21 CFR Part 11 Compliance Checklist: Electronic Records and Electronic Signatures

21 CFR Part 11 is the FDA regulation that defines the conditions under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures in FDA-regulated industries. Published in 1997, it applies to records that FDA requires regulated companies to maintain or submit, when those records are created, modified, maintained, archived, retrieved, or transmitted electronically.

For quality managers implementing or evaluating electronic quality management systems, document management platforms, laboratory information management systems (LIMS), or electronic batch records, Part 11 compliance is not optional. FDA inspectors cite Part 11 deficiencies regularly — and the consequences range from warning letters requiring costly remediation to import alerts that halt product distribution.

This checklist covers the core requirements of 21 CFR Part 11, organized by compliance area, with practical implementation guidance for each requirement.

Scope: when 21 CFR Part 11 applies

Part 11 applies to electronic records that FDA regulations require a company to create or maintain, and to electronic signatures applied to those records. It does not apply to records that companies choose to maintain electronically but that are not FDA-required. However, FDA’s predicate rule requirements — the underlying regulations that require specific records in the first place — remain in effect regardless of the format in which records are kept.

Systems that typically fall within Part 11 scope in regulated life sciences companies include:

  • Electronic quality management systems (eQMS) managing SOPs, CAPAs, deviations, and change control records
  • Electronic batch records for pharmaceutical manufacturing
  • Laboratory information management systems storing analytical test results
  • Electronic document management systems for controlled documents
  • Electronic training management systems tracking employee qualification
  • Computerized manufacturing execution systems (MES) generating production records
  • Clinical trial management systems for FDA-required study records

FDA’s 2003 guidance on Part 11 scope and application clarified that the agency intends to take a risk-based approach to enforcement — focusing on records and signatures whose integrity is most critical to product safety. This guidance reduced the compliance burden for lower-risk records but did not eliminate Part 11 requirements for records whose accuracy and integrity directly affect patient safety and product quality decisions.

Section 11.10: controls for closed systems

The majority of Part 11’s substantive technical requirements appear in section 11.10, which covers closed systems — systems where access is controlled by the owner of the system. Most enterprise eQMS platforms are closed systems under this definition.

Validation (11.10(a))

Systems used to create, modify, maintain, archive, retrieve, or transmit electronic records must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Computer system validation (CSV) under FDA’s Computer Software Assurance (CSA) guidance provides the framework for meeting this requirement.

Checklist items:

  • Validation plan or CSA risk assessment exists and is approved
  • User requirements specifications document intended system use and critical functions
  • Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) protocols are executed and approved
  • Validation summary report is approved by quality management
  • Periodic review schedule is defined and executed
  • System changes go through a documented change control and impact assessment process

Audit trail (11.10(e))

Systems must use computer-generated, time-stamped audit trail records to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Audit trails must be retained for a period at least as long as required for the subject electronic records and must be available for agency review and copying.

Checklist items:

  • Audit trails are system-generated and cannot be modified or deleted by regular users
  • Each audit trail entry captures: user identity, timestamp (date and time), nature of the action (create, modify, delete), and the original and new value for modified fields
  • Audit trail retention period matches or exceeds the retention requirement for the associated records
  • Audit trails are reviewed periodically as part of quality oversight activities
  • Audit trails are accessible for FDA inspection and can be exported in human-readable format

FDA inspectors frequently check audit trail integrity during inspections of electronic systems. The most common finding is an audit trail that exists but is not routinely reviewed — Part 11 requires both the existence of audit trails and periodic review of those trails to detect unauthorized changes.

System access controls (11.10(d))

Systems must limit access to authorized individuals. Access control is fundamental to the integrity of electronic records — if unauthorized users can create, modify, or delete records, the records cannot be considered trustworthy.

Checklist items:

  • Each user has a unique username; shared accounts are prohibited
  • Access levels are role-based and reflect the principle of least privilege — users have access only to the functions their role requires
  • A formal user access management process exists for granting, modifying, and revoking access
  • Access rights are reviewed periodically — typically annually — to identify inactive accounts and inappropriate access levels
  • Account lockout is configured after a defined number of failed login attempts
  • Procedures address what happens when an employee’s access must be revoked immediately (e.g., termination)

Operational system checks (11.10(f)) and authority checks (11.10(g))

Systems must use operational system checks to enforce sequencing of steps and events appropriate to the records. Authority checks must ensure that only authorized individuals can use the system, electronically sign records, access the operation or device, or perform operations at hand.

Checklist items:

  • Workflow enforcement prevents steps from being completed out of sequence where required (e.g., review cannot occur before authoring is complete)
  • Electronic signature permissions are tied to role-based authority — a reviewer cannot sign records they authored where separation of duties is required
  • The system enforces that only users with the appropriate role can approve specific document types or record categories

Device checks (11.10(h)) and documentation (11.10(k))

Systems must use device checks, where applicable, to determine the validity of the source of data input or operational instructions. Documentation of policies and procedures covering system use, security, and electronic signature use must be maintained.

Checklist items:

  • SOPs exist for system use, including electronic signature application procedures
  • SOPs address what to do when system access is compromised (e.g., password sharing discovered, unauthorized access detected)
  • SOPs address record retention and archival for electronic records
  • All SOPs are controlled under the organization’s document management system

Section 11.50 and 11.70: electronic signature requirements

Electronic signatures under Part 11 are not simply typed names or checkboxes. They are binding computer-based equivalents of handwritten signatures that must meet specific technical and procedural requirements to be legally and regulatorily valid.

Signature components (11.50)

Each electronic signature must display: the printed name of the signer, the date and time when the signature was executed, and the meaning associated with the signature (e.g., “Authored by,” “Reviewed by,” “Approved by”).

Checklist items:

  • All electronically signed records display the signer’s full name, timestamp, and signature meaning
  • Signature display is part of the record itself — visible when the record is printed or exported
  • Records cannot be signed by anyone other than the authenticated user (no signing on behalf of another user using their credentials)

Electronic signature linking (11.70)

Electronic signatures must be linked to their respective records in a manner that cannot be excised, copied, or otherwise transferred to falsify an electronic record. This prevents copying a signature from one record and applying it to another.

Checklist items:

  • Electronic signatures are cryptographically or technically linked to the specific record they sign
  • Signature integrity can be verified — a modified record does not retain a valid prior signature
  • System documentation confirms the technical mechanism by which signatures are linked to records

Section 11.100 and 11.200: signature identification and controls

Unique identification (11.100)

Each electronic signature must be unique to one individual and must not be reused or reassigned to anyone else. Prior to granting use of electronic signatures, organizations must certify to FDA that the electronic signatures used are intended to be legally binding — the same as handwritten signatures.

Checklist items:

  • Each electronic signature is uniquely assigned to one individual
  • Username/password combinations (or biometric identifiers) are never shared between individuals
  • The organization has submitted the required certification to FDA (21 CFR 11.100(c)) — a one-time submission certifying that electronic signatures used are legally binding
  • New employees receive training on the legal equivalence of electronic signatures before being authorized to sign electronic records

Signature components for non-biometric signatures (11.200(a))

Non-biometric electronic signatures — username and password combinations, which are the most common type in eQMS platforms — must employ at least two distinct identification components. For transactions performed at a workstation in a continuous session, only the first signing event requires both components; subsequent signings in the same session require only one component (typically the password).

For transactions not performed at a workstation during a single continuous session — for example, when a user signs a record and then walks away from the system — both components are required for each signing action.

Checklist items:

  • Electronic signatures require a minimum of two identification components (e.g., username + password)
  • Session timeout is configured to require re-authentication after a defined period of inactivity
  • After session timeout, the full two-factor authentication is required before a signature can be applied
  • Password complexity and expiration requirements are enforced by the system

Record retention and availability

Part 11 requires that electronic records be protected to enable accurate and ready retrieval throughout the required retention period. This extends to archived records — the archive must be readable and searchable for the duration of the retention period, even if the original software system is replaced.

Checklist items:

  • Electronic records are backed up regularly, with backup procedures documented and tested
  • Long-term archive strategy is documented — records remain accessible in human-readable format for the full retention period
  • Migration plans exist for when systems are decommissioned — records are exported and preserved in formats that will remain accessible
  • Disaster recovery procedures address restoration of electronic records after system failure
  • Record retention schedule aligns with applicable FDA regulations (e.g., 21 CFR Part 211.68, 21 CFR Part 820.180)

Common Part 11 inspection findings

Understanding the most frequently cited Part 11 deficiencies helps quality teams prioritize their compliance review efforts.

Shared user accounts. Using shared logins — a single account used by multiple people — violates the unique identification requirement and makes audit trails meaningless because the system cannot identify which individual took a specific action. This is one of the most common and most serious Part 11 findings because it undermines the integrity of every electronically signed record in the system.

Unreviewed audit trails. Many organizations have systems with audit trail capability that is technically enabled but never reviewed. FDA expects audit trails to be reviewed as part of quality oversight — the frequency and scope of review should be documented in a procedure. An audit trail that no one reads does not fulfill the purpose of the requirement.

Unvalidated system changes. Software updates, configuration changes, and new module deployments that proceed without impact assessment and validation documentation violate section 11.10(a). The most common scenario is a vendor-pushed software update that the organization does not evaluate for Part 11 impact before allowing it to affect a production system.

Missing or inadequate SOPs. Part 11 requires written policies and procedures covering electronic record and signature controls. Systems without accompanying SOPs — or with SOPs that do not address the specific system — lack the procedural foundation that FDA expects to see during inspections.

Inadequate training records. Users of systems covered by Part 11 must be trained on the legal significance of electronic signatures and on the organization’s policies for electronic record management. Training records demonstrating this training must exist and must be current for all active system users.

Part 11 and validated eQMS platforms

Pre-validated eQMS platforms significantly reduce the compliance burden for organizations implementing electronic records and signatures. A platform vendor that provides a validation package — including Installation Qualification, Operational Qualification, and Performance Qualification documentation — allows the customer organization to leverage vendor testing rather than conducting full custom validation from scratch.

However, vendor validation does not replace customer validation responsibilities. The customer organization is responsible for validating that the system is correctly configured and used for its specific intended use, that integrations with other systems do not compromise record integrity, and that all Part 11 controls function as expected in the production environment. Supplier qualification of the eQMS vendor — including review of the vendor’s quality system and validation methodology — is a prerequisite to relying on vendor-supplied validation documentation.

Cloudtheapp’s platform is built for FDA-regulated environments, with built-in audit trail functionality, role-based access control, electronic signature workflows meeting Part 11’s two-component requirement, and validation documentation support. The platform covers 60+ quality and compliance applications — from document control and CAPA to laboratory management and batch records — within a single validated environment, reducing the number of separate systems that each require individual Part 11 compliance assessment.

If your organization is evaluating electronic QMS platforms for Part 11 compliance, request a demo to review Cloudtheapp’s built-in compliance controls and validation approach.

Conclusion

21 CFR Part 11 compliance is not a one-time project — it is an ongoing operational discipline that requires validated systems, maintained access controls, reviewed audit trails, trained users, and current procedures. The organizations that consistently pass FDA inspections with clean Part 11 records are those that treat electronic record integrity as a quality system obligation, not a technology checkbox.

This checklist provides a starting framework for assessing compliance against the regulation’s core requirements. The most common inspection findings — shared accounts, unreviewed audit trails, unvalidated changes — are preventable through straightforward procedural and technical controls. Building those controls into the quality system from the time a system is first deployed is substantially less expensive than remediating them after an inspection finding has been issued.

]]>

Please complete the form to access the Case Study

Please complete the form to access the Case Study

You will receive the webinar link via email once your request has been approved

Sign Up for Cloudtheapp

New to Cloudtheapp?

Access to try Cloudtheapp can be granted after you request a demo to learn how it can transform your operations.

Existing Customer User?

You can proceed with signing up.

New to Cloudtheapp?

Access to try Cloudtheapp can be granted after you request a demo to learn how it can transform your operations.

Existing Customer User?

You can proceed with signing up.

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study