Skip to main content

Records, Signatures, and the Law: 21 CFR Part 11 and EU Annex 11

πŸ“ Where we are: We have the principles that make data trustworthy; now we meet the laws that make a trustworthy electronic record count, legally, as much as ink on paper.

In the last chapter we met data integrity β€” the idea that a record must be trustworthy enough to stand in for the medicine itself β€” and the ALCOA+ principles that spell out what "trustworthy" means: a record should be Attributable, Legible, Contemporaneous, Original, and Accurate, plus Complete, Consistent, Enduring, and Available. Those are good principles. But principles do not, by themselves, make a digital signature legally binding or a database entry admissible to a regulator. For that you need law.

This chapter is about the law. Two documents dominate it: the United States' 21 CFR Part 11 and the European Union's GMP Annex 11. Together they answer one question: when is a computer record as good as a piece of paper?

Layered diagram showing predicate rules at the base, with 21 CFR Part 11 and EU Annex 11 sitting on top to make electronic records trustworthy. Part 11 and Annex 11 don't create records β€” they make the electronic versions trustworthy, on top of the predicate rules. Original diagram by the authors, created with AI assistance.

The simple version

For centuries, a signed, dated paper record was the gold standard of "this really happened, and a named person stands behind it." When pharma went digital, regulators faced a problem: a database row is trivially easy to silently change, and a typed name is not a signature. Part 11 and Annex 11 are the rulebooks that make an electronic record behave like good paper β€” unforgeable, time-stamped, attributable, and impossible to quietly erase. They are the legal bridge from the filing cabinet to the server.

What this chapter covers​

We start with why these rules were written, then walk through the core requirements of Part 11 β€” validation, audit trails, copies, retention, access controls, and electronic signatures. We meet Annex 11, Europe's parallel framework, and the global data-integrity guidance that grew up around both. We untangle the crucial idea of predicate rules and risk-based scope. Finally, we translate all of it into what a real data system β€” a historian, a LIMS, an MES β€” must actually do.

Why the law exists: making digital records as good as paper​

In the 1990s, the pharmaceutical industry wanted to stop printing everything. Paper batch records ran to thousands of pages; paper signatures had to be physically chased across a plant. Going paperless promised speed and fewer transcription errors β€” but only if regulators would accept electronic records and electronic signatures as legitimate.

So in 1997 the US FDA issued 21 CFR Part 11 β€” Title 21 of the Code of Federal Regulations, Part 11 β€” formally titled Electronic Records; Electronic Signatures[1]. Its core promise is equivalence: an electronic record and a properly executed electronic signature can be just as legally valid as a paper record and a handwritten signature β€” provided the system meets a list of trustworthiness controls[1]. Part 11 did not lower the bar; it set the conditions under which "the computer says so" is allowed to mean something.

The core requirements of Part 11​

Part 11 distinguishes two settings. A closed system is one where access is controlled by the same people responsible for the records β€” your validated factory historian, for instance. An open system is one where the people in control of access are not responsible for the content β€” think records traveling across the public internet to an outside party. Open systems carry extra duties, such as encryption, precisely because you cannot trust the surrounding environment[1]. Open systems are rare in a manufacturing plant but common at its edges: a cloud-hosted LIMS run by a software vendor, or stability and release-test data transmitted to a contract testing laboratory β€” scenarios where the manufacturer owns the record but does not control the infrastructure holding it.

For closed systems, the regulation lists a now-familiar set of controls[1]:

  • Validation. The system must be validated β€” formally demonstrated to do what it is supposed to do, reliably, including the ability to detect invalid or altered records. (We devote the entire next chapter to how this is done.)

  • Audit trails. The system must keep a secure, computer-generated, time-stamped audit trail that records who did what and when β€” every create, change, or delete β€” without overwriting the previous value. The old value must remain visible[1]. An audit trail is the digital equivalent of crossing out an error with a single line so the original is still readable.

  • Accurate copies. The system must be able to generate accurate and complete copies of records, in both human-readable and electronic form, for inspection and review[1]. In practice this means two outputs of the same record: a human-readable rendering (a PDF printout of a batch record page showing the signature block) and a full electronic export β€” a CSV or XML file that carries the underlying values plus their metadata, so nothing is lost in translation. A historian export of a single tag, for instance, keeps the value, its units, and its full audit context:

    timestamp_utc,tag,value,unit,quality,operator,modified
    2026-06-13T08:00:01Z,BR101.Temp.PV,37.02,degC,Good,jdoe,false

    A copy that drops the timestamp, the quality flag, or the audit-trail link is not an "accurate and complete" copy, no matter how readable it looks.

  • Retention and retrieval. Records must be protected and retrievable throughout their required retention period β€” which for many GMP (Good Manufacturing Practice) records means years or decades[1].

  • Access controls. The system must limit access to authorized individuals, with unique log-ins, so that actions can be traced to a real person[1].

Then come electronic signatures. Part 11 says a typed-and-clicked signature can be legally binding, but only with safeguards[1]:

  • Each signature must be unique to one individual and never reused.
  • A non-biometric signature must use at least two components β€” typically a user ID plus a private password. (Within a single continuous login session, only the first signing needs both components; each later signing needs at least one component unique to the user.)
  • The signature must be permanently linked to its record, so it cannot be copied, cut, or transferred to a different record.
  • The signed record must display, in human-readable form, the printed name of the signer, the date and time, and the meaning of the signature (such as reviewed, approved, or authored).

This last point β€” signature-to-record linking β€” is what stops a signature from being "lifted" and pasted onto a different document, the digital version of forging a signature.

A trustworthy electronic record passes through identity, authorization, audit trail, signature, binding, and protected retention β€” the chain Part 11 requires. Credit: Diagram by the authors, after 21 CFR Part 11.

A peer-reviewed example shows this is not abstract. The setting is clinical-research documentation rather than GMP manufacturing β€” a useful precedent rather than a biomanufacturing case study β€” but the engineering is identical: researchers building a clinical-documentation system implemented exactly these features β€” unique log-ins, a tamper-evident audit trail, digital-signature safeguards, formal validation, and protected backups β€” to make their electronic system Part 11 compliant[9]. The same control set is what a manufacturing historian or LIMS must provide.

Europe's parallel: GMP Annex 11​

The European Union reaches the same destination by a slightly different road. Annex 11 of the EU GMP guide β€” Computerised Systems β€” sets out the EU's expectations for any computerized system used in regulated manufacturing[3]. It covers risk management, supplier and service-provider responsibilities, validation, data security and integrity, audit trails, electronic signatures, and business continuity[3].

The differences are mostly of emphasis and structure. Part 11 is a regulation focused tightly on the records and signatures themselves; Annex 11 is structured as a guideline within EudraLex Volume 4, the EU GMP guide, framing computerized systems within the broader GMP lifecycle and leaning heavily on risk management and on the idea that the depth of controls should match the system's impact on patient safety, product quality, and data integrity[3]. Do not mistake "guideline" for "optional," though: Annex 11 is enforced as part of the legally binding EU GMP requirements, so failing it means failing a GMP inspection and losing market access. In practice, a company selling on both sides of the Atlantic designs one system to satisfy both β€” the overlap is large.

Note

Annex 11 is explicitly linked to Chapter 4 of EU GMP, which governs documentation. That linkage is the European echo of a key US concept we meet next: these computer rules sit on top of the underlying requirement to keep good records in the first place.

The data-integrity overlap​

Part 11 and Annex 11 do not stand alone. After a wave of inspection findings revealed manipulated and missing data across the industry, regulators worldwide issued data-integrity guidance that fleshes out the same expectations in the ALCOA+ language of the previous chapter. The UK's MHRA published its GxP Data Integrity Guidance, defining ALCOA(+) principles and the controls β€” audit trails, access controls, lifecycle management β€” that protect them[5]. The international inspectorate body PIC/S issued PI 041-1, harmonizing risk-based data-governance expectations across many regulators[6]. The WHO set out good data and record-management practices for both paper and electronic systems[8]. And the FDA's own Data Integrity and CGMP questions-and-answers guidance spelled out current expectations for audit-trail review, retention, and access controls[7].

The message across all of them is consistent: an electronic record is only trustworthy if you can prove who made it, that it was unaltered (or that every alteration is visible), and that it is complete and retrievable for as long as the law requires.

Predicate rules and risk-based scope​

One point trips up almost everyone new to the field: Part 11 does not create the requirement to keep a record. That requirement comes from the underlying GMP regulations β€” what the FDA calls the predicate rules[2]. A predicate rule is the real-world law that says "you must record the batch temperature" or "a qualified person must approve release." For US drug GMP these live in the CFR: 21 CFR 211.68 governs automatic, mechanical, and electronic equipment and demands that such systems be controlled and checked; 21 CFR 211.192 requires that every batch's production and control records be reviewed and approved by the quality control unit before the batch is released. Tellingly, 21 CFR 211.68(a) requires that automatic, mechanical, and electronic equipment be routinely calibrated, inspected, or checked and that written records of those checks be maintained, and 21 CFR 211.182 requires individual equipment logs of major cleaning, maintenance, and use β€” which is precisely why audit trails and equipment records carry legal weight, not just engineering convenience. Part 11 only governs how you may keep and sign those records electronically. No predicate-rule requirement, no Part 11 obligation.

This matters because of history. When Part 11 first landed, industry read it so broadly β€” every spreadsheet, every timestamp β€” that compliance became paralyzing and costly. In 2003 the FDA issued its Scope and Application guidance, narrowing interpretation and announcing enforcement discretion over four core requirement areas[2]:

  • Validation of Part 11 systems;
  • Audit trails (the Part 11 audit-trail clause specifically);
  • Record retention; and
  • Generation of copies of records.

(The guidance also set legacy systems predating the rule aside.) The agency adopted a risk-based approach: focus controls where an inaccurate or lost record could genuinely harm a patient or compromise product quality, rather than applying maximum rigor to everything equally[2]. Effort should follow risk.

Caution

"Enforcement discretion" is not a loophole. The FDA chose not to enforce those four Part 11 provisions as Part 11 requirements while it reconsidered scope[2] β€” but the predicate rules and current data-integrity guidance still demand the same controls. Audit trails are the clearest example: even though Part 11's audit-trail clause falls under discretion, the predicate rules (such as 21 CFR 211.68 and 211.192) and modern data-integrity guidance still require them, so skipping audit trails is a fast route to a regulatory finding.

This risk-based philosophy is exactly what the industry framework GAMP 5 operationalizes β€” using critical thinking to scale validation and integrity controls to a system's risk and complexity[4] β€” which is the bridge to our next chapter.

Why it matters​

For anyone building or running a data system, Part 11 and Annex 11 turn vague good intentions into a concrete specification. A compliant system cannot merely store data; it must store it in a way that can be defended to an inspector years later. That single requirement cascades into every design decision: unique user accounts instead of shared log-ins, an audit trail that can never be switched off, time stamps from a trusted clock, backups that are themselves protected and tested, and signatures welded to the records they approve. Get these wrong and the data β€” however scientifically perfect β€” may be legally worthless, and a batch may never reach a patient.

In the real world​

In a modern biomanufacturing plant, three system types carry the regulatory weight. A historian is a database that records every sensor reading β€” pH, temperature, dissolved oxygen β€” second by second; the AVEVA PI System (formerly OSIsoft PI) and AspenTech InfoPlus.21 are the common commercial historians, and features such as AVEVA PI's event frames and both systems' audit trails are what capture who acknowledged or changed a value, and when. A LIMS (Laboratory Information Management System) tracks samples and test results; products such as LabVantage LIMS and Thermo Scientific SampleManager are marketed with Part 11 features such as unique log-ins, audit-trail capability configured to be always-on in validated deployments, and electronic-signature workflows β€” rather than bolting them on afterward. An MES (Manufacturing Execution System) runs the electronic batch record and enforces the steps of the recipe; systems like Siemens Opcenter Execution Pharma (formerly SIMATIC IT eBR) and Rockwell FactoryTalk PharmaSuite are positioned by their vendors as supporting Part 11 electronic signatures and an as-executed batch record that ties each step to the operator who performed it. Each must provide Part 11 and Annex 11 controls natively: locked-down access, an immutable audit trail, electronic signatures bound to each approval, and accurate copies on demand[1][3].

This is also why interoperability work like the NIIMBL-supported, real-time lab-data integration efforts cannot ignore compliance. When data flows automatically from an instrument, across a standard interface β€” OPC UA for live process data, AnIML (the ASTM XML format for analytical results) carried over SiLA, the lab-instrument communication standard, and ISA-95 (B2MML) messages between the plant floor and the business layer β€” into a historian and onward to analytics, every hop has to preserve attribution and the audit trail. A standards-based pipeline that loses track of who measured what, when, and whether it changed is not just poor engineering β€” it breaks the chain that Part 11 and Annex 11 exist to protect. The same audit trail that satisfies an inspector is what makes the integrated data safe to reuse downstream.

Key terms​

  • 21 CFR Part 11 β€” US FDA regulation making electronic records and signatures legally equivalent to paper, under specified controls.
  • EU GMP Annex 11 β€” the EU's computerized-systems guideline within EudraLex Volume 4; the EU parallel to Part 11, and enforced as part of binding GMP requirements.
  • Closed / open system β€” a system controlled by those responsible for its records (closed) versus one where access is controlled by outsiders (open), which needs extra protection.
  • Audit trail β€” a secure, time-stamped log of who created, changed, or deleted a record, keeping old values visible.
  • Electronic signature β€” a computer-based signing method that is legally binding when unique, multi-component, and permanently linked to its record.
  • Signature-to-record linking β€” the requirement that a signature cannot be copied onto a different record.
  • Predicate rule β€” the underlying GMP requirement to keep a record; Part 11 governs only how it may be kept electronically.
  • Enforcement discretion β€” the FDA's choice not to act on certain Part 11 specifics while applying a risk-based scope.
  • Risk-based approach β€” scaling controls to the patient-safety and quality impact of the record or system.
  • Historian / LIMS / MES β€” plant data systems that must implement these controls natively.

Where this leads​

Notice how often one word has appeared above: validation. A regulated data system must be proven fit for purpose before anyone may trust its records or its signatures. How that proof is built β€” through Computerized System Validation, the GAMP 5 risk-based framework with its software categories and V-model, and the industry's shift toward the leaner, critical-thinking philosophy of Computer Software Assurance (CSA) β€” is the subject of the next chapter, Validating Computerized Systems: GAMP 5 and the Move to CSA.