What is 21 CFR PART 11?

21 CFR Part 11 is a section in the Code of Federal Regulations (CFR) that sets out the United States Food and Drug Administration’s (FDA) guidelines on using electronic records and electronic signatures.

Each title of the CFR addresses a different regulated area.

The title Title 21 relates to Pharmaceutical and Medical Devices with “Part 11” being applicable to electronic records and electronic signatures specifically.

At a high level, Part 11 is a law that ensures that companies and organizations implement good business practices by defining the criteria under which electronic records and signatures are considered to be accurate, authentic, trustworthy, reliable, confidential, and equivalent to paper records and handwritten signatures on paper.

Part 11 therefore allows any paper records to be replaced by an electronic record, and allows any handwritten signature to be replaced by an electronic one.

In fact, there is a requirement under 21 CFR Part 11, that manufacturers implement procedures and checks, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data.

Quote from the standard……FDA regulation 21 CFR 11.10(a)

“Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.”



Computer systems which are used in the creation or transmission of electronic records which are used to meet regulatory requirements must have a collection of technological and procedural controls to protect data within the system.

Validation is required for computer systems or process control systems that are involved in the creation or transmission of electronic records which are used to meet regulatory requirements. This may include process control PC’s, line control PLC’s & HMI’s, Excel spread-sheets, databases etc.

The validation requirements for a computerised system which is used to create, store or transmit electronic records of the type referenced in 21 CFR part 11, may include testing that demonstrates that the system is adequately protected against unauthorised changes (access control) and that the system can protect against or identify any changes made to a record.

Computer systems that control processes may however not be subject to the 21 CFR 11 regulations where paper documents are considered the authoritative document for regulatory purposes however these systems will still require validation.

In order to determine what features a particular computerised control system may need in order to allow an organisation to comply with 21 CFR 11 the following should be considered:

  • Determine if the system is used to create or report any electronic data required by FDA Predicate Rules.
  • Where electronic records are used they must be treated identically to paper records; they must be retained for up to seven years and an appropriate data back-up procedure in place.
  • Confirm if “hard copies” of all FDA required records are kept by the organisation (if so then those paper documents can be considered the “authoritative document” for regulatory purposes and the computer system is not in scope for electronic records requirements).
  • Verify if the computer system allows data-records to be modified by the user.

Tekpak can help

For more information, the full Title 11 can be read on the FDA site at the link below.  If you have any questions on compliance in relation to this article, please contact us on info@tekpak.ie