21 CFR Part 11
21 CFR Part 11 is the US Food and Drug Administration regulation governing electronic records and electronic signatures for FDA-regulated industries — pharmaceutical manufacturing, medical devices, biotechnology, food and dietary supplements. In force since 1997 with scope-narrowing 2003 guidance, 21 CFR Part 11 establishes the requirements that make electronic records and signatures trustworthy and equivalent to paper-and-ink records for regulatory purposes. For DACH pharmaceutical and medical-device manufacturers exporting to the US, 21 CFR Part 11 compliance is mandatory; the EU equivalent is EU Annex 11.
Core requirements
- System validation — demonstrated ability to perform intended functions accurately, reliably and consistently. Standard methodology: GAMP-5 framework
- Audit trails — secure, computer-generated, time-stamped records of operator entries and changes; cannot be modified or deleted by the operator
- Access controls — access limited to authorised individuals with appropriate authority for the actions performed
- Electronic signatures — unique to one individual, not reusable, with biometric, two-factor or password-protected mechanisms
- Operator accountability — trained operators who certify electronic signatures are equivalent to handwritten
- Documentation — system documentation including standard operating procedures, user training records, validation records, change-control logs
- Record retention — electronic records readable and retrievable for the required retention period
Relationship to GxP
21 CFR Part 11 is a regulation about how electronic records are kept; GxP (GMP, GLP, GCP, GDP) is about how the regulated activities themselves are performed. They interlock: GxP-regulated activities increasingly use electronic systems, and those systems must meet 21 CFR Part 11. The combination drives the deep validation burden of pharma manufacturing IT. Computerised System Validation (CSV) under GAMP-5 demonstrates compliance with both GxP and 21 CFR Part 11 simultaneously. EU Annex 11 provides the EU-side equivalent specifically for computerised systems in GMP-regulated activities. Modern DACH pharma ERP deployments target both 21 CFR Part 11 and EU Annex 11 in one validation programme.
ERP-side implementation
21 CFR Part 11 affects almost every aspect of pharma and medical-device ERP. User management: unique user IDs, password complexity rules, periodic password change, session timeouts, account lockout after failed logins. Audit trail: every change to GxP-relevant data captured with user, timestamp, old value, new value, reason for change. Cannot be edited or disabled. Electronic signatures: e-signature workflows for batch release, material disposition, deviation closure, change-control approval. Each signature recorded with user, timestamp, meaning of signature (approved, reviewed, witnessed). Validation documentation: user requirements specification (URS), functional and design specifications, IQ/OQ/PQ test execution records, traceability matrices. Major pharma ERPs (SAP S/4HANA Pharma, Microsoft Dynamics 365 with industry add-ons, Infor M3 Pharma) include 21 CFR Part 11 features natively but require customer-side validation evidence.
Practical considerations
Three patterns. (1) Risk-based scope: the 2003 FDA guidance narrowed Part 11 application; not every electronic record needs full Part 11 controls. A GxP-impact assessment classifies each system into in-scope or out-of-scope. Disciplined scoping reduces validation burden materially. (2) Continuous compliance: validation is not a one-time event. Patches, version upgrades, configuration changes and data migrations all trigger re-validation activities. Annual periodic review verifies ongoing compliance. (3) Inspection readiness: FDA inspections may demand evidence of Part 11 compliance with little notice. Validation documentation, training records and audit-trail extracts must be retrievable within hours. Pre-inspection mock audits identify gaps before they become findings. Mature pharma operations treat Part 11 compliance as continuous discipline rather than periodic project.
Related Topics
Frequently Asked Questions
Does 21 CFR Part 11 apply only to US-sold products?
Effectively. Part 11 is FDA regulation, enforcing US-relevant compliance. DACH manufacturers exporting to US must comply. Manufacturers producing only for EU markets follow EU Annex 11, which has broadly similar but not identical requirements. Most major pharma operations comply with both simultaneously.
Can off-the-shelf ERP be 21 CFR Part 11 compliant?
Yes — major pharma ERPs (SAP S/4HANA Pharma, Microsoft Dynamics 365 F&O with pharma add-ons, Oracle Cloud ERP for Life Sciences) provide native Part 11 capabilities. The customer-side responsibility is correctly configuring, validating and operating the system. Pure off-the-shelf without customer-side validation effort is not sufficient; the ERP becomes Part 11 compliant only through the documented validation process.
How long does CSV (Computerised System Validation) take?
For mid-size pharma ERP implementation: 120-350 person-days of validation work on top of regular ERP-implementation effort, adding 25-50% to project cost. Larger enterprise implementations can require 1,000-3,000 person-days of validation deliverables. The validation effort persists through the system lifecycle as re-validation work for every change.