Data Integrity

FDA 21 CFR Part 11: Data Integrity Requirements Explained

6 min read By Mohammad Awawdeh

21 CFR Part 11 is the FDA regulation that defines the conditions under which the agency considers electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures.

Since its introduction in 1997, Part 11 has become one of the most inspected areas in pharmaceutical manufacturing. Despite its age, many companies still carry significant compliance gaps - particularly around audit trails and access controls - that generate warning letters and import alerts.

Scope: When Does Part 11 Apply?

Part 11 applies when both of these conditions are met:

  • Records are created, modified, maintained, archived, retrieved, or transmitted in electronic form
  • Those records are required by FDA predicate rules (21 CFR Part 211 for drugs, Part 820 for devices, etc.)

If you maintain paper records as the original and only keep electronic copies as backup, Part 11 may not apply - but your predicate rule still does. Most modern GxP systems generate electronic records as the primary record, making Part 11 applicable by default.

Electronic Records Requirements

Part 11 Subpart B defines four core requirements for electronic records:

Validation

Systems must be validated to ensure accuracy, reliability, consistent performance, and the ability to discern invalid or altered records.

Audit Trail

Computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records.

Record Retention

Records must be protected to enable their accurate and ready retrieval throughout the records retention period required by the predicate rule.

Access Controls

System access must be limited to authorised individuals, with controls to prevent use of unauthorised or falsified data.

Audit Trail - The Most Cited Requirement

Audit trail deficiencies are consistently among the top five observations in FDA drug inspections. Here is what Part 11 §11.10(e) specifically requires:

  • Audit trails must be computer-generated - not manual logs
  • They must capture the date and time of entry or action
  • They must record who performed the action
  • For changes, they must capture the old value and new value
  • Audit trails must be retained for the same period as the electronic record they protect
  • Audit trails must be available for review during inspection - and must have been reviewed by the operator organisation, not just stored

Warning letter language you want to avoid: "Your firm failed to have procedures in place to periodically review audit trails... audit trails were enabled but no evidence of review was found." This phrasing appears in dozens of FDA warning letters every year.

Electronic Signatures

Part 11 Subpart C covers electronic signatures. The key requirements:

  • Each electronic signature must be unique to one individual - no shared accounts
  • Before using electronic signatures, organisations must certify to the FDA (via letter) that they intend to use them as the equivalent of traditional handwritten signatures
  • Electronic signatures must be linked to their respective records so they cannot be excised, copied, or otherwise transferred to falsify records
  • Biometric signatures must be designed to ensure they cannot be used by anyone other than the genuine owner
  • Non-biometric signatures (the most common type: username + password) require two components: at least one component is unique to the person and at least one is only known to that person

Access Controls & System Security

Section §11.10(d) and §11.10(g) set out the access control framework:

  • Limiting system access to authorised individuals only
  • Use of operational system checks to enforce permitted sequencing of steps and events
  • Use of authority checks to ensure that only authorised individuals can use the system, electronically sign a record, access an operation, or perform a computer operation
  • Use of device (e.g., terminal) checks to determine the validity of the source of data input or operational instruction
  • Determination that persons who develop, maintain, or use electronic systems have the education, training, and experience necessary to perform their assigned tasks

Common Compliance Gaps

Based on FDA inspection findings and warning letter analysis, the most frequent Part 11 gaps are:

  1. Audit trail not enabled - or enabled only on some fields, not all GxP-relevant fields
  2. Audit trail not reviewed - stored but never examined as part of routine operations
  3. Shared or generic accounts - lab technicians sharing a login defeats the unique-ID requirement
  4. System clock not controlled - users can adjust the system clock, undermining timestamp integrity
  5. Passwords not expiring - or complexity requirements not enforced by the system
  6. No written procedures for system access management, audit trail review, or incident response
  7. Validation gaps - the system is in use but no IQ/OQ/PQ was ever performed

Quick self-check: Can you produce - right now - a printed audit trail for any GxP record from the last 12 months, with documented evidence that it was reviewed? If not, that is a gap to address before your next FDA inspection.

Free 21 CFR Part 11 Audit Trail Self-Assessment Checklist

Download our 35-point checklist to verify your electronic systems meet 21 CFR Part 11 audit trail requirements - audit trail configuration, review procedures, retention, and access controls.

Get Free Checklist →
FDA 21 CFR Part 11 Data Integrity Audit Trail Electronic Signatures Access Controls CSV

Not Sure Where Your Part 11 Gaps Are?

PHARPRO's data integrity audit identifies every gap and delivers a prioritised remediation plan - in writing.

Request a Free Assessment View QA Services
PHARPRO - Expert Pharma Consulting

PHARPRO specialises in FDA 21 CFR Part 11 compliance - from audit trail implementation to full computerised system validation projects.

FDA 21 CFR Part 11 CSV Consulting → Free Assessment
Related Insights

Keep reading

More in-depth guides from the PHARPRO compliance team.

21 CFR Part 11 Audit Trail: What Your System Must Capture
Which events must be logged, how to configure compliant audit trails, and the most common gaps.
EU GMP Annex 11: A Practical Compliance Checklist
Supplier assessment, validation documentation, audit trails, and data integrity - 2025 edition.
CSV for SaaS and Cloud Applications in Pharma
Validation approach, vendor qualification, and documentation strategy for cloud-hosted GxP systems.
Data Integrity in Pharma: ALCOA+ Requirements
ALCOA+ principles, FDA and EU GMP expectations, audit trail controls, and the most common gaps.
Pharmaceutical Validation Software: Buyer's Guide 2026
How DVS and competing platforms compare - what to look for before you buy.