FDA 21 CFR Part 11: Electronic Records & Data Archiving Requirements for Life Sciences Compliance

One of the biggest FDA 21 CFR Part 11 challenges may already be sitting in a system your organization no longer uses.

A retired LIMS. An archived quality management application. A legacy document repository that nobody has logged into for years.

The records may still be subject to FDA retention requirements. The audit trails may still need to be produced during an inspection. The electronic signatures may still need to be verified. And if that information cannot be retrieved, verified, or defended, compliance questions follow.

That is why FDA 21 CFR Part 11 extends beyond electronic signatures and record creation. It is ultimately about preserving the integrity, accessibility, and trustworthiness of regulated records throughout their entire lifecycle.

This guide explains what FDA 21 CFR Part 11 requires, how those requirements affect data archiving and long-term retention, and what organizations should consider when retiring regulated systems.

What Is FDA 21 CFR Part 11?

FDA 21 CFR Part 11 is a regulation in Title 21 of the Code of Federal Regulations, Part 11, titled “Electronic Records; Electronic Signatures.” Published March 20, 1997 and effective August 20, 1997, it establishes the conditions under which the FDA considers electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures.

The regulation applies to all records created, modified, maintained, archived, retrieved, or transmitted under any FDA requirement. This means Part 11 does not create its own retention periods. It governs how records subject to existing FDA regulations (called predicate rules) must be managed when those records are in electronic form.

Predicate rules such as 21 CFR Part 211 for pharmaceutical manufacturing, 21 CFR Part 820 for medical devices, and 21 CFR Part 58 for good laboratory practice define what records must be kept and for how long. Part 11 defines the technical and procedural controls that must govern those records when they exist electronically.

Why Did FDA Introduce 21 CFR Part 11?

As life sciences organizations moved from paper records to electronic systems during the 1990s, FDA needed a framework to ensure that electronic information could be trusted to the same degree as traditional paper documentation.

Without appropriate controls, electronic records could be altered without detection, deleted accidentally, or accessed by unauthorized individuals.

FDA 21 CFR Part 11 was introduced to address those risks. The regulation establishes the controls necessary to demonstrate that electronic records remain accurate, complete, attributable, and available throughout their lifecycle.

Rather than regulating specific technologies, Part 11 focuses on the integrity, authenticity, and reliability of the records themselves.

For regulated organizations, the objective is not simply digitization. It is ensuring that electronic records can withstand regulatory scrutiny, support product quality decisions, and serve as defensible evidence during inspections and investigations.

Which Industries and Organizations Are Subject to Part 11?

Part 11 applies to FDA-regulated organizations that use electronic record-keeping systems. This includes pharmaceutical manufacturers, biopharmaceutical companies, medical device manufacturers, food and dietary supplement producers, cosmetics companies (for records subject to FDA oversight), contract research organizations (CROs), and clinical trial sites.

It also applies to systems used by any of these organizations, regardless of whether the system is deployed on-premises or hosted in the cloud. A cloud-based LIMS, a SaaS-based document management system, or a vendor-managed electronic batch record system must all meet Part 11 requirements if it contains FDA-regulated records.

Whether a system is deployed internally or through a third-party provider, organizations must understand how FDA classifies the environment in which regulated records are maintained.

Open Systems vs Closed Systems Under Part 11

Part 11 distinguishes between closed systems and open systems. A closed system is one in which system access is controlled by the organization responsible for the records. Examples include internal quality management systems, laboratory systems, manufacturing systems, and enterprise document management platforms operated within the organization’s security controls.

An open system is one in which access may extend beyond the direct control of the organization responsible for the records. Examples can include certain external collaboration environments, partner portals, or systems that exchange regulated information across organizational boundaries.

While both system types must satisfy Part 11 requirements, open systems generally require additional safeguards to protect record authenticity, integrity, and confidentiality during transmission and storage.

Organizations increasingly using cloud and SaaS platforms should evaluate whether additional controls are needed to address these requirements. This distinction becomes particularly important when evaluating how electronic signatures and audit trails are implemented across regulated systems.

What Are the Core Requirements of FDA 21 CFR Part 11?

Whether implemented in open or closed systems, Part 11 controls are organized into three subparts. Subpart A defines scope and key terms. Subpart B covers electronic records requirements. Subpart C covers electronic signatures requirements. The operational requirements are primarily contained in Subparts B and C.

Subpart B: Electronic Records Requirements

Systems that create, modify, or maintain electronic records subject to Part 11 must meet the following controls:

• Validation of computer systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
• Generation of accurate and complete paper copies of records at any time during the retention period.
• Protection of records to enable accurate and ready retrieval throughout the records retention period.
• Limiting system access to authorized individuals through appropriate access controls, including unique user IDs and passwords.
• Use of secure, computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Audit trail data must be retained for a period at least as long as the records they protect and must be available for review and copying by FDA.
• Use of operational system checks to enforce sequencing steps and events where appropriate.
• Use of device checks to determine the validity of data sources.
• Authorization of individuals to use the system, either through training or actual use of the system.
• Written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures.
• Appropriate controls over systems documentation including distribution of, access to, and use of documentation for system operation and maintenance.

Subpart C: Electronic Signatures Requirements

Electronic signatures under Part 11 must meet the following requirements:

• Each electronic signature must be unique to one individual and must not be reused by, or reassigned to, anyone else.
• Organizations must verify the identity of an individual before establishing an electronic signature for that individual.
• Electronic signatures not based on biometrics must use at least two distinct identification components such as an identification code and password.
• Each use of an electronic signature must be linked to its respective electronic record to ensure the signature cannot be excised, copied, or otherwise transferred to falsify an electronic record.
• Organizations using electronic signatures must certify to FDA that their electronic signatures are intended to be legally binding equivalents of traditional handwritten signatures.

FDA 21 CFR Part 11 and Data Archiving: What the Regulation Requires

Part 11 does not specify a retention period for electronic records. Instead, it requires that electronic records be maintained for the period specified by the applicable predicate rule, and that they remain accurate, accessible, and readable for that entire period.

This creates a specific archiving obligation: the archive must not only store the data but must preserve it in a form that is accurate, readable, and capable of producing paper copies throughout the full retention window. An archive that stores records in a proprietary format that becomes unreadable after 5 years is non-compliant, even if the records are technically still present.

Predicate Rule Retention Periods Relevant to Part 11

The archive must support retrieval of any record within its retention window on demand. FDA investigators expect to be able to request an electronic record and receive it in a readable, complete form, including its audit trail, within a reasonable timeframe during an inspection.

These requirements are closely tied to broader FDA expectations around data integrity, which focus on ensuring that regulated records remain complete, accurate, attributable, and available throughout their lifecycle.

Part 11 and Data Integrity: The ALCOA+ Connection

Although ALCOA+ is not part of the regulatory text of 21 CFR Part 11, it is widely used across the life sciences industry as a framework for evaluating data integrity.

ALCOA+ principles require regulated data to be:

• Attributable
• Legible
• Contemporaneous
• Original
• Accurate

The expanded ALCOA+ framework also emphasizes that records should be complete, consistent, enduring, and available throughout the retention period.

Many of the controls required by Part 11 directly support these objectives. Audit trails help establish attribution and change history. Electronic signatures support accountability. Validation helps ensure accuracy and reliability. Long-term archiving supports record availability and endurance.

For this reason, organizations preparing for FDA inspections often evaluate Part 11 compliance and data integrity readiness together rather than as separate initiatives.

Computer System Validation Requirements for Archives

Any system used to archive Part 11 records must itself be validated. Computer System Validation (CSV) under Part 11 requires documented evidence that the archiving system consistently meets its intended specifications, including the ability to store records accurately, retrieve them correctly, and maintain audit trails without modification.

Validation documentation typically includes installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) reports. Organizations that use a commercial archiving solution must either conduct their own validation or obtain validated software documentation from the vendor. A gap in validation documentation is a primary target during FDA data integrity inspections. Validation deficiencies are only one example. FDA Warning Letters related to Part 11 often reveal recurring weaknesses in audit trails, access controls, and system validation practices.

Common FDA 21 CFR Part 11 Violations and Warning Letters

FDA Warning Letters citing Part 11 deficiencies share a consistent pattern. The most common violations, based on publicly available Warning Letters from FDA’s website, fall into three categories.

1. Missing or Incomplete Audit Trails

The most frequent Part 11 citation involves audit trails that do not capture all required elements, specifically the identity of the operator, the timestamp, and the nature of the change. Systems that allow audit trail deletion, that are configured with audit trails disabled, or that do not capture changes made by system administrators are non-compliant. Audit trails for raw analytical data in LIMS systems are a common inspection focus.

One common misconception is that implementing an audit trail alone satisfies Part 11 requirements. In practice, organizations are expected to review audit trail information as part of their quality and compliance processes.

An audit trail only provides value if unusual events, unauthorized changes, deleted records, backdated entries, and other exceptions are routinely examined and investigated when necessary. During inspections, FDA investigators may evaluate not only whether audit trail functionality exists, but also whether the organization has procedures governing audit trail review and evidence that those reviews occur.

This is particularly important for laboratory systems, manufacturing systems, and quality management applications where regulated decisions depend on electronic data.

2. Inadequate Access Controls

FDA expects that access to electronic records is restricted to authorized individuals and that the system prevents unauthorized access, including by IT administrators who should not have the ability to alter record content. Shared user accounts, generic login credentials, and systems that allow record modification without a user-specific authentication event all represent Part 11 access control failures.

3. Lack of Computer System Validation

FDA regularly cites organizations for using unvalidated computer systems to create or manage regulated records. This includes situations where a system was implemented without formal validation, where validation documentation cannot be produced, or where changes were made to a validated system without re-validation. Commercial software that lacks adequate validation evidence, whether supplied by the vendor or generated by the organization, presents a significant compliance risk.

Can Software Be “21 CFR Part 11 Compliant”?

A common misconception is that purchasing a software platform advertised as “Part 11 compliant” automatically satisfies FDA requirements.

In reality, compliance is determined not only by software functionality but also by how the system is implemented, validated, administered, and governed within the regulated organization.

A platform may provide capabilities such as audit trails, electronic signatures, access controls, and reporting, but organizations remain responsible for validating the system, defining procedures, assigning user permissions, and maintaining compliance throughout the system lifecycle.

As a result, software vendors can provide features that support Part 11 compliance, but regulated companies retain ultimate responsibility for demonstrating compliance during inspections. This distinction becomes especially important when evaluating archiving platforms, cloud applications, and legacy system retirement projects.

How to Build a Part 11-Compliant Archive for Electronic Records

When a regulated system reaches end-of-life such as a legacy LIMS, an older batch record system, or a first-generation eDMS, organizations face a Part 11-specific challenge: the records from that system must migrate to an archive that continues to meet all Part 11 requirements for the remainder of the retention window.

A Part 11-compliant archive for electronic records must satisfy the following requirements:

1. Preserve the original record in its complete form, including all associated metadata. For laboratory data, this means raw instrument data, processed results, and analytical methods. For batch records, it means all entries, review signatures, and exception records.
2. Maintain the audit trail as an inseparable component of the archived record. The audit trail must be retained for the same period as the record itself and must be available for inspection.
3. Support role-based access controls that restrict record retrieval to authorized users and log all access events in a tamper-evident audit trail of the archive itself.
4. Produce complete and accurate paper copies of any archived electronic record on demand, including all metadata and audit trail entries, in a format suitable for an FDA inspector.
5. Undergo formal computer system validation, with complete IQ/OQ/PQ documentation available for regulatory review.
6. Operate under a documented change control process so that any modification to the archive system is assessed, approved, and documented before implementation.

Organizations that attempt to archive Part 11 records using generic IT archiving tools, such as file servers, backup systems, or general-purpose cloud storage, typically fail on at least three of these requirements.

The audit trail is not preserved in a linked, tamper-evident form; access is not controlled at the record level; and paper copy generation is not a native capability.

Archon Data Store for FDA 21 CFR Part 11 Compliance

Archon Data Store is designed for life sciences organizations that need to archive electronic records from regulated systems, including legacy LIMS, electronic batch record systems, and clinical data management systems, while maintaining full FDA 21 CFR Part 11 compliance throughout the archive’s lifecycle.

Archon preserves records in their original structure with all associated metadata and audit trail entries stored as an inseparable component of each archived record. Access controls replicate the role-based structure of the source system, ensuring that archived records are only accessible to authorized users and that every access event is logged in a tamper-evident system audit trail.

The Archon platform generates complete paper-equivalent copies of any archived record on demand, including all audit trail entries, electronic signature blocks, and metadata, in formats suitable for FDA inspection response. Archon’s computer system validation documentation package supports customer validation activities and reduces the cost of IQ/OQ/PQ execution.

For life sciences organizations decommissioning legacy regulated systems, Archon ETL provides validated data extraction and transformation from source systems, with reconciliation reporting that documents the completeness and accuracy of the archive against the source system’s records.