Skip to main content

FDA 21 CFR Part 11 Electronic Records and Signatures

21 CFR Part 11 is an FDA regulation defining when electronic records and signatures are trustworthy and equivalent to paper, requiring validation, audit trails, access controls, and signature integrity. It applies to GxP computerized systems and is enforced through FDA inspections.

Jurisdiction
United States

What 21 CFR Part 11 Is and Why It Exists

21 CFR Part 11 is a regulation issued by the US Food and Drug Administration (FDA) that establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. Effective in 1997, it applies to the computerized systems used in FDA-regulated activities, commonly grouped under "GxP" (good manufacturing, laboratory, and clinical practice).

Part 11 exists because life-sciences organizations increasingly relied on computer systems for data that supports product safety and efficacy. The regulation ensures those electronic records cannot be quietly altered and that electronic signatures carry the same legal weight and accountability as ink.

Who It Applies To

Part 11 applies to organizations regulated by the FDA, including pharmaceutical and biotech manufacturers, medical-device makers, clinical research organizations, and laboratories, whenever they use computer systems to create, modify, maintain, or transmit records required by FDA regulations, or to apply electronic signatures. It therefore reaches the software vendors and cloud providers that supply such systems to these organizations.

Key Requirements

  • System validation: computerized systems must be validated to ensure accuracy, reliability, and consistent intended performance.
  • Audit trails: secure, computer-generated, time-stamped audit trails must record who did what and when, without obscuring prior entries.
  • Access controls: systems must limit access to authorized individuals and enforce authority checks.
  • Electronic signatures: signatures must be unique, verifiable, and linked to their records, with controls preventing repudiation.
  • Record integrity and availability: records must be protected and retrievable in human-readable form throughout the retention period.

The FDA's risk-based guidance clarifies how to scope these controls proportionately.

Penalties for Non-Compliance

Non-compliance is enforced through the FDA's broader authority. Findings during inspections can result in Form 483 observations and Warning Letters; serious or unresolved issues can lead to rejected submissions, import alerts, consent decrees, product seizures, and injunctions. Data-integrity failures involving Part 11 are among the most common and damaging inspection findings, capable of delaying approvals and halting operations.

How to Comply

  • Identify which systems hold GxP-relevant electronic records or apply electronic signatures.
  • Validate those systems and maintain documented evidence of validation.
  • Enable and protect secure, time-stamped audit trails and review them.
  • Enforce role-based access controls and unique user accounts.
  • Implement compliant electronic-signature controls and train users on their legal meaning.
  • Ensure records remain protected, accurate, and retrievable for their full retention period.

Data integrity, often summarized by the ALCOA principles (attributable, legible, contemporaneous, original, accurate), is the practical heart of Part 11 compliance.

Computer System Validation and the Cloud

Applying Part 11 to modern cloud and SaaS systems has reshaped validation practice. The FDA's risk-based approach, and the industry's move toward Computer Software Assurance, encourages focusing validation effort on the functions that most affect patient safety and data integrity rather than exhaustively testing everything. Cloud platforms shift some responsibility to vendors, making supplier qualification, shared-responsibility clarity, and access to audit trails essential. Regulated organizations increasingly rely on vendor validation evidence supplemented by their own configuration and use-case testing. The constant remains data integrity: regardless of where a system runs, records must stay attributable, complete, and tamper-evident throughout their lifecycle.