21 CFR Part 11 Compliant Software: Audit Trail, Electronic Signature, and Validation Requirements Met by Architecture

21 CFR Part 11 compliance in a QMS software system is not a settings toggle or a checklist item checked by a vendor’s marketing team. It is a set of specific technical and procedural requirements that the system must satisfy by design — in its audit trail architecture, in its electronic signature implementation, in its access controls, in its data integrity protections, and in the validation documentation that supports the regulated user’s obligation to validate the system before using it for FDA-required records.

This page is written for validation engineers, quality systems managers, and regulatory affairs professionals who understand what Part 11 requires and need to evaluate whether a specific software platform satisfies those requirements technically. If you are looking for a plain-language introduction to Part 11, the 21 CFR Part 11 compliance checklist page covers the regulatory framework in detail. This page covers how eLeaP implements each Part 11 requirement at the system architecture level.

The Structure of 21 CFR Part 11: Two Regulatory Areas, Specific Technical Requirements

21 CFR Part 11 covers two distinct areas: electronic records (Subpart B) and electronic signatures (Subpart C). Each has its own technical requirements and its own enforcement history, although the split is not perfectly clean: the rules for how a signature is displayed (Section 11.50) and how it is linked to its record (Section 11.70) sit in Subpart B, while Subpart C governs the signature itself. A QMS system that satisfies the electronic record requirements but implements electronic signatures that do not meet Subpart C still fails Part 11, and electronic signatures are an area FDA investigators examine closely. Understanding the two areas separately is a prerequisite to evaluating any Part 11 compliance claim.

Subpart B, Sections 11.10 through 11.70, covers electronic records. The central requirement is that electronic records used in place of paper records under FDA regulations must be accurate, reliable, authentic, and trustworthy. Section 11.10 specifies the controls required for closed systems: validation (a), the ability to generate accurate and complete copies of records (b), record protection (c), limiting system access (d), audit trails (e), operational system checks (f), authority checks (g), device checks (h), personnel training (i), written policies for accountability (j), and controls over system documentation (k). Section 11.30 adds controls for open systems, Section 11.50 defines what a signed record must display, and Section 11.70 requires signatures to be linked to their records. Subpart C, Sections 11.100 through 11.300, covers electronic signatures. The central requirement is that an electronic signature is the legally binding equivalent of a handwritten signature and must satisfy specific technical and procedural requirements to maintain that equivalence.

21 CFR Part 11.10(e): Audit Trail Requirements and How eLeaP Implements Them

The introductory text of Section 11.10 requires that persons who use closed systems to create, modify, maintain, or transmit electronic records employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of those records. Paragraph (e) then specifically requires the use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. It further requires that record changes not obscure previously recorded information, and that audit trail documentation be retained for at least as long as the subject electronic records and be available for agency review and copying.

Each of these requirements maps to a specific technical characteristic that the QMS system must implement.

Computer-Generated and Time-Stamped

The audit trail must be generated by the computer system itself, not manually entered by a user. In eLeaP, audit trail entries are generated by the system automatically on every qualifying action — record creation, field modification, status change, electronic signature application, document access, and configuration change. No user action is required to trigger the audit trail entry, and no user action can suppress it. Timestamps are generated by the server at the time the action is processed, not by the client device, preventing timestamp manipulation through client clock adjustment. Server timestamps are maintained in UTC with the offset recorded, so that a time-stamp read by a reviewer in a different time zone is unambiguous.

Records the Date, Time, Operator Identity, and Nature of the Action

Each audit trail entry in eLeaP captures four elements: the unique identifier of the operator who performed the action; the server-generated timestamp of the action; the record affected, including its record type and unique identifier; and the nature of the action. For a modification, the nature of the action is the field or fields changed together with the prior value and the new value; for a creation, it is the record identifier and the initial field values; for a deletion or archival, it is the record identifier and the archival destination. Recording the prior value alongside the new value is what satisfies the 11.10(e) requirement that changes not obscure previously recorded information, and the operator, timestamp, and record identifier satisfy the requirement that the audit trail independently record the date, time, and operator of each entry or action.

Tamper-Evident and User-Inaccessible for Modification

The audit trail in eLeaP is written to a separately secured audit log database that is not accessible through the application’s user interface for modification. No user role in the system — including the system administrator role — has write or delete access to the audit trail database. The audit trail is readable and exportable for review and copying by authorised personnel and by FDA investigators, but it is not modifiable by any means available through the application. That statement is scoped to the application: anyone with direct write access to the underlying database or storage (a vendor database administrator, a hosting operator, a backup restore) sits outside that boundary, so an evaluator should ask how the audit store is protected at the infrastructure layer, who holds that access, and how use of it is itself logged. An audit trail that cannot be edited from the UI but can be edited with a database client is not “secure” in the 11.10(e) sense. The database-layer separation between the operational data and the audit trail data is the technical implementation of the Section 11.10(e) requirement that the audit trail be secure and computer-generated rather than subject to user manipulation.

Retained for the Required Duration and Available for Agency Review

Section 11.10(e) requires that audit trail documentation be retained for at least as long as the subject electronic records. In eLeaP, audit trail entries are retained for the life of the record they document and for any additional retention period required by the applicable regulation. Audit trail records for GMP batch records are retained for the period required under 21 CFR 211.180(a): at least one year after the expiry date of the batch, or three years after distribution for OTC products exempt from expiry dating. Audit trail export for FDA review produces a formatted report of the audit trail entries for specified records, specified users, or specified time periods, in a format suitable for submission to the agency.

21 CFR Part 11.50 and 11.100: Electronic Signature Requirements and eLeaP Implementation

The electronic signature requirements in Part 11 are more frequently misimplemented than the audit trail requirements, because the bar for a compliant electronic signature is higher than a checkbox or a workflow acknowledgment. Sections 11.50, 11.70, 11.100, and 11.200 together define what a compliant electronic signature must display, how it must be bound to its record, who it may belong to, and what identification components it must require.

Section 11.50: Required Signature Components

Section 11.50 requires that signed electronic records contain information associated with the signing that clearly indicates the printed name of the signer, the date and time when the signature was executed, and the meaning, such as review, approval, responsibility, or authorship, associated with the signature. In eLeaP, the signature record embedded in every signed document and workflow step contains the signer’s full name as registered in the user account, the server-generated timestamp of the signature action, and the meaning of the signature as configured in the workflow. The meaning is not free-text entered by the signer — it is a predefined term from the workflow configuration, such as ‘Approved,’ ‘Reviewed,’ or ‘Released,’ ensuring that the meaning is consistent across all uses of the same signature type and cannot be altered by the signer.

Section 11.100: Uniqueness and Non-Reuse of Electronic Signatures

Section 11.100(a) requires that each electronic signature be unique to one individual and not be reused by or reassigned to anyone else. Section 11.100(b) requires that organisations verify the identity of individuals before their electronic signature is established. Section 11.100(c) separately requires the organisation, before or at the time it first uses electronic signatures, to certify to FDA in writing that its electronic signatures are intended to be the legally binding equivalent of handwritten signatures; that certification is the regulated user’s obligation and is not something the software can supply. In eLeaP, each user account is associated with a single individual. The account credentials — the unique identifier and the password — are not shared, reassigned, or transferred. User provisioning procedures required for validated operation include identity verification before account creation, documentation of that verification, and a signed attestation by the user acknowledging that their electronic signature is the legal equivalent of their handwritten signature, which supports the organisation’s 11.100(c) certification.

Section 11.200: Two Identification Components at Time of Signing

Section 11.200(a)(1) requires that electronic signatures not based on biometrics employ at least two distinct identification components, such as an identification code and a password. Under 11.200(a)(1)(i), the first signing during a single continuous period of controlled system access must use all of the components, and each subsequent signing in that same period must use at least one component that is executable only by, and designed to be used only by, the individual. In eLeaP, every electronic signature event, regardless of session context, requires the user’s unique identification code and a password confirmation at the time of signing. The password confirmation is a re-authentication event, not a session token validation — the user must actively enter their credentials at each signature point. This consistent two-component requirement simplifies validation documentation by eliminating the need to define and test the session boundary conditions that determine when a single-component signature is permitted.

Cryptographic Binding of Signature to Record

Section 11.70 requires that electronic signatures and handwritten signatures executed to electronic records be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. In eLeaP, electronic signatures are bound to the specific record version at the time of signing through a cryptographic hash. Any subsequent modification to the record content after a signature is applied produces a hash mismatch that is detectable by the system and flagged in the audit trail. A record that has been modified after signing cannot present a valid signature state — the modification invalidates the signature and requires re-signing, with both the modification and the re-signing event captured in the audit trail. For this detection to hold, the stored hash must itself live in the protected audit store rather than beside the editable record, and it should be keyed or signed so that someone able to alter the record cannot simply recompute the hash to match; both are points to confirm in the vendor’s technical documentation rather than assume.

Section 11.10(d): Access Control Requirements and Role-Based Implementation

Section 11.10(d) requires limiting system access to authorised individuals. Section 11.10(g) requires the use of authority checks to ensure that only authorised individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. In eLeaP, these requirements are implemented through the role-based access control system described in the validation support package.

Access controls in eLeaP operate at three levels. System access is controlled by account authentication — a user without valid credentials cannot access the system. Record-type access is controlled by role assignment — a user can only view, create, or modify record types that their assigned role permits. Workflow authority checks control which actions a user can perform on a specific record in a specific workflow state — a user without approval authority for a document type cannot apply a signature at the approval stage, even if they can view the document. The authority check is enforced at the application layer, not by procedural expectation. A user cannot approve a record they are not authorised to approve, regardless of whether a supervisor permits it.
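The three checks that have to fire at a signing step (the application-layer authority check for the workflow state, the two-component re-authentication, and the cryptographic binding of the signature manifest to the exact record version) are easiest to reason about as one function that refuses to sign unless all three pass. The block below is an added example for this page, not eLeaP’s code: the role/state matrix, PBKDF2 for the password check, a server-held HMAC key for the binding tag, and the SOP sample record are all assumptions made so that the example runs offline. A production system would use a dedicated password hash (Argon2 or bcrypt) and keep the binding key in an HSM or KMS.

```python
"""Electronic-signature step: authority check (11.10(g)), two-component
re-authentication at signing (11.200(a)(1)), signature manifest (11.50) and
keyed cryptographic binding to the record version (11.70).

Added example, not eLeaP's code. The AUTHORITY matrix, PBKDF2, the
server-held HMAC key and the sample record are this example's assumptions.
"""
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

# Which predefined signature meaning each role may apply in each workflow
# state. Constructed for this example; a real matrix comes from workflow config.
AUTHORITY = {
    ("Reviewer", "In Review"): "Reviewed",
    ("Approver", "In Approval"): "Approved",
}

# Server-held secret the signer can never read; stands in for an HSM/KMS key.
SERVER_KEY = os.urandom(32)


def _canonical(obj) -> bytes:
    # Canonical JSON so hashes and tags do not depend on key order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(user_id: str, full_name: str, role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"user_id": user_id, "full_name": full_name, "role": role,
            "salt": salt, "pw_hash": hash_password(password, salt)}


def sign_record(record: dict, user: dict, entered_id: str, entered_pw: str) -> dict:
    """Apply an electronic signature, raising instead of signing on any failure."""
    # 1. Authority check enforced in code for this record's workflow state,
    #    independent of whether the user can view the record.
    meaning = AUTHORITY.get((user["role"], record["state"]))
    if meaning is None:
        raise PermissionError(
            f"{user['user_id']} may not sign in state {record['state']!r}")
    # 2. Two distinct components re-entered at signing time (ID + password);
    #    an existing session token is not accepted in their place.
    if entered_id != user["user_id"] or not hmac.compare_digest(
            hash_password(entered_pw, user["salt"]), user["pw_hash"]):
        raise PermissionError("re-authentication at signing failed")
    # 3. Manifest per 11.50: printed name, server time-stamp, predefined
    #    meaning, plus a hash of the exact record version being signed.
    manifest = {
        "record_id": record["id"],
        "version": record["version"],
        "content_hash": hashlib.sha256(_canonical(record["content"])).hexdigest(),
        "signer": user["full_name"],
        "signed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "meaning": meaning,
    }
    # 4. Keyed tag over the manifest (11.70): without SERVER_KEY nobody can
    #    edit the manifest or transplant it onto another record and still verify.
    manifest["tag"] = hmac.new(SERVER_KEY, _canonical(manifest), "sha256").hexdigest()
    return manifest


def verify_signature(record: dict, manifest: dict) -> bool:
    """True only if the manifest is untouched and matches this record's content."""
    body = {k: v for k, v in manifest.items() if k != "tag"}
    expected = hmac.new(SERVER_KEY, _canonical(body), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False
    if body["record_id"] != record["id"] or body["version"] != record["version"]:
        return False
    current = hashlib.sha256(_canonical(record["content"])).hexdigest()
    return hmac.compare_digest(current, body["content_hash"])
```

A failed `verify_signature` is the condition the page describes as “cannot present a valid signature state”: the application should surface it as an invalidated signature and write both the content change and the later re-signing to the audit trail, rather than silently re-hashing.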

Periodic access review is supported by a system report showing all active user accounts, their assigned roles, and their access permissions at the time of the report. This report is generated on demand for internal access reviews and for FDA inspection access control verification. Changes to user access — role changes, account deactivation, and new account provisioning — are captured in the audit trail with the identity of the administrator who made the change and the timestamp.

System Validation: What eLeaP Provides and What the Regulated User Is Responsible For

Section 11.10(a) requires validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. The validation requirement applies to the complete system used to maintain FDA-required electronic records, including the eLeaP application, the hosting infrastructure, and the customer’s configured workflows and access controls. Validation responsibility is apportioned between eLeaP as the vendor and the regulated user as the system owner.

eLeaP provides:

The regulated user is responsible for:

Data Integrity Under Part 11: ALCOA+ and the Architecture That Supports It

FDA’s data integrity guidance, while not codified as a separate regulation, applies ALCOA+ principles — Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available — to electronic records in GxP contexts. These principles are the operational expression of the Section 11.10 requirements for accuracy, reliability, and trustworthiness. Each ALCOA+ attribute maps to a specific system capability.

Attributable: every record entry and modification is associated through the audit trail with the individual who made it.
Legible: electronic records are stored in structured formats that are readable without the original creation software, with export to PDF and CSV.
Contemporaneous: timestamps are generated at the server at the time of the action, not entered retrospectively.
Original: the first captured version of a record is preserved in the audit trail and cannot be overwritten.
Accurate: system validation demonstrates that the application correctly processes and stores the data it is intended to manage.
Complete: required fields enforce completeness at the workflow level; incomplete records cannot advance to states that require completion.
Consistent: timestamps are maintained in UTC with consistent formatting.
Enduring: records are retained for the regulatory retention period and are protected from deletion through the access control and audit trail architecture.
Available: records are accessible for review and export by authorised personnel and by FDA on demand.

Evaluating 21 CFR Part 11 Compliant Software: Six Technical Questions

A validation engineer or quality systems manager evaluating a QMS platform for Part 11 compliance should ask these six questions and request technical documentation, not marketing assertions, in response.

eLeaP’s answers to all six questions are yes, with supporting technical documentation available as part of the validation support package. The demo for validation engineers includes a live audit trail review demonstrating tamper-evidence, an electronic signature walk-through with credential re-authentication at each signature point, and a review of the Part 11 traceability matrix. Request a technical demo at eleapsoftware.com.

Related resources: