
Understanding 21 CFR Part 11 Requirements


When inspectors request your electronic batch records, clinical trial data, or laboratory results, they check whether your systems meet 21 CFR Part 11 requirements. The regulation defines how pharmaceutical manufacturers, medical device companies, and clinical research organisations demonstrate that electronic records and signatures are trustworthy, reliable, and equal to paper records and signatures.

Since 1997, Part 11 has set data integrity expectations for FDA-regulated industries. Technology has changed, moving from standalone systems to cloud platforms and AI-assisted workflows. Despite these changes, the core principles of the regulation remain the operational standard.

What Is 21 CFR Part 11?

Part 11 defines when electronic records and signatures meet trustworthiness standards. The regulation applies to records created, modified, maintained, archived, retrieved, or transmitted under FDA predicate rules. These rules include core GMP, GCP, and GLP regulations. Predicate rules establish the underlying requirements for maintaining certain records.

Published March 20, 1997, Part 11 granted the FDA regulatory authority to accept electronic records as legally equal to paper records. Organisations must demonstrate they have proper controls over data integrity, system security, and complete audit trails.

In August 2003, the FDA issued guidance clarifying the scope. The agency announced it would exercise enforcement discretion for certain requirements but stressed that predicate rule requirements still apply. The guidance also promoted a risk-based approach: validation and controls matter most where they affect product quality, patient safety, or regulatory decisions.
 
In October 2024, the FDA finalised guidance on electronic records in clinical investigations. This reinforced Part 11 expectations for sponsors, investigators, IRBs, and CROs. Consequently, as digital health technologies generate more clinical data, these standards become even more important.

When Part 11 Applies

Part 11 applies when predicate rules require records, and you maintain them electronically. Examples include electronic batch production records, LIMS systems recording analytical data, clinical trial EDC platforms, CAPA tracking systems, and pharmacovigilance databases.

FDA’s 2003 guidance distinguishes between required electronic records and voluntary electronic copies. A required record is one that a predicate rule mandates and that you maintain electronically. A voluntary copy is an electronic copy kept while paper remains the official record. Therefore, the whole of Part 11 applies to required electronic records. For voluntary copies, FDA exercises enforcement discretion, provided the paper record remains official and you do not rely on the electronic version for regulatory purposes.

However, hybrid systems add challenges. The key question is which version serves as the official record for inspection. The version that serves this purpose must meet all requirements.

Core Principles: ALCOA+ and Data Integrity

Controls verify that Part 11 records are complete, accurate, secure, and attributable. The FDA expresses these expectations through ALCOA+ principles, which set the operational standard for data integrity.

Recording information contemporaneously—at the time activities occur rather than reconstructing later—is fundamental to meeting these standards. Indeed, FDA warning letters frequently cite violations of this principle.

The FDA established the ALCOA principles (Attributable, Legible, Contemporaneous, Original, Accurate) in the 1990s. The framework expanded to ALCOA+, adding Complete, Consistent, Enduring, and Available.
 

Furthermore, industry practitioners have extended this to ALCOA++, incorporating additional attributes such as Traceable. While ALCOA++ terminology appears in industry publications, FDA guidance documents don’t formally define it. Nevertheless, the framework reflects evolving best practices for comprehensive data integrity management.

Traceability through audit trails—showing who performed each action, when, and why with sufficient detail to reconstruct events—remains a core requirement under 21 CFR Part 11.10(e). Ultimately, ALCOA++ data integrity principles form the foundation of trustworthy, auditable records in GxP and AI-enabled systems.

Traceable: Audit trails show who did each action, when, and why. There should be enough detail to reconstruct incidents.

 

Why This Matters

ALCOA+ principles inform technical requirements in Part 11. Systems that meet ALCOA+ usually meet most Part 11 controls. For technologies such as cloud systems and AI workflows, ALCOA+ helps you assess whether new tools preserve data integrity.

Electronic Records Requirements

Part 11, Subpart B, defines controls for closed systems: systems whose access is controlled by the people responsible for the content of the electronic records held on them.

System Validation

The FDA uses enforcement discretion on some Part 11 validation requirements. However, predicate rule validation requirements always apply. All GxP systems must undergo validation to demonstrate that they consistently perform as intended.

Match validation scope to the system’s intended use and its effect on product quality and patient safety. Risk-based approaches classify systems into three categories. High-impact systems control key processes, patient data, and regulatory submissions, and have the greatest direct patient impact. In contrast, medium-impact systems support processes with some regulatory or quality consequences. Low-impact systems mainly provide infrastructure and are usually non-GxP.

Specifically, validation typically includes several key stages:

  • Installation Qualification (IQ) documents correct installation.
  • Operational Qualification (OQ) demonstrates correct performance across operating ranges.
  • Performance Qualification (PQ) confirms reliable performance under actual operating conditions.

Auditors look for validation protocols with set acceptance criteria. They want test records showing results, links between requirements and tests, and a documented risk-based rationale for what was tested.

Audit Trails

Audit trails must be generated by the system and operate independently of users; no user may disable or alter them. Retain them for as long as you keep the records they belong to. Moreover, review audit trails regularly to find unauthorised access or changes.

Common audit trail problems include shared user accounts, trails that can be turned off, missing “reason for change” fields, trails not saved with old records, and a lack of review evidence.

Auditors want to see full audit trails from recent records. They want proof of regular review, such as meeting notes and investigation records. Therefore, procedures should explain who reviews, how often, and when investigations start.
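As an added illustration (not code from the original article or any vendor's product), the following Python sketch shows the properties described above: entries that record who, when, what and why; an append-only store with no method to disable or edit it; and a periodic review that flags two of the common findings listed, missing "reason for change" fields and shared accounts. The hash chain, user directory and sample batch data are constructed for the example.

```python
from __future__ import annotations
import hashlib, json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

@dataclass(frozen=True)
class AuditEntry:
    """One immutable entry: who, when, what and why, chained to the entry before it."""
    user_id: str
    timestamp: str       # taken by the system when the action happens (contemporaneous)
    record_id: str
    action: str          # "create", "modify" or "sign"
    old_value: str | None
    new_value: str | None
    reason: str | None   # the "reason for change" reviewers expect on every modification
    prev_hash: str       # digest of the previous entry; editing or removing one breaks the chain
    def digest(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only: there is deliberately no method to edit, delete or switch off logging."""
    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []
    def append(self, user_id, record_id, action, old_value=None, new_value=None, reason=None):
        prev = self.entries[-1].digest() if self.entries else "0" * 64
        self.entries.append(AuditEntry(user_id, datetime.now(timezone.utc).isoformat(),
                                       record_id, action, old_value, new_value, reason, prev))
    def verify_chain(self) -> bool:
        """True while every entry links to the digest of the one before it."""
        digests = ["0" * 64] + [e.digest() for e in self.entries]
        return all(e.prev_hash == h for e, h in zip(self.entries, digests))

def review(trail: AuditTrail, directory: dict[str, list[str]]) -> list[str]:
    """Periodic review: flags missing reasons for change, shared accounts and a broken chain."""
    findings = []
    for e in trail.entries:
        if e.action == "modify" and not e.reason:
            findings.append(f"{e.record_id}: change by {e.user_id} has no reason for change")
        if len(directory.get(e.user_id, [])) != 1:  # zero or several people: not attributable
            findings.append(f"{e.record_id}: account {e.user_id} is shared or unknown")
    if not trail.verify_chain():
        findings.append("audit trail chain broken: an entry was altered or removed")
    return findings

def sample_review() -> list[str]:
    t = AuditTrail()  # constructed sample data: one named analyst and one shared lab account
    t.append("jsmith", "BATCH-0042", "create", new_value="pH 6.8")
    t.append("jsmith", "BATCH-0042", "modify", "pH 6.8", "pH 6.9", "transcription error, notebook p.12")
    t.append("labuser", "BATCH-0042", "modify", "pH 6.9", "pH 7.0")
    return review(t, {"jsmith": ["Jane Smith"], "labuser": ["A. Lee", "B. Kim"]})
```

The chain detects an entry that is altered or removed from the middle, but removal of the newest entries is only detectable by comparing the last digest with a copy kept outside the system.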

Access Controls

Part 11 requires authority checks, ensuring only authorised individuals use systems, sign records, or perform operations. Implementation includes role-based access control restricting functions to authorised users, approval workflows requiring appropriate authority levels, and administrator privileges separated from normal user access.

In addition, systems must use session timeouts, screen locks requiring re-authentication, logout processes that end sessions, and policies that ban shared passwords.

Auditors look for user access lists showing roles, records of regular access reviews, password policies, and proof that unauthorised actions are stopped.

Data Backup and Retention

Electronic records must be protected from loss. Requirements include a defined backup frequency appropriate to data criticality, off-site or segregated backup storage, regular restoration testing, migration strategies that address obsolescence, and documentation of backup schedules and testing results.

Auditors look for proof that backups can be restored, not just that they exist. They want to see test records of the data recovery and plans to keep the data accessible in the long term.

Electronic Signatures Requirements

An electronic signature under Part 11 consists of unique user identification (no two individuals may share IDs), authentication components (username + password, biometric, hardware token, digital certificate), and signature manifestations linking signatures to records.

When displayed or printed, signed records must clearly show the signer’s printed name, the date/time when the signature was executed, and the meaning of the signature (e.g., “Approved by”, “Reviewed by”).
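As an added example (not from the article or any vendor's product), this Python sketch shows the three elements listed above: a unique signer identity, a signature bound to the signed record so the two cannot be separated, and a manifestation carrying printed name, date/time and meaning. The user directory, per-user keys and HMAC construction are illustrative assumptions standing in for whatever mechanism a validated system actually uses.

```python
import hashlib, hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed user directory: user_id -> (printed name, per-user key held by the system).
# A real system authenticates the user (password, token, biometric) before it will sign.
USERS = {"jsmith": ("Jane Smith", b"constructed-key-jsmith"), "rlee": ("Robert Lee", b"constructed-key-rlee")}
MEANINGS = {"Approved by", "Reviewed by", "Authored by"}

@dataclass(frozen=True)
class Signature:
    user_id: str
    printed_name: str
    signed_at: str      # date/time the signature was executed
    meaning: str        # e.g. "Approved by"
    record_digest: str  # binds the signature to the record content as it was when signed
    tag: str            # keyed MAC over the fields above, so the signature cannot be moved to another record

def _tag(key: bytes, user_id: str, signed_at: str, meaning: str, record_digest: str) -> str:
    msg = "|".join([user_id, signed_at, meaning, record_digest]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign(user_id: str, meaning: str, record: bytes) -> Signature:
    """Execute a signature: the signer must be a known, unique user and the meaning explicit."""
    if user_id not in USERS or meaning not in MEANINGS:
        raise ValueError("unknown signer or signature meaning")
    name, key = USERS[user_id]
    digest = hashlib.sha256(record).hexdigest()
    at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return Signature(user_id, name, at, meaning, digest, _tag(key, user_id, at, meaning, digest))

def verify(sig: Signature, record: bytes) -> bool:
    """True only if the record is unchanged since signing and the tag came from the named signer."""
    if sig.user_id not in USERS:
        return False
    expected = _tag(USERS[sig.user_id][1], sig.user_id, sig.signed_at, sig.meaning, sig.record_digest)
    return hashlib.sha256(record).hexdigest() == sig.record_digest and hmac.compare_digest(expected, sig.tag)

def manifestation(sig: Signature) -> str:
    """Text shown or printed with the signed record: printed name, date/time and meaning."""
    return f"{sig.meaning}: {sig.printed_name} on {sig.signed_at}"
```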

FDA Certification

Each person using electronic signatures must submit a certification to the FDA stating that their electronic signature is legally binding. This one-time letter (often called “Letter of Non-Repudiation”) typically includes the individual’s name, statement that their electronic signature is legally binding, and company information.

FDA Enforcement and Common Findings

FDA takes a risk-based approach, focusing on where electronic record failures most affect product quality, patient safety, or regulatory decisions. The FDA prioritises enforcement when records are submitted to the agency or used to support regulatory decisions, when data integrity concerns arise, or when predicate rule violations involve electronic records.

Top 5 Inspection Observations:

  1. Inadequate audit trails: Systems lacking audit trail functionality, trails that can be disabled, or logs not preserved with records
  2. Shared login credentials: Multiple personnel using the same username/password
  3. Insufficient validation documentation: Systems deployed without validation or with inadequate testing
  4. Lack of audit trail review: No review procedures, or no evidence that reviews occur
  5. Inadequate access controls: Personnel having excessive privileges, no periodic review of access rights, or failure to disable terminated employee accounts

In 2024, the FDA’s Center for Devices and Radiological Health issued 529 warning letters, of which 8% were directed at medical device manufacturers for design validation failures and data integrity concerns.

Modern Technology Considerations

Cloud Systems and SaaS

Cloud-hosted systems can meet Part 11 requirements if the regulated company retains data ownership and control. Access controls must restrict who can view, modify, or delete records. Audit trails must capture all user actions. Data backups protect against provider failures. Contracts must define the responsibilities for validation, security, and retention.

Before implementing cloud systems, assess vendor security certifications (SOC 2, ISO 27001), audit-trail functionality, data ownership and portability, uptime guarantees, and willingness to support FDA inspections.

AI and Automation

When AI generates content that becomes part of regulatory records (case narratives, batch analysis summaries), audit trails must capture the model version used, the input data provided, the complete output generated, the human review decision, and any modifications made after AI generation.

AI doesn’t eliminate accountability requirements. Electronic signatures still require human authentication. Critical decisions still demand review by qualified personnel. Audit trails must remain attributable to individuals, not “the algorithm.”

Common Implementation Challenges

Implementing compliant digital and AI systems in regulated environments requires navigating audit burden, legacy platforms, vendor constraints, and cloud validation complexity.

Part 11 in 2025 and Beyond

Despite being written in 1997, Part 11 remains relevant because it focuses on outcomes (data integrity, security, audit trails) rather than specific technologies. As pharmaceutical organisations deploy cloud computing, mobile devices, and AI-assisted workflows, Part 11’s core requirements adapt through interpretation rather than revision.

FDA’s Computer Software Assurance (CSA) approach — finalised in September 2025 — will streamline validation from a documentation-heavy CSV approach to a risk-based assurance approach. CSA focuses on critical functionality, leverages vendor testing, encourages unscripted testing for low-risk functions, and promotes continuous assurance. Importantly, CSA doesn’t eliminate Part 11 requirements. Audit trails, access controls, and electronic signatures remain mandatory where regulations require them.

Key Themes for Sustainable Compliance:

  • Risk-based thinking: Not every system requires the same level of validation rigor. Focus resources on areas where electronic records have the greatest impact on product quality, patient safety, and regulatory decisions.
  • ALCOA+ as operational standard: Data integrity principles provide the conceptual framework. Part 11 provides regulatory specification.
  • Continuous compliance: Validation is the starting point. Sustained compliance requires change control, periodic review, audit-trail monitoring, and a quality culture that prioritises data integrity.
  • Integration with existing QMS: Part 11 compliance integrates with computerised system validation, change control, training, document management, and all quality system elements.

Part 11 will continue to evolve through FDA guidance, enforcement practices, and industry standards. Organisations that build mature quality systems — where data integrity is a core value, not just a compliance checkbox — position themselves for inspection readiness today and adaptability as regulations evolve.

Common Questions and Answers

What is 21 CFR Part 11 and why is it important?

21 CFR Part 11 defines when electronic records and electronic signatures are considered trustworthy, reliable, and legally equivalent to paper records under FDA regulations.

When does 21 CFR Part 11 apply?

Part 11 applies when FDA predicate rules require a record and that record is created, maintained, or relied upon electronically for regulatory purposes.

What are ALCOA+ principles?

ALCOA+ principles define data integrity expectations, ensuring electronic records are attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available.

What are common FDA Part 11 inspection findings?

Common findings include missing or disabled audit trails, shared user accounts, inadequate validation documentation, and insufficient access controls.

Are cloud and SaaS systems allowed under Part 11?

Yes, provided the regulated organisation retains data ownership and control, audit trails are enabled, access is restricted, and validation and vendor responsibilities are clearly defined.

How does Part 11 apply to AI-generated records?

AI-generated content used as regulated records must include full traceability, including model version, inputs, outputs, and documented human review and approval.