21 CFR Part 11
21 CFR Part 11 – Electronic Records & Electronic Signatures
This topic is part of the SG Systems Global regulatory glossary series.
Updated October 2025 • FDA / GMP • Data Integrity (ALCOA+) • EU Annex 11
21 CFR Part 11 is the U.S. Food and Drug Administration regulation defining when electronic records and electronic signatures are trustworthy, reliable, and equivalent to paper records and handwritten signatures for GxP decision-making. In practice, Part 11 overlays predicate rules such as drugs 21 CFR 210/211, foods 117 and supplements 111, and medical devices 820, by requiring controls that assure identity, integrity, security, attribution, and retention of records used to release materials, disposition batches, issue labels, or document quality events. This entry provides an unbiased overview of scope and expectations, then explains how these requirements are executed in V5, followed by a concise FAQ and related reading.
“Part 11 isn’t a feature you toggle; it’s the auditable chain that proves who did what, when, why, and with which version—end to end.”
1) What It Is
Part 11 applies where electronic records or signatures fulfill requirements set by predicate rules or where electronic source data support those required records. Typical in-scope content includes Electronic Batch Records (eBMR), Device History Records (DHR), Certificates of Analysis (CoA), weighing data, laboratory results, Hold & Release decisions, deviations/NCRs, CAPA records, training and equipment status, and master definitions like eMMR and specifications. Because many records are composed of data coming from scales, PLCs, printers, and WMS/LIMS/ERP, control extends to interfaces and traceability standards to ensure completeness and attribution end-to-end.
2) Core Expectations & Typical Controls
Validation for intended use. Systems must be validated commensurate with risk so regulators can rely on outputs for product quality decisions. A lifecycle approach aligned to GAMP 5 and CSV principles is typical: define user requirements, assess risk, verify through IQ/OQ/PQ-style testing, control configuration, and release changes under Change Control with traceability. Interfaces (e.g., MES↔LIMS, WMS↔labeling, MES↔ERP) require testing for accuracy, acknowledgements, and failure handling so transactions don’t go missing or duplicate.
Identity & access management. Each user has a unique account; roles enforce least privilege and segregation of duties; administrative actions are restricted and audited; password/credential policies, lockouts, and session controls avoid shared accounts. Elevated activities (e.g., by-pass, override) may require Dual Verification.
Audit trails. Computer-generated audit trails capture who did what, when, previous/new values, and—where appropriate—reason for change, with time synchronization across systems. Trails must be secure, tied to the record, and retrievable for the retention period, which frequently outlives the system where the data were created.
Electronic signatures. Signatures are unique and non-repudiable and include the meaning of the signature (e.g., review, approval, responsibility). Multi-factor may be applied based on risk. Signatures bind to the record content so later edits are visible and attributable.
ALCOA+ data integrity. Attributable, Legible, Contemporaneous, Original, Accurate—plus Complete, Consistent, Enduring, Available. Systems should minimize free text, prefer automatic capture from devices, and ensure attachments (photos, printouts) are contemporaneous and version-controlled.
Record retention & retrieval. Required records must be human-readable along with raw data, metadata, and trails. “PDF-only” archives risk losing context (e.g., version, parameters, calculations). Retention periods are defined by predicate rules; readability and rendering must be proven, including after migrations or format changes, under Retention & Archival procedures.
Procedural controls and training. Technical controls are paired with SOPs for user lifecycle, signature controls, periodic review, backup/restore, incident response, CAPA, and business continuity. Training must be current before a user is allowed to execute or approve GxP actions; systems can enforce training gating through Document Control.
3) Scope Boundaries, Hybrids & Special Cases
Hybrid (paper + electronic). Organizations sometimes print to paper for signatures; however, if electronic source data exist (e.g., scale weights, barcode scans, PLC readings), regulators expect control at the source. Transcription introduces risk. Treat paper as a rendering, not the system of record, where feasible.
Spreadsheets and small tools. If a spreadsheet or desktop tool calculates yields, specifications, or label data used for Batch Release or CoA, it falls under Part 11: protect cells and formulas, control versions, restrict access, document verification, and capture change history (ideally via an audit trail).
Cloud/SaaS. Part 11 is technology-agnostic; responsibilities are shared. Vendors may support features (identity, trails), but regulated companies remain responsible for validation, configuration management, and procedural controls. Supplier qualification and GDP/GMP alignment are part of due diligence.
EU Annex 11 alignment. While not identical, FDA Part 11 and EU Annex 11 share themes: validation, data integrity, security, audit trails, and archiving. Global firms harmonize controls to satisfy both.
4) Where It Shows Up in Operations
Manufacturing execution. eBMR steps, interlocks, limits (SPC limits), barcode validation, weighing, timers, and dual sign-off must be attributable and auditable. Laboratory. Sample login, chain-of-custody, methods, results, and retests link to lots and masters. Warehouse. Goods Receipt, quarantine, FEFO/FIFO, bin/location, and pick/pack/ship events form part of release evidence. Labeling. Approved templates, GS1/GTIN and date code rules, and scan-back logs are critical where allergens or expiry are safety-relevant.
5) Governance, Review & Continuous Improvement
Part 11 controls live within a broader GxP framework. Masters (SOPs, methods, specs) are created and maintained under Document Control with periodic review. Revisions follow formal Change Control, with impact analysis on validation status, training, labels, and integrations. Exceptions feed deviation/NC workflows; systemic gaps escalate to CAPA with effectiveness checks. Evidence rolls into APR/PQR-style reviews, and for devices, into design and production history artifacts (e.g., DHF, DHR).
6) How This Fits with V5
V5 by SG Systems Global operationalizes Part 11 expectations so the act of doing the work creates compliant evidence. In V5 MES, the eMMR drives executable steps in the eBMR, pinning the master version and enforcing interlocks, limits, and Dual Verification. Device integrations (scales, PLCs, printers) capture attributable readings and labels under Barcode Validation. In V5 QMS, Document Control and structured approvals maintain masters; Change Control governs revisions with risk and training effects; deviations and CAPA provide closed-loop remediation. In V5 WMS, Hold & Release, quarantine, FEFO, and bin rules are enforced at scan points. Across modules, identity, e-signatures, time-stamped audit trails, and rapid retrieval underpin Part 11 readiness; CoA compiles directly from controlled data and Batch Release applies review-by-exception to shorten QA cycle time without sacrificing rigor.
7) FAQ
Q1. Does Part 11 apply to every computerized system?
No. It applies where electronic records or signatures fulfill predicate requirements, or where electronic source data support those records. Systems that feed eBMR/DHR, release, labeling, or quality decisions are typically in scope.
Q2. If we “print and sign” on paper, can we avoid Part 11?
Printing may reduce scope, but if the source data are electronic (e.g., scale values, scans), inspectors expect control at the source to avoid transcription and backdating risk.
Q3. What makes an audit trail acceptable?
Secure, time-stamped entries that capture identity, action, previous/new values, and reason when applicable; immutable, linked to the record, and retained with it for the required period.
Q4. How much validation is enough?
Risk-based lifecycle evidence. High-impact functions (identity/strength/purity, disposition, labels) merit deeper and negative testing. Use requirements→tests traceability and controlled releases.
Q5. Do spreadsheets fall under Part 11?
Yes—if they generate or maintain GMP data. Protect formulas and cells, version and access-control files, verify/validate logic, and preserve change history.
Q6. How does EU Annex 11 relate?
Annex 11 shares themes with Part 11 (validation, trails, security). Many global firms design a single set of controls to satisfy both.
Q7. What evidence convinces inspectors?
A clear line from master to execution: validation packages, controlled configurations, user and access records, audit trails, incident/CAPA history, and fast, faithful record rendering (including raw data and metadata).
Q8. Where do training and equipment logs fit?
If required by predicate rules and kept electronically, they’re in scope. Tie user training to effective dates and enforce asset status checks before use.
Q9. What about labels and date codes?
If allergen statements or expiry calculations affect safety/compliance, treat labeling as a controlled, validated process with template control, variable-data rules, and scan-back verification using GS1/GTIN and EPCIS events.
Q10. How are holds and releases handled?
Use electronic Hold & Release with role-based authority, reason codes, and audit trails; integrate lab results and CoA before Batch Release.
Related Reading
• Foundations: ALCOA+ | EU Annex 11 | GxP | GMP / cGMP
• Masters & Execution: eMMR | eBMR | Gravimetric Weighing | Control Limits (SPC) | Dual Verification
• Quality System: Document Control | Change Control | Deviation / NC | CAPA | Data Retention & Archival
• Materials, Labels & Traceability: Goods Receipt | FEFO | FIFO | GS1 / GTIN | EPCIS Traceability Standard
• Validation Context: GAMP 5 | Computer System Validation (CSV) | IQ/OQ/PQ | Cleaning Validation | Continued Process Verification (CPV)