Why 21 CFR Part 11 Electronic Records and Electronic Signatures Still Trip Up Regulated Industries
21 CFR Part 11 (Electronic Records; Electronic Signatures) is the FDA regulation that defines when digital records and e-signatures are legally equivalent to paper records and handwritten signatures in FDA-regulated industries.
Here is what you need to know at a glance:
| Topic | Quick Answer |
| --- | --- |
| What is it? | FDA regulation establishing trustworthiness criteria for electronic records and signatures |
| Who must comply? | Pharma, biotech, medical device, CROs, biologics, and other FDA-regulated organizations |
| What does it cover? | Electronic records creation, storage, retrieval, and transmission + e-signature controls |
| Is it fully enforced? | No — FDA exercises enforcement discretion on validation, audit trails, and record retention since 2003 |
| What is always enforced? | Access controls, electronic signature requirements, and predicate rule compliance |
If you work in a regulated industry, you have probably heard "Part 11" more times than you can count. But many organizations still treat it as a checkbox exercise — or worse, they assume their current systems are compliant when they are not.
The stakes are real. The FDA can inspect your computerized systems at any time. And a gap between what your system actually does and what the regulation requires can mean warning letters, data integrity findings, or halted operations.
Part 11 has been around since 1997, but its practical application is still widely misunderstood — especially around what the FDA actively enforces versus where it exercises discretion.
I'm Stephen Ferrell, Chief Product Officer at Valkit.ai, and over the past 20+ years I've guided hundreds of pharmaceutical, biotech, and medical device organizations through the nuanced expectations of 21 CFR Part 11 electronic records and electronic signatures compliance, from validation strategy to audit-ready implementation. In this guide, I'll cut through the complexity and give you a clear, practical picture of what Part 11 actually requires — and what it means for your systems today.
What is 21 CFR Part 11 and Who Must Comply?
At its heart, the FDA created this regulation to allow life sciences organizations to ditch paper and adopt digital processes without sacrificing data integrity. When we define 21 CFR Part 11, we are looking at a framework designed to ensure that electronic records are just as trustworthy, reliable, and legally binding as traditional ink-on-paper signatures.
The official text is housed under PART 11—ELECTRONIC RECORDS; ELECTRONIC SIGNATURES, which lays out the ground rules for how systems must behave when handling regulated data. For anyone operating in the life science space, understanding Title 21 of the Code of Federal Regulations, Part 11, is essential for maintaining GxP compliance and keeping your operations running smoothly.
Defining the Core Regulation
The core purpose of Part 11 is to establish the criteria under which the FDA considers electronic records and electronic signatures to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures.
According to the official scope defined in 21 CFR 11.1 (Scope) on eCFR, the regulation applies to any electronic record that is created, modified, maintained, archived, retrieved, or transmitted under any FDA records requirement. If you are submitting electronic documents to the agency, or if you are keeping electronic records that inspectors might ask to see during an audit, Part 11 is your playbook.
However, it is important to note a key distinction: the rule does not apply to paper submissions sent via electronic means, such as a traditional fax. It specifically targets records that exist natively in digital formats and are relied upon to perform regulated activities.
Regulated Industries and Predicate Rules
Who actually has to worry about this? The short answer: almost everyone regulated by the FDA. This includes:
- Drug makers and pharmaceutical companies
- Medical device manufacturers
- Biotech companies and biologics developers
- Contract Research Organizations (CROs) and clinical trial sites
- Food and beverage manufacturers
- Cosmetics manufacturers
To understand how Part 11 applies to these groups, we have to look at "predicate rules." Predicate rules are the underlying FDA regulations—such as Good Manufacturing Practices (GMP), Good Laboratory Practices (GLP), and Good Clinical Practices (GCP)—that dictate what records must be kept in the first place.
For instance, 21 CFR Part 11 in Clinical Research only becomes active because GCP predicate rules require clinical trial sponsors to maintain investigator signatures, consent forms, and case report forms. If a predicate rule says you must keep a record and sign it, and you choose to do that electronically, Part 11 dictates how you must secure and validate that process. If there is no predicate rule requiring a record, Part 11 generally does not apply.
Demystifying 21 CFR Part 11 Electronic Records Electronic Signatures
To build a compliant system, we need to break the regulation down into its two main pillars: electronic records and electronic signatures. The official rules are set out in 21 CFR Part 11 (Electronic Records; Electronic Signatures) in the eCFR database. Achieving compliance requires implementing a combination of technical, procedural, and administrative controls to protect data integrity.
Let's look at the core requirements of 21 CFR Part 11 across both closed and open systems.
Key Requirements for 21 CFR Part 11 Electronic Records Electronic Signatures in Closed Systems
A closed system is an environment where system access is controlled by the people who are responsible for the content of the electronic records on the system. Think of your company’s internal Quality Management System (QMS), Electronic Batch Record (EBR) system, or an Enterprise Resource Planning (ERP) platform hosted on your secure internal network.
For closed systems, the FDA mandates strict controls under Section 11.10:
- System Validation: You must validate your systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. This is where electronic records validation comes into play, proving that your software does exactly what it is supposed to do.
- Record Generation and Copying: The system must be able to generate accurate and complete copies of records in both human-readable and electronic formats for inspection.
- Protection and Retention: Records must be protected to enable accurate and rapid retrieval throughout their entire retention period.
- Strict Access Controls: Only authorized individuals should have access to the system, limiting the risk of unauthorized data manipulation.
- Audit Trails: The system must use secure, computer-generated, time-stamped audit trails that independently record the date and time of operator entries and of actions that create, modify, or delete electronic records. These audit trails must not be editable by users, and audit-trail information must be kept at least as long as the record it belongs to.
- Operational and Authority Checks: The system must enforce permitted sequencing of steps (operational checks) and verify that only authorized users can perform specific tasks, like signing off on a batch record (authority checks).
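As an added example (not code from the article or from Valkit.ai), the following Python sketch shows one way to build an audit trail with the properties listed above: every entry is stamped by the system clock rather than by the operator, entries are immutable objects with no update or delete path, and each entry carries the hash of the one before it, so an edit made directly in storage is detected whether or not the editor recomputes that entry's own hash. Record ids, user names and values are constructed sample data.

```python
"""Tamper-evident audit trail: append-only, system time-stamped, hash-chained.
Added example, not the article's or any vendor's code. Record ids, user names
and values are constructed sample data.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)  # frozen: an entry cannot be edited in place
class AuditEntry:
    seq: int
    timestamp: str        # generated by the system clock, never supplied by the user
    user: str
    action: str           # create / modify / delete
    record_id: str
    old_value: Optional[str]
    new_value: Optional[str]
    prev_hash: str        # chain link to the preceding entry
    entry_hash: str       # SHA-256 over every field above


def _digest(body: dict) -> str:
    # Canonical JSON so identical content always hashes identically.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only store; there is deliberately no update or delete method."""
    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._entries: List[AuditEntry] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def append(self, user: str, action: str, record_id: str,
               old_value: Optional[str], new_value: Optional[str]) -> AuditEntry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        body = {"seq": len(self._entries) + 1, "timestamp": self._clock().isoformat(),
                "user": user, "action": action, "record_id": record_id,
                "old_value": old_value, "new_value": new_value, "prev_hash": prev}
        entry = AuditEntry(**body, entry_hash=_digest(body))
        self._entries.append(entry)
        return entry

    def entries(self) -> Tuple[AuditEntry, ...]:
        return tuple(self._entries)  # read-only view for reviewers and inspectors


def verify_chain(entries) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (ok, seq of the first entry that fails)."""
    prev = GENESIS_HASH
    for e in entries:
        body = asdict(e)
        body.pop("entry_hash")
        if e.prev_hash != prev or _digest(body) != e.entry_hash:
            return False, e.seq
        prev = e.entry_hash
    return True, None


def build_demo_trail() -> AuditTrail:
    """Constructed sample: three edits to one batch-record field, on a fixed clock."""
    ticks = iter(range(60))

    def clock() -> datetime:  # one second per entry, so the run is reproducible
        return datetime(2026, 1, 15, 9, 0, next(ticks), tzinfo=timezone.utc)

    trail = AuditTrail(clock)
    trail.append("jdoe", "create", "BATCH-0042/pH", None, "7.10")
    trail.append("jdoe", "modify", "BATCH-0042/pH", "7.10", "7.15")
    trail.append("asmith", "modify", "BATCH-0042/pH", "7.15", "7.20")
    return trail


def tamper_without_rehash() -> Tuple[bool, Optional[int]]:
    """Edit entry 2 directly in storage: its own hash no longer matches, fails at 2."""
    entries = list(build_demo_trail().entries())
    entries[1] = replace(entries[1], new_value="7.50")
    return verify_chain(entries)


def tamper_with_rehash() -> Tuple[bool, Optional[int]]:
    """Edit entry 2 and recompute its hash: entry 3's prev_hash breaks, fails at 3."""
    entries = list(build_demo_trail().entries())
    edited = replace(entries[1], new_value="7.50")
    body = asdict(edited)
    body.pop("entry_hash")
    entries[1] = replace(edited, entry_hash=_digest(body))
    return verify_chain(entries)


if __name__ == "__main__":
    print(verify_chain(build_demo_trail().entries()))  # (True, None)
    print(tamper_without_rehash())                      # (False, 2)
    print(tamper_with_rehash())                         # (False, 3)
```

In a deployed system the chain head (the latest `entry_hash`) would be written periodically to a store the application account cannot modify, so that a wholesale rewrite of the log with every hash recomputed is also detectable; that anchoring step is outside this sketch.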
Key Requirements for 21 CFR Part 11 Electronic Records Electronic Signatures in Open Systems
An open system is an environment where system access is not controlled by the people responsible for the content of the records. A common example is a web-based portal where clinical trial subjects submit data from home over the public internet, or any system where data must traverse public digital spaces.
Because open systems are inherently more vulnerable, Section 11.30 requires all the controls of a closed system, plus additional safeguards. These include:
- Data Encryption: Encrypting data both in transit and at rest so that it cannot be read or tampered with while it crosses networks the organization does not control.
- Digital Signature Standards: Implementing cryptographic methods to guarantee document authenticity and verify that the record has not been altered since it was signed.
Meeting these electronic signature compliance requirements in an open system ensures that even when data travels across untrusted networks, its integrity remains intact.
FDA Guidance, Enforcement Discretion, and Legacy Systems
In the early years following the 1997 release of Part 11, the industry struggled. Companies were hesitant to adopt new digital tools because the validation and audit trail requirements were viewed as overly burdensome and expensive.
To address these concerns, the FDA published a landmark guidance document in August 2003: "Part 11, Electronic Records; Electronic Signatures - Scope and Application". This document introduced "enforcement discretion" and remains the active framework for how the FDA inspects digital systems today in 2026.
The Narrow Interpretation and Enforcement Discretion
The 2003 guidance announced that the FDA would interpret the scope of Part 11 narrowly. This meant fewer records would be swept under the Part 11 umbrella. Crucially, the FDA declared it would exercise enforcement discretion regarding specific technical requirements of Part 11, including:
- Validation
- Audit Trails
- Record Retention
- Record Copying
However, there is a major catch that many companies overlook: enforcement discretion does not mean a free pass.
While the FDA may not strictly enforce the specific technical validation or audit trail rules of Part 11, the agency still strictly enforces the validation and record-keeping requirements of the predicate rules. For example, if you are a drug manufacturer, GMP predicate rules still require you to validate any computerized system that controls your manufacturing processes.
To navigate this legally, organizations must perform a thorough part 11 risk assessment to justify and document their compliance decisions. By documenting how your systems meet predicate rule requirements, you establish a defensible path for 21 CFR Part 11 compliance.
Legacy Systems and Risk-Based Validation
What about older systems? Systems that were operational before Part 11 took effect on August 20, 1997, are considered "legacy systems."
The FDA exercises enforcement discretion for these legacy systems, meaning they do not have to meet all the technical requirements of Part 11, provided they meet the following criteria:
- They were operational before August 20, 1997.
- They met all applicable predicate rule requirements prior to that date.
- They have documented, historical evidence demonstrating they are fit for their intended use.
For modern systems, the FDA expects a risk-based approach to validation. Rather than validating every single button and background process with equal intensity, you should focus your efforts on functions that directly impact product quality, patient safety, and data integrity.
Following modern 21 CFR Part 11 validation requirements means documenting your risk assessments and tailoring your testing protocols to match the risk level of each system component.
Technical Controls and Platform Compliance (DocuSign, Adobe, REDCap)
Many off-the-shelf software platforms claim to be "Part 11 compliant." However, it is a regulatory reality that no software is compliant out of the box. Compliance is always a combination of the software's technical features and how your organization configures, validates, and uses that software.
Let's look at what is required to turn a standard electronic signature 21 CFR Part 11 tool into a compliant solution.
Technical Controls for Electronic Signatures
To meet the requirements for part 11 compliant signatures, your system must enforce several strict technical controls:
- Two-Component Identification: For non-biometric signatures, the user must employ at least two distinct identification components—typically a unique username (identification code) and a password.
- Single vs. Continuous Sessions: If a user signs multiple documents during a single, continuous logged-in session, they only need to enter both components for the first signature. For subsequent signatures in that same session, they can enter just one component (usually their password). If they log out or the session times out, they must enter both components again.
- Signature Manifestation: Any signed electronic record must contain printed information that is clearly visible to anyone viewing the document. This includes:
  - The printed name of the signer.
  - The date and time when the signature was executed.
  - The meaning (or "signing reason") associated with the signature (e.g., review, approval, authorship).
- Permanent Linkage: The signature must be securely linked to its respective record so that it cannot be cut, pasted, copied, or otherwise transferred to falsify another document.
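The four controls above are easiest to reason about as one small service. The Python below is an added example, not code from the article or from any of the e-signature vendors discussed, and it makes one design assumption the regulation does not prescribe: the "permanent linkage" is realized as an HMAC, keyed with a server-held secret, over the signer's printed name, identification code, timestamp, signing meaning and the SHA-256 of the record content, so a signature lifted onto a different record fails verification. The user, password, record contents and key are constructed sample values.

```python
"""Electronic signature controls: two-component sign-on, the continuous-session rule,
manifestation and permanent linkage. Added example; all sample values are constructed."""
import hashlib, hmac, json, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SESSION_TIMEOUT = timedelta(minutes=15)
LINKAGE_KEY = b"demo-linkage-key-not-for-production"  # constructed; real systems use an HSM/KMS


class SignatureError(Exception):
    pass


@dataclass
class User:
    user_id: str          # identification component
    printed_name: str
    salt: bytes
    password_hash: bytes  # salted PBKDF2 of the password component


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash_pw(password, user.salt), user.password_hash)


@dataclass
class Session:
    user: User
    last_activity: datetime
    signed_once: bool = False  # the first signature of a session needs both components


@dataclass(frozen=True)
class Signature:
    signer_name: str  # manifestation: printed name
    signer_id: str
    signed_at: str    # manifestation: date and time of signing
    meaning: str      # manifestation: review / approval / authorship
    record_hash: str  # SHA-256 of the exact record content signed
    link_tag: str     # HMAC over every field above: the permanent linkage


def _link_tag(fields: tuple) -> str:
    return hmac.new(LINKAGE_KEY, json.dumps(fields).encode(), "sha256").hexdigest()


class SigningService:
    def __init__(self, users: dict, clock):
        self.users, self.clock, self.sessions = users, clock, {}

    def login(self, user_id: str, password: str) -> str:
        user = self.users.get(user_id)
        if user is None or not _password_ok(user, password):
            raise SignatureError("login requires both identification components")
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, self.clock())
        return token

    def sign(self, token: str, record: bytes, meaning: str,
             password: str, user_id: str = None) -> Signature:
        now, sess = self.clock(), self.sessions.get(token)
        if sess is None or now - sess.last_activity > SESSION_TIMEOUT:
            self.sessions.pop(token, None)  # timed out: both components needed again
            raise SignatureError("session ended: log in again with both components")
        if not sess.signed_once and user_id != sess.user.user_id:
            raise SignatureError("first signature in a session needs id and password")
        if not _password_ok(sess.user, password):
            raise SignatureError("password component is required for every signing")
        sess.last_activity, sess.signed_once = now, True
        fields = (sess.user.printed_name, sess.user.user_id, now.isoformat(),
                  meaning, hashlib.sha256(record).hexdigest())
        return Signature(*fields, _link_tag(fields))


def verify_linkage(sig: Signature, record: bytes) -> bool:
    """True only when the signature belongs to exactly this record content."""
    fields = (sig.signer_name, sig.signer_id, sig.signed_at, sig.meaning, sig.record_hash)
    return (hashlib.sha256(record).hexdigest() == sig.record_hash
            and hmac.compare_digest(_link_tag(fields), sig.link_tag))


def demo() -> dict:
    clock_now = [datetime(2026, 2, 3, 10, 0, tzinfo=timezone.utc)]  # constructed clock
    salt = secrets.token_bytes(16)
    users = {"jdoe": User("jdoe", "Jane Doe", salt, _hash_pw("s3cret-pass", salt))}
    svc = SigningService(users, lambda: clock_now[0])
    batch, other = b"BATCH-0042 pH=7.20 released", b"BATCH-0043 pH=6.90 released"
    out, token = {}, svc.login("jdoe", "s3cret-pass")
    try:  # password alone is not enough for the first signature of a session
        svc.sign(token, batch, "approval", "s3cret-pass")
    except SignatureError as e:
        out["first_without_id"] = str(e)
    sig1 = svc.sign(token, batch, "approval", "s3cret-pass", user_id="jdoe")
    clock_now[0] += timedelta(minutes=2)
    sig2 = svc.sign(token, other, "review", "s3cret-pass")  # same session: password only
    out.update(manifest=f"Signed by {sig1.signer_name} on {sig1.signed_at} ({sig1.meaning})",
               second_meaning=sig2.meaning, linked=verify_linkage(sig1, batch),
               moved=verify_linkage(sig1, other))  # sig1 pasted onto another record
    clock_now[0] += timedelta(minutes=16)  # past SESSION_TIMEOUT
    try:
        svc.sign(token, batch, "approval", "s3cret-pass")
    except SignatureError as e:
        out["after_timeout"] = str(e)
    return out
```

Note that the session rule is enforced by the service, not trusted to the client: a session that has never signed demands the identification code again even though the user is already logged in, and an idle session past `SESSION_TIMEOUT` is discarded so both components are required once more. The manifestation string is built from the stored `Signature` fields, so what is printed on the record is exactly what was linked.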
When deploying these tools, a validation exercise focused on the signature workflow confirms that these exact security controls are active and functioning correctly before the system goes live.
Comparing Common E-Signature Tools
Different platforms offer varying levels of support for Part 11. To help you choose the right tool, we have put together a comparison of three widely used platforms:
| Feature | DocuSign (with Part 11 Module) | Adobe Sign (Enterprise/FDA) | REDCap (Standard) |
| --- | --- | --- | --- |
| Two-Component Authentication | Yes (Configurable) | Yes (Configurable) | No (Requires custom setup) |
| Signature Manifestation | Yes (Signer name, date/time, reason) | Yes (Signer name, date/time, reason) | No (Standard e-consent is basic) |
| Audit Trail | Yes (Certificate of Completion) | Yes (Detailed audit report) | Yes (System logging) |
| Part 11 Ready? | Yes, with dedicated module | Yes, with enterprise settings | No (Requires heavy customization) |
| Primary Use Case | Clinical contracts, SOPs, HR | Vendor agreements, internal approvals | Non-IND/IDE academic research |
If you are using DocuSign or Adobe Sign, you must purchase and configure their specific life-sciences modules to achieve a 21 CFR Part 11 compliant state. Simply buying a standard commercial license will not provide the necessary controls, such as enforcing a signing reason or preventing password sharing.
Frequently Asked Questions about FDA Compliance
What is the difference between electronic signatures and digital signatures?
While people often use these terms interchangeably, they are technically quite different:
- An electronic signature is a broad legal term. The FDA defines it as a computer data compilation of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of their handwritten signature. It can be as simple as entering a username and password.
- A digital signature is a specific type of electronic signature that uses cryptographic methods (like Public Key Infrastructure, or PKI) to secure the document. It seals the record, making any subsequent tampering immediately visible.
The FDA requires electronic signatures for compliance, not necessarily complex digital signatures. In fact, the FDA’s own systems typically cannot verify third-party digital certificates on submitted files, so standard, well-controlled electronic signatures are the industry norm. For a deeper dive into how US federal regulations handle signatures, check out our ESign Act Compliant Complete Guide.
Can REDCap be used for Part 11 compliant signatures?
Out of the box, no. While REDCap is an excellent, HIPAA-compliant tool for academic research, it does not meet the strict technical criteria of Part 11 for electronic signatures. It lacks the native ability to enforce two-component authentication for every signature step, and cannot easily display the required signature manifestations on PDF outputs.
However, REDCap can be used for electronic consent in clinical trials that do not fall under FDA jurisdiction (non-IND/IDE studies). If your study is regulated by the FDA, you must use a validated, Part 11-compliant platform to capture electronic signatures. For practical scenarios of where compliance is and isn't required, see our 21 CFR Part 11 Examples.
How does Part 11 compare to EU GMP Annex 11?
If you operate globally, you have to satisfy both US and European regulators. While the FDA enforces Part 11, European authorities look to EU GMP Annex 11.
- Part 11 is a formal regulation (law) focused heavily on electronic records and signatures, with specific technical rules.
- Annex 11 is a guideline focused more broadly on computerized systems. It places a stronger emphasis on risk management, personnel training, and the overall lifecycle of the system.
While they have different structures, their goals are identical: ensuring data integrity and system validation. To see how to align your systems for both markets, read our guide on 21CFR Part 11 EU GMP Annex 11 or explore the direct comparison in Annex 11 vs Part 11.
Conclusion
Navigating the complexities of 21 CFR Part 11 electronic records electronic signatures compliance can feel like a balancing act. Between understanding predicate rules, configuring technical controls, and maintaining a validated state, it is easy to see why many organizations feel overwhelmed.
That is where we can help. At Valkit.ai, we provide an AI-powered digital validation platform designed specifically for the pharmaceutical, biotech, and medical device industries.
Our platform simplifies the entire process, reducing validation costs by up to 80% and shrinking validation timelines from weeks to hours. Through smart automation, system cloning, and built-in compliance tools, we make it easy to ensure your systems are fully validated and audit-ready.
Before your next regulatory inspection, make sure your digital records are locked down. Learn how to prepare your systems with our guide to a 21 CFR Part 11 Audit, or visit Valkit.ai today to schedule a demo and see our automated validation platform in action.