Guide to FDA 21 CFR Part 11: Electronic Records, e-Signatures and Audit-Ready Compliance

When FDA investigators review your organization’s records, they are looking for more than an end result. They want to see how the record was created, what changed over time, who made those changes and who approved the outcome.

The FDA’s 21 CFR Part 11 rule establishes the controls that make electronic records and electronic signatures compliant, including guidelines for validated systems, secure records and audit trails, and controlled access. Each FDA-regulated system has to meet Part 11 expectations for the records it manages, with a verifiable way to show consistency across processes during an inspection.

So what does Part 11 cover and when does it apply? Below, we give you the ultimate guide to FDA 21 CFR Part 11. 

Contents

What is 21 CFR Part 11?

21 CFR Part 11 scope and exclusions

What is 21 CFR Part 11 compliance?

Why 21 CFR Part 11 is important

Key requirements of 21 CFR Part 11

What industries does Part 11 apply to?

 How to achieve 21 CFR Part 11 compliance 

 Impact of non-compliance 

 The role of QMS software in 21 CFR Part 11 compliance 

 How QT9 software supports 21 CFR Part 11 compliance 

What is 21 CFR Part 11?

21 CFR Part 11 scope and exclusions

21 CFR Part 11 is often described as an electronic documentation regulation, but its scope is more specific. Part 11 does not create new recordkeeping requirements. Instead, it establishes the criteria FDA uses to trust electronic records and electronic signatures when those records are required under other FDA regulations.

What Part 11 covers

Part 11 applies when your organization uses an electronic system to create, modify, maintain, archive, retrieve or transmit records required by FDA regulations and you rely on those electronic records or e-signatures to meet FDA requirements.

That means Part 11 typically comes into play for systems used in FDA-regulated work, such as QMS platforms, manufacturing/production records, laboratory systems, clinical systems and other tools that generate or manage required records.

What “predicate rules” means

Predicate rules are the FDA regulations that require specific records in the first place. Part 11 sits on top of those rules by defining how to control the records if they are electronic. For example, drug CGMP rules require certain production and quality records, and device quality rules require design and production records. Part 11 applies if those required records and signatures are electronic.

What Part 11 does not do

Part 11 is not about best practices for data management, and it does not automatically apply to every business record your company creates. It also does not require companies to use electronic systems or dictate your full quality system design. It simply means that if you use electronic records or e-signatures for FDA-required records, those electronic records must meet Part 11 controls.

Hybrid workflows and Part 11 controls

Many organizations run hybrid processes, where some steps are electronic and others are paper-based. FDA’s Part 11 scope guidance recognizes this reality. The key expectation is that, whichever format you use, you can preserve the content and meaning of the record and maintain appropriate controls so the record remains trustworthy and easily retrievable during review.

What is 21 CFR Part 11 compliance?

To be compliant with 21 CFR Part 11, digital tools must meet several technical and procedural standards that prove your electronic records and signatures are inspection-ready.

Inspection-ready generally means that an organization can show:

• Who created/changed/approved a record

• What was changed

• When it happened (time-stamped)

• Why it happened (when required by your procedures)

• That the system was validated and access was controlled

• That the record is complete, accurate and retrievable

In practice, Part 11 compliance is built on three layers that work together: technology, procedures and ownership.

System controls (technology): The features in your software that protect the record itself. This includes validated systems that perform as intended, secure audit trails that show who did what and when, role-based access so only authorized users can act and reliable retention and retrieval so records can’t be lost and can be produced quickly during an inspection.

Procedural controls (how people use the system): The written rules and routines that keep work consistent. SOPs define how records are created, reviewed, approved and corrected. Training proves users understand their responsibilities, including what an e-signature means. Change control ensures updates to the system or workflows do not break compliance. Periodic reviews confirm controls like access permissions and audit trail review are actually happening, not just documented once.

Governance (accountability and evidence): The structure that makes compliance sustainable. Clear roles assign who owns the process, who administers the system, who approves changes and who reviews audit trails. The evidence is organized and ready: validation documentation, SOPs, training records, access reviews, change records and review logs that demonstrate the controls were followed.

Why 21 CFR Part 11 is important

21 CFR Part 11 underpins the integrity of modern regulated decision-making. When batch records, design files, lab results, complaints, deviations, CAPAs or training records are electronic, the FDA must be confident that:

• Records are complete and retrievable

• Changes are traceable

• Signatures are attributable and not easily repudiated

• Data is protected from improper alteration or loss 

21 CFR Part 11 applies to industries that engage in FDA-regulated activities, when FDA regulations require records and those records are kept electronically, including:

• Pharmaceutical and biologics manufacturing

• Medical device design and manufacturing

• Clinical trials and bioresearch monitoring environments

• Contract development and manufacturing organizations (CDMOs)

• Contract research organizations (CROs)

• Food and beverage processing

• Cosmetics manufacturing

• Laboratories generating regulated results (GLP and GCP contexts)

Part 11 applies when electronic records are required by predicate rules that govern these industries.

How to achieve 21 CFR Part 11 compliance

Part 11 compliance is maintained, not “completed.” It requires repeatable controls that hold up every time a record is created, changed, reviewed or approved, regardless of who is logged in or which site is involved.

1) Define scope

List the records you are required to keep under FDA rules for your product and activities. Then identify which of those records are created, reviewed, approved or stored in electronic systems. Those systems must meet Part 11 controls.

2) Perform a Part 11 gap assessment

Evaluate each in-scope system for validation evidence, audit trail configuration, role-based access, signature controls, backup/restore, retention and retrieval. Document gaps and remediation plans.

3) Establish SOPs

Common standard operating procedures (SOPs) include: system validation, audit trail review, user access management, electronic signature use, data governance, incident management, backup/restore, change control and periodic review.

4) Validate systems based on intended use and risk

Validation should reflect the electronic system’s impact on product quality, patient safety and data integrity. Ensure that you maintain and can demonstrate traceability from requirements to testing to results.

5) Configure and enforce audit trail review

Audit trails are only useful if reviewed. Define what triggers this review, for instance, batch release, deviations or lab exceptions, who reviews and what evidence is retained.

6) Train roles, not just users

Train administrators, reviewers and approvers differently from basic users. Keep training records inspection-ready.

7) Prepare to demonstrate compliance

Practice record retrieval, signature meaning explanations and audit trail demonstrations.

8) Adopt an electronic QMS for centralized, accessible audit-readiness

Impact of non-compliance

Because Part 11 ensures the integrity of digital data, noncompliance is treated as a major data integrity risk. Non-compliance can lead to delayed releases, rework and the kind of regulatory friction that slows growth. It can also trigger more serious outcomes such as warning letters, import controls, recalls and consent decrees depending on the nature and severity of deficiencies.

Beyond regulatory exposure, weak electronic controls often cause operational pain: version confusion, unclear approval status, missing training evidence, slow investigations and disconnected data across departments.

The role of QMS software in 21 CFR Part 11 compliance

Part 11-aligned QMS software turns compliance requirements into consistent workflows and reliable evidence. In a well-designed system, you can centralize:

• Document control with approval routing and effective dates

• Training assignments and completion records tied to SOP revisions

• Deviations, nonconformances and CAPA workflows with approvals

• Change control with risk assessment and implementation evidence

• Audit management and supplier quality records

• Traceable links between records, approvals and supporting attachments

The goal is automated traceability: the ability to show what happened, who approved it and what changed over time without stitching together screenshots and spreadsheets.

How QT9 software supports 21 CFR Part 11 compliance

Part 11 is easiest to maintain when controlled records, approvals and training evidence live in one system with consistent workflows.

QT9 QMS as your compliance hub

QT9 QMS is built to support 21 CFR Part 11 compliance. It is delivered fully validated, giving users a head start on demonstrating to the FDA that your systems consistently perform as intended, with controlled use and retrievable records.

From an operational standpoint, QT9 QMS’s Part 11 support enables:

Standardization across teams and sites: Multi-site capabilities help you apply consistent quality processes, approvals and document controls even when operations are distributed across departments or locations.

Centralized quality workflows in one platform: QT9 QMS includes 28+ modules in a single system, which helps reduce records spread across disconnected tools and improves traceability and audit readiness.

Scalable access for the right stakeholders: QT9 QMS offers unlimited portals for customer, supplier and employees, supporting controlled collaboration and training documentation without creating a patchwork of external systems.

Sustained controls during times of change: Unlimited training and support, plus regular system upgrades, help teams keep procedures current and maintain a consistent way of working as requirements evolve.

Security foundation: QT9 is ISO 27001 certified, supporting a strong security posture that aligns with Part 11 expectations around limiting access and protecting records.

Licensing and usability that supports broad adoption: A concurrent license model can make it easier to roll controlled workflows out to more users without restricting participation to a small group. Intuitive user interface improves system adoption and speeds ROI.

QT9 ERP: Audit-ready operation controls

QT9 ERP also supports 21 CFR Part 11 electronic records that touch operational data, including production, inventory and materials planning. Native integration with QT9 QMS ensures consistency in how records are created, approved and retained across connected workflows.

Final takeaway

21 CFR Part 11 is the FDA’s rulebook for trusting electronic records and electronic signatures used to meet FDA recordkeeping requirements. Compliance comes down to proving three things, consistently: your systems perform as intended (validation), your records are protected and traceable (secure access, audit trails, retention/retrieval) and your organization runs those systems under controlled procedures (SOPs, training, change control and ongoing review).

When those pieces work together, inspections move faster, investigations become easier to support and teams spend less time reconstructing control history. A Part 11–aligned electronic QMS, like QT9, helps by centralizing controlled workflows and evidence so you can show who did what, when and why, then produce complete record histories on demand.