If you work in biotech IT and someone mentions "Part 11," you know the conversation is about to get complicated. 21 CFR Part 11 is simultaneously one of the most cited regulations in FDA warning letters and one of the least well-understood by the IT teams responsible for implementing it. This guide strips away the jargon.
The One-Sentence Version
21 CFR Part 11 says: if you use electronic records or electronic signatures in place of paper records and wet signatures for anything FDA requires you to document, those electronic records and signatures must meet specific technical and procedural requirements.
Where It Came From
The regulation was finalized in 1997, when the biggest "electronic" concern was floppy disks and local databases. FDA issued it to establish rules for accepting electronic records as equivalent to paper — previously, regulated companies had to print and sign paper copies of everything. Part 11 made it legal to go paperless, but with conditions.
In 2003, FDA issued a guidance document that narrowed the scope of Part 11 enforcement and emphasized a risk-based approach. That guidance is still in effect. It doesn't change the requirements — it tells you to focus your validation efforts on systems where the risks are highest.
Which Systems Does It Apply To?
Part 11 applies to electronic records that are "created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in agency regulations." In plain English: any system you use to create or maintain records that FDA regulations require you to keep.
Common examples in biotech:
- Electronic lab notebooks (ELN) used to document GLP or GCP study data
- LIMS used for sample management and quality control in regulated testing
- Quality management systems (QMS) for batch records, deviations, and CAPAs
- Electronic trial master files (eTMF) for clinical trial documentation
- Manufacturing execution systems (MES) for GMP batch records
- Environmental monitoring systems collecting data for regulated facilities
Systems used purely for business operations (HR software, accounting, email) generally don't fall under Part 11. The question is always: does FDA regulation require you to maintain this record?
The Three Core Requirements
Audit Trails
Every change to a regulated electronic record must be captured in a tamper-evident audit trail that records who made the change, what was changed (original and new value), and when. The audit trail must be enabled permanently — users can't turn it off. Most modern LIMS and ELN platforms have audit trail functionality; the question is whether it's correctly configured and whether anyone is actually reviewing it.
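One way to make an audit trail tamper-evident is hash chaining, shown here as an added example (not code from the original article or from any LIMS/ELN vendor; the article does not prescribe this technique). Field names, users and record IDs are hypothetical.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash for the first entry
FIELDS = ("seq", "user", "record_id", "field", "old", "new", "ts", "prev_hash")

def _digest(entry):
    # Canonical JSON so an entry always hashes to the same value.
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append_change(trail, user, record_id, field, old, new, ts):
    """Record who changed what (old and new value) and when, chained to the prior entry."""
    entry = {"seq": len(trail), "user": user, "record_id": record_id, "field": field,
             "old": old, "new": new, "ts": ts,
             "prev_hash": trail[-1]["hash"] if trail else GENESIS}
    entry["hash"] = _digest(entry)
    trail.append(entry)
    return entry

def verify_trail(trail, expected_head=None):
    """Return the index of the first inconsistent entry, or None if intact.

    expected_head is the newest hash as stored outside the system (assumption:
    for example in a write-once log); without it, removal of the newest
    entries or a full rewrite of the chain goes unnoticed.
    """
    prev = GENESIS
    for i, e in enumerate(trail):
        if e["seq"] != i or e["prev_hash"] != prev or not hmac.compare_digest(e["hash"], _digest(e)):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(trail)
    return None

def sample_trail():
    # Constructed sample data: users, record IDs and values are invented.
    trail = []
    append_change(trail, "asmith", "BATCH-0001", "ph", None, "7.2", "2024-05-01T09:00:00Z")
    append_change(trail, "bjones", "BATCH-0001", "ph", "7.2", "7.4", "2024-05-01T09:30:00Z")
    append_change(trail, "asmith", "BATCH-0001", "status", "draft", "released", "2024-05-02T14:00:00Z")
    return trail
```

A periodic audit trail review can run `verify_trail` against the externally stored head hash and treat any non-`None` result as a data-integrity deviation to investigate.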
Access Controls
Only authorized individuals should be able to access, create, or modify regulated records. This requires unique user credentials (no shared accounts), role-based access aligned to job function, and documented procedures for granting and revoking access. When someone leaves the company, their account must be disabled immediately. FDA 483s frequently cite departed employees whose accounts were still active weeks or months after they left.
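A periodic access review can catch both problems named above: shared accounts and accounts left enabled after a departure. The following is an added example, not part of the original article; the account and HR export formats, key names and people are hypothetical and the data is constructed.

```python
from datetime import date

def review_accounts(accounts, departures, as_of):
    """Flag shared accounts and accounts still enabled after the owner's last day.

    accounts   -- dicts with hypothetical keys: username, owners (list), enabled
    departures -- {person: last working day}, e.g. taken from an HR export
    as_of      -- date of the review
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot touch regulated records
        owners = acct["owners"]
        if len(owners) != 1:
            # No single accountable person: actions cannot be attributed.
            findings.append({"username": acct["username"],
                             "issue": "shared_or_unowned", "days_overdue": None})
            continue
        last_day = departures.get(owners[0])
        if last_day is not None and last_day < as_of:
            findings.append({"username": acct["username"],
                             "issue": "active_after_departure",
                             "days_overdue": (as_of - last_day).days})
    # Most overdue departures first, then shared or unowned accounts.
    return sorted(findings, key=lambda f: (f["days_overdue"] is None,
                                           -(f["days_overdue"] or 0)))

# Constructed sample data: names, usernames and dates are invented.
SAMPLE_ACCOUNTS = [
    {"username": "jsmith",    "owners": ["J. Smith"],             "enabled": True},
    {"username": "mlee",      "owners": ["M. Lee"],               "enabled": True},
    {"username": "labshared", "owners": ["A. Patel", "R. Gomez"], "enabled": True},
    {"username": "tchan",     "owners": ["T. Chan"],              "enabled": False},
    {"username": "apatel",    "owners": ["A. Patel"],             "enabled": True},
]
SAMPLE_DEPARTURES = {
    "J. Smith": date(2024, 3, 1),
    "T. Chan": date(2024, 2, 15),
    "M. Lee": date(2024, 4, 10),
}

if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_DEPARTURES, date(2024, 4, 15)):
        print(f)
```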
System Validation
Every Part 11-covered system must be validated — meaning you've documented that it does what it's supposed to do, consistently and reliably. Validation isn't a one-time certification; it requires ongoing change control so that software updates, configuration changes, and new integrations are assessed for their impact on the validated state.
Common Misconceptions
"Our software vendor says it's Part 11 compliant." Vendors can provide software that's capable of satisfying Part 11 requirements, but the validation obligation always rests with you as the system owner. A vendor's compliance claim tells you the software can be configured to meet Part 11 — it doesn't mean your installation is validated.
"We're pre-IND, so Part 11 doesn't apply yet." If you're running IND-enabling studies under 21 CFR Part 58 (GLP), Part 11 applies to your electronic records right now. And even if you're not running GLP studies yet, building Part 11-compliant systems from the start is far cheaper than retrofitting them later.
"We use cloud software, so this is the vendor's problem." Cloud hosting doesn't transfer the validation responsibility. You're still the regulated entity. You're still responsible for validating the system in your environment, maintaining change control, and ensuring audit trails are enabled and reviewed.
Next Steps
The best first step is a regulatory system mapping: a documented inventory of every system your team uses to create or maintain FDA-required records, along with an honest assessment of each system's current Part 11 compliance status. That gap assessment tells you exactly what to fix and in what order.
If you want to go deeper, read our full pillar guide on IND-ready IT infrastructure, which covers validation methodology, audit trail requirements, and a 90-day implementation roadmap.
This article is part of Propellio's series on IT for life sciences and biotech. See related: IND Ready IT 21 CFR Part 11.