21 CFR Part 11

21 CFR Part 11 is a U.S. Food and Drug Administration (FDA) regulation that defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures for FDA-regulated activities.

Scope and purpose

Part 11 applies to FDA-regulated organizations, such as pharmaceutical, biotechnology, medical device, certain food, and other life science manufacturers, when they use electronic systems to create, modify, maintain, archive, retrieve, or transmit records required by FDA regulations or submitted to the FDA.

It covers both:

• Electronic records: Data and documents stored and managed in electronic form (for example, batch records in MES, quality records in QMS, equipment logs in SCADA or data historians).
• Electronic signatures: Computer-based methods of sign-off that are intended to be the legal equivalent of handwritten signatures.

Key regulatory expectations

Although specific implementations vary, 21 CFR Part 11 commonly refers to requirements in areas such as:

• System validation: Demonstrating that software and computerized systems (for example, MES, LIMS, QMS, DMS, SCADA) perform as intended and consistently.
• Record integrity and security: Protecting records from unauthorized access, alteration, or deletion, including role-based access control and secure storage.
• Audit trails: Computer-generated, time-stamped audit trails that independently record the date, time, user, and nature of actions that create, modify, or delete electronic records.
• User identification and authentication: Unique user IDs and robust authentication mechanisms to ensure that actions and signatures can be reliably attributed to a specific individual.
• Electronic signature controls: Defined signature components (such as user ID plus password or biometric), linking of signatures to their records, and procedural controls over signature use.
• Policies and procedures: Documented procedures, training, and administrative controls that govern how systems are used, maintained, and periodically reviewed.
• Record retention and retrieval: Ensuring that records remain readable, accessible, and retrievable for the required retention period.

Operational meaning in industrial and manufacturing systems

In manufacturing and industrial operations, 21 CFR Part 11 typically affects how OT and IT systems are specified, deployed, and governed when they support regulated products or processes. Example impacts include:

• Configuring MES, LIMS, or QMS workflows so that approvals, reviews, and sign-offs use controlled electronic signatures with appropriate authentication.
• Ensuring automated data capture from equipment, PLCs, or data historians includes protected, reviewable audit trails for critical parameters.
• Integrating ERP, DMS, and shop-floor systems so that regulated records remain complete and traceable across system boundaries.
• Establishing validation and change control for software used in production, quality, and laboratory operations that generate or manage FDA-relevant records.

What 21 CFR Part 11 does not cover

• It does not define how to design processes or products; it focuses on controls for electronic records and signatures.
• It is not a general IT security standard, although it intersects with cybersecurity and access control practices.
• It does not apply to records that are not required by FDA regulations or filings, unless an organization chooses to apply similar controls broadly.

Common confusion

• Generic e-signature vs. Part 11 electronic signature: A basic electronic signature feature (for example, commercial e-sign tools) is not automatically considered Part 11 compliant. Additional technical controls, validation, audit trails, and procedural governance are typically needed.
• System “being Part 11” vs. using it in a Part 11 context: Commercial software is often described as “Part 11 capable” or “supports Part 11 requirements,” but the regulation applies to how a system is configured, validated, and used within a specific quality system, not to the product alone.
• 21 CFR Part 11 vs. EU Annex 11: Both address computerized systems and electronic records in regulated environments, but they are separate regulatory frameworks from different authorities and should not be treated as identical.

Connection to electronic signature approval workflows

When electronic signatures are used for approvals in regulated manufacturing environments (such as batch release, deviation approval, CAPA closure, or document change control), 21 CFR Part 11 is commonly referenced as the regulatory basis for ensuring those signatures are uniquely attributable, securely applied, and traceably linked to the associated electronic records.