The Manufacturer's Guide to 21 CFR Part 11 Compliance

Published on June 2, 2026

21 CFR Part 11 is the FDA regulation that governs how pharmaceutical, biotech, and medical device manufacturers create, sign, and maintain electronic records and electronic signatures, ensuring they carry the same legal weight as paper-based records. Any manufacturer using a computerised system to generate, modify, maintain, archive, retrieve, or transmit records that FDA regulations require must comply with Part 11. Non-compliance can trigger FDA warning letters, consent decrees, and, in the most serious cases, product recalls that cost tens of millions of dollars. According to the FDA's guidance on Part 11 scope and application, the regulation is not about the format of the record; it is about the integrity, traceability, and accessibility of that record.

Key Takeaways

  • Part 11 applies wherever electronic records replace paper: If your facility is subject to any FDA predicate rule — cGMP, QSR, GLP — and uses a computerised system to maintain those records, Part 11 applies to that system.
  • Audit trails are the most scrutinised requirement: FDA investigators routinely test audit trail functionality directly during inspections and look for evidence of routine review — not just that the feature exists.
  • The four non-negotiables are: system validation, audit trail management, access control enforcement, and documented procedural controls with training records.
  • A CMMS architected for Part 11 removes the largest manual compliance burden: Equipment maintenance logs, calibration records, and PM completion records are among the most frequently audited predicate rule records in pharma manufacturing.

What Is 21 CFR Part 11?

Title 21 of the Code of Federal Regulations, Part 11 — commonly written as 21 CFR Part 11 — was finalised by the FDA in 1997 as the first federal rule to explicitly address electronic records and electronic signatures in regulated industries. The regulation sits under 21 CFR Chapter I, Subchapter A, and applies to any record that FDA regulations require you to keep or submit — batch records, maintenance logs, calibration records, equipment cleaning records, deviation reports, CAPA documentation, and any other quality or operational record that falls under a predicate rule such as cGMP (21 CFR Parts 210/211), QSR (21 CFR Part 820), or GLP (21 CFR Part 58).

Closed vs. Open Systems

Part 11 distinguishes between two types of computerised systems, each carrying different compliance obligations. Most internal CMMS platforms qualify as closed systems, but the distinction matters for how you design your compliance controls.

| Dimension | Closed System | Open System |
|---|---|---|
| Definition | Access is controlled by persons responsible for the content of the records | Access is not controlled by those responsible for the records |
| Common examples | Internal CMMS, validated LIMS, in-house quality system | Email, internet-accessible portals, shared external platforms |
| Required controls | Audit trails, access controls, electronic signatures, system validation | All closed-system controls plus encryption and document authentication |
| Regulatory reference | §11.10 | §11.30 |

Key Requirements of 21 CFR Part 11

The regulation is organised around two major areas: electronic records (Subpart B) and electronic signatures (Subpart C). Each carries specific technical and procedural controls that manufacturers must implement and document.

Electronic Records Requirements (Subpart B)

  • Audit Trails (§11.10(e)): Systems must create computer-generated, time-stamped audit trails capturing the date and time of every operator entry or action that creates, modifies, or deletes an electronic record. Audit trails must be retained for the full required retention period of the underlying record and must be available for FDA review on demand.
  • Access Controls (§11.10(d)): Only authorised individuals may access, create, modify, or sign electronic records. Access must be limited through system-level controls, not by procedural policy alone.
  • System Validation (§11.10(a)): All computerised systems used to create or manage required records must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
  • Record Retention and Retrieval (§11.10(c)): Systems must protect records to enable accurate and ready retrieval throughout the required retention period — including protection against data loss from system failure or obsolescence.
  • Authority Checks (§11.10(g)): Systems must use authority checks to ensure that only authorised individuals can use the system, electronically sign a record, access operation or computer system input or output devices, alter a record, or perform an operation.
  • Device Checks (§11.10(h)): Where appropriate, the source of input or operational instruction must be checked for validity — particularly relevant for laboratory instruments feeding data directly into electronic records.

Electronic Signatures Requirements (Subpart C)

  • Unique to One Individual (§11.100(a)): Each electronic signature must be unique to one individual and must not be reused by, or reassigned to, anyone else. Shared credentials are explicitly prohibited.
  • Verification of Identity (§11.100(b)): Before establishing or sanctioning an individual's electronic signature, organisations must verify the identity of that individual.
  • Two-Component Signatures (§11.200(a)): Electronic signatures not based on biometrics must use at least two distinct identification components — typically a user ID and a password. When a person signs a record continuously in the same session, only the first signing requires both components; subsequent signings in the same session require at least one component.
  • Non-Repudiation and Meaning (§11.50(a)): Signed electronic records must contain the printed name of the signer, the date and time of signing, and the meaning associated with the signature — review, approval, responsibility, or authorship.
  • Certification to FDA (§11.100(c)): Organisations using electronic signatures must certify in writing to the FDA that their electronic signatures are intended to be the legally binding equivalent of traditional handwritten signatures.

The Four Pillars of a Defensible Part 11 Compliance Program

Understanding the requirements is only the first step. Passing an FDA inspection requires a program built on four interconnected pillars. Missing any one of them creates an exposure that a good audit trail alone cannot fix.

1. System Validation (IQ, OQ, PQ)

Validation is the foundation. Every computerised system subject to Part 11 must be validated before use in production, and revalidated whenever changes could affect its Part 11-relevant functions. The standard approach follows three sequential protocols:

  • Installation Qualification (IQ): Documents that the system is installed correctly, all required components are present, and hardware and software match the approved specifications.
  • Operational Qualification (OQ): Tests that the system performs as intended across its specified operating range — including edge cases and failure modes. For a CMMS, OQ testing covers audit trail generation, access control enforcement, and signature integrity.
  • Performance Qualification (PQ): Demonstrates that the system consistently performs according to user requirements in the actual production environment over time.

The ISPE GAMP 5 framework is the most widely recognised guidance for pharmaceutical computer system validation. It categorises systems by complexity and provides risk-based validation requirements for each category.

2. Audit Trail Management

An audit trail that cannot be retrieved, read, or defended in an inspection is worthless. Effective audit trail management requires more than turning on the feature — it requires a documented policy covering what is captured, how long it is retained, who can access it, and how it is reviewed during normal operations. FDA investigators specifically look for evidence that audit trails are reviewed regularly, not just available on demand. The report builder in Cryotos supports scheduled audit trail review reports, creating a documented evidence trail that routine review is occurring.

3. Access Control and User Management

Access control failures are the most common Part 11 observation cited in FDA warning letters. The most frequent problems are shared user IDs, inactive accounts that remain open, insufficient role-based permissions, and lack of formal procedures for account creation, modification, and termination. A strong program requires technically enforced role-based access — not just a policy that says users should not share credentials. User role level access controls built into the CMMS prevent unauthorised actions at the system level, regardless of what users might otherwise attempt.

4. Procedural Controls and Training

Technical controls alone are not sufficient. Part 11 explicitly requires written policies governing the use of the system, the handling of electronic records, and the management of electronic signatures. Every person who creates, signs, or manages required records must be trained on those procedures — and that training must be documented. According to the FDA's inspection guidance for computerised systems, investigators routinely ask to see training records for system users as part of any Part 11 inspection.

If your pharmaceutical manufacturing CMMS is not yet architected to support all four pillars, now is the time to close those gaps — before your next inspection finds them.

Most Common 21 CFR Part 11 Failures in Manufacturing

FDA warning letters and 483 observations related to Part 11 cluster around five recurring failures. Knowing them in advance is the most efficient way to close gaps before an inspection finds them.

  • Audit trail disabled or incomplete: Some CMMS and lab systems ship with audit trail functionality available but not enabled by default. Manufacturers who do not verify that audit trails are active — and capturing all required fields — routinely discover the gap only when an investigator asks to see the trail for a specific record.
  • Shared user IDs and credentials: Workshop-floor environments where multiple technicians work the same terminal often develop informal shared-login practices. This directly violates §11.100(a) and makes the signatures on any record created during those sessions legally questionable.
  • Insufficient validation documentation: Using a commercial off-the-shelf CMMS or quality system does not eliminate the validation requirement. Manufacturers must still perform and document IQ, OQ, and PQ for their specific configuration and use of the system.
  • Lack of routine audit trail review: The FDA expects audit trails to be reviewed as part of normal operations — not only when a problem is suspected. Companies that cannot show documented periodic audit trail reviews are routinely cited during inspections.
  • Predicate rule gaps: Some manufacturers focus on Part 11 requirements without ensuring the underlying predicate rule records are complete. Part 11 governs the electronic format of those records — if the underlying record is incomplete or inaccurate, Part 11 compliance is irrelevant.

How Cryotos CMMS Supports 21 CFR Part 11 Compliance

A CMMS is one of the most critical systems for Part 11 compliance in pharmaceutical manufacturing because it generates many of the records that FDA predicate rules require — equipment maintenance logs, calibration records, cleaning records, and PM completion records. A CMMS architected for Part 11 removes much of the manual burden and human error risk from these requirements. Here is how each major requirement maps to CMMS functionality.

Audit Trails

Every creation, modification, or deletion of a maintenance record in Cryotos is automatically captured in a tamper-evident, time-stamped audit log. The log records the user who performed the action, the exact field that was changed, the old value, the new value, and the timestamp — at the field level, not just at the record level. Field-level granularity is what Part 11 requires and what FDA investigators look for when reviewing audit trail functionality during inspections.
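A sketch of the field-level audit log described above, as an added example that is not Cryotos code or taken from the original page. It assumes that "tamper-evident" is achieved with a SHA-256 hash chain over the entries; the class, field names and sample work order are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, field-level audit log with hash chaining (assumed design)."""

    def __init__(self):
        self.entries = []

    def _append(self, user, record_id, action, field, old, new, ts=None):
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user, "record_id": record_id, "action": action,
            "field": field, "old": old, "new": new,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        self.entries.append({**body, "hash": _digest(body)})

    def record_change(self, user, record_id, before, after, ts=None):
        """Log one entry per field that differs between two record versions."""
        if not user:
            raise ValueError("every entry must be attributed to a unique user ID")
        action = "create" if not before else "delete" if not after else "modify"
        for field in sorted(set(before) | set(after)):
            old, new = before.get(field), after.get(field)
            if old != new:
                self._append(user, record_id, action, field, old, new, ts)

    def verify(self):
        """Return the index of the first altered or out-of-order entry, or None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def demo():
    # Constructed sample data: a calibration work order edited by two users.
    trail = AuditTrail()
    v1 = {"status": "open", "torque_nm": 12.5, "technician": "jdoe"}
    v2 = {"status": "closed", "torque_nm": 12.5, "technician": "jdoe"}
    trail.record_change("jdoe", "WO-1001", {}, v1, ts="2026-06-02T08:00:00+00:00")
    trail.record_change("asmith", "WO-1001", v1, v2, ts="2026-06-02T09:30:00+00:00")
    intact = trail.verify()
    trail.entries[2]["new"] = 14.0  # simulate an out-of-band edit to a logged value
    return len(trail.entries), intact, trail.verify()
```

A chain like this only detects edits made without recomputing every later hash, and it cannot detect removal of the newest entries, so the latest hash should be stored or signed somewhere the application's own users and administrators cannot write to.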

Access Controls and Electronic Signatures

Cryotos enforces role-based access controls at the system level. User accounts are unique to each individual, credentials cannot be shared, and permissions are configured by role to restrict access to only the functions each user type requires. When a maintenance technician completes a work order or a quality manager approves a deviation, the electronic signature is captured with the user's identity, timestamp, and the meaning of the signature — completion, review, or approval. The maintenance checklists module enforces step-by-step sign-off at the task level, creating a granular execution record.

Work Order Documentation

Maintenance and calibration work orders in Cryotos capture every step of the execution process — task completion, parts used, actual start and end times, technician ID, attachments, and deviations from standard procedure. The work order management module creates an end-to-end record that satisfies both the cGMP record-keeping requirements of 21 CFR Part 211 and the electronic record integrity requirements of Part 11 simultaneously.

Preventive Maintenance Scheduling and Compliance Tracking

The preventive maintenance software in Cryotos schedules equipment PMs based on time intervals, usage meters, or condition triggers. Each scheduled PM generates a work order automatically, and the system records whether each PM was completed on time, late, or missed entirely — creating the PM compliance rate data FDA investigators review to assess whether a manufacturer's maintenance programme is effective.

Document Control and Procedure Access

SOPs, calibration procedures, and equipment manuals attach directly to equipment records and work orders through the document management feature. Technicians access the current approved version of a procedure directly from the work order on their mobile device — eliminating the version control risk that arises when printed SOPs are used on the shop floor.

BI Dashboard and Compliance Reporting

The BI Dashboard tracks PM compliance rates, overdue work orders, calibration expiry dates, and open deviations in real time. QA and maintenance teams generate audit-ready reports on demand, filtered by date range, asset, department, or user — reducing pre-inspection preparation from days to minutes.

21 CFR Part 11 Compliance Checklist for Manufacturers

Use this regulatory compliance checklist to assess your current compliance status. Each gap you identify represents a potential FDA observation, so address gaps before your next inspection, not during it.

  • All computerised systems used to create, maintain, or transmit required records are identified and documented in a system inventory.
  • Each system in the inventory has a completed validation package (IQ, OQ, PQ) with documented test evidence.
  • Audit trail functionality is enabled and verified as active in all Part 11-relevant systems.
  • Audit trails capture the date, time, user, and nature of every action that creates, modifies, or deletes a required record.
  • Audit trail records are retained for at least as long as the underlying record they document.
  • Each user account is unique to a single individual — no shared user IDs exist in any Part 11-relevant system.
  • User access is role-based with documented procedures for account creation, modification, and termination.
  • Electronic signatures include the signer's name, the date and time of signing, and the meaning of the signature.
  • A written certification that electronic signatures are the legal equivalent of handwritten signatures has been submitted to the FDA (21 CFR §11.100(c)).
  • Training records for all system users are current and accessible for inspection review.
  • Audit trails are reviewed periodically, and those reviews are documented.
  • Change control procedures exist for all changes to Part 11-relevant systems, including revalidation triggers.
  • Backup and disaster recovery procedures are documented, tested, and current.

Frequently Asked Questions

Does 21 CFR Part 11 apply to all pharmaceutical manufacturers?

Part 11 applies to any person who, in fulfilment of a requirement in an FDA regulation, uses electronic records in place of paper records or uses electronic signatures. If your facility is subject to any FDA predicate rule — including cGMP under 21 CFR Parts 210 and 211 — and you use any computerised system to maintain the records those rules require, Part 11 applies to those systems. The scope is based on whether you are using an electronic record to fulfil an FDA requirement, not on the size or type of your facility.

What is the difference between 21 CFR Part 11 and EU Annex 11?

Both regulations address computerised systems and electronic records in the pharmaceutical industry, but they originate from different regulatory bodies. 21 CFR Part 11 is a US FDA regulation; EU Annex 11 is a European GMP requirement. The two share significant overlap — particularly around validation, audit trails, access controls, and electronic signatures — but EU Annex 11 has a stronger explicit risk management emphasis and provides more detailed guidance on supplier and service provider management.

Does using a cloud-based CMMS affect our Part 11 compliance obligations?

Using a cloud-based CMMS does not eliminate your Part 11 obligations — it transfers some technical controls to the vendor but does not transfer compliance responsibility. You remain responsible for ensuring the vendor's system is validated, audit trails function correctly in your configuration, and access controls are implemented appropriately. Your supplier qualification programme must include an assessment of the vendor's quality system, and you should obtain a vendor validation documentation package as part of your compliance evidence.

How often should we revalidate our CMMS under Part 11?

There is no fixed revalidation interval in Part 11. Revalidation is required when changes are made to the system — software upgrades, configuration changes, or changes to the hardware or operating environment — that could affect Part 11-relevant functions. Best practice is a change control process that identifies which changes require revalidation, defines the scope, and documents the results. Annual routine revalidation reviews are also common even in the absence of specific changes, as documented evidence that the system remains in a validated state.

What does an FDA inspector typically look for during a Part 11 inspection?

FDA investigators typically request the system inventory, validation documentation, audit trail samples for specific records, user access lists showing active accounts and role assignments, training records, change control records, and backup and recovery test results. They frequently test audit trail functionality directly by making changes in the system and verifying those changes are captured correctly. They also look for evidence of routine audit trail review — not just the existence of the audit trail functionality.

21 CFR Part 11 compliance is an ongoing operational discipline, not a one-time project. The manufacturers who consistently pass FDA inspections treat Part 11 as part of their normal quality management system — not as a separate exercise revisited only before an audit. Schedule a free demo to see how Cryotos supports a defensible, audit-ready Part 11 programme — from field-level audit trails and role-based access controls to PM compliance reporting and electronic signature capture.
