What is FDA 21 CFR Part 11?
Plain-English guide to FDA 21 CFR Part 11 electronic records requirements. Learn what life sciences companies need for IT compliance.
If you’re in life sciences - biotech, pharma, medical devices, CROs - you’ve heard of “Part 11.” Let’s demystify what it actually requires.
What Is FDA 21 CFR Part 11?
21 CFR Part 11 is the FDA regulation that defines criteria for electronic records and electronic signatures to be considered trustworthy and equivalent to paper records and handwritten signatures.
Translation: When you use computers instead of paper for regulated activities, Part 11 tells you how to do it properly.
Effective since: 1997 (supplemented by FDA guidance documents in the years since)
Who Needs to Comply?
Part 11 applies to electronic records that are:
- Created, modified, maintained, archived, retrieved, or transmitted under FDA regulations, AND
- Required to be maintained or submitted to FDA
Industries Affected
- Pharmaceutical companies - Drug development, manufacturing, clinical trials
- Biotechnology companies - Research, development, production
- Medical device manufacturers - Design, production, quality
- Contract Research Organizations (CROs) - Clinical trial management
- Contract Manufacturing Organizations (CMOs) - Production for regulated companies
- Laboratories - Testing and analysis under GxP
Systems Typically In Scope
- Laboratory Information Management Systems (LIMS)
- Electronic Lab Notebooks (ELN)
- Manufacturing Execution Systems (MES)
- Quality Management Systems (QMS)
- Document Management Systems (DMS)
- Clinical Trial Management Systems (CTMS)
- Enterprise Resource Planning (ERP) systems with regulated data
- Chromatography Data Systems (CDS)
- Any system storing GxP data
The Core Requirements
Part 11 has two main sections: Electronic Records and Electronic Signatures.
Electronic Records Requirements
Validation (§11.10(a)) Systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
What this means:
- Documented validation protocols
- Installation Qualification (IQ)
- Operational Qualification (OQ)
- Performance Qualification (PQ)
- Ongoing validation maintenance
Generating Accurate Copies (§11.10(b)) Ability to generate accurate and complete copies of records in human-readable and electronic form.
What this means:
- Export functionality
- Print capability
- Data integrity in copies
- Retention of format and meaning
Record Protection (§11.10(c)) Protection of records throughout retention period.
What this means:
- Backup and recovery
- Media integrity
- Protection from alteration
- Disaster recovery
Limiting System Access (§11.10(d)) Limiting system access to authorized individuals.
What this means:
- User access controls
- Role-based permissions
- Authentication mechanisms
- Account management procedures
Audit Trails (§11.10(e)) Secure, computer-generated, time-stamped audit trails.
What this means:
- Automatic recording of who did what and when
- No ability to modify audit trails
- Independent time stamping
- Retention of audit trail data
Operational Checks (§11.10(f)) Use of operational system checks to enforce permitted sequencing of events.
What this means:
- Workflow enforcement
- Data entry validation
- Process sequencing controls
Authority Checks (§11.10(g)) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign records, etc.
What this means:
- Role-based access
- Function-level permissions
- Signature authority verification
Device Checks (§11.10(h)) Use of device checks to determine validity of source of data input.
What this means:
- Input device identification
- Data source verification
- Interface validation
Training (§11.10(i)) Determination that persons who develop, maintain, or use systems have the education, training, and experience to perform their tasks.
What this means:
- Documented training programs
- Training records
- Competency verification
Policies (§11.10(j)) Establishment of written policies that hold individuals accountable for actions initiated under their electronic signatures.
What this means:
- SOP for electronic records/signatures
- Accountability documentation
- Policy acknowledgment
Documentation Controls (§11.10(k)) Adequate controls over system documentation.
What this means:
- Controlled document management
- Version control
- Change control procedures
Electronic Signature Requirements
Uniqueness (§11.100) Each electronic signature must be unique to one individual and not reused by anyone else.
Identity Verification (§11.100) Before establishing electronic signatures, verify the identity of the individual.
Signature Manifestation (§11.50) Electronic signatures must include:
- Printed name of signer
- Date and time of signing
- Meaning of signature (e.g., review, approval, responsibility)
Signature/Record Linking (§11.70) Electronic signatures must be linked to their respective electronic records to ensure that signatures cannot be copied or transferred.
The IT Requirements
Here’s what Part 11 means for your IT infrastructure:
User Management
- Individual accounts - No shared logins, ever
- Strong authentication - Complex passwords, MFA where appropriate
- Access control - Least privilege, role-based
- Account lifecycle - Provisioning, changes, termination procedures
- Documentation - Who has access to what and why
Audit Trails
- Immutable logging - Cannot be modified or deleted
- Comprehensive capture - All create, modify, delete actions
- Timestamps - Accurate, tamper-proof time stamps
- User identification - Who performed each action
- Reason for change - Often required for GxP changes
- Retention - Kept for life of the record plus retention period
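The audit trail properties listed above and the electronic signature requirements (§11.50 manifestation, §11.70 signature/record linking) can both be illustrated with one small mechanism: a hash-chained, append-only log plus a signature manifestation bound to the record's content hash. This is an added example, not code from the original page or from any vendor product; the key, the record format and the user names are constructed for illustration, and the HMAC stands in for whatever key-backed signing a real validated system would use.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

SIGNING_KEY = b"constructed-demo-key"  # constructed for the example; real systems use a KMS/HSM


def canonical(obj) -> bytes:
    # Stable JSON encoding so identical content always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()


class AuditTrail:
    """Append-only, hash-chained log of who did what, when and why (§11.10(e))."""
    def __init__(self):
        self.entries = []

    def append(self, user, action, record_id, reason, timestamp=None):
        entry = {"seq": len(self.entries) + 1, "user": user, "action": action,
                 "record_id": record_id, "reason": reason,
                 "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
                 "prev_hash": self.entries[-1]["hash"] if self.entries else "0" * 64}
        entry["hash"] = digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; an edited, deleted or reordered entry breaks it."""
        prev_hash = "0" * 64
        for i, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or body["prev_hash"] != prev_hash or digest(body) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


def sign_record(record, signer_name, meaning, timestamp=None):
    """Signature manifestation (§11.50) bound to the record's content hash (§11.70)."""
    sig = {"signer": signer_name, "meaning": meaning, "record_hash": digest(record),
           "timestamp": timestamp or datetime.now(timezone.utc).isoformat()}
    sig["mac"] = hmac.new(SIGNING_KEY, canonical(sig), "sha256").hexdigest()
    return sig


def verify_signature(record, sig) -> bool:
    """False if the record changed after signing or the signature was moved to another record."""
    body = {k: v for k, v in sig.items() if k != "mac"}
    mac = hmac.new(SIGNING_KEY, canonical(body), "sha256").hexdigest()
    return hmac.compare_digest(mac, sig["mac"]) and body["record_hash"] == digest(record)
```

In a production system the chain head and the signing key would live outside the application's own write path (a separate log store or signing service), so that an administrator of the application cannot rewrite history; the in-memory list here only shows the verification logic.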
Backup and Recovery
- Regular backups - Frequency based on criticality
- Tested recovery - Documented restore tests
- Offsite storage - Protection from site disasters
- Media integrity - Validation of backup media
- Retention - Backups for regulatory retention periods
System Security
- Physical security - Controlled access to infrastructure
- Network security - Segmentation, firewalls, monitoring
- Endpoint security - Antivirus, EDR, patch management
- Encryption - Data at rest and in transit
- Intrusion detection - Monitoring for unauthorized access
Infrastructure Validation
- Qualified infrastructure - Servers, networks, storage validated
- Change control - All changes documented and tested
- Periodic review - Regular validation status checks
- Environmental controls - Temperature, humidity, power for servers
Common Part 11 IT Gaps
When we assess life sciences companies, we typically find:
1. Shared Accounts
“Everyone uses the admin account” - This destroys audit trail integrity.
Fix: Individual accounts for every user, no exceptions.
2. Missing or Inadequate Audit Trails
Systems don’t log enough, or logs can be modified.
Fix: Validate audit trail functionality, protect log integrity.
3. No Backup Validation
Backups exist but have never been tested.
Fix: Documented restore tests, at least quarterly.
4. Inadequate Access Controls
Everyone has admin rights, or access isn’t reviewed.
Fix: Role-based access with documented periodic reviews.
5. Uncontrolled Infrastructure Changes
Server patches applied without change control.
Fix: Change control procedures for all infrastructure.
6. Missing Training Documentation
IT staff trained but no records.
Fix: Document all training with competency verification.
FDA’s Modern Approach
The FDA has evolved its Part 11 enforcement through guidance documents:
2003 Guidance clarified:
- Focus on predicate rule requirements
- Risk-based approach
- Not all systems equally critical
Current Expectations:
- Validated systems, but risk-appropriate validation
- Focus on data integrity
- Emphasis on controls, not just documentation
- Electronic records should be as trustworthy as paper
Data Integrity Focus: FDA has increasingly emphasized ALCOA+ principles:
- Attributable
- Legible
- Contemporaneous
- Original
- Accurate
- Plus: Complete, Consistent, Enduring, Available
Getting Started with Part 11 Compliance
Step 1: System Inventory
Document all systems that create, process, or store regulated data.
Step 2: Risk Assessment
Classify systems by GxP impact and criticality.
Step 3: Gap Analysis
Assess current state against Part 11 requirements.
Step 4: Remediation Planning
Prioritize gaps based on risk.
Step 5: Validation
Validate systems per established protocols.
Step 6: Procedures
Establish SOPs for ongoing compliance.
Step 7: Training
Train all personnel on requirements and procedures.
Step 8: Ongoing Compliance
Periodic reviews, change control, continuous monitoring.
Your IT Provider and Part 11
If you’re a life sciences company, your IT provider needs to understand Part 11:
Questions to Ask
- Do you have experience with FDA-regulated clients?
- Can you support validated infrastructure?
- How do you handle change control for our systems?
- What documentation do you provide for your activities?
- Can you support audit requirements?
- Do your staff have GxP training?
What to Look For
- Experience with life sciences clients
- Understanding of validation requirements
- Robust change control procedures
- Comprehensive documentation
- Training on GxP concepts
- References from similar companies
The Bottom Line
FDA 21 CFR Part 11 isn’t optional for life sciences companies using electronic records for regulated activities. It requires:
- Validated systems
- Controlled access
- Complete audit trails
- Protected records
- Qualified personnel
The good news: With proper planning and the right IT partner, Part 11 compliance is achievable and manageable.
centrexIT has been a Biocom California Endorsed Partner since 2002, supporting life sciences companies with FDA-compliant IT. Contact us to discuss your Part 11 requirements.