
By ArvoDocs Team

21 CFR Part 11 Requirements Explained Simply

A plain-English breakdown of FDA 21 CFR Part 11 — electronic records, electronic signatures, and what it actually means for your QMS.

21 CFR Part 11 is one of those regulations everyone in medtech has heard of but few have actually read. It's the FDA's rule governing electronic records and electronic signatures, and it applies to any company that uses computer systems to create, modify, maintain, archive, retrieve, or transmit records required by FDA regulations.

In plain English: if you use software to manage quality records — and you almost certainly do — Part 11 applies to you. Here's what that actually means.

What Part 11 covers

The regulation has two main sections:

  • Subpart B — Electronic Records: Requirements for systems that create and store electronic records
  • Subpart C — Electronic Signatures: Requirements for using electronic signatures as legally binding equivalents of handwritten signatures

The core idea is straightforward: if you're going to replace paper records and wet-ink signatures with electronic systems, those systems need to be trustworthy. The FDA needs to know that your electronic records are reliable, authentic, and haven't been tampered with.

The key requirements (in plain English)

1. Audit trails

Your system must create a computer-generated, time-stamped audit trail that records who created, modified, or deleted any record, and when. These audit trails must be retained for at least as long as the records themselves and must be available for FDA review.

What this means practically: every document approval, every CAPA update, every change to a quality record needs to be logged automatically. Users shouldn't be able to modify or disable the audit trail.
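One way to make such a trail tamper-evident, shown as an added example (not ArvoDocs code, and hash chaining is an illustrative technique, not something Part 11 prescribes): each entry records who, what and when, and carries the hash of the entry before it. The field names, user IDs and record IDs are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # value the first entry chains to

def _digest(body: dict) -> str:
    # Canonical JSON so an entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(trail: list, user: str, action: str, record_id: str, ts: str) -> dict:
    """Append a who/what/when entry chained to the previous entry's hash."""
    body = {"seq": len(trail), "ts": ts, "user": user, "action": action,
            "record_id": record_id,
            "prev": trail[-1]["hash"] if trail else GENESIS}
    entry = dict(body, hash=_digest(body))
    trail.append(entry)
    return entry

def verify_trail(trail: list, expected_head=None) -> list:
    """Return a list of findings; an empty list means the chain is unbroken."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i:
            findings.append(f"entry {i}: sequence gap or reordering")
        if entry.get("prev") != prev:
            findings.append(f"entry {i}: does not chain to previous entry")
        if _digest(body) != entry.get("hash"):
            findings.append(f"entry {i}: content changed after logging")
        prev = entry.get("hash")
    # Cutting entries off the end leaves a valid chain, so also compare with
    # a head hash kept somewhere ordinary QMS users cannot write.
    if expected_head is not None and prev != expected_head:
        findings.append("head hash mismatch: entries removed or replaced")
    return findings

def sample_trail() -> list:
    # Constructed sample events, not real QMS data.
    trail = []
    append_entry(trail, "a.khan", "create", "SOP-001", "2024-03-01T09:00:00Z")
    append_entry(trail, "j.ortiz", "approve", "SOP-001", "2024-03-02T14:30:00Z")
    append_entry(trail, "a.khan", "modify", "CAPA-017", "2024-03-05T11:15:00Z")
    return trail
```

Running `verify_trail` on a schedule, with the head hash stored outside the application database, turns "unbroken audit trail" into something you can show rather than assert.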

2. Access controls

The system must limit access to authorized individuals. This includes unique user identification (no shared logins), role-based permissions, and procedures for handling lost or compromised credentials. The FDA expects you to control who can create, edit, approve, and view records.

3. System validation

You need to validate that your computerized systems do what they're supposed to do. This doesn't mean you need to validate every feature of Microsoft Word. It means you need documented evidence that the systems you use for regulated records work correctly and consistently.

For commercial QMS software, the vendor typically provides validation documentation (IQ/OQ protocols, traceability matrices). Your job is to verify the system works in your environment and document that verification.

4. Electronic signatures

When you use electronic signatures, they must:

  • Be unique to one individual (no shared signature credentials)
  • Include the printed name, date/time, and meaning of the signature (e.g., "approved," "reviewed")
  • Be linked to their respective electronic records so signatures can't be copied or transferred
  • Use at least two distinct identification components (e.g., username + password)
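One way to link a signature to its record so it cannot be copied onto another, shown as an added example (not ArvoDocs code, and not a mechanism Part 11 prescribes): the signature manifest carries the record's SHA-256 digest and is sealed with an HMAC. The field names, the server-held key and the sample documents are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a key held by the signing service, never by end users.
SERVER_KEY = b"constructed-demo-key-not-for-production"
FIELDS = ("signer_id", "printed_name", "meaning", "signed_at", "record_sha256")

# Constructed sample records: two revisions of the same SOP.
SOP_V1 = b"SOP-001 rev A: Document control procedure"
SOP_V2 = b"SOP-001 rev B: Document control procedure (revised)"

def _seal(manifest: dict, key: bytes) -> str:
    # HMAC over the canonical manifest, excluding the seal itself.
    body = {k: manifest.get(k) for k in FIELDS}
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_record(record: bytes, signer_id: str, printed_name: str,
                meaning: str, signed_at: str, key: bytes = SERVER_KEY) -> dict:
    """Build a signature manifest bound to this exact record content."""
    manifest = {
        "signer_id": signer_id,        # unique to one individual
        "printed_name": printed_name,
        "meaning": meaning,            # e.g. "approved", "reviewed"
        "signed_at": signed_at,
        "record_sha256": hashlib.sha256(record).hexdigest(),
    }
    manifest["seal"] = _seal(manifest, key)
    return manifest

def verify_signature(record: bytes, manifest: dict, key: bytes = SERVER_KEY) -> str:
    """Return 'valid' or the reason the signature does not apply to record."""
    if any(not manifest.get(f) for f in FIELDS + ("seal",)):
        return "incomplete manifest"
    if not hmac.compare_digest(_seal(manifest, key), manifest["seal"]):
        return "manifest altered"
    actual = hashlib.sha256(record).hexdigest()
    if not hmac.compare_digest(actual, manifest["record_sha256"]):
        return "signature belongs to different record content"
    return "valid"
```

The signer is assumed to have been authenticated before `sign_record` is called; a deployment that needs each signer to hold their own key would replace the HMAC with per-user asymmetric signatures.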

5. Record retention and retrieval

Electronic records must be retrievable throughout their required retention period. If you're storing quality records for 10 years (common for medical devices), you need to ensure the system — or a migration path — will keep those records accessible and readable for the full period.

Common misconceptions

"Part 11 only applies to large companies." No. It applies to any organization subject to FDA regulations that uses electronic records. A three-person startup submitting a 510(k) is subject to the same requirements as a Fortune 500 medical device company.

"We use paper, so Part 11 doesn't apply." If you use any electronic system in conjunction with paper records — even just storing PDFs of signed documents — Part 11 may apply to those electronic components. The FDA's 2003 guidance clarified a risk-based approach, but the regulation itself is broad.

"Our QMS vendor handles Part 11 for us." Partially. Your vendor provides a system capable of Part 11 compliance, but compliance is your responsibility. You need to configure the system properly, validate it, train your users, and maintain SOPs for electronic records and signatures.

What the FDA actually looks for

In practice, FDA investigators focus on a few things during inspections:

  • Can you demonstrate an unbroken audit trail for critical quality records?
  • Are electronic signatures properly attributed and meaningful?
  • Do you have SOPs for system access, backup, and recovery?
  • Is there evidence of system validation?
  • Are user accounts managed properly (no shared logins, deactivated accounts for departed employees)?

They're not looking for perfection. They're looking for a system that's trustworthy and a team that understands its responsibilities.

How to get started

If you're building your QMS and Part 11 feels overwhelming, start here:

  • Use a purpose-built system. General tools like SharePoint or Google Drive weren't designed for Part 11. A QMS platform like ArvoDocs includes audit trails, electronic signatures, and access controls by default.
  • Write an SOP for electronic records. Document how your organization creates, reviews, approves, and retains electronic records.
  • No shared accounts. Every user gets their own login. This is non-negotiable.
  • Keep validation simple. For commercial software, a user acceptance test protocol that documents key workflows is usually sufficient for small teams.

Part 11 isn't meant to be a barrier. It's meant to ensure that electronic systems are as trustworthy as paper ones. If you choose the right tools and follow basic hygiene, compliance becomes a natural byproduct of doing good work — not a separate project.

For a deeper dive into setting up document control for ISO 13485, check out our step-by-step guide. And if you want to see how ArvoDocs handles Part 11 requirements out of the box, take a look at our features page.
