use under §11.10(a). Under FDA's CSA Final Guidance (February 2026), risk-based assurance evidence is the expected approach; documented evidence isn't optional.
• Audit trail capture and review — §11.10(e) requires secure, computer-generated, time-stamped audit trails. Inspectors expect both the technical capture and a documented periodic review cadence.
• Access control and unique accounts — §11.10(d) limits access; §11.100 requires unique signatures. Shared accounts violate both.
• Signature workflow with meaning — §11.50 requires the signature record to display printed name, date/time, and meaning (review, approval, responsibility, authorship). Captured-without-meaning fails the rule.
• Signature-to-record binding — §11.70 requires the signature to be linked to the record. Foreign-key or cryptographic linking both work.
• Predicate-rule retention — Record and its audit trail retained per the predicate rule.
• Change control on the system — §11.10(k) requires control over system documentation and changes. Configuration, scripts, queries, reports all in scope.
• Producible to an inspector — §11.10(b) requires the ability to generate accurate copies for the agency. ‘Cannot export’ isn't a defensible answer.

What strong Part 11 programs share

Programs that hold up under inspection share a consistent set of operational controls — engineering, procedural, and cultural:

• Predicate-rule mapping is explicit — documented in validation deliverables, not implicit
• Validation evidence stays current — periodic review plus change-control re-validation
• Audit trail is non-disable — engineering controls block IT bypass
• Audit trail review is a controlled record — periodic, independent, signed evidence
• Unique accounts only — shared accounts out of GxP workflows
• Signature meaning is enforced — user selects meaning before signing
• Reason-for-change is captured — at the edit, not back-filled
• Account lockout and password controls match §11.300 — periodic change, uniqueness, loss procedures, lockout
• Open systems use digital signatures and encryption — designed in per §11.30, not bolted on

How Complere supports Part 11 compliance

Part 11 isn't an add-on to a quality system — it's the rules a quality system has to follow whenever its records and signatures are electronic. Complere is built with those rules at the centre rather than layered on after the fact, so the controls inspectors look for behave the same way across every regulated record your team works with.

Every action your team takes on a regulated record — drafting a document, closing a CAPA, approving a change, signing off an audit finding, releasing a deviation — is captured with who did it, when, and the reason. The history can't be quietly edited or deleted from anywhere in the application. Your records stay in your own space; your data never mixes with another customer's.

When someone signs something, the signature shows who signed, the moment they signed, and what they were signing for (review, approval, responsibility, or authorship). The signer picks the meaning before applying the signature, and that choice travels with the signature for life. Roles decide who can apply which meaning to which record; the system checks the person actually has the authority before letting them sign. Logins are individual, never shared.

What your team needs to produce to an inspector — the audit trail for a batch release, the signing history for a CAPA closure, the system documentation for a chromatography integration — Complere produces in a human-readable form your team can hand directly to the agency. Records, signatures, audit trails, signature meanings, timestamps; all of it.

To give your validation team a starting point rather than a blank page, Complere ships a Vendor Validation Package — VMP, URS, IQ/OQ/PQ evidence, and a traceability matrix linking each requirement to the automated test that proves it. Your team extends it for site-specific scope rather than building the baseline from scratch.

What stays with your team: deciding which systems are in Part 11 scope (the predicate-rule mapping), running the validation program, training your users on the weight of an electronic signature, and periodically reviewing how the controls are actually performing. Complere handles the technical controls; the Part 11 program around them stays yours.

Terms related to 21 CFR Part 11

21 CFR Part 11 connects to many other quality concepts. Explore related terms to build a complete picture.

• Audit Trail — §11.10(e), the most-cited subsection in 483s
• Data Integrity — the outcome; ALCOA+ is the diagnostic
• ALCOA+ — principles applied to Part 11 evidence
• Validation — §11.10(a) plus CSA
• Document Control — the most common Part 11 record type
• CAPA — CAPA records and signatures under Part 11 when predicate applies
• Electronic Records & Signatures (compliance hub)