21 CFR Part 11 is the FDA regulation that defines the conditions under which the agency considers electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures.
Since its introduction in 1997, Part 11 has become one of the most inspected areas in pharmaceutical manufacturing. Despite its age, many companies still carry significant compliance gaps - particularly around audit trails and access controls - that generate warning letters and import alerts.
Scope: When Does Part 11 Apply?
Part 11 applies when both of these conditions are met:
- Records are created, modified, maintained, archived, retrieved, or transmitted in electronic form
- Those records are required by FDA predicate rules (21 CFR Part 211 for drugs, Part 820 for devices, etc.)
If you maintain paper records as the original and only keep electronic copies as backup, Part 11 may not apply - but your predicate rule still does. Most modern GxP systems generate electronic records as the primary record, making Part 11 applicable by default.
Electronic Records Requirements
Part 11 Subpart B defines four core requirements for electronic records:
Systems must be validated to ensure accuracy, reliability, consistent performance, and the ability to discern invalid or altered records.
Computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records.
Records must be protected to enable their accurate and ready retrieval throughout the records retention period required by the predicate rule.
System access must be limited to authorised individuals, with controls to prevent use of unauthorised or falsified data.
Audit Trail - The Most Cited Requirement
Audit trail deficiencies are consistently among the top five observations in FDA drug inspections. Here is what Part 11 §11.10(e) specifically requires:
- Audit trails must be computer-generated - not manual logs
- They must capture the date and time of entry or action
- They must record who performed the action
- For changes, they must capture the old value and new value
- Audit trails must be retained for the same period as the electronic record they protect
- Audit trails must be available for review during inspection - and must have been reviewed by the operator organisation, not just stored
Warning letter language you want to avoid: "Your firm failed to have procedures in place to periodically review audit trails... audit trails were enabled but no evidence of review was found." This phrasing appears in dozens of FDA warning letters every year.
Electronic Signatures
Part 11 Subpart C covers electronic signatures. The key requirements:
- Each electronic signature must be unique to one individual - no shared accounts
- Before using electronic signatures, organisations must certify to the FDA (via letter) that they intend to use them as the equivalent of traditional handwritten signatures
- Electronic signatures must be linked to their respective records so they cannot be excised, copied, or otherwise transferred to falsify records
- Biometric signatures must be designed to ensure they cannot be used by anyone other than the genuine owner
- Non-biometric signatures (the most common type: username + password) require two components: at least one component is unique to the person and at least one is only known to that person
Access Controls & System Security
Section §11.10(d) and §11.10(g) set out the access control framework:
- Limiting system access to authorised individuals only
- Use of operational system checks to enforce permitted sequencing of steps and events
- Use of authority checks to ensure that only authorised individuals can use the system, electronically sign a record, access an operation, or perform a computer operation
- Use of device (e.g., terminal) checks to determine the validity of the source of data input or operational instruction
- Determination that persons who develop, maintain, or use electronic systems have the education, training, and experience necessary to perform their assigned tasks
Common Compliance Gaps
Based on FDA inspection findings and warning letter analysis, the most frequent Part 11 gaps are:
- Audit trail not enabled - or enabled only on some fields, not all GxP-relevant fields
- Audit trail not reviewed - stored but never examined as part of routine operations
- Shared or generic accounts - lab technicians sharing a login defeats the unique-ID requirement
- System clock not controlled - users can adjust the system clock, undermining timestamp integrity
- Passwords not expiring - or complexity requirements not enforced by the system
- No written procedures for system access management, audit trail review, or incident response
- Validation gaps - the system is in use but no IQ/OQ/PQ was ever performed
Quick self-check: Can you produce - right now - a printed audit trail for any GxP record from the last 12 months, with documented evidence that it was reviewed? If not, that is a gap to address before your next FDA inspection.
Free 21 CFR Part 11 Audit Trail Self-Assessment Checklist
Download our 35-point checklist to verify your electronic systems meet 21 CFR Part 11 audit trail requirements - audit trail configuration, review procedures, retention, and access controls.
Get Free Checklist →