FDA 21 CFR Part 11
21 CFR Part 11 (62 FR 13430 March 20 1997) establishes the criteria under which the FDA considers electronic records + electronic signatures to be trustworthy + reliable + equivalent to paper records + handwritten signatures. The regulation applies to ALL electronic records + signatures created + modified + maintained + archived + retrieved + transmitted under any records requirement set forth in any FDA regulation or any electronic records submitted to FDA under the Federal Food + Drug + and Cosmetic Act + Public Health Service Act + Tobacco Control Act. STRUCTURE - 3 Subparts: SUBPART A General Provisions (§11.1 scope + §11.2 implementation + §11.3 definitions); SUBPART B Electronic Records (§11.10 controls for closed systems + §11.30 controls for open systems + §11.50 signature manifestations + §11.70 signature / record linking); SUBPART C Electronic Signatures (§11.100 general requirements + §11.200 signature components + controls + §11.300 controls for identification codes + passwords). Risk-based implementation: per the August 2003 FDA Scope and Application Guidance the agency intends to exercise enforcement discretion regarding specific Part 11 requirements + apply Part 11 requirements based on risk + criticality + intended use. Computer System Validation (CSV) under Part 11 + the GAMP 5 framework + ICH Q9 risk + ICH Q10 PQS coordinate to operationalise the regulation. The 2023 FDA Computer Software Assurance (CSA) draft guidance + the related FDA Software Bill of Materials (SBOM) expectations modernise the validation approach for medical device software + production software. Part 11 is the US counterpart to EU GMP Annex 11 (which covers computerised systems in GMP-regulated pharmaceutical manufacturing) + EMA Q&A on Annex 11 + the EU Medical Device Regulation (MDR) + In Vitro Diagnostic Regulation (IVDR) digital records provisions. Part 11 enforcement examples include FDA warning letters citing inadequate audit trails + lack of validation + electronic-signature controls failures + closed-system control deficiencies in pharmaceutical manufacturing sites + clinical trial sponsors + medical device manufacturers + contract research organisations (CROs).
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
21 CFR Part 11 - Implementation, Guidance, Risk-Based Approach and Status
| Code | Title |
|---|---|
| Part11.Status | 21 CFR Part 11 - corpus status, FDA enforcement landscape, CSA transition |
21 CFR Part 11 - Validation, Audit Trail, Operational Controls (§11.10(a) + (e) + (f))
| Code | Title |
|---|---|
| Part11.AccessAndAuth | Access control + authority + device checks (21 CFR §11.10(d) + (f) + (g) + (h)) |
| Part11.AuditTrail | Audit trail requirements - secure computer-generated time-stamped (21 CFR §11.10(e)) |
| Part11.CSV | Computer system validation + risk-based approach (21 CFR §11.10(a) + 2003 FDA Scope and Application Guidance + 2023 CSA draft) |
| Part11.RecordRetention | Record protection + retention + readiness for inspection (21 CFR §11.10(b) + (c)) |
21 CFR Part 11 Subpart A - General Provisions (Scope, Implementation, Definitions)
| Code | Title |
|---|---|
| Part11.Definitions | Definitions (21 CFR §11.3) |
| Part11.Scope | Scope and implementation (21 CFR §§11.1-11.2) |
21 CFR Part 11 Subpart B - Electronic Records (§11.10 Closed Systems)
| Code | Title |
|---|---|
| Part11.10 | Controls for closed systems (21 CFR §11.10) |
21 CFR Part 11 Subpart B - Electronic Records (§11.30 Open Systems, §11.50 + §11.70 Signature Manifestations and Linking)
| Code | Title |
|---|---|
| Part11.30 | Controls for open systems (21 CFR §11.30) |
| Part11.50_70 | Signature manifestations + signature / record linking (21 CFR §§11.50 + 11.70) |
21 CFR Part 11 Subpart C - Electronic Signatures (§11.100 General Requirements)
| Code | Title |
|---|---|
| Part11.100 | Electronic signatures - general requirements (21 CFR §11.100) |
21 CFR Part 11 Subpart C - Electronic Signatures (§11.200 + §11.300 Components, Controls, ID Codes and Passwords)
| Code | Title |
|---|---|
| Part11.200 | Electronic signature components and controls (21 CFR §11.200) |
| Part11.300 | Controls for identification codes and passwords (21 CFR §11.300) |
Your Compliance Coverage
If you comply with FDA 21 CFR Part 11, you already cover:
Annex 11 to EU GMP - Computerised Systems
69%
9 controls mapped
Compare →AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)
54%
7 controls mapped
Compare →Azure Security Benchmark
46%
6 controls mapped
Compare →+ 83 more: AWS Well-Architected Security Pillar (46%), ASD Strategies to Mitigate Cyber Security Incidents (46%)
See all 86 mapped frameworks ↓Maps to 86 other frameworks
Frequently Asked Questions
What is FDA 21 CFR Part 11?
FDA 21 CFR Part 11 is a compliance framework from United States with 7 domains and 13 controls. 21 CFR Part 11 (62 FR 13430 March 20 1997) establishes the criteria under which the FDA considers electronic records + electronic signatures to be trustworthy + reliable + equivalent to paper records + handwritten signatures. The regulation applies to ALL electronic records + signatures created + modified + maintained + archived + retrieved + transmitted under any records requirement set forth in any FDA regulation or any electronic records submitted to FDA under the Federal Food + Drug + and Cosmetic Act + Public Health Service Act + Tobacco Control Act. STRUCTURE - 3 Subparts: SUBPART A General Provisions (§11.1 scope + §11.2 implementation + §11.3 definitions); SUBPART B Electronic Records (§11.10 controls for closed systems + §11.30 controls for open systems + §11.50 signature manifestations + §11.70 signature / record linking); SUBPART C Electronic Signatures (§11.100 general requirements + §11.200 signature components + controls + §11.300 controls for identification codes + passwords). Risk-based implementation: per the August 2003 FDA Scope and Application Guidance the agency intends to exercise enforcement discretion regarding specific Part 11 requirements + apply Part 11 requirements based on risk + criticality + intended use. Computer System Validation (CSV) under Part 11 + the GAMP 5 framework + ICH Q9 risk + ICH Q10 PQS coordinate to operationalise the regulation. The 2023 FDA Computer Software Assurance (CSA) draft guidance + the related FDA Software Bill of Materials (SBOM) expectations modernise the validation approach for medical device software + production software. Part 11 is the US counterpart to EU GMP Annex 11 (which covers computerised systems in GMP-regulated pharmaceutical manufacturing) + EMA Q&A on Annex 11 + the EU Medical Device Regulation (MDR) + In Vitro Diagnostic Regulation (IVDR) digital records provisions. Part 11 enforcement examples include FDA warning letters citing inadequate audit trails + lack of validation + electronic-signature controls failures + closed-system control deficiencies in pharmaceutical manufacturing sites + clinical trial sponsors + medical device manufacturers + contract research organisations (CROs). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does FDA 21 CFR Part 11 have?
FDA 21 CFR Part 11 has 13 controls organised across 7 domains. The largest domains are 21 CFR Part 11 - Validation, Audit Trail, Operational Controls (§11.10(a) + (e) + (f)) (4 controls), 21 CFR Part 11 Subpart A - General Provisions (Scope, Implementation, Definitions) (2 controls), 21 CFR Part 11 Subpart B - Electronic Records (§11.30 Open Systems, §11.50 + §11.70 Signature Manifestations and Linking) (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does FDA 21 CFR Part 11 map to?
FDA 21 CFR Part 11 maps to 86 other compliance frameworks. The top mapping partners are Annex 11 to EU GMP - Computerised Systems (69% coverage), AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association) (54% coverage), Azure Security Benchmark (46% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with FDA 21 CFR Part 11 compliance?
Start your FDA 21 CFR Part 11 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FDA 21 CFR Part 11 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 13 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.
Get Started Free →Free forever — no credit card required