21 CFR Part 11 is the regulation pharmaceutical companies either get right — or discover they got wrong during an FDA inspection. For electronic batch records specifically, Part 11 compliance is not a configuration checkbox. It is a set of technical controls and procedural requirements that your software, your processes, and your people must satisfy together.

This guide covers what 21 CFR Part 11 actually requires for electronic batch records, the compliance gaps most pharma companies encounter, and how AI-powered batch record systems maintain compliance without slowing down the review process.

§11
Title 21 CFR Part 11 — FDA's electronic records rule
1997
Year Part 11 was enacted — still fully enforced today
483s
Part 11 violations consistently appear in FDA inspections

What Is 21 CFR Part 11? A Plain-English Overview

21 CFR Part 11 establishes the criteria under which the FDA considers electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures. It was enacted in 1997 as pharmaceutical manufacturers began transitioning from paper-based systems to electronic ones.

The regulation applies to any record required by FDA regulations that is created, modified, maintained, archived, retrieved, or transmitted electronically. For pharmaceutical manufacturers, this includes electronic batch records, deviation reports, CAPA documentation, and any other quality record that exists in digital form as part of a regulated process.

Part 11 is enforced under 21 CFR Parts 210 and 211 (Current Good Manufacturing Practice). Non-compliance does not exist in a vacuum — it directly implicates your cGMP compliance posture. A batch record system that fails Part 11 creates records of questionable regulatory standing, which means the batches those records represent are also at risk.

The core principle: Electronic records must be at least as trustworthy as the paper records they replace. Part 11 defines exactly what "at least as trustworthy" means — and it goes well beyond a password-protected login screen.

Want to see how ClearBatch handles 21 CFR Part 11 compliance? See the full audit trail, e-signature enforcement, and access controls in a live walkthrough of the batch review system.
Request a Demo →

Key Requirements for Electronic Batch Records

Part 11 has two main subparts: Subpart B (Electronic Records) and Subpart C (Electronic Signatures). Both apply to electronic batch record systems. Here are the requirements that matter most in practice.

§11.10(e)
Audit Trail
Computer-generated, time-stamped audit trail capturing record creation, modification, and deletion. Must include who made the change, when, and the previous value.
§11.10(d)
Access Controls
System access limited to authorized individuals. Must enforce authority checks and limit system access to authorized personnel only.
§11.50 / §11.70
Electronic Signatures
Signatures must be unique to one individual, not reusable by others, and permanently linked to their respective electronic records.
§11.10(a)
System Validation
Systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
§11.10(c)
Record Protection
Records must be protected to enable accurate and ready retrieval throughout the records retention period. Closed records must be tamper-evident.
§11.10(k)
Training Records
Personnel who develop, maintain, or use electronic record and electronic signature systems must have the education, training, and experience to perform their assigned tasks.
Free Resource

Get Your Free FDA Inspection Checklist

21 CFR Part 11 compliance checklist — 11 audit-trail, e-signature, and access control requirements mapped to the exact FDA citation. Used by QC teams preparing for inspections.

✓ Check your inbox — or view it here now.

No spam. Unsubscribe anytime.

The audit trail requirement in detail

The audit trail is the most frequently cited Part 11 requirement in FDA 483 observations. Section 11.10(e) requires a computer-generated, time-stamped audit trail that documents record creation and modification activities. Critically, the regulation specifies that this audit trail must capture the date and time of operator entries and actions that create, modify, or delete electronic records — and the audit trail itself must be protected against modification.

What this means in practice: your batch record system must log every change, including what the value was before the change, what it was changed to, who changed it, when, and if your SOPs require it, a reason code. If a QC reviewer modifies an AI-generated finding, that modification must appear in the audit trail with full traceability.

Electronic signature requirements

Part 11 Subpart C requires that electronic signatures be unique to one individual and not reusable by or reassignable to anyone else. Each electronic signature must be linked to its respective electronic record. Non-biometric signatures (the kind most pharmaceutical software uses) must employ at least two distinct identification components, such as an identification code and password.

The practical consequence: shared user accounts are a Part 11 violation. If two reviewers share a login because "it's more convenient," every record signed under that account has a compliance problem. This is basic, but it comes up repeatedly in inspection observations.

Common Compliance Gaps Pharma Companies Face

Part 11 compliance issues cluster in predictable places. These are the gaps that appear most frequently in FDA warning letters and 483 observations:

Incomplete audit trails

Many systems log that a change was made but fail to capture the before-and-after state. If a batch temperature value is corrected from 24.1°C to 23.8°C, the audit trail must show both values — not just that an edit occurred. Systems that only record "field X was modified" without capturing what it changed from fail this requirement.

  • Audit trail captures only the final value, not the original
  • Modifications to closed records are possible without generating a new audit entry
  • Audit trail data is stored in a location that users can access and modify
  • Time stamps are in local time without time zone notation, creating ambiguity

Shared or generic user accounts

The electronic signature uniqueness requirement is absolute. System accounts shared between multiple reviewers — even if individually initialed in a paper log — do not meet Part 11. This is a systemic gap in facilities that implemented electronic systems quickly without reconsidering access control practices from the paper era.

Insufficient system validation

Part 11 requires that systems be validated to ensure they perform consistently and as intended. Many facilities perform a cursory installation qualification but lack documented operational qualification (OQ) and performance qualification (PQ) protocols. FDA expects to see a validation master plan, IQ/OQ/PQ test scripts, and completed execution records. "We tested it and it works" is not a validation package.

Lack of access controls on closed records

Once a batch record is closed and the batch has been released, that record should be effectively locked. Systems that allow modification of closed records — even with administrative credentials — without generating a clear audit event fail Part 11's tamper-evidence requirement. Record protection is a system-level control, not just a policy.

Inspection reality: FDA investigators are trained to look for Part 11 gaps specifically. They will ask to see audit trail logs for specific records, test whether closed records can be modified, and verify that user access controls prevent unauthorized system access. "Our policies prohibit this" is not a substitute for technical controls.

How AI-Powered Batch Record Systems Achieve Compliance

AI-powered batch record review introduces a new category of electronic action that Part 11 must account for: the AI review itself. When an AI system reads a batch record, flags a deviation, and generates a review report, those actions are creating and modifying electronic records in a regulated environment. The audit trail must capture them.

This is not a reason to avoid AI in regulated environments — it is a design requirement. Systems built for pharmaceutical use handle this correctly by capturing the following for every AI review event:

  • The identity of the user who initiated the review
  • The timestamp of the review initiation and completion
  • The version of the AI model used
  • The input data (batch record identifier and version)
  • Every finding generated by the AI, with deviation classification and regulatory citation
  • Any modifications made by the human reviewer to AI findings, with the reviewer's identity and timestamp
  • The electronic signature of the QA reviewer at disposition

This creates a complete, traceable record of the entire review process — from AI analysis through human verification to final disposition. An FDA investigator examining the batch record can see exactly what the AI concluded, exactly what the human reviewer changed or approved, and exactly when the disposition decision was made and by whom.

The human reviewer retains final disposition authority. This is non-negotiable under current FDA regulations — a qualified person must make the batch release decision. AI review handles the data analysis; the QA professional owns the disposition. See our article on AI batch record review for how this workflow operates in practice.

ClearBatch's Approach to 21 CFR Part 11

ClearBatch was built from the ground up for regulated pharmaceutical environments. Every feature in the system was designed with Part 11 requirements as a constraint, not an afterthought.

Immutable audit trail

Every action in ClearBatch — batch record upload, AI review initiation, deviation flag creation, reviewer modification, QA disposition — is captured in an immutable audit trail. The audit trail cannot be modified by any user, including administrators. Each entry includes user identity, timestamp, action type, and the before/after state of any modified record.

Role-based access controls

ClearBatch enforces role-based permissions that control what each user can do at a granular level. QC reviewers can view and annotate AI findings. QA reviewers can make disposition decisions. Administrators can manage users and system configuration. No role can modify closed batch records without generating a documented amendment record.

Electronic signature compliance

Electronic signatures in ClearBatch require re-authentication at the point of signing — users must enter their credentials again to confirm the signature is intentional and theirs. Signatures are permanently linked to the record they sign and appear in the audit trail with full traceability. Shared accounts are technically prevented by system design.

Validation documentation

ClearBatch provides a complete validation package including a Validation Master Plan, Installation Qualification (IQ) protocol and report, Operational Qualification (OQ) test scripts, and Performance Qualification (PQ) scenarios based on your batch record types. This documentation is designed to be executed as-is or adapted to your facility's specific validation requirements. The professional and enterprise tiers include validation support from our team.

If you want to evaluate ClearBatch against your Part 11 requirements directly, the demo environment shows the audit trail, access controls, and electronic signature workflow in a live pharmaceutical batch review. The comparison page covers how ClearBatch's compliance approach stacks up against enterprise QMS platforms.

See Part 11-compliant AI batch review in action

Watch ClearBatch process a pharmaceutical batch record — with the full audit trail, deviation flagging, regulatory citations, and QA disposition workflow visible. Bring your Part 11 checklist.

Watch the Demo → Request a Demo
Free Download

21 CFR Part 11 Compliance Checklist

11 requirements, FDA citations, and a before-your-inspection action list. One page. Free. Used by pharma QC teams to close gaps before an investigator finds them.

✓ Check your inbox — or view it here now.

No spam. Unsubscribe anytime.

Frequently Asked Questions

What is 21 CFR Part 11?
21 CFR Part 11 is the FDA regulation that establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. It applies to any record required by FDA regulations that is created, modified, maintained, archived, retrieved, or transmitted electronically — including electronic batch records in pharmaceutical manufacturing.
What are the key requirements of 21 CFR Part 11 for electronic batch records?
The key requirements are: (1) a complete electronic audit trail that captures every record creation, modification, and deletion with timestamp and user identity; (2) electronic signatures that are unique to the individual, cannot be reused by others, and are linked to their respective records; (3) access controls with role-based permissions and user authentication; (4) data integrity controls ensuring records cannot be altered without detection; and (5) system validation with documented IQ/OQ/PQ protocols.
Does 21 CFR Part 11 apply to AI batch record review systems?
Yes. Any AI system that creates, modifies, or stores electronic batch records in a regulated pharmaceutical environment must comply with 21 CFR Part 11. This means the AI review actions must be captured in the audit trail, the system must enforce access controls, and every AI-generated finding that becomes part of the batch record must be traceable — including the model version used and any human reviewer modifications.
What is the most common 21 CFR Part 11 compliance gap in pharma?
The most common gap is an incomplete or non-compliant audit trail. Many systems log record changes but fail to capture the "before and after" state of a modification, the reason for the change, and the identity of the individual making the change. Other common gaps include shared user accounts (which break the uniqueness requirement for electronic signatures), lack of system validation documentation, and insufficient access controls allowing unauthorized modification of closed records.
How long does 21 CFR Part 11 validation take for a batch record system?
Validation timeline depends heavily on whether the vendor provides pre-written IQ/OQ/PQ documentation. Purpose-built pharmaceutical software with existing validation packages typically completes validation in 30–60 days. Systems that require custom validation protocols from scratch — including most enterprise QMS platforms — typically take 3–6 months. The key question to ask vendors: do you provide a validation master plan and pre-written test scripts?