21 CFR Part 11 is an FDA regulation that establishes the criteria under which the agency considers electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures. Published in 1997, it applies to all FDA-regulated industries — pharmaceuticals, biologics, medical devices, food, and cosmetics — whenever electronic records or electronic signatures are used in lieu of paper records or handwritten signatures in GxP-regulated activities. Compliance requires specific technical and procedural controls governing how electronic records are created, maintained, and protected.
21 CFR Part 11 applies to any computerized system that creates, modifies, maintains, archives, retrieves, or transmits electronic records that are required to be maintained under FDA regulations — and where those records are used instead of, or in addition to, paper records. This includes LIMS, MES, SCADA, EBR, QMS, CDS, and any other GxP system where electronic records substitute for paper. Systems that maintain paper records as the original and use electronic copies only for reference may have reduced Part 11 obligations, though this requires a formal assessment.
21 CFR Part 11 requires computer-generated, tamper-evident audit trails that capture who did what to a record, when, and why (for changes). Specifically, audit trails must record: the date and time of operator entries and actions that create, modify, or delete electronic records; the original and new values when records are changed; and the identity of the user making the change. Audit trails must be retained for the period required for the subject electronic record and must be available for FDA inspection. They cannot be modified or deleted by users.
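As an added illustration (not part of the original page or any particular vendor's system), the following Python sketch shows a minimal append-only audit trail that records who, what, when and why, including old and new values, chains each entry to the previous one with a SHA-256 hash, and detects a direct edit of stored entries that bypasses the application. The user IDs, timestamps and batch values are constructed; a production system would additionally keep the entries in storage that the application's own database account cannot rewrite.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace

GENESIS = "0" * 64  # chain anchor for the first entry

@dataclass(frozen=True)
class AuditEntry:
    timestamp: str   # when: UTC ISO 8601, taken from the system clock, never user-supplied
    user_id: str     # who: a unique, non-shared user ID
    record_id: str   # which record
    action: str      # what: "create", "modify" or "delete"
    old_value: str   # original value ("" on create)
    new_value: str   # new value ("" on delete)
    reason: str      # why: required for changes and deletions
    prev_hash: str   # link to the previous entry's hash
    entry_hash: str = ""

def _hash_entry(entry: AuditEntry) -> str:
    body = {**asdict(entry), "entry_hash": ""}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    def __init__(self):
        self._entries: list[AuditEntry] = []  # append-only: no update or delete method exists

    def append(self, timestamp, user_id, record_id, action, old_value, new_value, reason=""):
        if action != "create" and not reason:
            raise ValueError("a reason is required for changes and deletions")
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        draft = AuditEntry(timestamp, user_id, record_id, action, old_value, new_value, reason, prev)
        entry = replace(draft, entry_hash=_hash_entry(draft))
        self._entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        # Recompute the chain; returns (intact, index of the first bad entry or -1).
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e.prev_hash != prev or _hash_entry(e) != e.entry_hash:
                return False, i
            prev = e.entry_hash
        return True, -1

def demo() -> tuple[bool, bool, int]:
    trail = AuditTrail()  # constructed sample activity on a batch record, not real data
    trail.append("2024-05-01T09:00:00Z", "jdoe", "BATCH-0001", "create", "", "yield_kg=98.4")
    trail.append("2024-05-01T09:30:00Z", "asmith", "BATCH-0001", "modify", "yield_kg=98.4", "yield_kg=98.9", "transcription error corrected")
    intact_before = trail.verify()[0]
    trail._entries[1] = replace(trail._entries[1], old_value="yield_kg=98.9")  # direct edit of stored data, bypassing the application
    intact_after, bad_index = trail.verify()
    return intact_before, intact_after, bad_index
```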
Under Part 11, an electronic signature is any computer data compilation of a symbol or series of symbols that is legally binding and equivalent to a handwritten signature. Part 11 distinguishes two types: biometric signatures (based on unique physical characteristics, such as fingerprint or voice recognition) and non-biometric signatures (typically username plus password combinations). Non-biometric signatures require at least two identification components. Electronic signatures must be linked to their associated electronic records so that the signature cannot be excised, copied, or otherwise transferred to falsify another record.
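An added example of the signature-to-record linking described above (this is illustrative code, not from the original page): the signature manifestation carries the signer's printed name, date/time and meaning together with a digest of the exact record content, and a system-held key computes a tag over all of it, so a signature copied onto another record, or a record edited after signing, fails verification. The system-held HMAC key is an assumption standing in for a real PKI or HSM-backed signing key, and the batch records and signer are constructed.

```python
import hashlib
import hmac
import json

SYSTEM_KEY = b"constructed-demo-key-replace-with-hsm-held-key"  # assumption: held by the system, never by users

def record_digest(record: dict) -> str:
    """Canonical SHA-256 over the record content, so any edit changes the digest."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def _tag(manifest: dict) -> str:
    return hmac.new(SYSTEM_KEY, json.dumps(manifest, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def sign_record(record: dict, user_id: str, full_name: str, meaning: str, signed_at: str) -> dict:
    """Build the signature manifestation (printed name, date/time, meaning) bound to this exact record."""
    manifest = {
        "record_id": record["record_id"],
        "record_digest": record_digest(record),
        "user_id": user_id,
        "full_name": full_name,
        "meaning": meaning,      # e.g. "Reviewed", "Approved"
        "signed_at": signed_at,  # system clock in a real system; fixed here for a repeatable example
    }
    return {**manifest, "tag": _tag(manifest)}

def verify_signature(record: dict, signature: dict) -> bool:
    """True only if the manifest is untampered and still matches this record's identity and content."""
    manifest = {k: v for k, v in signature.items() if k != "tag"}
    if not hmac.compare_digest(_tag(manifest), signature["tag"]):
        return False  # manifest altered (e.g. record_id or digest rewritten to fit another record)
    return manifest["record_id"] == record["record_id"] and manifest["record_digest"] == record_digest(record)

def demo() -> tuple[bool, bool, bool]:
    batch_a = {"record_id": "BATCH-0001", "yield_kg": 98.4, "status": "released"}  # constructed
    batch_b = {"record_id": "BATCH-0002", "yield_kg": 71.0, "status": "released"}  # constructed
    sig = sign_record(batch_a, "jdoe", "Jane Doe", "Approved", "2024-05-01T10:15:00Z")
    genuine = verify_signature(batch_a, sig)
    transferred = verify_signature(batch_b, sig)                   # signature copied onto another record
    edited = verify_signature({**batch_a, "yield_kg": 99.9}, sig)  # record changed after signing
    return genuine, transferred, edited
```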
Part 11 requires that system access be limited to authorized individuals only. Access controls must include: unique user IDs that cannot be shared between users; authority checks ensuring users can only perform operations within their authorized roles; device checks where appropriate to verify terminal identity; and operational system checks enforcing proper sequencing of events. Password management procedures must address minimum password length, complexity, and periodic change requirements. Shared accounts — where multiple users operate under a single login — are a direct Part 11 violation and a consistent FDA warning letter finding.
Yes. Part 11 §11.10(a) explicitly requires that systems used to create, modify, maintain, or transmit electronic records be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Validation under Part 11 is not optional — it is a direct regulatory requirement for any in-scope system. The validation approach should follow GAMP 5 or equivalent industry guidance, and the extent of validation should be proportionate to the system's risk and complexity as informed by FDA's CSA guidance.
A predicate rule is the underlying FDA regulation that requires a specific record to be kept — for example, 21 CFR Part 211.188 requiring batch production records. Part 11 governs how those records may be maintained electronically; it does not define what records must exist. Whether a record must be kept is determined by the predicate rule; whether an electronic version is acceptable and what controls it requires is governed by Part 11. Understanding predicate rule requirements is the first step in scoping a Part 11 compliance assessment for any computerized system.
In 2003, FDA issued a Guidance for Industry on Part 11 that significantly narrowed its practical scope compared to the 1997 final rule. Key changes: FDA stated it would exercise enforcement discretion for legacy systems validated before the rule's effective date; narrowed the definition of "electronic records" to exclude hybrid systems where paper is the original; and indicated it would focus inspections on predicate rule compliance rather than strict Part 11 procedural requirements. The 2003 guidance also rescinded earlier draft guidance on validation and audit trails that industry had found overly burdensome.
Both 21 CFR Part 11 and EU GMP Annex 11 govern computerized systems in GxP environments but with different emphases. Part 11 is primarily a records and signatures regulation focused on electronic record integrity and electronic signature equivalency. Annex 11 is broader — it governs the entire lifecycle of computerized systems used in GxP environments, addressing validation, data backup, disaster recovery, security, and system retirement in addition to electronic records. Annex 11 is more prescriptive about validation lifecycle requirements; Part 11 focuses specifically on the technical controls governing electronic records and signatures.
Part 11 obligations follow the regulated company regardless of where systems are hosted. A pharmaceutical company using a cloud-based QMS or LIMS must ensure the system meets all Part 11 requirements — audit trails, access controls, validation, electronic signature compliance — even when the vendor manages the infrastructure. Contracts with SaaS vendors must include provisions ensuring access to audit trails, data availability for inspection, and the vendor's cooperation with FDA audit requests. The regulated company cannot transfer its Part 11 obligations to the vendor; it remains the responsible party.
Part 11 distinguishes between closed systems — where access is controlled by the persons responsible for the content of the electronic records — and open systems — where access is not under the control of the record owners, such as internet-accessible systems or those shared with external parties. Closed systems require the core Part 11 controls: validation, audit trails, access controls, and electronic signatures. Open systems require all of the same controls plus additional procedural safeguards including encryption, use of digital signatures, or other measures to ensure record authenticity and confidentiality during transmission.
Hybrid systems are those where electronic records are generated and used alongside paper records — the paper being the official GxP record and the electronic data existing in a supportive role. Under the 2003 Part 11 guidance, FDA clarified that if paper is the original record and electronic data is a separate backup or working copy, the electronic records may be outside the strict Part 11 scope for that specific record type. However, hybrid approaches require careful documentation of which record is official, and any electronic records that themselves satisfy predicate rule requirements remain in scope regardless.
Part 11 requires that non-biometric electronic signatures use at least two distinct identification components — typically a user ID and a password. The regulation does not prescribe specific minimum lengths or complexity rules, but FDA expects these controls to be meaningful. Industry practice and FDA inspection experience support: minimum 8-character passwords, complexity requirements (mixed case, numbers, special characters), automatic lockout after failed attempts (typically 3–5), forced change intervals (typically 90 days), and prohibition of password reuse. Procedural SOPs must govern these controls even where the system itself enforces them technically.
Data migration from legacy systems must preserve the integrity, traceability, and accessibility of migrated electronic records. Part 11 requires that migrated records retain their original content and context — including original audit trails, electronic signatures, and timestamps. Migration validation must demonstrate that no data was lost, corrupted, or inappropriately modified during transfer. Post-migration, the regulated company must ensure that migrated records remain legible and accessible for the required record retention period, even after the legacy system is decommissioned. A formal data migration validation protocol and report are standard practice.
The most common Part 11 violations cited in FDA warning letters include: shared user accounts making records unattributable to individuals; failure to enable or configure audit trails in GxP systems; ability to delete or modify audit trail data; use of spreadsheets or manual data entry without adequate electronic record controls; failure to validate computerized systems; inadequate access controls allowing unauthorized record modifications; and inadequate electronic signature controls including unsigned records or use of someone else's credentials. Chromatography data systems and LIMS are the systems most frequently cited.
Spreadsheets used to create, modify, or maintain GxP records that substitute for paper are subject to Part 11 requirements. Standard commercial spreadsheet software (Microsoft Excel) does not inherently provide compliant audit trails, access controls, or the tamper-evident record protection Part 11 requires. Pharmaceutical companies using spreadsheets for GxP record-keeping must either apply technical controls and validation to make them Part 11 compliant — which is operationally difficult — or treat paper as the official record and use electronic copies only in a non-predicate-rule role. FDA warning letters involving spreadsheet misuse are common.
Part 11 §11.10(i) requires that personnel responsible for electronic records and electronic signature use have the education, training, and experience necessary to perform their assigned tasks. This means training must cover: how to use the specific system correctly; data integrity obligations; consequences of Part 11 violations including unauthorized signature use; password management requirements; and how to identify and report system anomalies. Training must be documented and records retained. Generic IT security training does not satisfy Part 11 training requirements — training must be system-specific and role-appropriate.
Part 11 requires documentation sufficient to enable authorized individuals to determine the disposition of electronic records, including: validation documentation demonstrating system fitness; system change control records; audit trail configuration documentation; access control policies and user provisioning records; electronic signature binding and certification records; training records; and procedural SOPs governing system use. This documentation must be retained and available for FDA inspection on request. In practice, the documentation burden for a large enterprise system often exceeds the technical implementation effort.
FDA Part 11 enforcement shifted significantly after the 2003 guidance, which introduced enforcement discretion for legacy systems and narrowed inspection focus. However, enforcement remains active for new systems and clear violations — particularly shared accounts, missing audit trails, and unvalidated GxP systems. FDA 483 observations and warning letters continue to cite Part 11 violations regularly, especially in pharmaceutical manufacturing and laboratory settings. The 2003 exercise of enforcement discretion did not eliminate Part 11 compliance obligations; it narrowed the areas of active enforcement focus while leaving core requirements fully in force.
21 CFR Part 11 is a cross-cutting regulation that applies alongside — not instead of — the predicate rules governing specific product types. For pharmaceutical manufacturers, Part 11 operates alongside 21 CFR Parts 210 and 211 (GMPs), Part 58 (GLP), and Part 312 (clinical trials). For medical devices, it applies alongside Part 820 (QSR). For food, alongside Part 117 (FSMA). Part 11 does not replace these regulations — it provides the technical standards for electronic implementation of the record-keeping requirements they impose. Compliance requires satisfying both Part 11 and the applicable predicate rules.