
21 CFR Part 11 Compliance Checklist 2026: Electronic Records & E-Signatures


21 CFR Part 11 is the FDA regulation governing electronic records and electronic signatures for all FDA-regulated organisations. It requires validated systems, tamper-evident audit trails, unique user IDs, and e-signatures permanently bound to records. This checklist covers all five requirement areas so you find your gaps before an inspector does.


What 21 CFR Part 11 Actually Requires

Four areas — each with specific technical and procedural requirements your systems and SOPs must satisfy.


System Validation

Every system creating or storing regulated records must be validated before GxP use begins.


Audit Trails

Computer-generated, time-stamped, tamper-evident — reviewed by QA on a documented schedule.


Access Controls

Unique user IDs, role-based permissions, system-enforced password policy, and account lifecycle management.


E-Signature Integrity

Permanently bound to records with signer identity, date/time, and signature meaning at every event.


The Complete 21 CFR Part 11 Checklist

1 — System Validation (§11.10(a))

Formal system validation completed: IQ, OQ, PQ — or CSA-equivalent risk-based evidence — approved before GxP use. Approach proportionate to GAMP category.
Validation docs version-controlled and retained: all protocols, execution records, and summary reports stored for system lifetime plus regulatory retention period.
Change control assesses Part 11 impact: every patch, upgrade, or config change goes through formal impact assessment. Cited in over 28% of Part 11-related 483s in 2025.
SOPs govern system operation and administration: written procedures cover account management, backup/recovery, incident response, and periodic review of controls.
Vendor qualification documented: supplier assessment confirms development practices, support model, and security controls before any GxP records are handled.

2 — Audit Trail Requirements (§11.10(e))

Audit trails are computer-generated and automatic: all creates, reads, updates, and deletes of GxP records logged automatically — no user trigger required.
Each entry captures who, what, and when: user identity, date/time, action type, and old vs new values recorded in every entry.
Audit trails are tamper-evident: no user — including admins — can modify or delete entries. Any attempted alteration is itself logged and flagged.
Retained for the required period: at least as long as the records they reference — typically batch record lifetime plus regulatory retention period.
Periodically reviewed with documented evidence (most cited gap): QA review schedule exists, reviews executed on time, each review e-signed. Having the trail without reviewing it fails every time.

3 — Access Controls (§11.10(d)/(g))

Every user has a unique individual ID — no shared accounts: generic or departmental accounts prohibited for any GxP action. Shared accounts are a citable finding regardless of other controls.
Role-based access limits permissions to job function: lab analyst cannot approve records. Read-only reviewer cannot create entries. Access provisioned by role.
Password policy is system-enforced, not just SOP-stated: complexity, periodic changes, and lockout after failed attempts enforced by the system — not just documented in a policy.
Account provisioning and deactivation formally documented: departing employees deactivated promptly with a record showing when and by whom.
Session timeouts configured and enforced: sessions lock after defined inactivity, preventing unauthorised use of unattended workstations.

4 — Electronic Signature Requirements (§11.50–§11.200)

Every e-signature displays all three mandatory elements: signer's full name, date/time, and meaning (Approved/Reviewed/Authored) under §11.50. Missing any one is a citable finding.
Signatures permanently and inseparably linked to records: impossible to copy, transfer, or remove without detection under §11.70. Bound to record content at the moment of signing.
Each signing event requires fresh credential entry: under §11.200, every signature requires fresh user ID + password. Session login is not sufficient. "Click to approve" is non-compliant.
One-time FDA e-signature certification sent: §11.100(c) requires a one-time written letter to FDA. Many organisations have never sent it and only discover this during inspection.

5 — Record Integrity (§11.10(b)/(c))

Records remain accurate and readable throughout retention: accessible and unaltered through software upgrades, data migrations, and system decommissioning events.
Backup and recovery procedures validated and tested: backup documented and verified. Recovery tested at defined intervals confirming complete restoration.
Printed copies include all e-signature information: paper output includes signer name, date/time, and signature meaning — as informative as the electronic version.
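The audit-trail items in section 2 (who/what/when, old vs new values, tamper evidence) and the signature-binding items in section 4 (§11.50 elements bound to record content under §11.70) can be checked mechanically. The following is an added illustration, not GoVal code: a hash-chained trail whose entries cannot be edited, deleted or reordered without detection, and a signature manifestation that fails verification if the record changes or the signature is moved to another record. The integrity key, record fields and sample values are constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real system keeps this in an HSM/KMS, out of reach of admins.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"

def _digest(payload: dict, prev_hash: str) -> str:
    """Keyed hash over canonical JSON of an entry plus the previous entry's hash."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()

def append_entry(trail: list, user: str, action: str, record_id: str, old, new, when=None) -> dict:
    """Append a who/what/when/old-new entry chained to the previous hash (system-generated, no user trigger)."""
    when = when or datetime.now(timezone.utc).isoformat()
    prev = trail[-1]["hash"] if trail else "GENESIS"
    payload = {"user": user, "action": action, "record": record_id, "old": old, "new": new, "time": when}
    entry = {**payload, "prev": prev, "hash": _digest(payload, prev)}
    trail.append(entry)
    return entry

def verify_trail(trail: list) -> bool:
    """Recompute every link; an altered, removed or reordered entry breaks the chain."""
    prev = "GENESIS"
    for e in trail:
        payload = {k: e[k] for k in ("user", "action", "record", "old", "new", "time")}
        if e["prev"] != prev or not hmac.compare_digest(e["hash"], _digest(payload, prev)):
            return False
        prev = e["hash"]
    return True

def sign_record(record: dict, signer: str, meaning: str, when: str) -> dict:
    """Manifest the §11.50 elements (name, date/time, meaning) bound to a hash of the record content (§11.70)."""
    content_hash = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    manifest = {"signer": signer, "time": when, "meaning": meaning, "content_hash": content_hash}
    manifest["sig"] = _digest(manifest, "SIGNATURE")
    return manifest

def verify_signature(record: dict, manifest: dict) -> bool:
    """Fails if the record was edited after signing, the signature was copied elsewhere, or its meaning changed."""
    content_hash = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    fields = {k: manifest[k] for k in ("signer", "time", "meaning", "content_hash")}
    return (manifest["content_hash"] == content_hash
            and hmac.compare_digest(manifest["sig"], _digest(fields, "SIGNATURE")))
```

The keyed hash stands in for whatever signing mechanism the system uses; the point is that the verifier, not the user, decides whether an entry or signature is still intact.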

How GoVal Satisfies Every Part 11 Requirement

Requirement: How GoVal addresses it

System Validation: Validated VLMS. IQ/OQ/PQ vendor docs provided at onboarding. Built-in templates for every system you manage.
Audit Trails: Automatic, tamper-evident trails on every record. No user — including GoVal staff — can modify entries.
Unique User IDs: Shared accounts architecturally blocked, not just policy-prohibited. Role-based permissions enforced.
Electronic Signatures: Credential re-entry at every signing event. Name, date/time, and meaning permanently bound to the record.
Record Integrity: Tamper-evident cloud storage with automated backups, version history, and configurable retention periods.
Audit Trail Review: Built-in review workflows with configurable schedules, automated reminders, and e-signed review records.

Frequently Asked Questions

What is 21 CFR Part 11?
21 CFR Part 11 is the FDA regulation governing electronic records and e-signatures for FDA-regulated organisations replacing paper with electronic systems. It applies to pharma, biotech, medical device, CRO, and CDMO companies — on-premise or cloud — where systems create, modify, or store records required by FDA predicate rules.
Does 21 CFR Part 11 apply to SaaS and cloud systems?
Yes. Cloud hosting does not transfer compliance responsibility to the vendor. Your organisation retains all Part 11 obligations and must validate the system and confirm all controls are in place. Vendor-hosted means vendor-supported — not vendor-responsible for your compliance.
What are the 21 CFR Part 11 audit trail requirements?
Under §11.10(e), audit trails must be computer-generated, automatic, time-stamped, and tamper-evident. No user, including admins, can modify entries. Every entry captures user identity, action type, date/time, and old vs new values. Trails must be retained as long as the records they reference and reviewed by QA on a documented schedule — the most consistently missed element in inspections.
What must an electronic signature include under 21 CFR Part 11?
Three mandatory elements under §11.50: full printed name, date/time of signing, and meaning (Approved/Reviewed/Authored). Under §11.70 the signature must be permanently bound to the record. Under §11.200, each signing event requires fresh user ID and password — session login is not sufficient.
Do we need to certify our e-signatures to the FDA?
Yes — once. Section 11.100(c) requires a one-time written certification to FDA that your e-signatures are legally binding equivalents of handwritten signatures. Send it once, retain a copy in your compliance records, and the requirement is satisfied permanently.
What are the most common 21 CFR Part 11 inspection findings?
Five consistent findings: (1) audit trails exist but never periodically reviewed, (2) shared user accounts, (3) e-signatures missing required elements, (4) GxP systems never formally validated, and (5) change control skipping Part 11 impact assessment on software updates. All five are preventable with the right platform and SOPs.
Is EU Annex 11 the same as 21 CFR Part 11?
Similar but not identical. Both require validated systems, audit trails, and access controls. EU Annex 11 goes further on supplier management, business continuity, and data migration. A 2025 revision expected to finalise in 2026 introduces Annex 22 for AI systems. Dual-regulated organisations must satisfy both independently.
How does FDA Computer Software Assurance affect Part 11 compliance?
FDA's CSA guidance (September 2025) changes how you demonstrate compliance — not what you must comply with. Audit trail, unique user ID, and e-signature requirements are unchanged. CSA allows risk-based proportionate validation evidence rather than exhaustive documentation, but Part 11 controls remain mandatory for all covered systems.
What is the difference between a closed and open system under Part 11?
A closed system is controlled by the persons responsible for the records — typically an internal authenticated system. An open system allows access by external parties not responsible for the records and requires additional controls including encryption to protect record authenticity during transmission.

Find Your Part 11 Gaps Before an Inspector Does

GoVal builds every 21 CFR Part 11 control into the platform by default — tamper-evident audit trails, compliant e-signatures, automated review workflows, and role-based access that structurally prevents shared accounts.

Book a Free Part 11 Gap Assessment