Part 11: History, Current Trends, and Evolving Regulatory Landscape
Background and Evolution of 21 CFR Part 11
21 CFR Part 11 (hereinafter “Part 11”) originated from a request by the U.S. pharmaceutical industry to implement paperless operations. The FDA initiated the development of guidelines for the use of electronic signatures to facilitate this digital transformation. Part 11 was published on March 20, 1997, and remains unchanged to this day—the regulation has never been formally amended in its nearly 28-year history.
However, in the rapidly evolving world of computer technology, rules created almost three decades ago cannot adequately address current needs without interpretation and guidance. Initially, the focus was primarily on electronic signatures, but through practical implementation, the industry and FDA recognized that electronic records were of even greater importance. Following the implementation of Part 11, new insights regarding electronic records and electronic signatures emerged. Rather than revising the regulation itself, the FDA has adapted its expectations and enforcement approach through guidance documents and compliance policies.
Because Part 11 has not been formally revised, the regulation text itself does not reflect the FDA’s current expectations and guidance. The complexity of interpreting Part 11’s requirements and the difficulty of achieving compliance—particularly regarding compliance costs—led the industry to repeatedly request that the FDA withdraw or relax Part 11 requirements. Ironically, many companies, fearful of Part 11 citations, reverted to paper-based systems, essentially taking a step backward from the intended digitalization.
From the FDA’s perspective, this was an undesirable outcome. The agency prefers to conduct inspections electronically, as this enables faster searching and more comprehensive review of records. When companies hesitate to digitize their operations, it runs counter to both the FDA’s modernization efforts and patient interests.
Today, the FDA’s primary concern is not whether records are electronic or paper-based, but rather data integrity. The focus has fundamentally shifted from the medium of record-keeping to the reliability, completeness, and trustworthiness of the data itself, embodied in principles such as ALCOA+ (Attributable, Legible, Contemporaneous, Original, Accurate + Complete, Consistent, Enduring, Available).
The Scope and Application Guidance: A Risk-Based Approach
In September 2003, the FDA issued “Part 11, Electronic Records; Electronic Signatures – Scope and Application,” a guidance document that introduced a risk-based approach to Part 11 compliance. This guidance recognized that excessively burdensome compliance costs would ultimately be passed on to patients through increased product prices. The FDA, mindful of healthcare affordability concerns, sought to balance compliance requirements with practical implementation.
The risk-based approach requires companies to focus their compliance efforts on areas that directly impact patient safety, product efficacy, and product quality. Part 11 is most strictly applied to raw data—original observations and measurements that form the basis for quality decisions. Document management, while important, requires different controls because malicious actors can create fraudulent documents regardless of security features or audit trails implemented in document management systems.
It is crucial to understand that both Part 11 and the Scope and Application guidance remain in effect and must be followed. A common misconception among companies is that printing electronic records to paper and treating the paper copy as the “official record” satisfies compliance requirements. This approach is fundamentally flawed—Part 11 applies from the moment electronic records are created, regardless of whether they are subsequently printed. Converting electronic records to paper does not exempt them from Part 11 requirements.
Current Enforcement Trends and Regulatory Focus
Since 2001, the FDA has not issued Warning Letters citing Part 11 by name as the primary violation. It is important to note that there is no such thing as a “Part 11 inspection” as a standalone inspection category. Part 11 requirements are evaluated as part of broader CGMP, GCP, or GLP inspections.
Around 2010, the FDA resumed focused review of Part 11 compliance during inspections, but this increased scrutiny was initially limited to human pharmaceuticals. The primary objective was monitoring for Out-of-Specification (OOS) results—situations where test results fall outside established acceptance criteria. Whether through intentional manipulation or accidental error, any alteration of records that could affect patient safety warranted heightened attention.
However, recent trends show that data integrity violations have become one of the most frequently cited issues in FDA Warning Letters. Analysis of FDA enforcement actions from 2021-2024 reveals that data integrity concerns appear in approximately 60% of Warning Letters. While inspectors rarely cite 21 CFR Part 11 by number in Warning Letters, they consistently cite violations of predicate rules—such as 21 CFR 211.68(b) (controls over computer systems), 21 CFR 211.160 (laboratory controls), and 21 CFR 211.180 (records and reports)—that fundamentally relate to Part 11 principles.
Recent Warning Letters (2023-2024) have documented serious violations including:
- Torn and discarded original CGMP documents found in scrap areas and on trucks
- Laboratory personnel with administrative privileges enabling deletion or alteration of raw data
- Shared passwords for accessing analytical software, preventing proper user attribution
- Unvalidated electronic worksheets resulting in erroneous data generation
- Gas chromatography systems lacking audit trails and individual login access
- Files found in computer recycling bins, indicating unauthorized data deletion
- UV-Vis spectrophotometer systems without audit trails or defined user access levels
These findings demonstrate that Part 11 compliance remains critically important for any organization using electronic records in FDA-regulated activities.
Data Integrity: The Current Regulatory Priority
The FDA’s current emphasis on data integrity represents an evolution beyond the original focus of Part 11. Data integrity encompasses not only compliance with Part 11 technical requirements but also the broader principles that ensure data reliability throughout its lifecycle.
The ALCOA+ principles have become the de facto industry standard for data integrity:
Core ALCOA Principles:
- Attributable: Data must be clearly linked to the individual who created or modified it, with proper identification and timestamps
- Legible: Data must be readable and understandable throughout its retention period
- Contemporaneous: Data must be recorded at the time of observation or performance, not reconstructed later
- Original: Records must be the first capture of data, or true copies of the original
- Accurate: Data must be correct, truthful, and free from errors
Extended ALCOA+ Principles:
- Complete: All data must be retained, including failed results, out-of-specification results, and invalidated data with scientific justification
- Consistent: Timestamps must be reconcilable across systems; data must follow logical sequences
- Enduring: Records must remain available and readable throughout their required retention period
- Available: Data must be accessible for review throughout its lifecycle, including during regulatory inspections
Some organizations have further extended these to ALCOA++ or ALCOA-C, adding principles such as Traceable, Integrity, Robustness, Transparency, Accountability, and Reliability. The FDA’s December 2018 guidance “Data Integrity and Compliance With Drug CGMP: Questions and Answers” explicitly references ALCOA principles and provides extensive detail on the agency’s expectations.
Computer Software Assurance (CSA): The Modern Validation Paradigm
In September 2022, the FDA issued draft guidance on “Computer Software Assurance for Production and Quality System Software,” which was finalized on September 24, 2025. This guidance represents a significant evolution in the FDA’s approach to software validation, moving away from traditional Computer System Validation (CSV) toward a more streamlined, risk-based approach called Computer Software Assurance (CSA).
The CSA framework introduced several important changes:
Key Principles of CSA:
- Risk-Based Validation: Validation efforts should be scaled according to the risk a system poses to patient safety, product quality, and data integrity. High-risk functions require rigorous testing, while low-risk functions can be qualified using vendor documentation and unscripted testing.
- Leveraging Vendor Testing: Companies can and should rely on testing performed by software vendors rather than repeating all testing internally. This represents explicit FDA endorsement of a practice that was previously ambiguous.
- Scripted vs. Unscripted Testing: The guidance introduces new terminology aligned with IEEE standards. Scripted testing (traditional test cases with predefined steps and expected results) remains appropriate for high-risk functions. Unscripted testing (exploratory testing, scenario testing, error-guessing) is acceptable for lower-risk functions.
- Critical Thinking Approach: Rather than generating extensive documentation for its own sake, companies should focus on what matters for patient safety, product quality, and data integrity. The emphasis shifts from “how much paperwork” to “what evidence demonstrates fitness for intended use.”
- Modern Documentation: System logs, audit trails, and other electronically generated data can serve as validation records. Screenshots are not necessary if other electronic evidence is available.
The CSA guidance applies directly to medical device and biologics manufacturers. While it is not formally binding on pharmaceutical manufacturers (who fall under CDER rather than CDRH/CBER), the underlying principles are expected to influence FDA expectations across all regulated industries. Many pharmaceutical companies have already begun adopting CSA principles in their validation programs.
It is important to note that CSA does not replace Part 11 requirements—it complements them. CSA addresses how to validate systems, while Part 11 establishes requirements for trustworthy electronic records and signatures. Both frameworks must be satisfied.
Recent FDA Guidance on Electronic Records in Clinical Trials
On October 1, 2024, the FDA finalized guidance titled “Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers.” This guidance, which had been in draft since May 2017, provides clarity on how Part 11 applies to electronic records in clinical trials for drugs, devices, biologics, foods, tobacco products, and animal drugs.
Key aspects of this guidance include:
- Application of Part 11 principles to sponsors, Contract Research Organizations (CROs), clinical investigators, and Institutional Review Boards (IRBs)
- Expectations for electronic data capture systems, including Electronic Data Capture (EDC), electronic Clinical Outcome Assessments (eCOA), and electronic Patient-Reported Outcomes (ePRO)
- Requirements for remote data acquisition and source data verification
- Integration with Digital Health Technologies (DHTs) such as wearables and sensors
- Expectations for electronic Trial Master Files (eTMF) and electronic consent (eConsent)
This guidance reaffirms that Part 11’s core principles apply even as technology evolves. The risk-based approach emphasized in the 2003 Scope and Application guidance remains central—organizations should focus validation and control efforts where they matter most for data integrity and patient safety.
International Regulatory Alignment
While Part 11 is a U.S. regulation, similar principles govern electronic records and signatures globally:
EU GMP Annex 11 (Computerised Systems): The European Medicines Agency’s Annex 11, revised in 2011, establishes requirements for computerized systems in GMP environments. While organized differently from Part 11, Annex 11 addresses similar concepts including validation, audit trails, data integrity, and access controls.
WHO Guidance: The World Health Organization has issued various guidance documents on computerized systems and data integrity that align with ALCOA principles and emphasize risk-based validation approaches.
PIC/S: The Pharmaceutical Inspection Co-operation Scheme, representing over 50 regulatory authorities worldwide, has issued guidance on data integrity that harmonizes expectations across member countries.
ISO 13485: The FDA’s February 2024 final rule aligning 21 CFR Part 820 with ISO 13485:2016 (effective February 2, 2026) will further harmonize U.S. requirements with international standards for medical device quality management systems.
Organizations operating in multiple jurisdictions must develop compliance strategies that satisfy the most stringent applicable requirements while recognizing areas of harmonization.
Cloud Computing and Modern Technology Platforms
The rapid adoption of cloud-based systems, Software as a Service (SaaS) platforms, and hybrid infrastructures has raised questions about Part 11 compliance in modern technology environments. The FDA has clarified that:
- Part 11 is technology-agnostic—it applies regardless of whether systems are cloud-based, on-premises, or hybrid
- The company using the system (not the cloud vendor) remains responsible for validation, data integrity, security, and audit trail availability
- Vendor assessments should include reviewing certifications (ISO, SOC2), development practices, cybersecurity controls (including Software Bill of Materials and threat modeling), and data integrity controls (encryption, access control, backup and recovery)
- Service Level Agreements (SLAs) should address Part 11 requirements including data availability, retention, and ability to provide data to FDA upon request
Cloud systems can actually enhance compliance when properly implemented, as they often provide built-in security features, automated audit trails, and robust disaster recovery capabilities that would be costly to implement in legacy on-premises systems.
Practical Implementation Considerations
For organizations implementing Part 11 compliance programs, several practical considerations warrant attention:
System Categorization: Not all electronic systems require the same level of Part 11 controls. The Scope and Application guidance introduced the concept of focusing on systems that directly support predicate rule requirements. Risk assessments should consider the system’s impact on patient safety, product quality, and data integrity.
Hybrid Paper-Electronic Systems: Organizations using both paper and electronic records must clearly define which is the “official record.” Hybrid systems create particular challenges because data integrity gaps can occur during transitions between media. The FDA generally discourages hybrid systems but recognizes they may be necessary during transition periods.
Audit Trail Review: Having an audit trail is not sufficient—organizations must establish procedures for regular review of audit trails to detect and investigate anomalies. The frequency of review should be risk-based, with more critical systems reviewed more frequently.
System Validation Lifecycle: Validation is not a one-time event. Systems must be maintained in a validated state through change control, periodic review, and revalidation when significant changes occur.
Training and Competency: Personnel using validated systems must be trained not only on system operation but also on the importance of data integrity and their role in maintaining it.
Common Compliance Pitfalls
FDA inspections continue to identify recurring data integrity issues:
- Shared Login Credentials: Using shared passwords or login credentials prevents proper attribution of actions to individuals
- Inadequate Access Controls: Providing users with administrative privileges when not necessary, or failing to restrict access based on job functions
- Incomplete Audit Trails: Systems that don’t capture all relevant information (who, what, when, why) or allow audit trail data to be modified or deleted
- Unvalidated Spreadsheets: Microsoft Excel and other spreadsheet applications used for GxP purposes without appropriate validation and control
- Data Deletion Without Justification: Deleting data from systems without documented, scientifically sound justification
- Inadequate System Administration: Failing to properly configure, maintain, and monitor computerized systems
- Poor Documentation: Inadequate validation documentation, missing procedures, or procedures that aren’t followed in practice
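The audit trail review and incomplete-audit-trail points above can be illustrated with a small review script. This is an added example, not part of the original article or any FDA guidance. The hash chaining, the field names, the `SHARED_ACCOUNTS` list and the sample entries are all assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime

REQUIRED = ("who", "what", "when", "why")   # who/what/when/why, as listed in the article
SHARED_ACCOUNTS = {"admin", "labuser"}      # assumption: site-specific generic logins
GENESIS = "0" * 64

def entry_hash(prev_hash, entry):
    """SHA-256 over the previous entry's hash plus this entry's content."""
    body = {k: entry.get(k) for k in ("seq",) + REQUIRED}
    return hashlib.sha256((prev_hash + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def seal(raw_entries):
    """Number and chain entries as the recording system would at write time."""
    trail, prev = [], GENESIS
    for seq, raw in enumerate(raw_entries, 1):
        entry = dict(raw, seq=seq)
        entry["hash"] = prev = entry_hash(prev, entry)
        trail.append(entry)
    return trail

def review(trail):
    """Return (seq, finding) pairs for a reviewer to investigate."""
    findings, prev_hash, prev_seq, prev_time = [], GENESIS, 0, None
    for e in trail:
        seq = e.get("seq")
        if seq != prev_seq + 1:
            findings.append((seq, "sequence gap: entry removed or reordered"))
        if e.get("hash") != entry_hash(prev_hash, e):
            findings.append((seq, "hash mismatch: content or predecessor changed"))
        for field in REQUIRED:
            if not e.get(field):
                findings.append((seq, f"missing {field}"))
        if e.get("who") in SHARED_ACCOUNTS:
            findings.append((seq, "shared account: action not attributable"))
        when = datetime.fromisoformat(e["when"]) if e.get("when") else None
        if when and prev_time and when < prev_time:
            findings.append((seq, "timestamp earlier than previous entry"))
        prev_hash, prev_seq, prev_time = e.get("hash", ""), seq, when or prev_time
    return findings

# Constructed sample entries (not real data).
SAMPLE = [
    {"who": "jsmith", "what": "create result HPLC-001", "when": "2024-03-01T09:00:00", "why": "routine assay"},
    {"who": "labuser", "what": "modify result HPLC-001", "when": "2024-03-01T09:20:00", "why": "reintegration"},
    {"who": "mlee", "what": "delete result HPLC-002", "when": "2024-03-01T09:10:00", "why": ""},
    {"who": "jsmith", "what": "approve result HPLC-001", "when": "2024-03-01T10:00:00", "why": "QC release"},
]

if __name__ == "__main__":
    trail = seal(SAMPLE)
    trail[3]["what"] = "approve result HPLC-002"   # simulated edit after sealing
    for seq, finding in review(trail):
        print(seq, finding)
```

The findings map to the pitfalls listed above: unattributable shared logins, entries missing a reason, inconsistent timestamps, and audit trail content that was modified or deleted after the fact.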
Looking Forward: Trends and Expectations
Several trends are shaping the future of electronic records compliance:
Artificial Intelligence and Machine Learning: As AI/ML tools become integrated into quality and manufacturing systems, questions arise about validation, bias detection, and explainability. While the 2024 clinical trials guidance explicitly avoided addressing AI, this will likely be an area of future FDA guidance development.
Continuous Monitoring and Real-Time Release: Technologies enabling real-time monitoring and adaptive manufacturing will require new approaches to validation and data integrity.
Blockchain and Immutable Records: Blockchain technology offers potential advantages for creating tamper-evident records, though implementation questions remain.
Integration of Manufacturing and Quality Systems: As digital transformation progresses, the integration of manufacturing execution systems (MES), enterprise resource planning (ERP), quality management systems (QMS), and laboratory information management systems (LIMS) creates new data integrity challenges and opportunities.
Regulatory Harmonization: Continued efforts toward international harmonization will help reduce duplicative compliance efforts for global organizations.
Conclusion
Part 11 remains a cornerstone of electronic records compliance in FDA-regulated industries nearly 28 years after its publication. While the regulation text has not changed, FDA expectations have evolved significantly through guidance documents, enforcement patterns, and engagement with industry.
The fundamental principle underlying Part 11—that electronic records must be trustworthy, reliable, and equivalent to paper records—remains as relevant today as in 1997. However, the implementation approach has matured from a checklist mentality to a risk-based, critical thinking approach embodied in CSA and modern data integrity principles.
Organizations should focus their compliance efforts on what matters most: ensuring that data supporting product quality and patient safety decisions is attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available. This is achieved not through excessive paperwork but through thoughtful system design, appropriate controls, regular monitoring, and a strong organizational culture of data integrity.
As technology continues to evolve, the FDA’s approach will continue to adapt while maintaining its core focus on protecting public health. Organizations that embrace risk-based compliance, leverage modern validation approaches like CSA, and maintain robust data integrity programs will be well-positioned for successful regulatory inspections and, more importantly, for consistently delivering safe, effective, high-quality products to patients.
Note: This article reflects current understanding as of January 2025. Organizations should consult FDA guidance documents, regulatory experts, and legal counsel for specific compliance questions. The FDA’s expectations continue to evolve, and staying informed through official FDA communications, industry organizations (ISPE, PDA, RAPS), and qualified consultants is essential for maintaining compliance.