21 CFR Part 11

This glossary term is part of the SG Systems Global regulatory & operations guide library.

Updated January 2026 • 21 CFR Part 11, electronic records, electronic signatures, Part 11 readiness, audit trails, ALCOA+, unique user IDs, access control, segregation of duties, signature meaning, record retention, validation evidence, integration bypass prevention • FDA-regulated industries (Pharma, Biotech, Med Device, Food, Dietary Supplements, Cosmetics, Clinical)

21 CFR Part 11 is the FDA regulation that defines when electronic records and electronic signatures are acceptable in place of paper records and handwritten signatures for records required by FDA “predicate rules.” Part 11 is not a brand label you slap on a system. It is a control model: identity, authority, auditability, retention, and validation evidence must be strong enough that the electronic record can stand up to scrutiny without reconstruction or “story repair.”

In modern manufacturing, Part 11 compliance is inseparable from execution integrity. If your MES allows shared logins, permits uncontrolled overrides, or lets records be edited without a secure audit trail, you do not have electronic records you can trust—you have faster paperwork. Part 11 exists because the failure modes are predictable: attribution gaps, silent edits, ambiguous approvals, and records that can’t be reliably retrieved years later.

Part 11 also forces clarity around what “in scope” means. Predicate rules (e.g., 21 CFR Part 211, 21 CFR Part 820, 21 CFR Part 111) tell you which records are required and retained. Part 11 tells you how the electronic version must behave. That’s why Part 11 is tightly linked to Predicate Rule, Data Integrity, ALCOA / ALCOA+, and Audit Trail (GxP).

On the operational side, Part 11 compliance depends on execution-layer control concepts like Credential-Based Execution Control, Segregation of Duties in MES, Dual-Control Manufacturing Operations, and Operator Authorization Matrix. Those aren’t “nice-to-have” features. They are how you prevent convenient fraud and accidental misuse in real plants.

“Part 11 isn’t about being paperless. It’s about being unable to quietly rewrite history.”

TL;DR: 21 CFR Part 11 is the FDA’s rulebook for making electronic records and electronic signatures trustworthy enough to replace paper for predicate-rule records. In practice, Part 11 means: (1) the system is validated for intended use (see CSV and System Validation), (2) every action is attributable to a unique user governed by UAM and Access Provisioning, (3) record changes are protected by secure, time-stamped audit trails, (4) electronic signatures show who signed, when, and why (review/approval/authorship) and are bound to the record, and (5) records are retained and retrievable for the full predicate retention period (see Record Retention and Record Retention Policy). If your “compliance” depends on shared logins, informal corrections, or end-of-batch reconstruction, it is not compliance—it is paperwork with a UI.

1) What Part 11 actually is (and why it exists)

Part 11 exists because electronic systems can create beautiful records that are dangerously easy to manipulate if controls are weak. Paper has friction: it’s hard to change without visible evidence. Electronic records remove that friction, which is great for speed but terrible for integrity unless you replace paper’s “tamper friction” with digital controls: unique identity, authority boundaries, audit trails, and validated behavior.

Part 11 is therefore best understood as a minimum integrity architecture for electronic evidence. It expects you to control who did what, when they did it, what changed, and whether the record is protected against convenience edits. It also expects you to demonstrate that the system consistently performs as intended. That is why Part 11 is inseparable from Computer System Validation (CSV) and structured quality governance.

In execution-heavy environments, Part 11 becomes operational when the “system of record” is the system that runs the work, not a spreadsheet or an end-of-shift summary. That is exactly the posture behind Manufacturing Execution Integrity and In-Process Compliance Enforcement: capture evidence at the point of execution and make invalid actions difficult or impossible.

2) What Part 11 is not: the myths that create audit findings

| Myth | Reality | Operational consequence |
| --- | --- | --- |
| “The vendor is Part 11 compliant.” | Part 11 compliance depends on your intended use, configuration, and procedures. | Two sites can run the same software; one is defensible, one is not. |
| “We use e-signatures, so we’re done.” | Signatures don’t fix weak records. If records can be edited quietly, signatures are theater. | Inspectors follow the record lifecycle, not the signature button. |
| “QA review will catch it.” | Review is not control. A system that allows silent errors creates forensic review burden. | Release slows down and investigations multiply. |
| “Shared logins are fine in production.” | Shared logins destroy attribution and undermine the evidentiary value of every record. | Expect data integrity scrutiny and difficult remediation. |
| “We validated once.” | Validation is lifecycle-based; changes and configuration drift must be governed. | Uncontrolled changes silently break the validated state. |

Tell-it-like-it-is: If your daily operating mode relies on “fix it later,” “use the supervisor login,” or “just type something to get past the screen,” Part 11 will fail when it matters: during a deviation, a recall, or an inspection.

3) Scope: predicate rules, “records required,” and what triggers Part 11

Part 11 applies when you create, modify, maintain, archive, retrieve, or transmit electronic records that are required by FDA predicate rules. Predicate rules are the actual “you must keep this record” regulations. Part 11 is the “if it’s electronic, it must be trustworthy” overlay. Start scope with Predicate Rule mapping, not with a software inventory.

A practical scoping method: identify the records that drive quality, release, labeling, safety, or regulatory decisions; map where those records are created and approved; then map the systems (and “shadow systems”) that touch them. If a spreadsheet changes a release decision, it is functionally in scope as an electronic record process whether you call it a system or not.

| Example | Typical status | Why |
| --- | --- | --- |
| Electronic batch record execution in MES | Usually in scope | Creates and maintains required manufacturing records; approvals/sign-offs often required. |
| Deviation disposition and release decisions in QMS | Usually in scope | Quality decisions and approvals are predicate-relevant and must be attributable and auditable. |
| Training tracking used to gate execution roles | Often in scope | If training records control authority to perform GxP work, integrity matters. |
| Purely operational dashboards with no quality decisions | Sometimes out of scope | May not be predicate-required, but can become in scope if used for decisions or evidence. |
| Email approvals for label changes | High risk (often treated as in scope) | Creates approval evidence; weak controls produce audit exposure. |

Part 11 scope also evolves. New integrations, new sites, new workflows, and system migrations change the control boundary. That is why Change Control and Document Control must treat configuration and workflow as part of the validated system.

4) Electronic records: what must be controlled (and common examples)

Part 11-aligned electronic records must be trustworthy and reliable. That requires controlling record creation, modification, review, approval, and retrieval. “Record” is broader than a PDF. It includes the structured data and the context that gives it meaning: who performed the action, the equipment/line context, the effective version of instructions, and the audit trail of changes.

In manufacturing execution, record integrity depends on execution systems capturing reality in real time—especially under pressure. This is why execution concepts like Real-Time Shop Floor Execution and Event-Driven Manufacturing Execution matter: you reduce reliance on later transcription and reduce the opportunity to “improve the story” after the fact.

Examples of record categories commonly challenged in inspections include:

  • Execution records: step completion, operator sign-offs, equipment assignments, parameter confirmations, and exception handling in MES.
  • Quality decisions: deviations, investigations, dispositions, CAPA decisions (often in QMS).
  • Master data and instructions: recipes, specs, label masters, controlled documents governed by Revision Control and Master Data Control.
  • Approval evidence: electronic approvals, review sign-offs, and release authorization.
  • Data exports: reports used as evidence must be reproducible, consistent, and traceable to source records.

5) Electronic signatures: meaning, manifestations, and binding

Part 11 electronic signatures are not “a click.” They are a controlled attestation that must be attributable to a unique individual and must carry meaning: review, approval, authorship, or responsibility. If your UI has one generic “Sign” button that is used for everything, you are creating signature ambiguity—which is exactly what makes signatures less defensible.

Signature expectations also include binding: the signature must be linked to the specific record such that it cannot be excised, copied, or transferred to falsify other records. That’s why signatures must be coupled to audit trails and to a record model that preserves linkage through export and retention.
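The binding requirement described above can be made concrete. The following is an added example, not code from SG Systems Global or from the regulation: it assumes an HMAC over the signature manifestation with a server-held key (`SERVER_KEY`, constructed here) as the binding mechanism, which is one possible design and not one Part 11 prescribes. Record fields and user names are constructed sample data.

```python
import hashlib
import hmac
import json

# Assumption: key is held server-side (for example in an HSM or KMS), never by users.
SERVER_KEY = b"constructed-demo-key"
# Explicit meanings only; a generic "sign" is rejected.
MEANINGS = {"authorship", "review", "approval"}

# Constructed sample records.
STEP_A = {"record_id": "BATCH-0001/step-4", "weight_kg": 12.05, "instruction_rev": "C"}
STEP_B = {"record_id": "BATCH-0002/step-4", "weight_kg": 14.90, "instruction_rev": "C"}


def canonical(obj):
    """Stable byte encoding so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record):
    return hashlib.sha256(canonical(record)).hexdigest()


def binding_tag(manifestation):
    """MAC over every manifestation field except the tag itself."""
    body = {k: v for k, v in manifestation.items() if k != "binding"}
    return hmac.new(SERVER_KEY, canonical(body), hashlib.sha256).hexdigest()


def sign_record(record, user_id, printed_name, meaning, signed_at_utc):
    """Build a signature manifestation bound to this exact record content.

    signed_at_utc is a parameter only to keep the example deterministic;
    in a real system it comes from the server clock.
    """
    if meaning not in MEANINGS:
        raise ValueError(f"signature meaning must be one of {sorted(MEANINGS)}")
    manifestation = {
        "record_id": record["record_id"],
        "record_digest": record_digest(record),
        "user_id": user_id,
        "printed_name": printed_name,
        "meaning": meaning,
        "signed_at_utc": signed_at_utc,
    }
    manifestation["binding"] = binding_tag(manifestation)
    return manifestation


def check_signature(record, manifestation):
    """Return 'valid' or the reason this signature does not apply to this record."""
    expected = binding_tag(manifestation)
    if not hmac.compare_digest(expected, manifestation.get("binding", "")):
        return "manifestation altered"
    if manifestation["record_id"] != record["record_id"]:
        return "signature belongs to another record"
    if manifestation["record_digest"] != record_digest(record):
        return "record changed after signing"
    return "valid"
```

A symmetric key means the server itself could mint signatures; where that matters, an asymmetric signature with per-user or per-service keys gives stronger separation.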

If you want practical implementation guidance, pair the regulation requirements with readiness practices in Part 11 Readiness and the implementation patterns in Electronic Signatures (Part 11).

6) Closed vs open systems: boundary risk without hand-waving

Part 11 distinguishes “closed systems” (where the organization controls access and operation) from “open systems” (where the record environment or transmission path is not fully controlled). In modern architectures, most environments are mixed: internal execution may be closed, while cloud hosting, vendor access, and external portals introduce open-system characteristics.

Instead of arguing labels, treat it as a boundary analysis: where could the record be intercepted, altered, misrouted, or misattributed? Those are the places where you must increase safeguards and evidence. If the system boundary is fuzzy, inspectors will push until it becomes clear—and they will usually find the weak seam.

7) Identity, access, and authority: UAM, RBAC, and SoD

Part 11 demands attribution. Attribution demands unique users. Unique users demand real access governance, not informal badge sharing. The baseline control stack includes:

In many plants, the highest-risk integrity gap is over-privileged roles (everyone can override) and “break glass” access used as the normal operating mode. If supervisors approve their own work or operators can edit master data, Part 11 defensibility becomes fragile fast.

Execution environments benefit from explicit authorization models such as an Operator Authorization Matrix and constrained runtime behavior via Role-Constrained Execution. For high-risk actions, a dual-control posture (two-person control) strengthens integrity when implemented correctly (see Dual-Control Manufacturing Operations).

8) Audit trails: design, protection, and review discipline

Audit trails are where Part 11 stops being a policy and becomes inspectable system behavior. A Part 11-aligned Audit Trail (GxP) must be secure, time-stamped, and computer-generated, capturing creation, modification, approvals/signatures, and (where allowed) deletions. It must also be protected from alteration by normal users and retained for the record’s retention period.

Design matters. A log that says “field changed” without showing before/after values is weak evidence. A log that captures who changed what, from what value to what value, when, and why (reason-for-change) is control-grade evidence. The “why” is not bureaucracy; it is how you distinguish controlled correction from manipulation.
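A sketch of what a control-grade entry looks like in practice, as an added example that is not the vendor's code: each entry records who, what, before/after, when (UTC, taken from the system clock) and why, and commits to the previous entry's hash so that silent edits and deletions are detectable. Hash chaining is an assumption of this example, not a Part 11 requirement; record IDs, users and values are constructed.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def entry_hash(entry):
    """SHA-256 over every field except the hash itself, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def utc_now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


class AuditTrail:
    """Append-only trail: no update or delete method is exposed."""

    def __init__(self, clock=utc_now):
        self._entries = []
        self._clock = clock  # timestamps come from the system, never the caller

    def append(self, user_id, record_id, field, before, after, reason):
        if not reason.strip():
            raise ValueError("reason-for-change is required")
        prev = self._entries[-1]["entry_hash"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries),
            "at_utc": self._clock(),
            "user_id": user_id,
            "record_id": record_id,
            "field": field,
            "before": before,
            "after": after,
            "reason": reason,
            "prev_hash": prev,
        }
        entry["entry_hash"] = entry_hash(entry)
        self._entries.append(entry)
        return entry["entry_hash"]

    def export(self):
        """Copy for review or archive; callers cannot reach the live list."""
        return copy.deepcopy(self._entries)


def first_broken_entry(entries):
    """Index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev or entry_hash(e) != e["entry_hash"]:
            return i
        prev = e["entry_hash"]
    return -1


def build_sample_trail():
    """Constructed sample: three changes to one batch step, fixed clock."""
    ticks = iter(["2026-01-12T08:00:00Z", "2026-01-12T08:05:00Z", "2026-01-12T09:30:00Z"])
    trail = AuditTrail(clock=lambda: next(ticks))
    rid = "BATCH-0001/step-4"
    trail.append("jdoe", rid, "weight_kg", None, 12.50, "initial entry")
    trail.append("jdoe", rid, "weight_kg", 12.50, 12.05, "transposed digits, re-read scale")
    trail.append("asmith", rid, "status", "open", "reviewed", "QA review complete")
    return trail.export()
```

A chain only proves internal consistency: someone able to rewrite the whole store could rebuild it, so the latest `entry_hash` should also be recorded somewhere normal users and administrators of the application cannot alter.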

Review matters too. Many organizations implement audit trails and never review them. That is control theater. Mature Part 11 programs establish risk-based audit trail review practices and can demonstrate them under pressure. Practical implementation patterns are covered in Audit Trail Software and integrity governance hubs like Data Integrity, Part 11, Annex 11 & Audit Trails.

9) Record lifecycle integrity: corrections, revision control, and master data

Most Part 11 failures are not about initial entry. They are about what happens after: corrections, overrides, and changes to the “rules of the game.” A compliant system must support controlled corrections without destroying the original truth. That means: the original entry remains visible, the correction is attributable and time-stamped, and the reason-for-change is captured where required.

Correction behavior must align with documentation discipline. If your correction process is “edit the field until it looks right,” you have created the exact integrity risk Part 11 is meant to prevent. Operational correction discipline is reinforced by Good Documentation Practices and practical correction handling via Batch Record Corrections.

Record integrity also depends on controlling upstream definitions: specs, recipes, instructions, and label masters. That is why Revision Control, Master Data Control, and controlled Document Control are part of Part 11 reality, not “separate quality topics.” If you can change the specification without governance, the record’s meaning can be retroactively altered.

10) Validation evidence: CSV, risk-based testing, and “proof tests”

Part 11 expects evidence that the system performs as intended and consistently. That is validation. In regulated environments, this is typically managed through CSV approaches aligned with frameworks like GAMP 5. The key is risk: validate what matters most to product quality, patient/consumer safety, and data integrity.

Validation that only tests happy-path workflows is weak. Real integrity failures occur under stress conditions: exceptions, overrides, corrections, role misuse, and integration bypass attempts. That is why readiness programs should run “proof tests” that demonstrate denial behavior, audit trail completeness, and signature binding. A practical playbook is covered in System Validation and is often assessed in Part 11 Readiness.

Part 11 “Proof Tests” to include in validation

  1. Attempt an unauthorized action (wrong role). Confirm it is blocked and logged.
  2. Attempt to edit a critical value after approval. Confirm controlled correction behavior and traceability.
  3. Attempt to sign with ambiguous meaning. Confirm signature meaning is explicit (review vs approval vs authorship).
  4. Attempt to post a record change via integration/API. Confirm the same validation and audit trail rules apply.
  5. Retrieve a historical record and its audit trail from archive and confirm completeness and readability.

11) Time, timestamps, and attribution: making “when” defensible

Part 11 records must be time-stamped in a defensible way. “When” is not a cosmetic detail; it is evidence. If system clocks drift, time zones are inconsistent, or users can manipulate timestamps, your audit trail becomes questionable. In investigations, sequence matters: what happened first, what happened after, and how long a condition persisted.

A defensible time model typically includes centralized time synchronization, consistent time zone handling, and audit trails that record event timestamps in a consistent system of time. If you run multi-site operations, time integrity becomes even more critical because people will compare events across systems and locations.

Tell-it-like-it-is: if you cannot reliably answer “who did what when,” then you cannot reliably defend the record. The system may still run production, but it will not stand up as compliance evidence when the pressure hits.

12) Retention & retrieval: durable records over multi-year horizons

Retention is where “paperless” projects go to die. Year one looks great. Year five, you can’t retrieve records, exports don’t include audit trails, or the system migration broke signature linkage. Part 11 requires that records remain available, readable, and retrievable for the full retention period required by the predicate rule.

Strong retention programs are not just storage. They include verified backup/restore, tested retrieval procedures, documented retention periods, and controlled migrations that preserve record meaning. That posture is supported by Record Retention – Data Integrity & Archival and operationalized through Record Retention Policy.

One practical standard: you should be able to retrieve a record quickly, show the signature manifestations, and show the relevant audit trail entries without needing a “system historian” who remembers legacy configurations. If retrieval requires tribal knowledge, it is not a control—it is a vulnerability.

13) Integrations: stopping bypass paths and split truths

Modern stacks integrate ERP, WMS, MES, QMS, LIMS, devices, and reporting systems. Integrations create the biggest Part 11 risk: bypass paths. If an external system can modify the record truth without passing through the same rules and audit trail logic, your control model collapses.

Examples of integration-driven integrity failures:

  • Imports or APIs that update results without generating equivalent audit trail entries.
  • ERP transactions that “fix” manufacturing consumption after the fact without controlled correction behavior.
  • External label printing paths that can print superseded revisions outside controlled approvals.

Part 11-aligned architecture requires a single authoritative rule set and equivalent enforcement regardless of entry path (UI, API, import). Integration patterns and governance are commonly addressed in ERP Integration and broader architecture guidance like MES, WMS, QMS, ERP Architecture Hub.

Litmus test: If any system can “make the record look right” without going through the same validation, access rules, and audit trails as the primary system, you don’t have Part 11 control—you have competing truths.
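The "single authoritative rule set" above, and proof tests 1, 2 and 4 from section 10, can be exercised with a small model. This is an added example, not V5 or any vendor's code: the authorization matrix, record, users and the `erp-integration` identity are constructed, and the audit log is deliberately simplified to show enforcement rather than log protection.

```python
from dataclasses import dataclass, field

# Constructed authorization matrix (assumption): role -> fields it may change.
PERMISSIONS = {"operator": {"weight_kg"}, "qa": {"weight_kg", "disposition"}}


class Denied(Exception):
    pass


@dataclass
class RecordStore:
    records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # simplified log, no timestamps

    def apply_change(self, channel, user_id, role, record_id, field_name, value, reason=""):
        """The only write path. Every entry path must go through it."""
        rec = self.records[record_id]
        why = None
        if field_name not in PERMISSIONS.get(role, set()):
            why = "role not authorized for field"
        elif rec["approved"] and not reason.strip():
            why = "post-approval change requires reason-for-change"
        event = {"channel": channel, "user_id": user_id,
                 "record_id": record_id, "field": field_name}
        if why:
            # Denied attempts are evidence too: log before refusing.
            self.audit.append({**event, "event": "denied", "attempted": value, "why": why})
            raise Denied(why)
        before = rec["data"].get(field_name)
        rec["data"][field_name] = value
        self.audit.append({**event, "event": "changed",
                           "before": before, "after": value, "reason": reason})
        return rec["data"]


# Entry-path adapters translate input and hold no rules of their own.
def ui_edit(store, session, record_id, field_name, value, reason=""):
    return store.apply_change("ui", session["user_id"], session["role"],
                              record_id, field_name, value, reason)


def api_patch(store, claims, payload):
    return store.apply_change("api", claims["sub"], claims["role"],
                              payload["record_id"], payload["field"],
                              payload["value"], payload.get("reason", ""))


def attempt(call, *args):
    """Run one proof test; return 'allowed' or the denial reason."""
    try:
        call(*args)
        return "allowed"
    except Denied as exc:
        return str(exc)


def new_store():
    """Constructed sample: one already-approved batch step."""
    return RecordStore(records={"BATCH-0001/step-4": {
        "approved": True,
        "data": {"weight_kg": 12.05, "disposition": "pending"},
    }})
```

The proof is that the same request produces the same outcome and an equivalent log entry whether it arrives through `ui_edit` or `api_patch`; an adapter that wrote to `records` directly would be the bypass path the section warns about.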

14) Procedures that make Part 11 real: GDP, training, periodic review

Part 11 is never only technical. You need procedural governance that keeps controls from degrading: access lifecycle, training, review practices, controlled corrections, and change control. If you don’t have SOPs that match actual behavior, the system will drift into “whatever gets the job done,” which is exactly how shared logins and informal overrides become normalized.

Procedures that carry disproportionate Part 11 weight include:

  • Access governance: request/approve/provision/deprovision (see Access Provisioning).
  • Documentation discipline: correct entries without erasing truth (see GDP).
  • Correction discipline: ensure controlled correction behavior is normal (see Batch Record Corrections).
  • Periodic review: access reviews, audit trail review sampling, and control erosion monitoring.

Done correctly, procedures don’t slow operations—they prevent late-stage forensic cleanup and reduce the frequency of investigations driven by weak evidence.

15) Inspection readiness: what auditors probe and how to demonstrate control

Inspectors rarely start by asking for a “Part 11 binder.” They start with a record that matters: a batch decision, a deviation disposition, a label approval, or a critical test result. Then they walk backward: who created it, what changed, who approved, what does the signature mean, and can the system prevent cheating.

A practical inspection readiness routine is to run controlled demonstrations that force failure conditions. Don’t show dashboards. Show controls. A readiness playbook is supported by Audit Readiness and reinforced by programs like Part 11 Readiness.

Copy/paste audit demo script (Part 11 controls)

  1. Pick one high-risk record (release, deviation disposition, or critical in-process sign-off).
  2. Show the record, then show the full audit trail for that record (before/after values).
  3. Attempt an unauthorized action; show the system blocks and logs the denied attempt.
  4. Perform a controlled correction with reason-for-change and show the record remains attributable.
  5. Show signature meaning (review vs approval) and the signature manifestation on the record.
  6. Retrieve a historical record from archive and prove readability and completeness.

16) Common failure modes: where Part 11 collapses in real plants

  • Shared logins: convenience beats compliance; attribution is destroyed.
  • Admin-as-operations: privileged access becomes the default workflow path.
  • Audit trails without before/after values: logs exist but don’t prove integrity.
  • Unreviewed audit trails: the “camera” is installed but nobody looks at it.
  • Ambiguous signatures: “sign” has no defined meaning; approvals become vague.
  • Uncontrolled corrections: edits overwrite truth rather than preserving history.
  • Integration bypass: external systems can mutate records without equivalent control.
  • Weak retention: records can’t be retrieved years later with complete context.
  • Validation that ignores exceptions: only happy-path is tested; real failures occur in edge cases.

Reality check: If your “compliance” depends on good intentions and memory, it will fail under schedule pressure. Part 11 exists because that failure pattern is universal.

17) How this maps to V5 by SG Systems Global

V5 supports Part 11-aligned operations by enforcing the behaviors Part 11 demands: attributable actions (unique users), role-based authority, segregation of duties, secure audit trails, controlled electronic signatures with meaning, governed corrections, and retention-ready records. The objective is not to generate prettier records; it is to make records hard to dispute because the system prevents convenient fiction.

Part 11 is most effective when it is implemented as an integrity stack across execution, quality, and inventory—not as an IT checkbox. That stack is relevant across regulated industries including Pharmaceutical Manufacturing, Medical Device Manufacturing, and Dietary Supplements Manufacturing.

18) Extended FAQ

Q1. What is 21 CFR Part 11?
21 CFR Part 11 defines the criteria under which electronic records and electronic signatures are considered trustworthy and acceptable in place of paper records and handwritten signatures for records required by FDA predicate rules.

Q2. When does Part 11 apply?
Part 11 applies when you create or maintain electronic records required by predicate rules (see Predicate Rule) and/or use electronic signatures to approve or sign those records.

Q3. What is the biggest red flag for Part 11?
Shared logins and over-privileged roles. If you can’t prove unique attribution and authority boundaries, the integrity of the records collapses regardless of how polished the UI looks.

Q4. Do audit trails matter if QA reviews everything?
Yes. Review does not replace traceability. A secure audit trail is how you prove what changed and why, especially during investigations and inspections.

Q5. What’s the fastest way to test whether a system is Part 11-ready?
Run “proof tests”: attempt unauthorized actions, attempt post-approval edits, perform controlled corrections, validate signature meaning, and test integration paths. A real program blocks, logs, and preserves evidence (see Part 11 Readiness).

Q6. How do Part 11 and Annex 11 relate?
They are different frameworks, but they share the same integrity concerns: validated systems, controlled access, audit trails, and defensible records. See Annex 11 for EU expectations.


Related Reading
• Glossary Crosslinks: Predicate Rule | Data Integrity | ALCOA / ALCOA+ | Audit Trail (GxP) | Electronic Signatures | User Access Management (UAM) | Segregation of Duties in MES | Computer System Validation (CSV) | GAMP 5 | Annex 11 | 21 CFR Part 211
• Implementation Guides: Part 11 Readiness | Electronic Signatures (Part 11) | Audit Trail Software | System Validation | Good Documentation Practices | Batch Record Corrections | Record Retention Policy | Audit Readiness | ERP Integration | MES/WMS/QMS/ERP Architecture Hub

