
FDA 21 CFR Part 11 Compliance for Digital Health Companies

Understanding FDA 21 CFR Part 11 requirements for electronic records and signatures, with practical guidance for digital health companies building compliant systems.

SeedGovernance Team

What Is 21 CFR Part 11?

Title 21 of the Code of Federal Regulations, Part 11 (commonly referred to as 21 CFR Part 11 or simply “Part 11”) is the FDA’s regulation governing electronic records and electronic signatures. It establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures.

If your digital health company creates, modifies, maintains, archives, retrieves, or transmits records that are required by FDA regulations, Part 11 applies to those records when they are in electronic form. This is increasingly relevant as the health technology industry moves toward fully digital workflows, from clinical trial data management to quality management systems.

Who Needs to Comply?

Part 11 applies to any organization that:

  • Submits electronic records to the FDA (e.g., clinical trial data, regulatory filings)
  • Maintains electronic records required by FDA predicate rules (e.g., device history records, batch production records, quality records)
  • Uses electronic signatures to sign records that would traditionally require handwritten signatures

This includes pharmaceutical companies, medical device manufacturers, biotech firms, contract research organizations (CROs), and digital health companies whose products or systems generate or manage FDA-regulated records.

The Core Requirements of Part 11

Electronic Records

Part 11 requires that electronic records systems have the following controls:

Validation:

  • Systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records

Audit Trail:

  • A secure, computer-generated, time-stamped audit trail must independently record the date and time of operator entries and actions
  • The audit trail must record who made each entry or change, what was changed, and what the previous value was
  • Audit trail records must be retained for at least as long as the electronic records they support
  • The audit trail must not be modifiable by operators

System Access Controls:

  • Systems must limit access to authorized individuals
  • Operational system checks must enforce permitted sequencing of steps and events
  • Authority checks must ensure only authorized individuals can use the system, sign records, or alter records

Device Checks:

  • Determine that input or output devices (terminals, printers, etc.) are valid sources or destinations for data

Documentation:

  • Written policies must establish accountability for actions initiated under electronic signatures
  • Controls must be in place for the distribution, access to, and use of system documentation

Electronic Signatures

Part 11 sets specific requirements for electronic signatures:

  • Each electronic signature must be unique to one individual and not reused or reassigned
  • Before establishing or certifying an electronic signature, the identity of the individual must be verified
  • Electronic signatures must contain the printed name of the signer, the date and time the signature was applied, and the meaning of the signature (approval, review, responsibility)
  • Electronic signatures based on biometrics must be designed to ensure they cannot be used by anyone other than the original signer
  • Non-biometric electronic signatures must employ at least two distinct identification components (e.g., user ID and password)

Closed vs. Open Systems

Part 11 distinguishes between closed systems (where access is controlled by the same entity responsible for the records) and open systems (where access is not controlled by that entity). Open systems require additional controls such as document encryption, digital signatures, and other measures to ensure record authenticity, integrity, and confidentiality.

Practical Steps for Digital Health Companies

Step 1: Determine Which Records Are Subject to Part 11

Not every electronic record in your organization falls under Part 11. The regulation applies only to records that are created, modified, maintained, archived, retrieved, or transmitted under FDA predicate rules. Start by identifying which of your records are FDA-regulated.

Common examples in digital health include:

  • Device design history files and design controls
  • Quality system records (CAPA, complaints, nonconformances)
  • Clinical trial data and case report forms
  • Batch and production records
  • Adverse event reports

Step 2: Conduct a Gap Assessment

Evaluate your current systems against Part 11 requirements. Key questions to assess:

  • Is each system validated with documented evidence?
  • Do your systems generate tamper-proof, time-stamped audit trails?
  • Are access controls implemented with role-based permissions?
  • Do your electronic signatures meet the two-component identification requirement?
  • Are audit trail records retained for the required duration?
  • Do you have written policies governing electronic record and signature use?

Step 3: Validate Your Systems

System validation is the most substantial Part 11 requirement. Your validation approach should include:

  • Installation Qualification (IQ) — Verify the system is installed correctly according to specifications
  • Operational Qualification (OQ) — Verify the system operates according to its functional specifications
  • Performance Qualification (PQ) — Verify the system performs reliably in its actual operating environment

Document all validation activities, test results, and deviations. Maintain validation records throughout the system lifecycle.

Step 4: Implement Audit Trail Controls

Ensure your systems record every creation, modification, and deletion of FDA-regulated records. The audit trail must:

  • Be automatically generated by the system (not manually maintained)
  • Include timestamps, user identification, and the nature of each action
  • Capture both old and new values for modifications
  • Be unalterable by system users
  • Be available for review and copying by the FDA upon request

Step 5: Establish Access and Signature Controls

  • Assign unique user accounts with individual credentials
  • Implement role-based access to limit permissions by job function
  • Require electronic signatures that combine at least two identification components
  • Implement session timeouts and re-authentication for signature events
  • Maintain records of all user accounts, roles, and permission changes
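As an added example (not SeedGovernance's code or any FDA-endorsed implementation), the following Python sketch shows the Step 4 audit-trail properties and the Step 5 signature manifestation together: an append-only, hash-chained log that keeps old and new values with a system-generated timestamp and individual user ID, and a signing function that refuses a signature without a declared meaning. All user names and the CAPA record identifier are illustrative.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only, hash-chained audit trail: each entry commits to the previous
    entry's hash, so any later edit or deletion of an entry is detectable on review."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, action, record_id, field=None, old=None, new=None):
        """Append one system-generated entry: who, when, what changed, old and new value."""
        entry = {
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),  # system clock, not user input
            "user_id": user_id,       # individual account, never a shared login
            "action": action,         # create / modify / delete / sign
            "record_id": record_id,
            "field": field,
            "old_value": old,         # previous value is preserved, not overwritten
            "new_value": new,
            "prev_hash": self.entries[-1]["hash"] if self.entries else "0" * 64,  # genesis
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first broken entry."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return -1


def sign_record(trail, user_id, printed_name, record_id, meaning):
    """Signature manifestation: printed name, date/time (from the entry) and declared meaning."""
    if meaning not in ("approval", "review", "responsibility"):
        raise ValueError(f"signature meaning must be declared, got {meaning!r}")
    return trail.record(user_id, "sign", record_id, field="signature",
                        new={"printed_name": printed_name, "meaning": meaning})
```

The chain only makes tampering detectable; write access to the log store must still be restricted to the application identity so operators cannot alter entries in the first place.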

Step 6: Document Policies and Procedures

Create standard operating procedures (SOPs) covering:

  • Electronic record management and retention
  • Electronic signature use and accountability
  • System validation lifecycle
  • Access management and user administration
  • Audit trail review and monitoring
  • Change control for regulated systems
  • Incident and deviation management

Step 7: Train Your Team

All personnel who create, modify, or sign electronic records must understand Part 11 requirements and your organization’s specific procedures. Training should be documented and regularly refreshed.

Common Pitfalls

  • Ignoring the audit trail requirement. Many commercial software products do not have Part 11-compliant audit trails out of the box. Verify before adopting any system.
  • Shared user accounts. Part 11 requires individual accountability. Shared logins make compliance impossible.
  • Treating validation as a one-time event. Systems must be revalidated when updated or when the operating environment changes significantly.
  • Overlooking retention requirements. Electronic records and their audit trails must be retained for the period specified by the applicable predicate rule.

How SeedGovernance Helps

SeedGovernance provides a complete Part 11 compliance toolkit for digital health companies. Our platform includes validation protocol templates, SOP frameworks, audit trail policy documents, and access control guidelines — all aligned to FDA requirements. Our guided assessment identifies your specific gaps, giving you a clear roadmap to compliance.

Take the free assessment to evaluate your Part 11 readiness.
