21 CFR Part 11
Electronic Records; Electronic Signatures
Legal Requirement: This regulation is legally binding and must be complied with for US market access. Non-compliance can result in regulatory action, including warning letters, import detentions, and product recalls.
Overview
Scope
21 CFR Part 11 establishes requirements for electronic records and electronic signatures used in FDA-regulated industries. It applies when electronic records are used in place of paper records or when electronic signatures are used in place of handwritten signatures. The regulation covers systems used to create, modify, maintain, archive, retrieve, or transmit electronic records.
Applicability
Part 11 applies to all FDA-regulated industries including medical devices, pharmaceuticals, biologics, and food. It applies when: (1) electronic records are used in place of paper records required by FDA regulations, or (2) electronic signatures are used in place of handwritten signatures. Common applications include eQMS systems, electronic batch records, electronic CAPA systems, and electronic design history files.
Why It Matters
21 CFR Part 11 is critical for modern medical device companies using electronic systems. Most companies use electronic quality management systems (eQMS), electronic document management, and electronic signatures. Non-compliance can result in FDA warning letters, import detentions, and rejection of regulatory submissions. Understanding Part 11 helps ensure electronic systems meet FDA requirements and support regulatory compliance.
Key Concepts
- Electronic records validation
- Audit trails and data integrity
- Electronic signature requirements
- System security and access controls
- Data backup and recovery
- System validation and testing
- Change control and configuration management
- User training and qualification
- Risk-based approach to compliance
Modern quality systems are electronic. Part 11 compliance enables digital transformation without sacrificing data integrity.
Part 11 covers electronic records and signatures. If you use electronic systems for QMS records—and you probably do—this applies to you. The good news: FDA takes a risk-based approach. Not every system needs the same level of validation. Focus your efforts on systems with the highest data integrity impact.
🔑 Key Takeaways
- Audit trails are non-negotiable. Ensure your systems capture who did what and when.
- Electronic signatures must be unique, linked to records, and include meaning.
- Cloud systems can comply—but you need the right agreements with vendors.
- Validation doesn't mean over-documenting. It means proving the system works.
— ER | medev.ai
Key Requirements Overview
System Validation (11.10)
Systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Validation must be documented and include testing of system functions.
Audit Trails (11.10(e))
Systems must use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Audit trails must be retained and available for review.
Electronic Signatures (11.50-11.200)
Electronic signatures must be unique to one person and not reused or reassigned. They must include identification of the signer, date and time of signing, and meaning of the signature. Signatures must be linked to their respective records.
Access Controls (11.10(d))
Systems must have procedures and controls to ensure that only authorized individuals can access the system, electronically sign records, alter records, or perform operations. Access must be limited to authorized individuals.
Data Integrity (11.10)
Systems must ensure that electronic records are accurate, complete, and not altered in an unauthorized manner. Controls must prevent unauthorized access, modification, or deletion of records.
System Documentation
System documentation must be maintained, including standard operating procedures, system descriptions, validation documentation, and user manuals. Documentation must be current and available.
Backup and Recovery (11.10(c))
Systems must have procedures for backup and recovery of electronic records. Backup copies must be exact, complete, and retrievable. Recovery procedures must be tested and documented.
Change Control
Changes to systems must be controlled, validated, and documented. Change control procedures must ensure that system changes do not compromise data integrity or system validation.
Compliance Roadmap
Assess System Scope
Identify all electronic systems that create, modify, maintain, archive, retrieve, or transmit electronic records subject to FDA regulations. Determine which systems fall under Part 11 requirements.
Conduct Gap Analysis
Evaluate each system against Part 11 requirements. Identify gaps in validation, audit trails, access controls, electronic signatures, and documentation. Prioritize gaps based on risk.
Develop Validation Plan
Create a validation plan for each system covering validation approach, scope, test cases, acceptance criteria, and documentation requirements. Consider a risk-based validation approach.
Implement Access Controls
Establish user access controls including unique user IDs, password policies, role-based access, and periodic access reviews. Ensure access is limited to authorized individuals only.
Enable Audit Trails
Ensure systems have secure, computer-generated, time-stamped audit trails. Verify audit trails capture all required actions. Test audit trail functionality and reviewability.
Implement Electronic Signatures
Configure electronic signatures to meet Part 11 requirements including unique identification, date/time stamping, and meaning of signature. Ensure signatures are linked to records.
Establish Backup and Recovery
Implement backup and recovery procedures. Test backup and recovery processes. Document procedures and verify backup integrity. Ensure backups are stored securely.
Document System Procedures
Create standard operating procedures for system use, administration, validation, change control, and backup/recovery. Ensure procedures are current and accessible to users.
Train Users
Train users on Part 11 requirements, system use, and procedures. Document training. Ensure users understand their responsibilities for data integrity and electronic signatures.
Maintain Compliance
Establish ongoing compliance monitoring including periodic system reviews, access reviews, validation maintenance, and change control. Update documentation as systems change.
Common Challenges & Solutions
Determining which systems require Part 11 compliance
Assess whether electronic records are used in place of paper records required by FDA regulations. If yes, Part 11 applies. Consider FDA guidance on Part 11 scope and application.
Validating legacy systems
Conduct retrospective validation for legacy systems. Document existing controls and procedures. Implement missing controls where feasible. Consider a risk-based approach for legacy systems.
Managing cloud-based systems
Ensure cloud service providers understand Part 11 requirements. Establish agreements covering data integrity, access controls, audit trails, and backup/recovery. Verify provider compliance.
Legal Notice: This page provides implementation guidance and educational content only. The actual regulation text is the legally binding document. Always refer to the official regulation published in the Code of Federal Regulations (CFR) and FDA guidance documents for compliance purposes.