
May 5, 2026

21 CFR Part 11 Compliance for Electronic Records and Signatures — A Practical Guide

21 CFR Part 11 is one of the most cited regulatory requirements in pharmaceutical and biotech, and one of the most misunderstood. Teams that work in regulated industries have heard that their systems need to be 'Part 11 compliant' — but the regulation itself is only a few pages long, and the gap between what it says and what vendors claim it requires is substantial.

This guide covers what 21 CFR Part 11 actually requires for electronic records and electronic signatures, what it doesn't require, and the practical steps clinical teams need to take to meet the standard.

What 21 CFR Part 11 covers

21 CFR Part 11 (Title 21, Code of Federal Regulations, Part 11) establishes FDA requirements for electronic records and electronic signatures that are used to satisfy regulatory requirements. It applies when a paper record or handwritten signature is otherwise required — for example, protocol approvals, batch records, and adverse event reports.

The regulation has two main parts: requirements for electronic records (audit trails, access controls, record integrity) and requirements for electronic signatures (identity capture, non-repudiation, meaning).

Electronic record requirements

For electronic records, Part 11 requires that systems maintain a secure, computer-generated, time-stamped audit trail that records the date and time of operator entries and actions that create, modify, or delete electronic records. The audit trail must be retained for the same period as the record it documents.

Critically: audit trail records must be accessible but protected from alteration. This means the system must store them in a way that prevents editing or deletion — append-only storage, not a simple database table that anyone with admin access can UPDATE.

Part 11 also requires operational system checks to enforce permitted sequencing of steps (you can't skip the approval step), authority checks (users can only perform actions their role permits), and device checks (verifying that input devices are functioning correctly).

Electronic signature requirements

For electronic signatures, Part 11 requires three components: the printed name of the signer, the date and time of signing, and the meaning of the signature (approval, review, authorship, etc.). All three must be permanently linked to the record being signed.
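The two requirements above, an audit trail protected from alteration and a signature permanently linked to the record, can be illustrated together. This is an added example, not code from the article or from any vendor's product. The hash chain, the class and field names, and the sample identifiers are assumptions of this example; Part 11 does not prescribe this or any other mechanism.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed anchor value for the first entry's "prev"

def _digest(obj) -> str:
    # Canonical JSON so the same entry always produces the same hash.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Hypothetical append-only trail: entries are added, never edited."""

    def __init__(self):
        self._entries = []

    def append(self, user, action, record_id, detail, when=None):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),
            "utc": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user, "action": action,
            "record_id": record_id, "detail": detail,
            "prev": prev,  # each entry commits to the one before it
        }
        entry = dict(body, hash=_digest(body))
        self._entries.append(entry)
        return entry

    def sign(self, user, printed_name, meaning, record_id, content, when=None):
        # Printed name, date/time and meaning, bound to one exact record
        # version through the SHA-256 of that version's bytes.
        detail = {"printed_name": printed_name, "meaning": meaning,
                  "content_sha256": hashlib.sha256(content).hexdigest()}
        return self.append(user, "sign", record_id, detail, when)

    def verify(self):
        """Return the seq of the first altered entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def signature_covers(self, seq, content) -> bool:
        # True only if entry `seq` is a signature over exactly these bytes.
        e = self._entries[seq]
        digest = hashlib.sha256(content).hexdigest()
        return e["action"] == "sign" and e["detail"]["content_sha256"] == digest
```

The chain detects edits to existing entries but not removal of the newest ones; the latest hash has to be kept somewhere the database administrator cannot write for truncation to be caught as well.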

Signatures must be non-repudiable — the system must be able to prove who signed, and signers cannot later claim they didn't sign. This requires authentication at the time of signing.

Part 11 distinguishes between biometric signatures (based on physical characteristics like fingerprints) and non-biometric signatures (based on identification codes and passwords). Non-biometric signatures must use at least two distinct identification components — typically username and password.

What Part 11 does NOT require

A common misconception is that Part 11 requires specific technologies (like PKI certificates, blockchain, or specific hardware). It doesn't. It specifies functional requirements, not technical implementations. Any system that satisfies the functional requirements is compliant.

Part 11 also doesn't require that records be in a specific file format, that signatures look like handwritten signatures, or that systems use any particular vendor's solution.

How Avenio meets Part 11 requirements

Avenio's Protocol Hub is built around Part 11 compliance from the ground up. Every data mutation creates an immutable audit trail entry — the audit table is append-only and cannot be modified by any user, including administrators. Records are never hard-deleted; soft deletes are used instead, with the deletion action recorded in the audit trail.

Electronic signatures capture the signer's identity (authenticated via Avenio's identity provider), timestamp with timezone, IP address, and stated meaning of the signature. Multi-step approval workflows enforce sequencing — approvers cannot sign out of order, and the final approval is blocked until all prior steps are complete.

All timestamps are stored in UTC with full timezone information — meeting the date/time requirements and ensuring records are interpretable regardless of where the signer was located.

For teams evaluating clinical protocol software for Part 11 compliance, the key questions to ask vendors are: (1) Is the audit trail truly immutable, or can administrators modify records? (2) What happens to the audit trail if a record is deleted? (3) How is the signature linked to the specific version of the document that was signed? Avenio answers all three directly.
