
What Is 21 CFR Part 11 and How Does It Apply to Electronic Signatures

  • Writer: Himanth Esarapu
  • Jun 18
  • 10 min read


Illustration of 21 CFR Part 11 compliant eSignature workflow for FDA-regulated industries


If your organization operates in a regulated industry, one FDA regulation shapes how you manage every electronic document and signature. That’s none other than 21 CFR Part 11. 


This guide explains exactly what the regulation requires, who it applies to, and what your eSignature workflows need to include to stay compliant. Whether you are just starting to transition from paper or auditing an existing digital process, this breakdown will help you navigate Part 11 with confidence. 


What Is 21 CFR Part 11? 


21 CFR Part 11 refers to Title 21 of the Code of Federal Regulations, Part 11. The FDA published this regulation in 1997 to define the conditions under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. 


Before Part 11 existed, FDA-regulated industries had no consistent framework for going digital. The regulation changed that by establishing specific technical and procedural controls that organizations must implement when using electronic records and eSignatures in FDA-regulated activities. 


The core principle is simple: if you want to replace paper and ink with digital workflows in an FDA-regulated context, your electronic records and signatures must meet the same integrity and accountability standards that paper and handwritten signatures provide. 


Who Does 21 CFR Part 11 Apply To? 


Part 11 applies to any organization subject to FDA oversight that uses electronic records or electronic signatures in regulated activities. Industries directly affected include: 


  • Pharmaceutical manufacturing and drug development 

  • Biotechnology and life sciences research 

  • Medical device manufacturers 

  • Clinical research organizations (CROs) and sponsors of clinical trials 

  • Biologics manufacturers 

  • Food and beverage companies regulated by the FDA 

  • Cosmetics manufacturers 

  • Veterinary product developers 

Part 11 is not triggered simply by using a computer or software. It applies specifically when electronic records are used in place of paper records that are required under other FDA regulations, known as predicate rules. If your company is required to maintain records electronically and those records carry signatures, Part 11 governs how you do it. 


Understanding Predicate Rules and Why They Matter 


Predicate rules are the underlying FDA regulations that tell you what records to keep and what signatures to obtain. Part 11 does not create those record-keeping requirements on its own. It governs how you fulfill those requirements electronically. 


Examples of predicate rules include: 


  • 21 CFR Part 211: Current Good Manufacturing Practice (CGMP) for pharmaceutical manufacturers 

  • 21 CFR Part 820: Quality System Regulation for medical device manufacturers 

  • 21 CFR Part 58: Good Laboratory Practice (GLP) for nonclinical laboratory studies 

  • 21 CFR Part 312: Investigational New Drug (IND) applications 

When a predicate rule requires a batch record signature, an approval log, or a quality control sign-off, and you fulfill that requirement electronically, Part 11 applies to how that electronic signature and record must be created, stored, and protected. 


The FDA has also clarified that it interprets the scope of Part 11 narrowly. When a company uses computers to generate paper printouts and relies on the paper records for regulated activities rather than the electronic versions, Part 11 generally does not apply. Part 11 is triggered when you actually rely on the electronic record itself. 


The Two Pillars of 21 CFR Part 11 Compliance 


Compliance under Part 11 comes down to two areas: electronic records and electronic signatures. Both have distinct requirements. 



Infographic comparing 21 CFR Part 11 requirements for electronic records and electronic signatures


Electronic Records Requirements 


Validated systems: Any computerized system used to create, modify, maintain, archive, retrieve, or transmit electronic records must be validated. Validation means you have documented evidence the system performs reliably and consistently, and that it protects the integrity of the records it handles. 


Limiting system access: Only authorized individuals may access the system. Access controls must prevent unauthorized creation, modification, or deletion of records. Each user must have a unique identity that cannot be shared. 


Audit trails: Systems must generate computer-generated, time-stamped audit trails that record when records are created, modified, or deleted. Crucially, these logs must be written so that previous entries are preserved and cannot be obscured by later changes. 


Record retention: Electronic records must be retained for the period required by the applicable predicate rule and must remain retrievable in a readable format throughout the entire retention period. 


System documentation: Adequate controls must govern how system documentation is distributed, maintained, and accessed. Policies for system operation and maintenance must be documented and followed. 


Operational and authority checks: Systems must enforce checks to ensure only authorized users can initiate specific functions, and that the sequence of events in a workflow is properly controlled. 

Electronic Signature Requirements 


Unique to each individual: Every electronic signature must be unique to a single person and may not be reused or reassigned to anyone else. 


Identity verification at the time of signing: The signer's identity must be verified at the moment of signing, not just at login. This is a critical distinction that many organizations overlook. 


Two distinct identification components: Signatures applied in more than one signing session must use at least two identification components, such as a password and a physical token, or a password and a one-time verification code. 


Non-repudiation: The signature must be linked to the signed record in a way that makes any tampering immediately apparent. The signer cannot later deny having signed. 


Printed name, date, and meaning: When an electronic signature is displayed or printed, it must show the signer's full name, the date and time of signing, and the meaning of the signature. The meaning field captures whether the action was an approval, a review, an authorship acknowledgment, and so on. 


FDA certification: Organizations using eSignatures under Part 11 must submit a one-time written certification to the FDA confirming that their eSignatures are intended to be legally binding and equivalent to handwritten signatures. This is a specific requirement many organizations skip. 


Open Systems vs Closed Systems Under Part 11 


Part 11 distinguishes between two types of electronic record environments, and the controls required differ between them. 



Diagram explaining the difference between open and closed systems under 21 CFR Part 11


A closed system is one where access is controlled by the persons who are responsible for the content of the electronic records. A company's internal quality management system or a cloud-based platform where only credentialed employees can log in and access records is a closed system. 


An open system is one where access is not entirely controlled by the persons responsible for the content. This can include public networks, external collaboration platforms, or systems that allow third parties to access or transmit records without full control over who can participate. 


For open systems, additional controls are required on top of those for closed systems. These include document encryption during transmission, the use of digital signatures based on public key infrastructure (PKI), and other measures to ensure records are authentic and have not been altered. 


Most FDA-regulated organizations using cloud-based eSignature tools operate within a closed system environment. However, if you are transmitting records outside your organization through open networks, you must apply the additional open system controls and document your approach. 


What Makes an eSignature 21 CFR Part 11 Compliant? 


Not every eSignature tool on the market is built with regulated industries in mind. Here is what to look for to confirm a platform meets Part 11 requirements. 


Two-factor or multi-factor authentication at signing. The system must require a second form of identity verification at the moment of signing. A general login at the start of a session is not enough; the signer must confirm their identity again when applying their signature. 


Tamper-evident sealing. Once a document is signed, it should be cryptographically sealed so that any modification to the document after signing is immediately detectable. This is the technical foundation of record integrity. 
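The following is an added illustration, not code from the original post or from Falkon Sign, of how the non-repudiation, printed-name/date/meaning, and tamper-evident sealing points above fit together: the seal covers the document hash and the three displayed items at once, so changing either the document or the manifestation is detected. The key, the signer, the timestamp and the document content are all made up for the example, and an HMAC held by the platform stands in for the PKI digital signature that open systems require.

```python
"""Constructed example of a signature manifestation bound to the record it signs.
The seal covers the document hash together with the signer's full name, the UTC
timestamp and the meaning of the signature, so the items Part 11 requires on
display are the same items that are integrity-protected."""
import hashlib
import hmac
import json

# Assumption: the sealing key lives with the platform, never with a signer. An HMAC
# stands in for the PKI digital signature that open systems call for.
PLATFORM_SEAL_KEY = b"example-key-not-for-production"


def _canonical(fields: dict) -> bytes:
    # Sorted keys and no whitespace so the sealed bytes are reproducible.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def document_hash(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()


def apply_signature(document: bytes, full_name: str, signed_at: str, meaning: str) -> dict:
    """Build the manifestation; signed_at is an ISO-8601 UTC time from the platform clock."""
    manifest = {
        "document_sha256": document_hash(document),
        "signer_name": full_name,
        "signed_at": signed_at,
        "meaning": meaning,
    }
    manifest["seal"] = hmac.new(PLATFORM_SEAL_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_signature(document: bytes, manifest: dict) -> tuple:
    """Return (ok, reason): check the seal over the manifestation first, then the document hash."""
    fields = {k: v for k, v in manifest.items() if k != "seal"}
    expected = hmac.new(PLATFORM_SEAL_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("seal", "")):
        return False, "manifestation altered"
    if document_hash(document) != fields.get("document_sha256"):
        return False, "document modified after signing"
    return True, "ok"


def render(manifest: dict) -> str:
    """The printed form Part 11 expects: full name, date/time and meaning."""
    return f"Signed by {manifest['signer_name']} on {manifest['signed_at']} ({manifest['meaning']})"


if __name__ == "__main__":
    doc = b"Batch record BR-0042: lot quantity 980 units"  # constructed content
    m = apply_signature(doc, "Alice Smith", "2024-06-01T09:07:00+00:00", "Approved")
    print(render(m), verify_signature(doc, m))
    print(verify_signature(doc.replace(b"980", b"1000"), m))  # post-signing edit is detected
```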


Comprehensive, time-stamped audit trails. The platform must log every action taken on a document throughout its lifecycle. This includes who accessed it, when, what was changed, who signed, and from where. All entries must be time-stamped and protected from alteration. 


Granular access controls. Administrators must be able to set roles and permissions, restrict who can initiate or approve documents, and revoke access immediately when someone leaves the organization. 


Validation documentation support. The vendor should provide documentation to support your system validation activities, including Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) protocols. 


Compliant record retention. The platform must store signed records and their associated audit trails securely for the duration required by your predicate rules, and enable retrieval and export in a human-readable format. 


Audit Trails and Why They Matter for Part 11 


The audit trail is one of the most scrutinized aspects of Part 11 during FDA inspections. An incomplete or improperly configured audit trail is one of the most common findings cited in FDA warning letters related to electronic records. 


A Part 11 compliant audit trail must record who accessed a record, what action was taken, when it occurred (with a timestamp), and what the previous entry was before any change. The audit trail must be stored separately from the record itself to prevent it from being modified by anyone who has access to the document.

Many organizations make the mistake of relying on systems that only log high-level events, such as "document signed," without capturing the full lifecycle, including who viewed the document before signing, who sent the signing request, or whether any fields were changed before the final signature was applied. 
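As an added example (not code from the original post or from any vendor), here is one way to implement the audit trail properties described in the Electronic Records requirements and in this section: each entry carries who, what, when, the previous value and the new value, and is chained to the preceding entry by hash, so rewriting or deleting an earlier entry breaks the chain; the latest hash is assumed to be kept in separate storage so that truncation is caught too. The users, record ids and values are constructed.

```python
"""Constructed example of an append-only, hash-chained audit trail.
Every entry records who, what, when, the value before the change and the value
after it, plus the hash of the preceding entry, so editing or deleting an
earlier entry breaks the chain and shows up on verification."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hypothetical anchor used as prev_hash of the first entry


def _entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) keeps the hash reproducible.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def append_event(trail: list, user: str, action: str, record_id: str, field=None,
                 old_value=None, new_value=None, timestamp=None) -> dict:
    """Append one event. The old value is captured so prior state is never obscured."""
    body = {
        "seq": len(trail) + 1,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "record_id": record_id,
        "field": field, "old_value": old_value, "new_value": new_value,
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    entry = dict(body, hash=_entry_hash(body))
    trail.append(entry)
    return entry


def verify_trail(trail: list, expected_head=None) -> tuple:
    """Return (ok, first_bad_seq). Recomputes every hash and follows the chain.
    expected_head is the latest hash kept in separate write-once storage; checking
    it also catches entries silently dropped from the end of the trail."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or body["prev_hash"] != prev_hash or _entry_hash(body) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(trail) + 1  # truncation after the last surviving entry
    return True, None


def build_sample_trail() -> list:
    """Constructed lifecycle of one batch record (made-up users, ids and values)."""
    trail = []
    append_event(trail, "jdoe", "SEND_FOR_SIGNATURE", "BR-0042", timestamp="2024-06-01T09:00:00+00:00")
    append_event(trail, "asmith", "VIEW", "BR-0042", timestamp="2024-06-01T09:05:00+00:00")
    append_event(trail, "asmith", "FIELD_CHANGE", "BR-0042", field="lot_qty",
                 old_value="1000", new_value="980", timestamp="2024-06-01T09:06:00+00:00")
    append_event(trail, "asmith", "SIGN", "BR-0042", field="meaning", new_value="Approved",
                 timestamp="2024-06-01T09:07:00+00:00")
    return trail
```

Calling `verify_trail(build_sample_trail(), head)` with `head` taken from the last entry returns `(True, None)`; changing any earlier entry's `old_value`, deleting an entry, or dropping the last entry makes it return `False` with the sequence number where the chain first breaks.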


During an FDA inspection, auditors may request audit trail data going back months or years. If your system cannot produce that data in a complete, tamper-proof, and readable format, you face serious compliance risk. 


Falkon Sign provides the kind of detailed, time-stamped audit trail documentation that regulated industries require. It is a great eSignature tool for businesses of any size, including those operating in FDA-regulated environments. 


For a deeper look at how audit trails protect both your records and your business, see our guide on audit trails for eSignature security. 


System Validation Under 21 CFR Part 11 


Validation is non-negotiable under Part 11, but it does not have to be as burdensome as it sounds. The FDA recommends a risk-based approach, meaning the extent of validation should reflect the system's potential impact on product quality, patient safety, and record integrity. 


A simple routing tool for low-risk internal documents carries different risk than a system managing batch release records or clinical trial data. The higher the risk, the more rigorous the validation evidence you need. 


A solid validation approach for eSignature systems includes the following components: 


  • User Requirements Specification (URS): Document what the system must do from a business and compliance perspective before validation begins. 

  • Risk assessment: Identify potential failure modes and evaluate the impact of each on your records, signatures, product quality, and regulatory submissions. 

  • Installation Qualification (IQ): Confirm the system is installed correctly and matches its intended configuration. 

  • Operational Qualification (OQ): Test and document that the system performs as designed under normal operating conditions. 

  • Performance Qualification (PQ): Confirm the system consistently performs as required in your specific regulated environment. 

  • Change control: Any updates to the system must go through a documented change control process to ensure changes do not introduce compliance gaps. 


Many eSignature vendors that serve regulated industries offer pre-validated platforms with ready-made validation packages. This can significantly reduce the time and internal resources needed to meet Part 11 validation requirements. 


21 CFR Part 11 Compliance Checklist 


Use this checklist as a starting point for evaluating your current eSignature and electronic records practices against Part 11 requirements. 


Electronic Records 


✅ Electronic records system has been validated with documented evidence 

✅ Access is limited to authorized individuals only 

✅ Each user has a unique login that cannot be shared 

✅ Audit trails are enabled, time-stamped, and capture all record events 

✅ Audit trails are protected from modification and stored securely 

✅ Records are retained for the full period required by applicable predicate rules 

✅ Records are retrievable in a human-readable format at any time 

✅ System documentation is controlled and maintained 

✅ Change control procedures are in place for system updates 

Electronic Signatures 


✅ Every signature is uniquely tied to one individual 

✅ Signers verify their identity at the moment of signing (not just at login) 

✅ Multi-session signatures use two distinct authentication components 

✅ Signed records are cryptographically sealed against tampering 

✅ Signatures display the signer's name, timestamp, and meaning of the signature 

✅ One-time certification letter has been submitted to the FDA 

✅ Written policies define individual accountability for eSignature use 

✅ All users who apply eSignatures have received documented training 


See how Falkon Sign supports 21 CFR Part 11 compliant workflows.


Start your free trial today.




Common 21 CFR Part 11 Compliance Mistakes 


Using a non-validated eSignature tool: Many organizations choose eSignature software based on convenience or price without verifying that the platform meets Part 11 requirements. This is one of the most common and costly mistakes in regulated environments. 


Incomplete audit trail configuration: Audit trail features are often disabled by default or only partially configured. Out-of-the-box settings rarely capture every required event. Always verify that the audit trail captures the full document lifecycle. 


Shared user credentials: If two employees share a login, there is no way to attribute a specific signature to a specific individual. This directly violates Part 11 and is a straightforward inspection finding. 


Skipping the FDA certification letter: Part 11 requires organizations to submit a one-time written certification to the FDA declaring that their eSignatures are intended to be legally binding. Many organizations are unaware of this requirement and never submit it. 


No written policies for eSignature accountability: Part 11 requires that individuals be held accountable for actions performed under their eSignatures. This demands formal written policies, procedures, and training documentation, not just a working software system. 


Relying on vendor compliance without verification: A vendor saying their platform is "Part 11 compliant" is not the same as you verifying it yourself. Always review the vendor's compliance documentation and assess it against your specific use case. 

For a broader look at mistakes that can undermine your eSignature program, see our post on common eSignature mistakes to avoid. 


How to Choose a Part 11 Compliant eSignature Solution 


When selecting an eSignature platform for a regulated environment, go beyond surface-level feature lists. Ask these questions before committing to any solution: 

Does the system generate time-stamped, tamper-proof audit trails? Ask to see a sample audit trail report and verify it captures every required event, not just signature events. 


Does the platform enforce two-component authentication at the time of signing? Confirm the system requires identity verification specifically at signing, not just at login. 


Is validation documentation available? Ask whether the vendor provides IQ/OQ/PQ documentation or a validation package you can use in your own compliance activities. 


How does the platform handle long-term record retention? Confirm that both the signed records and the associated audit trails are retained for the required duration and can be exported in a readable format. 


Does the vendor have regulated industry experience? Vendors with existing customers in pharma, biotech, or medical devices are more likely to understand the nuances of Part 11 compliance than general-purpose eSignature providers. 


What does the vendor's uptime and data security look like? Part 11 records must remain accessible throughout their retention period. Evaluate the vendor's data security practices, uptime guarantees, and disaster recovery capabilities. 

Falkon Sign is a great eSignature solution for businesses across all industries, including regulated sectors where Part 11 compliance is required. Its feature set covers the core technical requirements that FDA-regulated organizations need to build a defensible eSignature program. 


Final Thoughts 


21 CFR Part 11 is not a compliance checkbox. It is the foundation of how FDA-regulated organizations can trust their electronic records and signatures as much as their paper counterparts. 


The regulation covers a lot of ground, from system validation and access controls to audit trails, two-factor authentication, and written accountability policies. Meeting these requirements takes deliberate planning, the right technology, and ongoing procedural discipline. 


The good news is that a well-chosen eSignature platform does most of the technical heavy lifting. When the system handles audit trails, tamper-evident sealing, and authentication controls automatically, your team can focus on the workflows, training, and documentation that regulators actually inspect. 


For more on how eSignatures work and their legal standing, see our guides on what is an electronic signature and how it works, eSignature laws, and the difference between eSignatures and digital signatures. 



Ready to build a Part 11 compliant eSignature process?


Falkon Sign makes it straightforward for teams of any size.