TrialTrack - Clinical Trial Project Management

Compliance

21 CFR Part 11: A Conditional Rule, Not a Checklist

Dejan Murko

At a glance

  • 21 CFR Part 11 is the FDA rule that lets electronic records and electronic signatures stand in for paper, on the condition that they are trustworthy and reliable. It is not a feature checklist you buy.
  • Part 11 is conditional. It only bites once a separate “predicate rule” requires you to keep or submit the record, and you choose to do so electronically. Many digital files are simply not in scope.
  • The rule has two halves that people blur together: electronic records (validation, audit trails, access, copies, retention) and electronic signatures (attributable, multi-component, linked to the record).
  • The 2003 Scope and Application guidance narrowed how FDA enforces Part 11, which is why “everything digital is in scope” is wrong.
  • “Part 11 compliant software” is a vendor’s claim about capabilities, not a switch. Compliance is a property of how you validate and operate a system, and it stays your responsibility.

If you are new to 21 CFR Part 11, the search results will leave you more anxious than informed. They collapse “what the rule says” with “how to comply” and a vendor pitch, imply Part 11 applies to every electronic record you hold, and blur electronic records and electronic signatures into one undifferentiated “compliance” blob. The most important thing to understand first is the opposite of what those pages imply: Part 11 is a conditional rule, and a good deal of what you store digitally may not be in scope at all.

This guide explains the rule itself, plainly and accurately. It covers what Part 11 is, what it covers and what it does not (including the predicate-rule trigger and the Scope and Application narrowing), the two halves of records and signatures, the core requirements at a high level, why the rule exists, and where to start increasing compliance. It stays deliberately shallow on the how-to: the checklist, validation methodology, the spreadsheet edge cases, and audit-trail mechanics each have their own dedicated guides, linked where relevant.

What is 21 CFR Part 11?

21 CFR Part 11 is the part of US federal regulation governing electronic records and electronic signatures in FDA-regulated activities. Its core idea is trustworthy equivalence: it sets the conditions under which the FDA will treat electronic records and electronic signatures as trustworthy, reliable, and generally equivalent to paper records and handwritten signatures.

The trustworthy-equivalence idea

Part 11 exists so that regulated organizations can go paperless without weakening the integrity of their records. The rule’s statement of controls for closed systems (§ 11.10) requires procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate a signed record as not genuine. That sentence captures the whole intent: an electronic record should be at least as hard to forge, alter, or disown as a paper one.

What Part 11 covers, and what it does not

This is the section the ranking pages skip, and it is the one that saves you from over-applying the rule.

The predicate-rule trigger: Part 11 only applies once another rule requires the record

Part 11 does not, by itself, require you to keep any record. It governs how you keep records that some other regulation, a “predicate rule,” already requires you to maintain or submit. The 2003 Scope and Application guidance is explicit: when persons choose to use records in electronic format in place of paper format, Part 11 would apply, but the underlying obligation to keep the record comes from the predicate rules, and records required to be maintained or submitted must remain secure and reliable in accordance with those predicate rules (Scope and Application).

The practical consequence is large: ask first whether a predicate rule requires the record at all. If no regulation requires you to keep it, Part 11 is not the question. If a predicate rule does require it and you keep it electronically, Part 11’s controls apply to that record.

How Scope and Application narrowed enforcement

In 2003 the FDA issued guidance narrowing how it interprets and enforces Part 11. The agency stated it would exercise enforcement discretion with respect to certain Part 11 requirements (validation, audit trails, record retention, record copying, and legacy systems), applying the rule more narrowly than its broadest possible reading, while still expecting the predicate rules’ own record requirements to be met (Scope and Application). This is why the blanket claim that “every electronic record is fully in scope for every Part 11 control” is wrong. The rule is real and enforced, but its reach is bounded by the predicate rule and shaped by that guidance. (Note that guidance describes the agency’s current thinking; the binding obligations are the rule and the predicate rules themselves.)

Electronic records vs. electronic signatures (two halves of the rule)

Part 11 has two distinct subjects, and treating them as one “compliance” lump causes confusion.

  • Electronic records are the data and documents you keep electronically. Part 11’s record controls (validation, audit trails, access control, copies, retention) govern these.
  • Electronic signatures are the electronic equivalent of a handwritten signature applied to a record. Part 11’s signature controls govern how those are made trustworthy and bound to the record.

You can have electronic records without electronic signatures. The signature controls only matter where you actually use electronic signatures. Knowing which half you are dealing with keeps your effort aimed correctly.

The core requirements at a glance

Kept high level here; the checklist sibling turns these into line items.

Records controls (§ 11.10)

For closed systems (where access is controlled by the people responsible for the records), Part 11 calls for, among other controls:

  • Validation of systems to ensure accuracy, reliability, and consistent intended performance, and the ability to discern invalid or altered records (§ 11.10(a)).
  • Accurate and complete copies of records in human-readable and electronic form for inspection (§ 11.10(b)), and protection of records for ready retrieval throughout the retention period (§ 11.10(c)).
  • Limiting system access to authorized individuals (§ 11.10(d)) and authority checks so only authorized people can use the system or sign records (§ 11.10(g)).
  • Secure, computer-generated, time-stamped audit trails that independently record the date, time, and author of entries that create, modify, or delete records, without obscuring previously recorded information, retained as long as the record (§ 11.10(e)).
  • Operational and device checks, training, and written accountability policies (§ 11.10(f), (h)-(k)).

Open systems (where access is not controlled by those responsible for the records) require the § 11.10 controls plus additional measures such as encryption and digital signatures as appropriate (§ 11.30).

Signature requirements

Where electronic signatures are used:

  • Signed records must show the printed name of the signer, the date and time of signing, and the meaning of the signature (such as review, approval, or authorship) (§ 11.50).
  • Signatures must be linked to their records so they cannot be excised, copied, or transferred to falsify a record (§ 11.70).
  • Each electronic signature must be unique to one individual and never reused or reassigned, and the organization must verify the signer’s identity before assigning it (§ 11.100). Non-biometric signatures must use at least two distinct identification components, such as an ID and a password; within one continuous session the first signing uses both components and later signings at least one (§ 11.200). The IDs and passwords themselves are subject to their own controls: uniqueness, periodic revision, and procedures for lost or compromised credentials (§ 11.300).
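To make the audit-trail bullet under § 11.10(e) and the signature bullets under § 11.50 and § 11.70 concrete, here is an added illustration in Python. It is not TrialTrack code and not FDA text. It is a toy closed-system record store that I assume runs in a single process with a server-held linking key (hypothetical); it hash-chains every create, modify, and signature entry so that nothing can be edited in place without detection, keeps the old value beside the new one so earlier information is never obscured, and binds each signature manifestation (printed name, time, meaning) to a hash of the record content at signing time. The subject, user, and dose values are constructed sample data.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first audit entry


def canon(obj) -> bytes:
    """Deterministic JSON so hashes do not depend on dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), default=str).encode()


class AuditedRecordStore:
    """Toy closed-system store: every create/modify and every signature is an
    appended, hash-chained audit entry; the trail is never edited in place."""

    def __init__(self, link_key: bytes):
        self._records: dict[str, dict] = {}   # record_id -> current field values
        self._trail: list[dict] = []          # append-only audit trail
        self._link_key = link_key             # assumed server-held secret (hypothetical)

    def _append(self, entry: dict) -> dict:
        prev = self._trail[-1]["entry_hash"] if self._trail else GENESIS
        entry = dict(entry, prev_hash=prev)
        entry["entry_hash"] = hashlib.sha256(canon(entry)).hexdigest()
        self._trail.append(entry)
        return entry

    def set_field(self, record_id, field, new_value, user_id, when=None):
        """Create or modify a field; who, when, old and new value go in the trail."""
        when = when or datetime.now(timezone.utc)
        rec = self._records.setdefault(record_id, {})
        action = "modify" if field in rec else "create"
        old = rec.get(field)
        rec[field] = new_value
        return self._append({"action": action, "record_id": record_id, "field": field,
                             "old_value": old, "new_value": new_value,
                             "user_id": user_id, "timestamp": when.isoformat()})

    def content_hash(self, record_id) -> str:
        return hashlib.sha256(canon(self._records.get(record_id, {}))).hexdigest()

    def sign(self, record_id, user_id, printed_name, meaning, when=None):
        """Signature manifestation (name, date/time, meaning) bound to the record
        content via a keyed MAC, so it cannot be copied onto another record."""
        when = when or datetime.now(timezone.utc)
        manifest = {"action": "sign", "record_id": record_id, "user_id": user_id,
                    "printed_name": printed_name, "meaning": meaning,
                    "timestamp": when.isoformat(),
                    "content_hash": self.content_hash(record_id)}
        manifest["link"] = hmac.new(self._link_key, canon(manifest), "sha256").hexdigest()
        return self._append(manifest)

    def verify_trail(self) -> bool:
        """Recompute the chain; an in-place edit or a removed entry breaks it."""
        prev = GENESIS
        for e in self._trail:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or hashlib.sha256(canon(body)).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def signature_intact(self, entry) -> bool:
        """The manifestation itself was not altered or re-attached elsewhere."""
        if entry.get("action") != "sign":
            return False
        body = {k: v for k, v in entry.items() if k not in ("link", "prev_hash", "entry_hash")}
        expected = hmac.new(self._link_key, canon(body), "sha256").hexdigest()
        return hmac.compare_digest(expected, entry["link"])

    def signature_covers_current(self, entry) -> bool:
        """Signature is intact and the record has not changed since it was signed."""
        return self.signature_intact(entry) and \
            entry["content_hash"] == self.content_hash(entry["record_id"])

    def history(self, record_id):
        return [(e["field"], e["old_value"], e["new_value"]) for e in self._trail
                if e["record_id"] == record_id and e["action"] in ("create", "modify")]


def demo():
    """Constructed walk-through (sample data, not real trial data)."""
    store = AuditedRecordStore(link_key=b"demo-only-key-not-for-production")
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    store.set_field("subj-001", "dose_mg", 50, "jdoe", when=t0)
    store.set_field("subj-001", "dose_mg", 75, "jdoe", when=t0.replace(hour=10))
    sig = store.sign("subj-001", "asmith", "Alice Smith", "approval", when=t0.replace(hour=11))
    results = {"trail_ok": store.verify_trail(),
               "sig_ok": store.signature_covers_current(sig),
               "history": store.history("subj-001")}
    # Edit after signing: signature stays intact but no longer covers current content.
    store.set_field("subj-001", "dose_mg", 80, "jdoe", when=t0.replace(hour=12))
    results["sig_intact_after_edit"] = store.signature_intact(sig)
    results["sig_covers_after_edit"] = store.signature_covers_current(sig)
    # Tampering with a stored entry behind the API's back breaks the chain.
    store._trail[0]["new_value"] = 500
    results["trail_ok_after_tamper"] = store.verify_trail()
    return results


if __name__ == "__main__":
    print(demo())
```

The HMAC link stands in for what a production system would do with a validated database, restricted write access to the trail, and PKI-backed digital signatures; the point it demonstrates is the shape of the controls, not a recommended cryptographic design. Note the split between `signature_intact` and `signature_covers_current`: a later edit should not silently invalidate the original approval record, but it must be visible that the approval predates the change.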

Why Part 11 exists

Part 11 was created so the regulated industries could adopt electronic records and signatures without sacrificing the trust that paper systems provided. Paper has natural integrity properties (a crossed-out entry still shows what was there; a wet-ink signature is hard to forge). Electronic systems can be far more efficient, but only if they are built and operated so that records cannot be silently altered and signatures cannot be repudiated. The rule encodes the conditions that make electronic equivalence trustworthy.

How to increase your compliance with Part 11 (where to start)

Directionally, not as a deliverable:

  1. Scope first. Identify which of your records are actually required by a predicate rule and kept electronically. That set is what Part 11 governs; do not boil the ocean.
  2. Separate records from signatures. Determine where you use electronic signatures, since the signature controls only apply there.
  3. Map your systems to the core controls (validation, audit trail, access, copies, retention) and find the gaps. The checklist sibling helps here.
  4. Treat validation as ongoing. Compliance is a property of how a system is validated and operated, not a one-time purchase. The CSV guides cover the how.
  5. Read vendor claims carefully. “Part 11 compliant” is a claim about a product’s capabilities, a starting point, not a finish line. The compliant-software sibling explains the responsibility split.

A note on tooling: purpose-built clinical software can make the records, access, and audit-trail controls easier to operate than ad hoc files. TrialTrack, for example, is a clinical project management tool whose vendor describes it as offering a Part 11-aligned audit trail; that is TrialTrack’s own claim about its capabilities, and as with any tool it does not by itself confer Part 11 compliance on your organization. That work, and the responsibility, stay with you.

Frequently asked questions

What is 21 CFR Part 11? The FDA rule setting the conditions under which electronic records and electronic signatures are treated as trustworthy and generally equivalent to paper records and handwritten signatures.

What does Part 11 cover, and what does it not? It covers records that a predicate rule requires you to keep or submit and that you choose to keep electronically, plus the electronic signatures applied to them. It does not, by itself, require any record, and the 2003 Scope and Application guidance narrowed how FDA enforces it.

What is a predicate rule? Another regulation that actually requires the record. Part 11 governs how you keep such required records electronically; without a predicate-rule requirement, Part 11 is not triggered.

What is the difference between an electronic record and an electronic signature? An electronic record is the data or document kept electronically; an electronic signature is the electronic equivalent of a handwritten signature applied to a record. Part 11 has separate controls for each, and the signature controls only apply where you use electronic signatures.

Does buying “Part 11 compliant software” make me compliant? No. That phrase describes a product’s capabilities. Compliance depends on how you validate, configure, and operate the system, and on your procedures, which remain your responsibility.

The bottom line

21 CFR Part 11 is a conditional rule about trustworthy electronic records and signatures, not a checklist you purchase. It applies only once a predicate rule requires the record and you keep it electronically, its enforcement was narrowed by the 2003 Scope and Application guidance, and it splits cleanly into record controls and signature controls. Get the scope right first, separate the two halves, then map your systems to the core controls. And remember that “compliant software” is a vendor’s starting point, never your finish line.

Dejan Murko

Dejan is the co-founder of Mayet, building software for biotech and pharma teams.