Guide to 21 CFR Part 11: Electronic Records & Signatures

Qualityze
01 Sep 2025
Electronic Records & Signatures Per 21 CFR Part 11: A Complete Guide

Electronic records now sit at the center of how regulated organizations make and document quality decisions. When those records replace paper, the U.S. Food and Drug Administration (FDA) requires that they be as trustworthy, reliable, and generally equivalent to paper records and handwritten signatures. That expectation is formalized in 21 CFR Part 11, which establishes criteria for the acceptance of electronic records and electronic signatures in FDA-regulated activities.  

Part 11 matters because it ties everyday digital actions—logging data, approving steps, making changes—to data integrity and accountability. Weak controls can ripple into release decisions, recalls, or audit findings; strong controls help ensure that what was done is accurately captured, attributable, and retrievable throughout the record’s life. FDA guidance reinforces a risk-based approach to applying Part 11 and emphasizes practices that protect the completeness, consistency, and accuracy of data over time.  

This guide explains what Part 11 covers, how it applies, and what compliant electronic records and signatures look like in practice. It summarizes key requirements, common challenges, enabling technologies, and practical best practices—then closes with a look at where Part 11 is headed next. The intent is educational and non-promotional, aligning with ASQ’s focus on knowledge transfer and learner value.  

What is 21 CFR Part 11?

21 CFR Part 11 is an FDA regulation that sets the criteria under which the agency will consider electronic records and electronic signatures to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures. In short, it defines when and how electronic documentation and signatures can stand in for their paper counterparts in FDA-regulated work.  

Where it applies. Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted to satisfy requirements in other FDA regulations (often called “predicate rules”). It also applies to electronic signatures used in these contexts and to electronic records submitted to FDA under the Federal Food, Drug, and Cosmetic Act or the Public Health Service Act.  

How FDA interprets it. FDA’s guidance clarifies the rule’s scope and encourages a risk-based application. Organizations that choose to maintain or submit records electronically should implement controls—such as system validation, secure audit trails, authority checks, and signature controls—proportionate to the risks those records pose to product quality and patient safety.  

Why it exists. The regulation’s objective is to enable appropriate use of electronic technologies while preserving record integrity and accountability—so that decisions based on electronic information are as dependable as those based on paper.  

Why it matters in regulated industries (pharma, biotech, medical devices, etc.) 

Electronic records and signatures are not just administrative conveniences; they underpin decisions that affect product quality and patient safety. 21 CFR Part 11 establishes the conditions under which FDA accepts electronic records and signatures as trustworthy, reliable, and generally equivalent to paper and ink—so batch releases, design changes, clinical documentation, and post-market actions can be defended with confidence.  

In practice, this matters because most regulated activities already operate in mixed or fully digital environments. When records that are required by “predicate rules” (e.g., cGMP, GCP, GLP) are created, modified, maintained, or submitted electronically, Part 11 expects controls proportionate to the risk of those records—so electronic evidence can stand up to internal review and regulatory inspection.  

What’s at stake 

  • Data integrity → product decisions. Integrity lapses (e.g., incomplete audit trails, uncontrolled access) can compromise the reliability of test results or manufacturing data, affecting release and recall decisions. FDA’s data-integrity guidance links sound controls to cGMP compliance and public health protection.  
  • Accountability and traceability. Unique user identification, secure time-stamped audit trails, and signature meaning ensure actions are attributable and reconstructable across the record’s life cycle.  
  • Operational efficiency—without trading off control. Part 11 is intended to enable appropriate use of electronic technologies while preserving assurance that records and signatures are authentic and unaltered.  

FDA’s objective behind the regulation

At its core, 21 CFR Part 11 enables FDA to accept electronic records and electronic signatures when they are as trustworthy, reliable, and generally equivalent to paper records and handwritten signatures. The rule’s objective is twofold: preserve data integrity and accountability, while allowing appropriate use of electronic technologies in regulated work.

FDA’s guidance further clarifies that Part 11 should be applied risk-based and in proportion to the impact of the records on product quality and patient safety. If an organization chooses to create, maintain, or submit required records electronically, it must implement controls such as validation, secure audit trails, authority checks, and signature controls commensurate with the risks associated with those records. 

What FDA aims to ensure 

  • Equivalence and integrity: Electronic records/signatures can substitute for paper/ink without loss of authenticity, integrity, or readability over the record life cycle. 
  • Accountability: Actions are attributable to specific individuals via unique identification, appropriate authentication, and time-stamped audit trails that capture who did what, when, and why. 
  • Appropriate use of technology: The regulation is intended to enable digital processes, not to discourage them—provided controls are in place and documented. 

What FDA is not doing 

  • Mandating that all records be electronic; organizations may still use paper. Part 11 applies when firms elect to manage required records electronically or submit them electronically to FDA.
  • Replacing predicate rules (e.g., GMP/GLP/GCP). Instead, Part 11 sets additional criteria for electronic records and signatures used to meet those predicate-rule obligations. 

Practical takeaway: If you go digital for records that predicate rules require, treat the system, the procedures, and the people as a cohesive control set—validate for intended use, define roles and authority checks, enforce audit trails, and bind signatures to identity and meaning. That alignment meets the regulation’s objective: electronic evidence you—and the regulator—can trust. 

History & evolution of electronic records/signatures requirements

Part 11 evolved as FDA embraced digital recordkeeping. After early rulemaking (1992 ANPRM, 1994 proposal), the final rule arrived on March 20, 1997 (effective August 20), establishing electronic records/signatures as equivalent to paper/ink. The eCFR remains the operative text. In 2003, FDA’s Scope and Application guidance adopted a risk-based lens and signaled enforcement discretion while retaining expectations for validation and audit trails. Clinical guidances (2007, 2013) clarified reliable eSource capture and traceability. From 2018 onward, Data Integrity Q&A reinforced ALCOA/ALCOA+ and lifecycle controls. In 2024, FDA finalized an eClinical Q&A, consolidating expectations and superseding the 2007 guidance—cementing a data-integrity-by-design trajectory.  

Scope of 21 CFR Part 11

When it applies: If required records (per predicate rules) are kept or submitted electronically, or electronic signatures replace handwritten ones, Part 11 applies. 

What’s out: Purely paper records and electronic systems not used to meet predicate-rule requirements. FDA applies a risk-based lens and may use enforcement discretion, but still expects validation, audit trails, and access controls where records are regulated. 

Closed vs. open systems: Closed systems rely on internal access control; open systems need added safeguards (e.g., encryption, digital signatures). 

Clinical note (2024): FDA won’t assess Part 11 compliance of some external sources (e.g., EHRs), yet still expects reliable capture, traceability, and certified copies.  

Key Requirements of Part 11

At a high level, 21 CFR Part 11 sets out controls for trustworthy electronic records and electronic signatures. The regulation distinguishes closed systems (access controlled by record owners) from open systems and specifies additional measures for the latter. It also prescribes what a signed record must show, how signatures must be linked to records, and the components/controls for electronic signatures.  

Core controls for electronic records (closed systems) — §11.10 

  • System validation: Demonstrate accuracy, reliability, and consistent intended performance; be able to detect invalid/altered records. 
  • Accurate/complete copies: Generate human-readable and electronic copies suitable for inspection, review, and copying.  
  • Record protection/retention: Ensure accurate, ready retrieval throughout the retention period. 
  • Access controls: Limit system access to authorized individuals. 
  • Audit trails: Use secure, computer-generated, time-stamped audit trails; changes must not obscure previous entries; retain for at least the record’s retention period.  
  • Operational checks: Enforce permitted sequencing of steps/events.  
  • Authority checks: Ensure only authorized individuals can sign, alter, or perform operations.  
  • Device checks: Verify the validity of data sources or operational instructions.  
  • Training/qualification: Ensure personnel have the education, training, and experience for assigned tasks. 
  • Policies for accountability: Written policies that hold individuals responsible for actions taken under their e-signatures.  
  • Documentation controls: Control system docs and maintain change control with an audit trail of documentation changes.  

Additional measures for open systems — §11.30

All of the above, plus measures such as encryption and appropriate digital signature standards to ensure authenticity, integrity, and (as appropriate) confidentiality from creation to receipt.  

What a signed electronic record must show — §11.50

Every signed record must clearly indicate: (1) the signer’s printed name, (2) the date/time of signing, and (3) the meaning of the signature (e.g., review, approval, authorship). These elements must appear in any human-readable form of the record.

Linking signatures to records — §11.70

Electronic (and handwritten) signatures executed to electronic records must be linked so they cannot be excised, copied, or otherwise transferred to falsify the record by ordinary means.

Electronic signature requirements — Subpart C 

  • General requirements (§11.100): Each e-signature must be unique to one individual, identity must be verified before assignment, and firms must submit a certification to FDA that e-signatures are intended to be the legally binding equivalent of handwritten signatures. 
  • Signature components/controls (§11.200):
      ◦ For non-biometric e-signatures: use at least two distinct components (e.g., ID + password). First signing in a controlled session uses all components; subsequent signings may use one component unique to the user. Use must be restricted to genuine owners and administered to prevent single-person misuse.
      ◦ For biometric e-signatures: design so they cannot be used by anyone other than the genuine owner.
  • Identification codes/passwords (§11.300): Maintain uniqueness; periodically check/recall/revise credentials; have loss management procedures; implement transaction safeguards and initial/periodic testing of devices that bear or generate credentials.  

Risk-based application (FDA guidance)

FDA’s Scope and Application guidance emphasizes applying Part 11 proportionate to risk—focusing controls on records required by predicate rules and those that impact product quality or patient safety. Validation, secure audit trails, and authority checks remain expectations where electronic records fulfill regulatory requirements.  

Electronic Records Under Part 11  

What the rule expects. When you use a closed system to create, modify, maintain, or transmit electronic records required by predicate rules, you must have procedures and technical controls that ensure authenticity, integrity, (as appropriate) confidentiality, and non-repudiation. At minimum, this includes validation for intended use, the ability to generate accurate and complete copies (human-readable and electronic), protection for ready retrieval throughout retention, access controls, secure time-stamped audit trails, operational checks (enforcing step sequence), authority checks (only authorized users can sign/alter), device checks, training/qualification, accountability policies, and controlled system documentation.  

Audit trails—what they must capture. Part 11 requires computer-generated, time-stamped audit trails that record the date/time of operator entries and actions creating, modifying, or deleting records; previous entries cannot be obscured. Audit trails must be retained at least as long as the underlying records and be available for agency review and copying. 
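One way to make the audit-trail properties described above checkable, as an added example that is not part of the original guide or any vendor's code: a hash-chained, append-only trail in which the system, not the operator, records the timestamp and the prior value. Part 11 does not prescribe hash chaining; the class, field names, and sample batch data are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry


def entry_digest(body: dict) -> str:
    # Canonical JSON so identical content always hashes identically.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class AuditTrail:
    """Append-only trail; each entry commits to the hash of the one before."""

    def __init__(self, clock=None):
        self._entries = []
        self._state = {}  # (record_id, field) -> current value
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def head(self):
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def append(self, user_id, action, record_id, field, new=None, reason=None):
        key = (record_id, field)
        if action not in ("create", "modify", "delete"):
            raise ValueError("unknown action")
        if not user_id:
            raise ValueError("every entry must be attributable to a user")
        if action == "create" and key in self._state:
            raise ValueError("value already exists; use modify")
        if action != "create" and key not in self._state:
            raise ValueError("nothing to modify or delete")
        body = {
            "seq": len(self._entries),
            "ts": self._clock().isoformat(),  # system time, not operator input
            "user_id": user_id, "action": action,
            "record_id": record_id, "field": field,
            "old": self._state.get(key),  # prior value captured by the system
            "new": None if action == "delete" else new,
            "reason": reason,
            "prev_hash": self.head(),
        }
        if action == "delete":
            del self._state[key]
        else:
            self._state[key] = new
        self._entries.append(dict(body, hash=entry_digest(body)))

    def export(self):
        return [dict(e) for e in self._entries]


def verify(entries, expected_head=None):
    """Return None if intact, else the index where the chain first breaks.

    Without expected_head (a head hash stored outside the system), someone
    with write access could truncate the trail or recompute every hash.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev_hash") != prev \
                or entry_digest(body) != e.get("hash"):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def history(entries, record_id, field):
    """Every value the field has held; earlier entries stay visible."""
    return [(e["user_id"], e["old"], e["new"]) for e in entries
            if e["record_id"] == record_id and e["field"] == field]


def build_sample_trail():
    # Constructed sample data: one assay result created, corrected, deleted.
    fixed = lambda: datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    t = AuditTrail(clock=fixed)
    t.append("jdoe", "create", "BATCH-0042", "assay_result", "98.2")
    t.append("asmith", "modify", "BATCH-0042", "assay_result", "99.1",
             reason="transcription error")
    t.append("asmith", "delete", "BATCH-0042", "assay_result", reason="retest")
    return t
```

Periodic audit-trail review can run verify() against a head hash kept where application administrators cannot write, which is what turns the chain from self-consistent into tamper-evident.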

Copies and readability. Systems must be able to produce accurate and complete copies in both human-readable and electronic form, suitable for inspection, review, and copying by FDA. Records must remain accurate and readily retrievable for the full retention period. These capabilities are part of demonstrating fitness for intended use during validation.  

Metadata and attribution in practice. FDA’s data-integrity guidance reinforces that records should remain complete, consistent, and accurate from creation through disposition, with changes traceable and reviewed for accuracy and compliance—principles often summarized as ALCOA/ALCOA+. Effective governance, role design, and periodic review support these outcomes.

“Certified copy” contexts. In clinical investigations, FDA’s 2024 guidance explains expectations for trustworthy copies (e.g., certified copies that are verified as exact and complete) when source data flow into electronic systems used for submissions or inspection. While this document is clinical-focused, its copy/traceability concepts align with Part 11’s emphasis on reliable, reviewable electronic records.  

Electronic Signatures Under Part 11  

What qualifies as an electronic signature. Under Part 11, an electronic signature is a computer data compilation of any symbol (including biometrics) executed, adopted, or authorized by an individual to be the legally binding equivalent of a handwritten signature—provided the regulation’s controls are met. Each signature must be unique to one individual, assigned only after identity verification, and supported by a firm’s certification to FDA that e-signatures are legally binding.  

What a signed record must show (§11.50). Any human-readable version of a signed electronic record must clearly display (1) the signer’s printed name, (2) the date and time of signing, and (3) the meaning of the signature (for example, authorship, review, or approval).  

Linking signatures to records (§11.70). Signatures executed to electronic records, whether electronic or handwritten, must be inextricably linked to the record so they cannot be cut, copied, or otherwise transferred to falsify the record by ordinary means.
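The §11.50 and §11.70 expectations above, sketched as an added example that is not from the original guide or any vendor's code: the signature carries the printed name, signing time, and meaning, and a keyed MAC ties those fields to a hash of the exact record content. The function names, the allowed-meaning set, the demo key, and the sample record are assumptions constructed for illustration; a closed system with a server-held key is assumed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: meanings a site permits; the guide lists these three as examples.
MEANINGS = {"authorship", "review", "approval"}

# Constructed demo values. A real key would live in a key store or HSM.
DEMO_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORD = b'{"batch":"BATCH-0042","assay_result":"99.1"}'


def binding_mac(key: bytes, fields: dict) -> str:
    # MAC over every signed field, so none can be changed independently.
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_record(record: bytes, user_id: str, printed_name: str,
                meaning: str, key: bytes, when=None) -> dict:
    if meaning not in MEANINGS:
        raise ValueError("signature meaning must be stated explicitly")
    if not user_id or not printed_name:
        raise ValueError("signature must identify one individual")
    when = when or datetime.now(timezone.utc)
    fields = {
        "record_sha256": hashlib.sha256(record).hexdigest(),
        "user_id": user_id,
        "printed_name": printed_name,
        "signed_at": when.isoformat(),
        "meaning": meaning,
    }
    return dict(fields, binding=binding_mac(key, fields))


def verify_signature(record: bytes, sig: dict, key: bytes) -> bool:
    fields = {k: v for k, v in sig.items() if k != "binding"}
    # The signature only applies to the exact bytes that were signed.
    if fields.get("record_sha256") != hashlib.sha256(record).hexdigest():
        return False
    # Constant-time comparison of the recomputed and stored MAC.
    return hmac.compare_digest(binding_mac(key, fields),
                               str(sig.get("binding", "")))


def manifestation(sig: dict) -> str:
    # The three elements that must appear in any human-readable rendering.
    return (f"Signed by {sig['printed_name']} on {sig['signed_at']} "
            f"(meaning: {sig['meaning']})")
```

For open systems, where the record owner does not control access end to end, an asymmetric digital signature would take the place of the shared-key MAC used here.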

General requirements (§11.100). 

  • Each electronic signature is unique to one person and may not be reused or reassigned. 
  • The organization verifies an individual’s identity before assigning e-signature credentials. 
  • The organization submits certification to FDA stating that e-signatures are the legal equivalent of handwritten signatures.  

Signature components and controls (§11.200). 

  • Non-biometric signatures use at least two distinct components (for example, an identification code and password). On first signing in a session, both components are used; subsequent signings in the same, continuous session may use one component that is only the signer’s. Controls must prevent use by anyone other than the genuine owner. 
  • Biometric signatures must be designed so they cannot be used by anyone else. 

Identification codes and passwords (§11.300).

Organizations employing ID+password signatures must implement controls for uniqueness, periodic credential checks/revisions, loss management (for compromised credentials), transaction safeguards, and initial/periodic testing of devices or tokens that generate or bear codes.  

Practical implication. Effective e-signature programs combine procedures (identity proofing, certification letters, training), technology (unique IDs, strong authentication, session controls), and governance (periodic access reviews, audit-trail monitoring) so that signings are attributable, intentional, and non-repudiable across the record life cycle. FDA’s risk-based guidance reinforces applying these controls proportionate to the record’s impact on product quality and patient safety.   

FDA Guidance on Part 11 Compliance

What FDA’s guidance does. FDA’s Scope and Application guidance explains how to apply Part 11 in a risk-based manner, focusing on electronic records that fulfill predicate rule requirements and on controls that protect data integrity (e.g., validation, audit trails, authority checks). It also outlines areas of enforcement discretion while reaffirming expectations where electronic records are used to meet regulatory obligations. 

Data integrity expectations. FDA’s final Data Integrity and CGMP: Q&A (2018) frames integrity as complete, consistent, and accurate data across the life cycle, including metadata. It addresses topics such as unique user access (no shared logins), secure, time-stamped audit trails, control of original records and certified copies, and governance over backup/restore and archival practices—tying these directly to CGMP compliance. 

Clinical investigations update (2024). FDA’s Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Q&A (finalized Oct 2, 2024) consolidates and modernizes expectations for trustworthy electronic systems in trials (superseding earlier clinical computerized-systems guidance). It reiterates that electronic records/signatures must be trustworthy, reliable, and generally equivalent to paper/ink, expands on source data capture and certified copies, and clarifies responsibilities across sponsors, investigators, and service providers (including cloud/IT). The document explicitly builds on and expands the 2003 Part 11 guidance.  

Challenges in Achieving Compliance

Legacy and “hybrid” environments. Many firms operate mixes of old instruments, spreadsheets, and newer platforms. When required records move between paper and electronic steps, traceability can break—for example, no secure audit trail for interim edits or missing metadata when transcribing. FDA’s Part 11 rule and data-integrity guidance both stress lifecycle controls that preserve attribution, time stamps, and completeness. 

Incomplete or ineffective audit trails. Common gaps include disabled audit trails, trails that don’t capture deletions/overwrites, or audit logs that aren’t periodically reviewed. Part 11 requires secure, computer-generated, time-stamped audit trails retained at least as long as the record and available for FDA review. FDA’s CGMP data-integrity Q&A links audit-trail governance directly to compliance.  

Shared or weak credentials. Practices like shared “lab” logins or insufficient identity verification undermine attribution and non-repudiation. Guidance emphasizes unique user IDs, appropriate authentication, and controls against single-person misuse of credentials.  

Validation shortfalls. Systems in scope must be validated for intended use with documented evidence; gaps appear when user requirements aren’t traced to test cases, changes aren’t re-validated, or backup/restore isn’t tested. FDA’s Scope & Application guidance frames a risk-based validation approach; inspection observations and warning letters frequently cite validation/control issues.  

Open-system risks and supplier/cloud responsibilities. When access isn’t fully controlled by the record owner (e.g., certain cloud or partner arrangements), additional measures (e.g., encryption, robust e-signature controls) are expected. Roles for validation, audit-trail review, certified copies, and time-sync must be contractually clear. Recent clinical-investigation guidance expands on shared responsibilities across sponsors, sites, and service providers.  

Records management over time. Firms struggle to prove accurate, complete copies (both human-readable and electronic), ensure long-term retrievability, and manage archiving/migration without data loss. FDA highlights retention, readability, and certified-copy concepts as part of trustworthy records.  

Training and procedural drift. Even with capable systems, weak SOPs (e.g., no defined audit-trail review cadence) or inconsistent training create gaps between policy and practice—an area FDA’s data-integrity guidance repeatedly flags.  

Technology & Tools Supporting Part 11

Validated quality systems. Platforms that manage regulated records (e.g., QMS/LIMS/MES/eBR, clinical EDC/eSource) need validation for intended use and documented evidence of accuracy, reliability, and consistent performance. They must generate accurate/complete human-readable and electronic copies and protect records for the full retention period.  

Identity and access management. Part 11 expects unique user IDs, authority checks for regulated actions, and controls to prevent credential misuse. For non-biometric e-signatures, systems use two distinct components (e.g., ID + password) and bind signatures to identity and meaning. 

Audit trails and time. Systems must create secure, computer-generated, time-stamped audit trails that capture who did what and when, without obscuring prior entries; retain them as long as the record. Time synchronization and periodic review are essential operational practices.  

Open vs. closed systems. If record owners do not control access end-to-end (open systems), additional measures—such as encryption and robust digital signature standards—are expected to assure authenticity, integrity, and, as appropriate, confidentiality from creation to receipt.  

Cloud and service providers. FDA’s recent clinical-investigation guidance expands on shared responsibilities across sponsors, sites, and IT service providers. Contracts and procedures should specify who validates, who maintains audit trails and time sync, and how certified copies are produced and preserved.  

Best Practices for Compliance

Here are some best practices that you must weave into your organization’s culture to achieve and maintain compliance:

1) Map scope, then scale controls. Identify which electronic records fulfill predicate-rule requirements or are submitted to FDA; apply Part 11 with a risk-based approach—heavier controls where impact on quality/patient safety is higher.  

2) Validate for intended use. Trace user requirements to test cases; include data migration, backup/restore, and report generation in the protocol; re-validate meaningful changes.  

3) Govern identity, signatures, and authority. Enforce unique IDs, define signature meaning (review/approval/authorship), bind signatures to records, and restrict high-risk actions to authorized roles.  

4) Operate the audit trail. Ensure trails are enabled, tamper-evident, and routinely reviewed; retain them for the entire record life and make them available for inspection and copying.  

5) Protect data integrity across the life cycle. Follow ALCOA/ALCOA+ principles; control original records and certified copies; manage hybrid flows (paper ↔ electronic) so attribution and metadata are preserved. 

6) Clarify partner/cloud roles. Document responsibilities with CROs and providers for validation, data retention, access reviews, incident response, and certified-copy production.   

Future of 21 CFR Part 11

Modernized expectations, same core principle. FDA’s 2024 clinical guidance expands on the 2003 Part 11 guidance, reinforcing that electronic records and signatures must remain trustworthy, reliable, and generally equivalent to paper—while recognizing cloud services, digital health technologies, and broader eSource use.  

Where practice is heading. 

  • Broader cloud/SaaS adoption with explicit delineation of responsibilities and controls.  
  • Stronger identity assurance and credential governance for non-biometric signatures.  
  • More routine audit-trail analytics and periodic assessments to surface anomalies early.  
  • Continued risk-based validation and data-integrity focus rather than one-size-fits-all checklists.  

Directionally, Part 11 practice is aligning with digital-by-default operations, but its foundation remains constant: validated systems, accountable users, and records that stand up to review over time. 

Conclusion (Why compliance matters; practical next steps)

Electronic records and signatures shape decisions that affect trust, quality, and patient safety. Part 11 provides a durable framework, so those electronic artifacts are as defensible as paper and ink—authentic, complete, and attributable for the full record life.  

To sustain compliance, take the right approach with a next-generation, AI-powered intelligent EQMS such as Qualityze: map scope, validate for intended use, run the audit trail, and keep roles and responsibilities clear—especially with partners and service providers. For many organizations, adopting a documented, risk-based program with validated digital systems and periodic assessments is the most reliable path to consistent practice and inspection readiness.

To see for yourself, request a personalized demo today! 
