21 CFR Part 11 Compliance Checklist

11 requirements your batch record system must meet before an FDA inspection — audit trails, e-signatures, access controls, system validation, and more. One page. Free.

Free Resource

21 CFR Part 11 Compliance Checklist

11 key requirements for electronic records and electronic signatures in pharmaceutical manufacturing. Use this as a self-assessment before an FDA inspection or when evaluating a new QMS.

Covers 21 CFR §11.10, §11.50, §11.70 Updated 2026 Print / Save as PDF

§11.10(e) Electronic Audit Trail

Audit trail captures every record creation, modification, and deletion

Every change to an electronic record must be logged with: the original value, the new value, timestamp (with time zone), and the identity of the user who made the change.

Common gap: system logs that a change occurred but doesn't capture before/after values

Audit trail is computer-generated, not user-modifiable

The audit trail must be generated automatically by the system and stored in a location that users cannot access or modify. An audit trail that an admin can edit or delete does not meet Part 11.

Timestamps use standardized format with time zone offset

Local time without time zone notation creates ambiguity across manufacturing sites and shift changes. UTC or local time with explicit offset (e.g., 14:32 UTC-5) is required.

§11.10(d) Access Controls and User Authentication

System enforces unique user accounts — no shared logins

Every individual who creates or signs electronic records must have a unique system login. Shared accounts invalidate the uniqueness requirement of electronic signatures.

Most common Part 11 violation in FDA warning letters

Role-based access controls limit record access by job function

Only authorized personnel can create, modify, or approve records within their role. A production operator should not have QA approval permissions; an auditor should have read-only access.

System enforces password requirements and session timeouts

Password complexity requirements, periodic expiration, and automatic session termination after inactivity reduce the risk of unauthorized access using unattended terminals.

§11.50 / §11.70 Electronic Signatures

Electronic signatures are unique to each individual and cannot be reused or reassigned

Each e-signature must be permanently linked to the individual who created it. A signature cannot be borrowed, delegated, or applied by a supervisor on behalf of another person.

Signatures are linked to their respective electronic records

The electronic signature must be permanently bound to the record it signs. A signature that can be copied and applied to a different record violates §11.70's linking requirement.

ClearBatch: cryptographically linked, immutable

Signature manifestations display signer's name, date/time, and meaning

Any printed or displayed representation of an electronic signature must show: the full name of the signer, the date and time of signing, and the meaning of the signature (e.g., "reviewed," "approved," "authored").

§11.10(a) System Validation

Validation master plan (VMP) documents the validation approach

The VMP defines the scope, strategy, and responsibilities for validating the system. It should reference all relevant IQ, OQ, and PQ protocols and establish acceptance criteria before testing begins.

IQ, OQ, and PQ protocols are documented and executed

Installation Qualification confirms the system is installed correctly. Operational Qualification verifies it functions as specified. Performance Qualification demonstrates consistent performance under real-use conditions.

Gap: cursory IQ with no OQ/PQ documentation is not a complete validation

Change control process covers software updates and configuration changes

Any change to the validated system — software updates, configuration changes, new integrations — requires a change control assessment and potentially re-validation before the system returns to production use.

§11.10(c) Record Protection and Data Integrity

Closed/approved records are protected from unauthorized modification

Once a batch record is closed and approved, the system must prevent modification — even by administrators — without generating a visible audit event. Record protection is a system control, not a policy.

Records are retrievable throughout their required retention period

Electronic batch records must remain accurate and accessible for FDA-required retention periods (typically 1 year after product expiry or 3 years after production date, whichever is longer under 21 CFR §211.180).

§11.10(k) Training Records

Personnel with system responsibilities have documented training records

Everyone who uses the electronic record system must be trained on its use and the relevant regulatory requirements. Training must be documented with completion dates and trainer/supervisor signatures.

Training covers Part 11 requirements specific to their job function

Generic "computer training" is insufficient. Training must be role-specific and address the Part 11 implications of their work — e.g., QC reviewers must understand the legal weight of their electronic signatures.

§11.10(g) Authority Checks

System uses authority checks to ensure only authorized individuals can use the system

The system must verify that the individual attempting to create, modify, or sign a record has the authority to do so. This goes beyond authentication (proving who you are) to authorization (proving you're allowed to perform this action).

§11.10(j) Sequence of Steps

System enforces required sequencing for document steps

For records requiring sequential review or approval steps, the system must enforce the correct order. A QA disposition cannot be signed before a QC review is complete; a batch cannot be released before all required reviews are captured.

§11.10(h) Device Checks

Input device checks are used where appropriate to determine validity of source data

When data is entered via input devices (barcode scanners, balances, instruments), the system should validate that the source is authorized and the data format is acceptable before it enters the electronic record.

§11.10(b) Accurate and Complete Copies

System can generate accurate and complete paper copies of electronic records

Upon FDA request, the system must be able to produce human-readable paper copies of electronic records that are accurate, complete, and include all audit trail data. The printout must be a true representation of the electronic record.

§11.10(i) Scope Determination

Determination of which records fall under Part 11 scope is documented

Part 11 applies to electronic records that are required by FDA regulations or submitted to FDA. Your organization should have a documented assessment identifying which electronic records are in scope and why — this is often the first thing inspectors ask for.

Tip: err toward broader scope — underdeclaring is an inspection risk

Checklist Score Interpretation

11/11 checked: Your system is well-positioned for FDA inspection. Run an internal gap assessment annually and before any major system update.

7–10 checked: Review unchecked items with your QA team. Prioritize gaps involving audit trails, electronic signatures, and shared accounts — these appear most frequently in FDA warning letters.

Under 7 checked: Material compliance gaps. Consider a formal Part 11 gap assessment with your QA director before your next FDA inspection cycle.

See 21 CFR Part 11 compliance enforced automatically

ClearBatch builds all 11 requirements into the system architecture — audit trail, access controls, e-signatures, validation documentation, and record protection. No bolt-ons.

Watch the Demo → Request a Demo