21 CFR Part 11 Full Text

Introduction: Understanding 21 CFR Part 11

Title 21 CFR Part 11 is one of the most critical regulations affecting life sciences organizations operating under FDA oversight. This regulation, formally titled “Electronic Records; Electronic Signatures,” establishes the criteria under which the FDA considers electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures. Questions on 21 CFR Part 11 for LMS or eQMS?

Since its implementation in 1997, 21 CFR Part 11 has fundamentally transformed how pharmaceutical companies, medical device manufacturers, biotechnology firms, clinical research organizations, and other FDA-regulated entities manage their digital documentation and validation processes. The regulation impacts every computerized system that creates, modifies, maintains, archives, retrieves, or transmits electronic records required by FDA regulations. Here’s the full text of 21 CFR Part 11.

This comprehensive guide examines the full scope of 21 CFR Part 11, from understanding the complete regulatory text to implementing compliant systems across your organization. Whether you’re establishing initial compliance, validating new systems, or optimizing existing processes, this resource provides the authoritative framework for 21 CFR Part 11 compliance.

Part 1: What is 21 CFR Part 11?

Regulatory Foundation

21 CFR Part 11 was enacted by the Food and Drug Administration on March 20, 1997, to provide criteria for acceptance of electronic records and electronic signatures. The regulation emerged from the need to modernize FDA’s approach to documentation as the life sciences industry increasingly adopted computerized systems.

Scope and Applicability

Who Must Comply

21 CFR Part 11 applies to:

• Pharmaceutical manufacturers
• Biotechnology companies
• Medical device manufacturers
• Contract research organizations (CROs)
• Contract manufacturing organizations (CMOs)
• Clinical trial sites
• Laboratories conducting FDA-regulated testing
• Blood establishments
• Food manufacturers (in certain circumstances)

When Part 11 Applies

According to FDA guidance, Part 11 applies to:

1. Electronic Records That Replace Paper: Records required by predicate rules that are maintained in electronic format instead of paper
2. Electronic Records Used for Regulated Activities: Records maintained in electronic format that are relied upon to perform regulated activities, even if paper copies exist
3. Electronic Signatures: Electronic signatures intended to be equivalent to handwritten signatures required by predicate rules
4. Records Submitted to FDA: Electronic records submitted to FDA under predicate rules in formats the agency accepts electronically

Predicate Rules

Predicate rules are the underlying FDA regulations that require records to be maintained or submitted. Examples include:

• 21 CFR Part 211 (cGMP for finished pharmaceuticals)
• 21 CFR Part 820 (Quality Management System Regulation (QMSR) for medical devices)
• 21 CFR Part 58 (Good Laboratory Practice)
• 21 CFR Part 312 (Investigational New Drug Application)
• 21 CFR Part 812 (Investigational Device Exemptions)

Part 2: The Full Text – Key Requirements

Subpart A – General Provisions

• 11.1 Scope

Establishes that Part 11 applies to electronic records and signatures under any FDA regulation unless specifically excepted.

• 11.2 Implementation

Defines when electronic records and signatures may be used in place of paper records and handwritten signatures.

• 11.3 Definitions

Key definitions include:

• Electronic Record: Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form
• Electronic Signature: Computer data compilation of any symbol executed, adopted, or authorized by an individual as legally binding
• Handwritten Signature: Scripted name or legal mark executed by hand
• Digital Signature: Electronic signature based on cryptographic methods
• Closed System: Environment where system access is controlled by persons responsible for content
• Open System: Environment where system access is not controlled by persons responsible for content

Subpart B – Electronic Records

• 11.10 Controls for Closed Systems

Required Controls:

1. Validation of Systems
   • Ensure accuracy, reliability, consistent intended performance
   • Ability to discern invalid or altered records
   • Documentation of validation activities
2. Accurate and Complete Copies
   • Ability to generate accurate copies in both human readable and electronic form
   • Suitable for inspection, review, and copying by FDA
3. Protection of Records
   • Ensure records are readily retrievable throughout retention period
   • Protection against unauthorized modification or deletion
4. Audit Trails
   • Computer-generated, time-stamped audit trails
   • Document record creation, modification, and deletion
   • Record changes must not obscure previously recorded information
   • Available for agency review and copying
5. System Security
   • Operational checks enforcing permitted sequencing
   • Authority checks ensuring only authorized individuals can use system
   • Device checks to determine validity of data input source
6. Electronic Signatures
   • Signed electronic records must contain:
     • Printed name of signer
     • Date and time of signature
     • Meaning of signature (review, approval, responsibility, authorship)
7. Documentation Controls
   • Controls for distribution, access, and use of system documentation
   • Revision and change control procedures
   • Maintain audit trail for system documentation

• 11.30 Controls for Open Systems

Open systems require all closed system controls plus:

• Document encryption
• Digital signature standards
• Additional measures to ensure authenticity, integrity, and confidentiality

• 11.50 Signature Manifestations

Electronic signatures must display:

• Printed name of signer
• Date and time of execution
• Meaning associated with signature
• Same information must be included in any human readable form

• 11.70 Signature/Record Linking

Electronic signatures must be linked to their respective records to ensure signatures cannot be excised, copied, or transferred for falsification.

Subpart C – Electronic Signatures

• 11.100 General Requirements

1. Uniqueness
   • Each signature must be unique to one individual
   • Cannot be reused or reassigned
2. Verification
   • Identity of individual must be verified before issuing electronic signature
3. Certification
   • Organizations must certify to FDA that electronic signatures are legally binding equivalent to handwritten signatures

• 11.200 Electronic Signature Components

Non-Biometric Signatures:

• At least two distinct identification components (e.g., user ID and password)
• When used during single continuous session, first signing requires all components
• Subsequent signings require at least one component
• When not continuous, each signing requires all components

Controls Required:

• Maintain uniqueness of each combined identification
• Ensure identification is only used by genuine owner
• Administer and execute to ensure attempted use by anyone other than genuine owner requires collaboration of two or more individuals

• 11.300 Controls for Identification

Password Controls:

• Maintain uniqueness
• Periodic revision
• Loss management procedures
• Transaction safeguards
• Initial and periodic testing of devices
• Protection against unauthorized use

Part 3: FDA Guidance and Interpretation

2003 Guidance – Scope and Application

Following industry feedback, FDA issued guidance in 2003 clarifying Part 11 enforcement:

Narrow Interpretation of Scope

FDA indicated it would interpret Part 11 narrowly and focus on:

• Records required to be maintained under predicate rules
• Records maintained in electronic format replacing paper
• Records submitted to FDA in electronic format

Risk-Based Approach

FDA adopted a risk-based approach to enforcement prioritizing:

• Impact on product quality and safety
• Record integrity
• Potential for record falsification
• FDA’s ability to protect public health

Enforcement Discretion

FDA exercises enforcement discretion for:

• Validation requirements (focusing on critical systems)
• Audit trail requirements (for systems posing lower risk)
• Legacy systems (predating August 20, 1997)
• Copies of records (focusing on ability to produce when needed)
• Record retention procedures (when predicate rules specify requirements)

Part 4: Implementation Requirements

System Validation

Validation Approach

IQ – Installation Qualification:

• Verify correct installation
• Document system components
• Confirm environmental conditions
• Check network connections

OQ – Operational Qualification:

• Test system functionality
• Verify security features
• Test audit trail generation
• Confirm backup/recovery procedures

PQ – Performance Qualification:

• Test under actual operating conditions
• Verify user workflows
• Confirm data integrity
• Test reporting capabilities

Standard Operating Procedures (SOPs)

Essential SOPs for Part 11 Compliance

1. System Administration
   • User account management
   • Access control procedures
   • Password policies
   • Security incident response
2. Data Management
   • Backup and recovery
   • Data retention and archival
   • Record change control
   • Audit trail review
3. Validation and Change Control
   • System validation procedures
   • Change management process
   • Periodic review requirements
   • Revalidation triggers
4. Training and Documentation
   • User training requirements
   • Documentation standards
   • Record keeping procedures
   • Competency assessment

Part 5: Technical Controls and Security

Access Control Requirements

User Authentication

Multi-Factor Approaches:

• Something you know (password)
• Something you have (token, card)
• Something you are (biometric)

Password Requirements:

• Minimum complexity standards
• Regular expiration (60-90 days typical)
• History prevention (cannot reuse recent passwords)
• Account lockout after failed attempts
• Encrypted storage

Audit Trail Implementation

Audit Trail Components

Required Information:

• Who: User identification
• What: Action performed
• When: Date and timestamp
• Why: Reason for change (if applicable)
• Original value (for modifications)
• New value (for modifications)

Technical Considerations:

• Secure, computer-generated entries
• Time synchronization across systems
• Tamper-proof storage
• Regular backup procedures
• Retention for record lifetime

Data Integrity Controls

ALCOA+ Principles

Attributable: Data linked to person who generated it
Legible: Data readable and permanent
Contemporaneous: Recorded at time of activity
Original: First capture or certified copy
Accurate: Error-free and complete
Complete: All data included, including repeat analyses
Consistent: Good documentation practices applied
Enduring: Available throughout retention period
Available: Accessible for review and audit

Part 6: System-Specific Applications

Laboratory Information Management Systems (LIMS)

Part 11 Requirements for LIMS

Electronic Records:

• Sample data and test results
• Instrument integration records
• Calculation and method validation
• Review and approval workflows
• Chain of custody documentation

Critical Controls:

• Instrument data capture
• Result calculation audit trails
• Electronic review workflows
• Report generation controls
• Archive and retrieval procedures

Enterprise Resource Planning (ERP) Systems

GxP-Relevant ERP Modules

Inventory Management:

• Material receipt and testing
• Quarantine and release decisions
• Expiration dating
• Distribution records

Production Planning:

• Batch records
• Manufacturing instructions
• In-process testing
• Deviation management

Learning Management Systems (LMS)

Training Record Compliance

Part 11 Application to LMS:

• Training completion records
• Assessment results
• Qualification documentation
• Training effectiveness evaluations
• Curriculum version control

FDA Inspection Focus:

• Evidence of completed training
• Training effectiveness metrics
• Qualification status tracking
• Change control for training materials

Quality Management Systems (QMS)

Document Control Under Part 11

Electronic Document Management:

• SOP version control
• Review and approval workflows
• Distribution controls
• Obsolete document handling
• Effective date management

Part 7: Validation Best Practices

Risk-Based Validation Approach

GAMP 5 Categories

Category 1: Infrastructure software (operating systems)
Category 3: Non-configured products (off-the-shelf)
Category 4: Configured products (LIMS, ERP)
Category 5: Custom applications

Validation Effort Scaling

Higher risk systems require:

• More extensive testing
• Detailed requirements documentation
• Comprehensive change control
• Frequent periodic reviews
• Enhanced security measures

Validation Documentation

Core Validation Documents

1. Validation Plan
   • Scope and objectives
   • Roles and responsibilities
   • Risk assessment
   • Testing approach
   • Acceptance criteria
2. User Requirements Specification (URS)
   • Business requirements
   • Regulatory requirements
   • Technical requirements
   • Security requirements
   • Data integrity requirements
3. Functional Specifications
   • System functionality
   • User interface design
   • Integration points
   • Report specifications
   • Security features
4. Test Protocols and Reports
   • Test scripts
   • Expected results
   • Actual results
   • Deviation handling
   • Final approval

Maintaining Validated State

Ongoing Compliance Activities

Periodic Reviews:

• Annual validation status assessment
• User access reviews
• Audit trail reviews
• Backup verification
• Security assessment

Change Management:

• Impact assessment procedures
• Validation impact determination
• Testing requirements
• Documentation updates
• Revalidation triggers

Part 8: Common Compliance Challenges

Typical Inspection Findings

Top Part 11 Observations

1. Inadequate Access Controls
   • Shared passwords
   • Generic user accounts
   • Excessive privileges
   • Poor password management
2. Audit Trail Deficiencies
   • Disabled audit trails
   • Incomplete change documentation
   • No audit trail review
   • Gaps in audit trail data
3. Validation Gaps
   • Missing validation documentation
   • Inadequate testing
   • No periodic reviews
   • Poor change control
4. Data Integrity Issues
   • Data deletion capabilities
   • Ability to bypass controls
   • Incomplete records
   • Time/date manipulation

Remediation Strategies

Corrective Action Approach

1. Assessment Phase
   • Gap analysis
   • Risk assessment
   • Priority ranking
   • Resource planning
2. Remediation Phase
   • System upgrades
   • Procedure development
   • User training
   • Validation activities
3. Verification Phase
   • Effectiveness checks
   • Internal audits
   • Management review
   • Continuous monitoring

Part 9: Industry-Specific Considerations

Pharmaceutical Manufacturing

Critical Systems

Manufacturing Execution Systems (MES):

• Electronic batch records
• Equipment integration
• Material tracking
• Environmental monitoring
• Deviation management

Key Compliance Points:

• Real-time data capture
• Electronic batch release
• Investigation documentation
• Change control integration

Medical Device Manufacturing

Design History File (DHF)

Part 11 Considerations:

• Design control documentation
• Design review records
• Verification and validation
• Design transfer records
• Design change control

Clinical Trials

Electronic Data Capture (EDC)

21 CFR Part 11 Requirements:

• Subject data integrity
• Protocol compliance
• Investigator signatures
• Monitor review trails
• Query resolution

FDA Inspection Focus:

• Source data verification
• Audit trail completeness
• User access appropriateness
• System validation status

Biotechnology

Cell Banking and Storage

Electronic Records:

• Cell line history
• Storage conditions
• Testing results
• Distribution records
• Stability data

Part 10: Future Considerations

Evolving Technology Landscape

Cloud Computing

Part 11 in the Cloud:

• Vendor qualification requirements
• Data location and sovereignty
• Access control complexity
• Audit trail aggregation
• Backup and recovery responsibilities

Best Practices:

• Detailed service agreements
• Regular vendor audits
• Data encryption requirements
• Compliance certifications
• Exit strategies

Artificial Intelligence and Machine Learning

Validation Challenges:

• Algorithm transparency
• Continuous learning systems
• Decision documentation
• Model version control
• Performance monitoring

Regulatory Harmonization

Global Compliance Considerations

EU Annex 11:

• Similar to Part 11
• Risk-based approach
• Supplier management focus
• Business continuity emphasis

Other Regulatory Frameworks:

• Japan MHLW requirements
• China NMPA guidelines
• ICH Q7 for APIs
• WHO guidelines

Conclusion: Achieving and Maintaining Compliance

Key Success Factors

Successful 21 CFR Part 11 compliance requires:

1. Leadership Commitment: Executive support and resource allocation
2. Risk-Based Approach: Focus on critical systems and high-risk areas
3. Comprehensive Procedures: Well-documented SOPs and work instructions
4. Robust Validation: Thorough testing and documentation
5. Continuous Training: Ongoing user education and awareness
6. Regular Assessment: Periodic reviews and internal audits
7. Change Management: Controlled system modifications
8. Vendor Partnership: Qualified suppliers and service providers

The Compliance Journey

21 CFR Part 11 compliance is not a destination but an ongoing journey. As technology evolves and regulatory expectations mature, organizations must continuously adapt their approaches while maintaining the fundamental principles of data integrity, security, and traceability.

The investment in Part 11 compliance extends beyond regulatory requirements—it establishes a foundation for operational excellence, quality assurance, and ultimately, patient safety. Organizations that embrace comprehensive Part 11 compliance position themselves for success in an increasingly digital and regulated environment.

How eLeaP Ensures 21 CFR Part 11 Compliance

Built-In Compliance Features

eLeaP’s LMS is designed from the ground up with 21 CFR Part 11 requirements:

Electronic Records Management:

• Complete audit trails for all activities
• Version control for all content
• Secure data storage and backup
• Comprehensive reporting capabilities

Electronic Signatures:

• Unique user authentication
• E-signature capabilities
• Time/date stamps
• Signature meaning documentation

Validation Support:

• IQ/OQ/PQ documentation
• Validation templates
• Change control procedures
• Periodic review tools

Get Started with Compliant Training:

• Free Trial: Test our Part 11 compliant features
• Validation Package: Complete IQ/OQ/PQ documentation
• Expert Support: FDA compliance specialists available

Contact Information:

• Phone: (877) 624-7226
• Email: help@eleapsoftware.com
• Website: eleapsoftware.com
• Schedule Demo: Learn More