v2026.1714 entries · CC-BY 4.0
CASRAI

Definition · Plain-language

21 CFR Part 11

21 CFR Part 11 is the United States FDA regulation that sets the criteria under which electronic records and electronic signatures are considered trustworthy, reliable and equivalent to paper.


What Part 11 governs

Part 11 applies when records that an FDA regulation (a “predicate rule”) requires a company to keep are created, modified, maintained, archived, retrieved or transmitted electronically, and when electronic signatures are used in place of handwritten ones. It does not create new record-keeping obligations; instead it sets conditions for trusting the electronic form of records the predicate rules already demand. Understanding this dependency on predicate rules is essential: Part 11 is about the trustworthiness of the electronic medium, not about which records must exist.

Core requirements

For closed systems, Part 11 requires validation of the system to ensure accuracy and reliability; the ability to generate accurate, complete copies of records; protection of records throughout their retention period; limiting system access to authorised individuals; and secure, computer-generated, time-stamped audit trails that record who did what and when, without obscuring previous entries. For electronic signatures it requires that signatures are unique to one individual, cannot be reused or reassigned, and are linked to their records so they cannot be excised or copied.

The scope and enforcement-discretion guidance

After Part 11 was issued in 1997, industry concern about its broad scope led the FDA to publish a 2003 guidance on “Scope and Application”, narrowing interpretation and exercising enforcement discretion over certain provisions while still expecting compliance with predicate-rule requirements and core controls such as audit trails and validation. Part 11 remains in force, and a risk-based approach — focusing controls where record integrity matters most — is now the accepted way to apply it. Equivalent expectations exist in the EU under EudraLex Annex 11.

Key facts

At a glance

  • Definition: FDA regulation on trustworthy electronic records and electronic signatures
  • Applies to: predicate-rule records kept electronically and e-signatures
  • Core controls: validation, audit trails, access controls, accurate copies
  • E-signature rules: unique, non-transferable, linked to the record
  • Key clarification: 2003 FDA “Scope and Application” guidance (risk-based)
  • EU counterpart: EudraLex Annex 11

Common misconceptions

What people often get wrong

Often heard: Part 11 dictates which records a company must keep.

Actually: Part 11 does not create record-keeping obligations. Those come from predicate rules (other FDA regulations). Part 11 only sets the conditions under which the electronic form of those required records and signatures can be trusted.

Often heard: Once software is “Part 11 compliant”, you are automatically compliant.

Actually: Compliance is a property of the validated system, its configuration and how it is used, not of software alone. Audit trails, access controls and procedures must be implemented and maintained; a vendor’s claim of Part 11 features does not by itself ensure compliance.

Often heard: The FDA withdrew Part 11, so it no longer applies.

Actually: Part 11 remains in force. The 2003 “Scope and Application” guidance narrowed interpretation and applied enforcement discretion to some provisions, but core controls such as validation and audit trails, and predicate-rule requirements, still apply.
