21 CFR Part 11 Compliance Guide for Labs

Practical guide to 21 CFR Part 11 for lab electronic records and signatures. Covers validation, audit trails, and access controls.

What Is 21 CFR Part 11?

Title 21, Code of Federal Regulations, Part 11 (21 CFR Part 11) is the FDA regulation that defines the criteria for electronic records and electronic signatures to be considered trustworthy, reliable, and equivalent to paper records. First published in 1997, it remains the foundational regulation for digital data management in FDA-regulated environments.

While Part 11 originates from the FDA, its principles have influenced regulations worldwide and are relevant to any laboratory producing data for markets regulated by the FDA.

Scope and Applicability

Part 11 applies when you use electronic records to satisfy requirements under any FDA predicate rule. If an FDA regulation requires you to maintain certain records or sign certain documents, and you choose to do so electronically, Part 11 applies.

Important nuance: Part 11 does not require you to use electronic records. It defines the conditions under which electronic records are acceptable. The predicate rule determines what records you must keep; Part 11 determines how electronic versions of those records must be managed.

What Counts as an Electronic Record?

Any combination of text, graphics, data, audio, or other information created, modified, maintained, archived, retrieved, or distributed by a computer system. This includes:

  • LIMS records (sample data, test results, reports)
  • Instrument data files
  • Electronic batch records
  • Electronic lab notebooks
  • Validated spreadsheets containing regulated data

Key Requirements

Validation (11.10(a))

Systems used to create, modify, maintain, or transmit electronic records must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

In practice: This means Computerized System Validation (CSV) for your LIMS, ELN, and other systems that handle regulated data.

Audit Trails (11.10(e))

Systems must generate secure, computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Audit trails must:

  • Not be modifiable by any user
  • Be available for FDA review and copying
  • Record changes without obscuring previously recorded information
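
One way to get the properties listed above, shown as an added example rather than code from this guide or any LIMS product: a hash-chained, append-only trail in which each entry keeps the old and new values and commits to the previous entry. The class, field names, and sample entries are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value of the first entry

def _digest(entry):
    # Hash every field except the hash itself, in a canonical JSON form.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only trail: no update or delete method is exposed."""

    def __init__(self):
        self._entries = []

    def record(self, ts, user, action, record_id, old, new):
        # ts comes from the server clock, never from the operator's input.
        entry = {"seq": len(self._entries), "ts": ts, "user": user,
                 "action": action, "record_id": record_id,
                 "old": old, "new": new,  # prior value is kept, not overwritten
                 "prev": self._entries[-1]["hash"] if self._entries else GENESIS}
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry["hash"]  # head hash, to be anchored outside the system

    def export(self):
        # Deep copy for review and copying; callers cannot mutate the trail.
        return json.loads(json.dumps(self._entries))

def verify_trail(entries, anchored_head=None):
    """Return the index of the first bad entry, or None if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
            return i
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(entries)  # tail truncated, or whole chain recomputed
    return None

def sample_trail():
    # Constructed sample: a result is created, then corrected by a second user.
    t = AuditTrail()
    t.record("2024-03-01T09:00:00Z", "asmith", "create", "S-001", None, {"pH": 7.1})
    head = t.record("2024-03-01T09:05:00Z", "bjones", "modify", "S-001",
                    {"pH": 7.1}, {"pH": 7.4})
    return t.export(), head
```

A chain alone does not stop someone with storage access from recomputing every hash, so the head hash returned by `record()` should be anchored somewhere the application cannot write, such as write-once storage.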

Access Controls (11.10(d))

Limit system access to authorized individuals. This includes:

  • Individual user accounts (no shared accounts)
  • Procedures to ensure only authorized users can access the system
  • Procedures to deactivate accounts when personnel leave or change roles
  • Device checks to determine the validity and authenticity of source data

Electronic Signatures (Subpart C)

When electronic signatures replace handwritten signatures, they must:

  • Be unique to one individual (never shared or reassigned)
  • Be verified before use is established
  • Include the printed name, date/time, and meaning of the signature (e.g., review, approval, responsibility)
  • Be linked to their respective electronic records so that signatures cannot be transferred to other records

Biometric signatures (e.g., fingerprint) require the unique identification of the user.

Non-biometric signatures must employ at least two distinct identification components (e.g., user ID and password). For signatures executed during a continuous session, only the first signature requires both components; subsequent signatures within the same session may use only one component.
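
The record-linking requirement above can be enforced cryptographically. The following is an added example, not code from this guide or a specific product: the signature manifestation (printed name, date/time, meaning) is bound to a digest of the record content with an HMAC, so a signature copied onto another record, or left on a record that was later altered, fails verification. The server-held key, field names, and sample records are assumptions; a production system would keep the key in an HSM or KMS, or use per-user asymmetric keys.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: stored in an HSM/KMS in practice
MEANINGS = {"review", "approval", "responsibility"}

def _canon(obj):
    # Canonical JSON so the same content always yields the same bytes.
    return json.dumps(obj, sort_keys=True).encode()

def _mac(sig):
    body = {k: v for k, v in sig.items() if k != "mac"}
    return hmac.new(SERVER_KEY, _canon(body), hashlib.sha256).hexdigest()

def sign_record(record, user_id, printed_name, meaning, signed_at):
    # Called only after the signer has re-authenticated (ID + password).
    if meaning not in MEANINGS:
        raise ValueError("signature meaning must be stated explicitly")
    sig = {"user_id": user_id, "printed_name": printed_name,
           "meaning": meaning, "signed_at": signed_at,
           "record_id": record["id"],
           "record_sha256": hashlib.sha256(_canon(record)).hexdigest()}
    sig["mac"] = _mac(sig)  # covers the manifestation and the record digest
    return sig

def verify_signature(record, sig):
    # All three must hold: untampered manifestation, same record, same content.
    return (hmac.compare_digest(sig["mac"], _mac(sig))
            and sig["record_id"] == record["id"]
            and sig["record_sha256"] == hashlib.sha256(_canon(record)).hexdigest())

# Constructed sample records.
RESULT_A = {"id": "S-001", "test": "assay", "result": 99.2}
RESULT_B = {"id": "S-002", "test": "assay", "result": 87.5}
```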

Record Retention (11.10(c))

Electronic records must be protected throughout their required retention period. This means:

  • Records must remain accessible, readable, and retrievable
  • Data migration between systems must preserve record integrity
  • Backup and recovery procedures must be documented and tested
  • Format obsolescence must be managed (data must be readable even as technology changes)

FDA Guidance on Part 11

The FDA issued a guidance document in 2003 ("Scope and Application") that clarified the agency's enforcement approach. Key points:

  • FDA exercises enforcement discretion and focuses on predicate rule requirements
  • Validation, audit trails, copies of records, and record retention remain enforced
  • Legacy systems (pre-1997) that meet predicate rule requirements need not be retroactively updated
  • Risk-based approaches to compliance are acceptable

This guidance significantly reduced the compliance burden and aligned Part 11 expectations with practical, risk-based implementation.

Practical Steps for Laboratories

  1. Identify which predicate rules apply to your lab and which records they require
  2. Inventory your electronic systems that create or manage those records
  3. Assess each system against Part 11 requirements using a gap analysis
  4. Prioritize based on risk - focus first on systems handling the most critical regulated data
  5. Implement controls - audit trails, access controls, electronic signatures, backup procedures
  6. Validate your systems using a CSV approach proportionate to risk
  7. Train your staff on both the regulatory requirements and the specific system procedures
  8. Document everything - your compliance strategy, validations, training records, and ongoing maintenance

Common Misconceptions

  • "Part 11 means we cannot use Excel." Not true. You can use spreadsheets if appropriate controls are in place (validation, access control, audit trail for changes, backup).
  • "Every electronic record needs an electronic signature." Only records that require a signature under the predicate rule need one. Many records simply need to be maintained with integrity.
  • "Compliance requires expensive software." While dedicated systems help, compliance is about controls and processes, not specific products.

Bottom line: 21 CFR Part 11 sets the bar for trustworthy electronic records. Focus on validation, audit trails, access controls, and electronic signature integrity. A risk-based approach, aligned with FDA guidance, keeps compliance practical without compromising data integrity.