Feb 26, 2026
Peter Busk
21 CFR Part 11 in practice: Requirements for electronic signatures
Introduction
21 CFR Part 11 is the FDA's regulation of electronic records and electronic signatures. It was issued in 1997 - an eternity in technology years - but is still fully valid and actively enforced.
Any pharmaceutical company operating in the U.S. market must comply with Part 11 when using electronic systems for GxP activities. However, the rules are written in broad, often vague language. What does "secure, computer-generated, time-stamped audit trail" actually mean in practice?
At Hyperbolic, we regularly implement Part 11-compliant systems. Here’s a practical guide to what the regulations actually require and how to implement them.
What is 21 CFR Part 11?
Part 11 has two main sections:
Subpart B - Electronic Records: Requirements for how electronic records must be created, modified, maintained, and archived.
Subpart C - Electronic Signatures: Requirements for electronic signatures to be equivalent to handwritten signatures.
Scope: Part 11 applies only to records that are:
Required by FDA regulation (predicate rules)
Used instead of paper records
Submitted to the FDA
Critical: Part 11 does NOT automatically apply to all software in pharma. Only GxP records.
Electronic Records requirements (Subpart B)
§11.10 - Controls for closed systems
This is the heart of the matter. A "closed system" is one in which access is controlled by the persons responsible for the content of the electronic records.
Validation (§11.10(a)):
The requirement: "Validation of systems to ensure accuracy, reliability, consistent intended performance..."
In practice: Computer System Validation (CSV) per GAMP 5 or similar framework. Document that the system does what it is supposed to do, consistently.
Deliverables:
Validation Plan
Risk Assessment
Test Scripts and Execution
Validation Report
Traceability Matrix
Audit Trail (§11.10(e)):
The requirement: "Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions..."
In practice:
What is logged: All creation, modification, deletion of GxP records
Who: User ID of the person
When: Date and timestamp
What: What was changed, before/after values
Why: Reason for change (often required input)
Audit trail must be:
Immutable: Cannot be deleted or altered
Always on: Cannot be disabled
Readily available: Can be reviewed during audits
Best practice: Separate audit trail table in the database, write-only access for the application.
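As an added illustration (not code from the original article or from Hyperbolic), here is an append-only audit trail in Python that logs who, when, what (field-level before/after values) and why, exposes no delete or update operation to the application, and hash-chains the entries so that an altered or removed entry is detected at review time. The hash chain is an implementation choice assumed here, not something Part 11 prescribes; user ids and record values in the comments are constructed samples.

```python
import hashlib
import json
from datetime import datetime, timezone

class AuditTrail:
    """Append-only audit trail. The application gets record() and verify()
    and no update/delete method at all; each entry carries field-level
    before/after values and a mandatory reason, and is hash-chained to the
    previous entry so an altered or removed entry is detected on review."""

    def __init__(self):
        self._entries = []

    def record(self, user_id, record_id, action, before, after, reason):
        if not reason or not reason.strip():
            raise ValueError("reason for change is required")
        # What changed: before/after per field, not merely "record modified".
        changes = {
            f: {"before": before.get(f), "after": after.get(f)}
            for f in sorted(set(before) | set(after))
            if before.get(f) != after.get(f)
        }
        entry = {
            "seq": len(self._entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),  # when
            "user_id": user_id,                                    # who
            "record_id": record_id,
            "action": action,                                      # create/modify/delete
            "changes": changes,                                    # what
            "reason": reason.strip(),                              # why
            "prev_hash": self._entries[-1]["hash"] if self._entries else "0" * 64,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True only if every entry matches its hash and the chain is unbroken."""
        prev = "0" * 64
        for e in self._entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In a database deployment the same shape maps to a separate audit table on which the application role holds INSERT and SELECT only, with the chain verified as part of the periodic audit trail review.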
Authority Checks (§11.10(g)):
The requirement: "Determination that persons who develop, maintain, or use electronic record/signature systems have the education, training, and experience to perform their assigned tasks."
In practice:
Training records for all users
Competency assessments
Periodic retraining
Role-based access aligned with qualifications
Device Checks (§11.10(h)):
The requirement: "Determination of, and appropriate controls for, authorized use of devices..."
In practice:
Authentication: User ID + password (minimum), better: MFA
Session management: Auto-logout after inactivity
Device controls: Restrict access to authorized devices if needed
Electronic Signatures requirements (Subpart C)
§11.50 - Signature manifestations
The requirement: "Signed electronic records shall contain information associated with the signing... name, date/time, meaning of signature."
In practice:
An electronic signature must be a permanent part of the record and show:
Printed name: "John Smith"
Date and time: "2024-02-18 14:32:15 UTC"
Meaning: "Approved by Production Manager" or "Reviewed by QA"
Implementation: When the document is displayed, the signature must be clearly visible, not just in the database.
§11.70 - Signature/record linking
The requirement: "Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records..."
In practice: A signature cannot be cut and pasted, or copied, onto another record. It must be cryptographically bound to the specific record.
Implementation:
Hash of document content + signature data
Stored together
Any change to the document invalidates the signature
§11.200 & §11.300 - Signature types
Part 11 allows two types of electronic signatures:
§11.200 - "Regular" electronic signatures:
Minimum: User ID + password
May be used for all GxP signatures
§11.300 - Biometric or token-based:
Fingerprint, retina scan, smart card, etc.
More secure, but not required
In practice: The vast majority use §11.200 (user/password). Biometrics are rare in pharma.
§11.300(d) - Password requirements
For user/password signatures, the FDA requires:
Unique: Each user has a unique ID
Periodic change: FDA guidance says "at least annually"; best practice is 90 days
Complexity: Not explicitly in Part 11, but guidance suggests a minimum of 8 characters, mix of types
Reuse prevention: Cannot reuse the last X passwords
Implementation patterns
Pattern 1: Two-factor authentication for signature
Even if normal login is user/password, the signature may require re-authentication.
Implementation:
User works in the system with a normal session
When they need to sign, a pop-up requires re-entry of password (or second factor)
Signature only applied if authentication succeeds
Benefit: Higher assurance, separates "I'm working" from "I'm committing to this decision."
Pattern 2: Signature reason
The FDA often expects to know why something was signed.
Implementation:
Signature action requires selection of predefined reason from dropdown
Or free-text comment field
Reason stored with signature in the audit trail
Example: Document approval with reasons: "Approved as written", "Approved with comments", "Rejected - needs revision"
Pattern 3: Sequential signatures
Some workflows require multiple signatures in a specific order.
Implementation:
Workflow engine enforces sequence
Document "locked" after the first signature (no edits)
Next signer can only approve or reject, not edit
If rejected, returns to previous step
Example: Batch record review: Supervisor → QA → QP (Qualified Person). Each must sign in order.
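The re-authentication step of Pattern 1 and the ordered, locked workflow of Pattern 3, as an added Python example (not the article's own code). `reauthenticate` is an assumed caller-supplied callable that re-checks the signer's password or second factor at signing time; the roles, user ids and reasons are constructed sample values.

```python
class WorkflowError(Exception):
    pass

class SequentialSignatureWorkflow:
    """Workflow engine for ordered signatures. The record is locked against
    edits once the first signature is applied, each step may only be signed
    by the role it belongs to, and a rejection sends the record back one step
    (a rejection at the first step returns it to the author)."""

    def __init__(self, record, sequence):
        self.record = dict(record)
        self.sequence = list(sequence)   # e.g. ["Supervisor", "QA", "QP"]
        self.step = 0                    # index of the next role that must sign
        self.signatures = []             # (role, user_id, decision, reason)
        self.status = "in_progress"

    @property
    def locked(self):
        return bool(self.signatures)

    def edit(self, field, value):
        if self.locked:
            raise WorkflowError("record is locked after the first signature")
        self.record[field] = value

    def sign(self, role, user_id, approve, reason, reauthenticate):
        """reauthenticate(user_id) is supplied by the caller and re-checks the
        signer's password or second factor at signing time (Pattern 1)."""
        if self.status != "in_progress":
            raise WorkflowError(f"workflow is {self.status}; no further signatures")
        expected = self.sequence[self.step]
        if role != expected:
            raise WorkflowError(f"out of sequence: {expected} must sign before {role}")
        if not reason:
            raise WorkflowError("a signature reason is required")
        if not reauthenticate(user_id):
            raise WorkflowError("re-authentication failed; signature not applied")
        self.signatures.append((role, user_id, "approved" if approve else "rejected", reason))
        if approve:
            self.step += 1
            if self.step == len(self.sequence):
                self.status = "complete"
        elif self.step == 0:
            # First signer rejected: back to the author, who raises a new revision.
            self.status = "returned_to_author"
        else:
            self.step -= 1               # previous signer must review and sign again
        return self.status
```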
Common compliance pitfalls
Pitfall 1: Inadequate audit trail
Problem: System logs some actions but not all.
Example: User edits a critical parameter, but the audit trail only shows "record modified", not before/after values.
Solution: Log ALL GxP-relevant actions with complete before/after state.
Pitfall 2: Audit trail can be deleted
Problem: System has an admin function to "clean up old logs" that includes the audit trail.
Example: IT department deletes old data including the audit trail to save storage.
Solution:
Separate audit trail storage with NO delete capability
Archive to read-only media for long-term retention
Access controls: NOBODY can delete the audit trail
Pitfall 3: Generic user accounts
Problem: Shared logins such as "production1" or "QAreviewer".
Example: Multiple operators use the same login. When an error occurs, it is impossible to determine who actually did it.
Solution: Unique user ID for every individual. No shared accounts for GxP systems.
Pitfall 4: Weak password policy
Problem: Passwords like "password1" or "123456" are accepted.
Example: Easy to guess, high risk for unauthorized access.
Solution:
Minimum complexity (8+ chars, mix of character types)
Password expiry (90 days)
Account lockout after X failed attempts
Prevent password reuse
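An added Python example (not from the article) of the four controls listed above: complexity, 90-day expiry, lockout after a number of failed attempts, and history-based reuse prevention. The lockout threshold and history depth are assumed values to be set per SOP, and `now` is a day count (for example `date.toordinal()`) so that expiry can be checked without wall-clock time.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8            # 8+ characters
MAX_AGE_DAYS = 90         # 90-day expiry
LOCKOUT_THRESHOLD = 5     # "X failed attempts"; assumed value, set per SOP
HISTORY_DEPTH = 5         # "last X passwords"; assumed value, set per SOP

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_errors(password):
    rules = {
        f"at least {MIN_LENGTH} characters": len(password) >= MIN_LENGTH,
        "an uppercase letter": any(c.isupper() for c in password),
        "a lowercase letter": any(c.islower() for c in password),
        "a digit": any(c.isdigit() for c in password),
        "a symbol": any(not c.isalnum() for c in password),
    }
    return [rule for rule, ok in rules.items() if not ok]   # empty list = acceptable

class UserCredential:
    def __init__(self, user_id, password, now):
        self.user_id = user_id   # one unique id per individual, never shared
        self.history = []        # (salt, hash) pairs, newest last
        self.failed_attempts = 0
        self.locked = False
        self.set_password(password, now)

    def set_password(self, password, now):
        errors = complexity_errors(password)
        if errors:
            raise ValueError("password needs " + ", ".join(errors))
        if any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history[-HISTORY_DEPTH:]):
            raise ValueError(f"password matches one of the last {HISTORY_DEPTH} passwords")
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.changed_at = now    # day count; expiry is measured from here

    def authenticate(self, password, now):
        if self.locked:
            return False
        salt, h = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), h):
            self.failed_attempts += 1
            self.locked = self.failed_attempts >= LOCKOUT_THRESHOLD
            return False
        self.failed_attempts = 0
        return now - self.changed_at < MAX_AGE_DAYS   # expired password must be changed first
```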
Pitfall 5: Signatures not linked to record
Problem: Signature stored separately, can be moved to another document.
Example: QA signature on one batch record cut-pasted to another.
Solution: Cryptographic binding of the signature to the exact record content via hash.
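An added Python example (not the article's own code) of the hash-based binding described under §11.70 and again in this pitfall, together with the §11.50 manifestation fields (printed name, date/time, meaning). The manifestation is authenticated with an HMAC under a server-held key, an assumption beyond the article made so that a stored hash cannot simply be recomputed after an edit; the key and record values are constructed samples.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real system the key lives in an HSM/KMS under
# the application's control, never in the record store alongside the data.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

def canonical_hash(record):
    """Hash of the record content in canonical form, so the same content
    always yields the same digest regardless of field order."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def _mac(manifestation):
    body = {k: v for k, v in manifestation.items() if k != "mac"}
    return hmac.new(SIGNING_KEY, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()

def sign_record(record_id, record, printed_name, meaning, signed_at):
    """Build the §11.50 manifestation and bind it to this record (§11.70):
    record id and content hash sit inside the authenticated data."""
    manifestation = {
        "record_id": record_id,
        "content_hash": canonical_hash(record),
        "printed_name": printed_name,
        "signed_at": signed_at,      # ISO-8601 UTC string from the server clock
        "meaning": meaning,
    }
    manifestation["mac"] = _mac(manifestation)
    return manifestation

def verify_signature(record_id, record, signature):
    """Valid only if the MAC is intact and the signature refers to this exact
    record id and content. An edited record, or a signature pasted onto a
    different record, both fail."""
    if not hmac.compare_digest(_mac(signature), signature.get("mac", "")):
        return False
    return (signature["record_id"] == record_id
            and signature["content_hash"] == canonical_hash(record))

def render_signature_line(signature):
    """The visible manifestation printed on the displayed document (§11.50)."""
    return (f"Signed by {signature['printed_name']} on {signature['signed_at']}: "
            f"{signature['meaning']}")
```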
Audit readiness
During FDA audits, inspectors will specifically check for Part 11 compliance:
What they will ask to see:
Documentation:
Validation documentation for the system
SOPs for electronic signatures and records
Training records for users
Password management procedures
System demonstration:
Create and modify a record, show the audit trail
Demonstrate the signature process
Show access controls
Demonstrate audit trail review process
Records review:
Pull random electronic records
Verify signatures present and valid
Check audit trail completeness
Verify before/after values for changes
Preparation:
Run internal mock audits
Verify audit trail review is conducted periodically
Ensure all SOPs are up-to-date and followed
Confirm training records are complete
Case: LIMS Part 11 compliance
Scenario: Lab implementing a new LIMS with electronic lab notebooks and test results.
Challenges:
Legacy LIMS was not compliant (no audit trail, weak passwords)
50+ lab analysts need to be trained
FDA audit planned in 12 months
Our approach:
Phase 1 - Gap analysis:
Assessed new LIMS against Part 11 requirements
Identified gaps: Audit trail configuration, password policy, signature workflow
Phase 2 - System configuration:
Enabled comprehensive audit trail (all field changes)
Configured strong password policy (10 chars, complexity, 90-day expiry)
Built approval workflow: Analyst enters → Supervisor reviews → QA approves
Phase 3 - Validation:
Full CSV per GAMP 5
Specific test cases for Part 11: Audit trail accuracy, signature binding, access controls
Phase 4 - Training and cutover:
Role-based training for analysts, supervisors, QA
Parallel run: Paper and LIMS simultaneously for 1 month
Cutover with full backup plan
Outcome:
FDA audit: Zero Part 11 findings
Inspector specifically commended audit trail completeness
Lab efficiency increased (faster test result availability)
Conclusion
21 CFR Part 11 compliance is not optional for pharma. It requires:
Robust audit trails that log everything
Secure electronic signatures with proper authentication
Validation of systems per CSV best practices
Training of all users
Ongoing compliance monitoring
It doesn’t have to be enormously complex, but it must be taken seriously and implemented systematically.
At Hyperbolic, we ensure Part 11 compliance in all GxP systems we build or implement. We combine regulatory expertise with technical know-how to deliver solutions that both comply and are user-friendly.
Contact us for assistance with Part 11 compliance in your systems.

By
Peter Busk
CEO & Partner