
Electronic records now sit at the center of how regulated organizations make and document quality decisions. When those records replace paper, the U.S. Food and Drug Administration (FDA) requires that they be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures. 21 CFR Part 11 formalizes that expectation. This regulation establishes criteria for the acceptance of electronic records and electronic signatures in FDA-regulated activities.
Part 11 matters because it ties everyday digital actions—logging data, approving steps, making changes—to data integrity and accountability. Weak controls can ripple into release decisions, recalls, or audit findings. In contrast, strong controls help ensure that users accurately capture, attribute, and retrieve actions throughout the record’s life. Moreover, FDA guidance reinforces a risk-based approach to applying Part 11. This approach emphasizes practices that protect the completeness, consistency, and accuracy of data over time.
This guide explains what Part 11 covers, how it applies, and what compliant electronic records and signatures look like in practice. It summarizes key requirements, common challenges, enabling technologies, and practical best practices, and it closes with a look at where Part 11 is headed next. The intent is educational and non-promotional, aligning with ASQ’s focus on knowledge transfer and learner value.
21 CFR Part 11 is an FDA regulation. It sets the criteria under which the agency will consider electronic records and electronic signatures to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures. In short, it defines when and how electronic documentation and signatures can stand in for their paper counterparts in FDA-regulated work.
Part 11 applies to records in electronic form. These records are created, modified, maintained, archived, retrieved, or transmitted to satisfy requirements in other FDA regulations (often called “predicate rules”). In addition, it applies to electronic signatures used in these contexts. It also applies to electronic records submitted to FDA under the Federal Food, Drug, and Cosmetic Act or the Public Health Service Act.
FDA’s guidance clarifies the rule’s scope and encourages a risk-based application. Organizations that choose to maintain or submit records electronically should implement controls proportionate to the risks those records pose to product quality and patient safety. For example, these controls include system validation, secure audit trails, authority checks, and signature controls.
The regulation’s objective is to enable appropriate use of electronic technologies while preserving record integrity and accountability. Therefore, decisions based on electronic information must be as dependable as those based on paper.
Electronic records and signatures are not just administrative conveniences. Instead, they underpin decisions that affect product quality and patient safety. 21 CFR Part 11 establishes the conditions under which the FDA accepts electronic records and signatures as trustworthy, reliable, and generally equivalent to paper and ink. This ensures that batch releases, design changes, clinical documentation, and post-market actions can be defended with confidence.
In practice, this matters because most regulated activities already operate in mixed or fully digital environments. When records required by “predicate rules” (e.g., cGMP, GCP, GLP) are created or modified electronically, Part 11 expects controls proportionate to the risk of those records. Thus, electronic evidence must be able to stand up to internal review and regulatory inspection.
Integrity lapses (e.g., incomplete audit trails, uncontrolled access) can compromise the reliability of test results or manufacturing data. Consequently, this affects release and recall decisions. FDA’s data-integrity guidance links sound controls to cGMP compliance and public health protection.
Unique user identification, secure time-stamped audit trails, and signature meaning ensure actions are attributable and reconstructable across the record’s life cycle.
Part 11 intends to enable appropriate use of electronic technologies while preserving assurance that records and signatures are authentic and unaltered.
At its core, 21 CFR Part 11 enables FDA to accept electronic records and electronic signatures when they are trustworthy, reliable, and generally equivalent to paper records and handwritten signatures. The rule has a twofold objective: preserve data integrity and accountability, while allowing appropriate use of electronic technologies in regulated work. (Source: eCFR)
The FDA’s guidance further clarifies that organizations should apply Part 11 using a risk-based approach, in proportion to the impact of the records on product quality and patient safety. If an organization chooses to create, maintain, or submit required records electronically, it must implement commensurate controls. Such controls include validation, secure audit trails, authority checks, and signature controls. (Source: U.S. Food and Drug Administration)
Practical takeaway: If you go digital for records that predicate rules require, treat the system, the procedures, and the people as a cohesive control set. This means you must validate for intended use, define roles and authority checks, enforce audit trails, and bind signatures to identity and meaning. That alignment meets the regulation’s objective: electronic evidence you—and the regulator—can trust. (Sources: eCFR; U.S. Food and Drug Administration)
The FDA embraced digital recordkeeping, and Part 11 evolved as a result. After early rulemaking, the final rule arrived on March 20, 1997 (effective August 20). This rule established electronic records/signatures as equivalent to paper/ink. The eCFR remains the operative text.
Subsequently, in 2003, the FDA’s Scope and Application guidance adopted a risk-based lens. It signaled enforcement discretion while retaining expectations for validation and audit trails. Clinical guidelines (2007, 2013) clarified reliable eSource capture and traceability. From 2018 onward, Data Integrity Q&A reinforced ALCOA/ALCOA+ and lifecycle controls. Most recently, in 2024, the FDA finalized an eClinical Q&A, consolidating expectations and superseding the 2007 guidance. This cements a data-integrity-by-design trajectory.
When it applies: If required records (per predicate rules) are kept or submitted electronically, or electronic signatures replace handwritten ones, Part 11 applies.
What’s out: Purely paper records and electronic systems not used to meet predicate-rule requirements are out of scope. The FDA applies a risk-based lens and may use enforcement discretion. Nonetheless, the agency still expects validation, audit trails, and access controls where records are regulated.
Closed vs. open systems: Closed systems rely on internal access control. However, open systems need added safeguards, for example, encryption and digital signatures.
Clinical note (2024): The FDA won’t assess Part 11 compliance of some external sources (e.g., EHRs). Yet, they still expect reliable capture, traceability, and certified copies.
At a high level, 21 CFR Part 11 sets out controls for trustworthy electronic records and electronic signatures. The regulation distinguishes closed systems (access controlled by record owners) from open systems. It also specifies additional measures for the latter. Furthermore, it prescribes what a signed record must show, how signatures must be linked to records, and the components/controls for electronic signatures.
System validation: Demonstrate accuracy, reliability, and consistent intended performance. The system must be able to detect invalid/altered records.
Accurate/complete copies: Generate human-readable and electronic copies suitable for inspection, review, and copying.
Record protection/retention: Ensure accurate, ready retrieval throughout the retention period.
Access controls: Limit system access to authorized individuals.
Audit trails: Use secure, computer-generated, time-stamped audit trails. Changes must not obscure previous entries. Retain them for at least the record’s retention period.
Operational checks: Enforce permitted sequencing of steps/events.
Authority checks: Ensure only authorized individuals can sign, alter, or perform operations.
Device checks: Verify the validity of data sources or operational instructions.
Training/qualification: Ensure personnel have the education, training, and experience for assigned tasks.
Policies for accountability: Written policies that hold individuals responsible for actions taken under their e-signatures.
Documentation controls: Control system docs and maintain change control with an audit trail of documentation changes.
Open systems: All of the above, plus measures such as encryption and appropriate digital signature standards. These measures are necessary to ensure authenticity, integrity, and (as appropriate) confidentiality from creation to receipt.
Every signed record must clearly indicate:
(1) the signer’s printed name,
(2) the date/time of signing, and
(3) the meaning of the signature (e.g., review, approval, authorship).
Crucially, these elements must appear in any human-readable form of the record.
Electronic (and handwritten) signatures executed to electronic records must be linked so that ordinary means cannot transfer or excise them to falsify the record. Therefore, the link must be indelible.
Each e-signature must be unique to one individual. Furthermore, the organization must verify identity before assignment. Firms must submit a certification to FDA that e-signatures are intended to be the legally binding equivalent of handwritten signatures.
For non-biometric e-signatures: Use at least two distinct components (e.g., ID + password). First signing in a controlled session uses all components. However, subsequent signings in the same, continuous session may use one component unique to the user. Controls must prevent use by anyone other than the genuine owner.
For biometric e-signatures: Design them so they cannot be used by anyone else.
Organizations employing ID+password signatures must implement controls for uniqueness. In addition, they must periodically check/recall/revise credentials. They need loss management procedures. Finally, they must implement transaction safeguards and initial/periodic testing of devices that bear or generate codes.
Practical implication. Effective e-signature programs combine procedures (identity proofing, certification letters, training), technology (unique IDs, strong authentication, session controls), and governance (periodic access reviews, audit-trail monitoring). Consequently, these combined efforts ensure signings are attributable, intentional, and non-repudiable across the record life cycle. FDA’s risk-based guidance reinforces applying these controls proportionate to the record’s impact on product quality and patient safety.
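The signature rules above (printed name, date/time and meaning on every signed record; a link that cannot be transferred or excised; both components on the first signing of a continuous session and one component afterwards) can be sketched as follows. This is an added example, not code from the regulation, the FDA, or any vendor; the HMAC binding, the constructed user `jdoe`, the demo key, and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

MEANINGS = {"review", "approval", "authorship"}
SERVER_KEY = b"constructed-demo-key"  # assumption: a real system keeps this in an HSM/KMS


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: user ID -> (printed name, salt, password hash)
USERS = {"jdoe": ("Jane Doe", b"salt-jdoe", pw_hash("correct horse", b"salt-jdoe"))}


def canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def mac(body: dict) -> str:
    return hmac.new(SERVER_KEY, canonical(body), hashlib.sha256).hexdigest()


class SigningSession:
    """One continuous period of controlled system access."""

    def __init__(self):
        self.user_id = None  # set once a signing with both components succeeds

    def sign(self, record: dict, meaning: str, password: str, user_id: str = None) -> dict:
        if meaning not in MEANINGS:
            raise ValueError("signature must state its meaning")
        if self.user_id is None and user_id is None:
            raise PermissionError("first signing requires ID and password")
        if self.user_id is not None and user_id not in (None, self.user_id):
            raise PermissionError("session belongs to another user")
        candidate = self.user_id or user_id
        user = USERS.get(candidate)
        if user is None or not hmac.compare_digest(user[2], pw_hash(password, user[1])):
            raise PermissionError("authentication failed")
        self.user_id = candidate
        manifest = {
            "printed_name": user[0],
            "user_id": candidate,
            "signed_at": datetime.now(timezone.utc).isoformat(),
            "meaning": meaning,
            "record_sha256": hashlib.sha256(canonical(record)).hexdigest(),
        }
        manifest["binding"] = mac(manifest)  # covers every field above
        return manifest


def verify_signature(record: dict, manifest: dict) -> bool:
    """True only if the manifestation is unaltered and belongs to this exact record."""
    body = {k: v for k, v in manifest.items() if k != "binding"}
    same_record = body.get("record_sha256") == hashlib.sha256(canonical(record)).hexdigest()
    return same_record and hmac.compare_digest(mac(body), manifest.get("binding", ""))
```

Because the binding covers the record digest together with the name, time and meaning, a manifestation copied onto another record, or one whose meaning is edited after signing, fails verification.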
When you use a closed system to create, modify, maintain, or transmit electronic records required by predicate rules, you must have procedures and technical controls that ensure authenticity, integrity, (as appropriate) confidentiality, and non-repudiation. At minimum, this includes the following: validation for intended use, the ability to generate accurate and complete copies (human-readable and electronic), protection for ready retrieval throughout retention, access controls, secure time-stamped audit trails, operational checks (enforcing step sequence), authority checks (only authorized users can sign/alter), device checks, training/qualification, accountability policies, and controlled system documentation.
Part 11 requires computer-generated, time-stamped audit trails. These trails must record the date/time of operator entries and actions creating, modifying, or deleting records. Previous entries cannot be obscured. Audit trails must also be retained at least as long as the underlying records and be available for agency review and copying.
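One way to meet these audit-trail properties, shown as an added example that is not part of the original article: an append-only trail in which every entry is time-stamped by the system, keeps the prior value, and is hash-chained to its predecessor so later alteration is detectable. Part 11 does not prescribe hash chaining; that technique, the field names, and the sample entries are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only trail: a change adds an entry and never overwrites an earlier one."""

    def __init__(self):
        self._entries = []

    def append(self, user_id, action, record_id, old_value, new_value, reason=""):
        entry = {
            "seq": len(self._entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),  # system clock, not user input
            "user_id": user_id,
            "action": action,        # create / modify / delete
            "record_id": record_id,
            "old_value": old_value,  # the prior value stays visible
            "new_value": new_value,
            "reason": reason,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = entry_digest(entry)
        self._entries.append(entry)
        return entry

    def history(self, record_id):
        """Every entry for one record, oldest first."""
        return [e for e in self._entries if e["record_id"] == record_id]

    def verify(self):
        """Return the position of the first broken entry, or None if the chain is intact."""
        prev = GENESIS
        for pos, e in enumerate(self._entries, start=1):
            if e["seq"] != pos or e["prev_hash"] != prev or e["hash"] != entry_digest(e):
                return pos
            prev = e["hash"]
        return None


def demo():
    """Constructed sample: three operator actions, then an out-of-band edit to entry 2."""
    trail = AuditTrail()
    trail.append("jdoe", "create", "LOT-001/pH", None, "7.1")
    trail.append("jdoe", "modify", "LOT-001/pH", "7.1", "7.4", "transcription error")
    trail.append("asmith", "delete", "LOT-001/pH", "7.4", None, "duplicate entry")
    intact = trail.verify()
    trail._entries[1]["new_value"] = "7.0"  # simulated tampering outside the application
    return intact, trail.verify()
```

A chain like this detects edits and removals inside the trail but not truncation of the newest entries, so the latest hash also needs to be stored somewhere the application cannot rewrite.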
Systems must be able to produce accurate and complete copies in both human-readable and electronic form. These copies must be suitable for inspection, review, and copying by FDA. Records must remain accurate and readily retrievable for the full retention period. Consequently, these capabilities are part of demonstrating fitness for intended use during validation.
FDA’s data-integrity guidance reinforces that records should remain complete, consistent, and accurate from creation through disposition. It requires changes to be traceable and reviewed for accuracy and compliance. These principles are often summarized as ALCOA/ALCOA+. Effective governance, role design, and periodic review support these outcomes.
Many firms operate mixes of old instruments, spreadsheets, and newer platforms. When required records move between paper and electronic steps, traceability can break. For example, there may be no secure audit trail for interim edits or missing metadata when transcribing. FDA’s Part 11 rule and data-integrity guidance both stress lifecycle controls that preserve attribution, time stamps, and completeness.
Common gaps include disabled audit trails, trails that don’t capture deletions/overwrites, or audit logs that aren’t periodically reviewed. Part 11 requires secure, computer-generated, time-stamped audit trails retained at least as long as the record and available for FDA review. FDA’s CGMP data-integrity Q&A links audit-trail governance directly to compliance.
Practices like shared “lab” logins or insufficient identity verification undermine attribution and non-repudiation. Therefore, guidance emphasizes unique user IDs, appropriate authentication, and controls against single-person misuse of credentials.
Systems in scope must be validated for intended use with documented evidence. Gaps appear when user requirements aren’t traced to test cases, changes aren’t re-validated, or backup/restore isn’t tested. Specifically, the FDA’s Scope & Application guidance frames a risk-based validation approach. Inspection observations and warning letters frequently cite validation/control issues.
When access isn’t fully controlled by the record owner (e.g., certain cloud or partner arrangements), additional measures are expected. These include encryption and robust e-signature controls. Roles for validation, audit-trail review, certified copies, and time-sync must be contractually clear. Significantly, recent clinical-investigation guidance expands on shared responsibilities across sponsors, sites, and service providers.
Even with capable systems, weak SOPs (e.g., no defined audit-trail review cadence) or inconsistent training create gaps between policy and practice. This is an area FDA’s data-integrity guidance repeatedly flags.
Platforms that manage regulated records (e.g., QMS/LIMS/MES/eBR, clinical EDC/eSource) need validation for intended use and documented evidence of accuracy, reliability, and consistent performance. These systems must generate accurate/complete human-readable and electronic copies and protect records for the full retention period.
Part 11 expects unique user IDs and authority checks for regulated actions. Furthermore, it requires controls to prevent credential misuse. For non-biometric e-signatures, systems use two distinct components (e.g., ID + password) and bind signatures to identity and meaning.
Systems must create secure, computer-generated, time-stamped audit trails. These must capture who did what and when, without obscuring prior entries. Retain them as long as the record. Time synchronization and periodic review are essential operational practices.
If record owners do not control access end-to-end (open systems), additional measures are expected. Specifically, these include encryption and robust digital signature standards. This assures authenticity, integrity, and, as appropriate, confidentiality from creation to receipt.
Here are some best practices that you must weave into your organization's culture to achieve and maintain compliance:
Map scope, then scale controls. Identify which electronic records fulfill predicate-rule requirements or are submitted to the FDA. Then, apply Part 11 with a risk-based approach. This means heavier controls where the impact on quality/patient safety is higher.
Validate for intended use. Trace user requirements to test cases. In addition, include data migration, backup/restore, and report generation in the protocol. Re-validate meaningful changes.
Govern identity, signatures, and authority. Enforce unique IDs, define signature meaning (review/approval/authorship), bind signatures to records, and restrict high-risk actions to authorized roles.
Operate the audit trail. Ensure trails are enabled, tamper-evident, and routinely reviewed. Also, retain them for the entire record life and make them available for inspection and copying.
Protect data integrity across the life cycle. Follow ALCOA/ALCOA+ principles. Furthermore, control original records and certified copies. Manage hybrid flows (paper ↔ electronic) so attribution and metadata are preserved.
Clarify partner/cloud roles. Document responsibilities with CROs and providers for validation, data retention, access reviews, incident response, and certified-copy production.
Modernized Expectations, Same Core Principle
FDA’s 2024 clinical guidance expands on the 2003 Part 11 guidance. It reinforces that electronic records and signatures must remain trustworthy, reliable, and generally equivalent to paper. This is true even while recognizing cloud services, digital health technologies, and broader eSource use.
Broader cloud/SaaS adoption with explicit delineation of responsibilities and controls.
Stronger identity assurance and credential governance for non-biometric signatures.
More routine audit-trail analytics and periodic assessments to surface anomalies early.
Continued risk-based validation and data-integrity focus rather than one-size-fits-all checklists.
Directionally, Part 11 practice is aligning with digital-by-default operations. However, its foundation remains constant: validated systems, accountable users, and records that stand up to review over time.
Electronic records and signatures shape decisions that affect trust, quality, and patient safety. Part 11 provides a durable framework so those electronic artifacts are as defensible as paper and ink. They must be authentic, complete, and attributable for the full record life.
To sustain compliance, take the right approach with next-generation AI-powered Intelligent EQMS like Qualityze: map scope, validate for intended use, run the audit trail, and keep roles and responsibilities clear, especially with partners and service providers. For many organizations, adopting a documented, risk-based program with validated digital systems and periodic assessments is the most reliable path to consistent practice and inspection readiness.
Author

Qualityze Editorial is the unified voice of Qualityze, sharing expert insights on quality excellence, regulatory compliance, and enterprise digitalization. Backed by deep industry expertise, our content empowers life sciences and regulated organizations to navigate complex regulations, optimize quality systems, and achieve operational excellence.