21 CFR Part 11 is the FDA regulation that sets the conditions under which electronic records and electronic signatures are trustworthy, reliable, and equivalent to paper records and handwritten signatures. It applies across FDA-regulated industries, food, pharmaceuticals, medical devices, biologics, whenever records required by other FDA rules are kept electronically.

Part 11 has a reputation for being confusing, and most of the confusion comes from three things: it never applies on its own (a “predicate rule” has to require the record first), FDA formally narrowed how it enforces the rule back in 2003, and vendors stretch the phrase “Part 11 compliant” to mean almost anything. This post untangles all three, and lays out the actual requirements as a checklist you can hand to IT, quality, and any software vendor you are evaluating.

What is 21 CFR Part 11?

Part 11, codified at 21 CFR Part 11 and issued by FDA in 1997, defines the criteria for accepting electronic records and electronic signatures in place of paper and ink. The logic is equivalence: paper records earn trust through physical properties (ink is hard to alter invisibly, signatures are hard to forge, pages sit in a controlled file room). Electronic records have none of those properties by default, so Part 11 requires systems to supply them deliberately: validation, audit trails, access controls, and signature controls.

The rule has three parts. Subpart A covers scope and definitions. Subpart B covers electronic records, with the closed-system controls in section 11.10 doing most of the work, plus open-system controls (11.30), signature manifestation requirements (11.50), and signature-to-record linking (11.70). Subpart C covers electronic signatures: general requirements (11.100), signature components and controls (11.200), and controls for ID codes and passwords (11.300).

When does Part 11 apply? The predicate rule test

Part 11 applies only when some other FDA regulation, the predicate rule, requires you to create or keep the record, and you choose to keep it electronically or sign it electronically. Part 11 itself never requires a single record; it only governs the electronic form of records other rules demand.

Examples make it concrete. A drug manufacturer's batch production records are required by 21 CFR 211 (the predicate rule); keep them in software instead of on paper and Part 11 applies to that system. A food plant's preventive-controls monitoring records are required by 21 CFR 117; move those checks to tablets and Part 11 is in scope (Part 117 explicitly says electronic records kept under it must comply with Part 11, while noting FDA's enforcement-discretion guidance). A spreadsheet nobody is required to keep, meanwhile, is not a Part 11 record no matter how it is stored. That is the test to run on every system: what predicate rule requires this record, and is the record electronic?

What is the difference between closed and open systems?

The distinction is about who controls access to the system, and it decides which control set applies. A closed system is one where access is controlled by the same people responsible for the records in it, your MES, QMS, or LIMS inside your environment, including hosted systems where access is governed by your organization. An open system is one where access is not controlled by the people responsible for the records, such as records transmitted through third-party networks you do not govern. Closed systems follow 11.10. Open systems follow 11.30, which is 11.10 plus additional measures such as encryption and digital signature standards to protect records in transit. Most plant systems are closed systems.

What does Part 11 actually require? The compliance checklist

It requires that you can prove your electronic records are authentic, unaltered, attributable, and reproducible, and that electronic signatures are genuinely the act of the person who applied them. Here is the requirement set as a working checklist, consolidated from 11.10 through 11.300.

  1. System validation (11.10(a)). Document evidence that the system does what it is supposed to do: accuracy, reliability, consistent intended performance, and the ability to detect invalid or altered records. Scale the effort to risk; a signature workflow for batch release deserves more rigor than a training-log viewer.
  2. Accurate and complete copies (11.10(b)). The system must generate accurate, complete copies of records in both human-readable and electronic form, so FDA can inspect them.
  3. Record protection and retention (11.10(c)). Records must be protected and readily retrievable for their full retention period, which is set by the predicate rule, not by Part 11.
  4. Access controls (11.10(d), (g)). System access limited to authorized individuals, with authority checks so only permitted users can sign, alter, or perform operations. Shared logins are the classic failure here; attribution dies with them.
  5. Audit trails (11.10(e)). Secure, computer-generated, time-stamped audit trails that record the who, what, and when of record creation, modification, and deletion, without obscuring previously recorded values, retained as long as the record itself.
  6. Operational and device checks (11.10(f), (h)). Enforced sequencing of steps where order matters, and checks on the validity of data sources and terminals where required.
  7. Signature manifestation and linking (11.50, 11.70). Signed electronic records must display the signer's printed name, the date and time, and the meaning of the signature (reviewed, approved, authored), and signatures must be linked to their records so they cannot be excised or copied to falsify anything.
  8. Electronic signature controls (11.100–11.300). Each signature unique to one person and never reassigned; identity verified before assignment; non-biometric signatures built from at least two components (typically ID plus password); passwords managed, aged, and deauthorized when compromised. Organizations must also certify to FDA, once, in writing, that electronic signatures in their systems are the legally binding equivalent of handwritten ones.
  9. Training and accountability (11.10(i)–(k)). People who develop, use, or maintain the systems must be qualified and trained; written policies must hold individuals accountable for actions under their signatures; and documentation for the system itself must be controlled with change history.
21 CFR Part 11 requirement map 21 CFR Part 11 applies via predicate rules Subpart B · Electronic records 11.10 · 11.30 · 11.50 · 11.70 Subpart C · E-signatures 11.100 · 11.200 · 11.300 Validation 11.10(a) Audit trails 11.10(e) Access controls 11.10(d),(g) Copies + retention 11.10(b),(c) Sign. manifestation 11.50 + link 11.70 Open systems: + encryption · 11.30 Unique to one person · 11.100 Two components ID + password · 11.200 Password controls aging, revoke · 11.300 PLUS FDA certification letter (one-time) training + written accountability policies SOPs + doc control
The Part 11 requirement map: Subpart B governs electronic records, Subpart C governs electronic signatures, and procedural controls wrap both.

What did the 2003 enforcement-discretion guidance change?

It narrowed how FDA enforces Part 11 without changing the regulation's text. After years of industry complaints that broad readings of Part 11 were driving huge compliance costs, FDA issued the 2003 guidance Part 11, Electronic Records; Electronic Signatures — Scope and Application (availability announced in the Federal Register, September 5, 2003). Three moves matter:

Read the fine print before relaxing, though. Enforcement discretion is not repeal: predicate rules still fully apply, records must still be trustworthy and available, and FDA can and does cite data-integrity failures under the predicate rules themselves (missing batch data, shared passwords, deleted results). The signature requirements of Subpart C were never covered by the discretion at all. Treat the 2003 guidance as permission to be risk-based, not permission to skip controls.

What does “Part 11 compliant software” actually mean?

Less than the brochure implies. FDA does not certify, approve, or endorse software, so no product can be “Part 11 certified,” and no software is compliant on its own. Compliance is a property of your implementation: the technical controls the software provides, plus the procedural controls, validation, SOPs, training, account management, that only your organization can supply. A vendor claiming Part 11 compliance is really claiming its product has the technical capability to support your compliance.

So translate the marketing into questions. Does the system enforce unique logins and role-based permissions? Does it keep a secure, time-stamped, unalterable audit trail of record changes? Can it produce complete human-readable and electronic copies for an inspector? Do signed records show name, date/time, and meaning of signature? Can records be retained and exported for the full predicate-rule retention period? Will the vendor support your validation with documentation? Any honest vendor of QMS software or plant systems for regulated environments should answer all six without flinching, and put the answers in writing.

Why does Part 11 matter for plants going paperless?

Because digitizing regulated paperwork changes the rules that apply to it, and the plants moving fastest to tablets and connected-worker tools are exactly the ones creating electronic records. The good news: done right, electronic records are not a compliance burden but a compliance upgrade. Paper logs get backfilled, lost, and signed illegibly; a well-controlled digital record is time-stamped, attributed to a logged-in individual, and searchable in seconds, which is the same quality that makes records useful for running the plant day to day. That is the design philosophy behind Harmony's paperwork digitization: capture at the station, attributed and immediately available, layered onto the systems you already run (see the platform modules). No rip-and-replace.

Part 11 sits in a family of record-integrity rules worth knowing together: GMP regulations supply most of the predicate records in manufacturing, and FSMA 204 is about to force lot-level electronic recordkeeping across much of the food industry. The common thread is simple: regulators trust records they can verify. Build systems that make verification easy and the audits take care of themselves.