Evaluating 21 CFR Part 11 Compliance in Lab Systems

Understand what 21 CFR Part 11 requires for electronic records and signatures, how it applies to research and EHS teams, and how to check compliance.

June 24, 2026

TL;DR

  • 21 CFR Part 11 is the FDA regulation that defines when electronic records and electronic signatures are considered trustworthy and equivalent to paper. It applies to pharma, biotech, and clinical research organizations that create, modify, maintain, or transmit records under FDA predicate rules or submitted to FDA electronically. 
  • To meet Part 11 requirements, electronic record systems must support validated and documented use and secure audit trails with automatic timestamps and user attribution. Electronic signatures should be uniquely tied to an individual, and reliable record retention and retrieval need to keep data accessible and human-readable over time.
  • Part 11 applies to both research and EHS records when those records are required under FDA predicate rules or submitted to FDA. This means that experiment data, sample records, safety documentation, and training completions all need the same integrity controls when in scope.
  • Common compliance gaps include using tools like spreadsheets or general-purpose note-taking applications that were never built to meet Part 11, relying on shared logins that make it impossible to attribute a signature to a specific individual, and exporting or copying records in ways that break the audit chain.

Introduction

If your FDA-regulated work relies on electronic records, whether that means experiment data, sample records, or safety documentation, those records need to hold up under scrutiny the same way a signed paper document would.

That standard does not change because the record is digital. What changes is the regulatory framework that defines what "trustworthy" means in that context. 21 CFR Part 11 is the FDA regulation that establishes exactly that: the criteria under which electronic records and electronic signatures are considered reliable, attributable, and legally equivalent to their paper counterparts. It applies across FDA-regulated industries, including pharmaceutical, biotech, and clinical research organizations, wherever electronic systems are used to create, modify, maintain, or transmit records that fall under FDA requirements. 

And the stakes are concrete: electronic records that do not meet Part 11 requirements may be questioned during an FDA inspection, putting your data integrity and regulatory standing at risk.

What is 21 CFR Part 11?

21 CFR Part 11 is a regulation issued by the U.S. Food and Drug Administration, sitting within Title 21 of the Code of Federal Regulations under Part 11: Electronic Records and Electronic Signatures. It establishes the technical and procedural criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures in the eyes of the FDA.

The regulation applies to any organization operating in an FDA-regulated industry that uses electronic systems to create, modify, maintain, archive, retrieve, or transmit records that are required under FDA regulations. In practice, that scope covers pharmaceutical manufacturers, biotech companies, contract research organizations, clinical research sites, and any other regulated entity whose records fall under FDA oversight. It does not apply only to drug manufacturers. If your organization uses electronic systems for record keeping, you need to understand where Part 11 requirements apply to your workflows. That includes teams managing laboratory data, sample records, or safety documentation. Practically, the key question is not only what system holds the record, but whether the record is required under FDA predicate rules or submitted to the FDA in electronic form.

The regulation itself is organized around two core areas: controls for closed and open systems used to create and maintain electronic records, and requirements for electronic signatures, including how they are created, applied, and protected from reuse or falsification. Achieving 21 CFR Part 11 compliance means the electronic systems a lab uses must meet those controls consistently, not selectively. The scope depends on whether the electronic record is required under FDA predicate rules or submitted to the FDA, not simply on the size of the organization generating it.

What 21 CFR Part 11 compliance requires

Part 11 includes several practical control areas: validated systems, accurate and complete record copies, reliable record retention and retrieval, access controls, audit trails, and authority checks. It also includes electronic signature controls and system documentation controls.

One accuracy point worth stating clearly here: system validation is the regulated lab's responsibility. It must be performed and documented for the lab's own specific intended use. A software vendor can support that process by providing documentation such as validation protocols, test scripts, and technical specifications, but a vendor cannot complete validation for the customer's specific intended use. That responsibility stays with the organization generating the records. The same principle applies across GLP and GMP compliance frameworks, where validated systems and documented procedures are consistently the lab's obligation to establish and maintain.

The 21 CFR Part 11 compliance checklist below breaks down what each requirement means in practice and what to check for in a system that is expected to meet it.

Requirement | What it means | What to check for
--- | --- | ---
Validated system | The system is validated for the lab's intended use | Whether the vendor provides documentation to support your own validation. Validation itself is the regulated lab's responsibility, not the vendor's
Secure audit trails | Actions that create, modify, or delete a record are logged with who did them and when | Automatic timestamps, user attribution, and protected audit logs that preserve prior entries
Electronic signatures | Signatures are unique to one person and cannot be reused by someone else | Controls that link the signature to the record and show whether signed records were changed afterward
Record retention and retrieval | Records stay accessible and human-readable for as long as required | Whether complete copies stay readable, exportable, and retrievable through the retention period
Access controls | Only authorized users can create, modify, or sign records | Role-based permissions that control who can view, edit, or approve specific records

How Part 11 applies differently to research and EHS records

Part 11 does not apply by record label alone. When a record is in scope, the same requirements apply whether it’s an experiment entry or an inspection report. Those requirements include validated systems, attributable audit trails, controlled signatures, and retention for the applicable required period. What changes is what "the record" actually refers to in each context, and that distinction has practical implications for how labs assess the systems managing those records.

On the research side, the records that fall under Part 11 scrutiny are experiment data, sample records, and protocol sign-offs captured in an electronic lab notebook or LIMS. Each of those record types needs to be created in a validated system, logged with a secure audit trail that preserves previous entries, and signable in a way that locks the record and attributes the signature to a specific individual. A sample record that can be altered after the fact without leaving a trace, or an experiment entry signed under a shared login, does not meet that standard, regardless of how accurate the underlying data is.

On the EHS side, the records in scope look different: safety data sheets, inspection reports, training completions, and incident documentation. These are the record types that lab safety software is responsible for capturing and maintaining. EHS records can be in scope when they are predicate-rule records, submitted electronically to FDA, or relied on for FDA-regulated activities. An inspection report that cannot be traced back to the individual who completed it, or a training completion record stored in a system without proper access controls, carries the same compliance risk as a deficient experiment record.

This distinction matters when evaluating systems. The research stack and the EHS stack each need to meet Part 11 on their own terms. When assessing EHS software for your lab, apply the same Part 11 evaluation criteria you would use for any research records system: validated use, secure audit trails, attributable signatures, and reliable retention.

Common Part 11 compliance gaps to watch for

The most common Part 11 compliance gaps usually come from using tools that were never designed for governed electronic records.

Spreadsheets are the clearest example. Excel is widely used for tracking samples, reagents, and inventory across research and EHS functions, but a standard spreadsheet setup is not designed to provide Part 11 audit trails, signature controls, or protected record locking without additional governed controls. The same applies to general-purpose note-taking tools like Microsoft OneNote. They can capture data, but they are not designed to attribute a regulated electronic signature to a specific individual, enforce Part 11 record controls, or produce the kind of audit trail expected for regulated electronic records.

Shared logins create a separate but equally concrete problem. Part 11 requires that electronic signatures be uniquely linked to one person and cannot be reused or reassigned. If your team shares a single login to access a records system, that requirement becomes impossible to satisfy, regardless of how well the underlying system is built.

Finally, exported copies can be acceptable if controlled, complete, accurate, and not used as an uncontrolled working record. When records are exported or copied into an uncontrolled spreadsheet, a shared drive, or an email attachment, and those copies become the working record, the audit chain can break. The exported copy has no record of who handled it after the transfer, making it unsuitable as a Part 11-compliant record even if the source system was fully configured and validated to support Part 11-compliant use.

Euroimmun US experienced this directly before implementing SciSure, relying on Excel spreadsheets and undocumented institutional knowledge for sample management, with sample status spread inconsistently across multiple document versions. While this isn’t a Part 11 case study by itself, it illustrates the operational risk behind uncontrolled spreadsheet workflows.

Read the full Euroimmun US story.

How SciSure supports 21 CFR Part 11 compliance

SciSure supports configurations and workflows that can help customers operate Part 11-compliant electronic records when the system is validated and governed for its intended use. 

On the research side, SciSure's ELN captures experiment documentation in structured, version-controlled records with automatic audit trails. Signed experiments are locked read-only, digital signature and timestamp are visible, two-step verification is available, and witness signatures can be required. Relevant actions taken on a record, including edits, comments, and status changes, are logged with a timestamp and attributed to the individual user who performed them. Those logs are designed to preserve change history and user attribution. When an experiment is ready to be finalized, electronic signatures lock the record from further changes. An optional second signature supports approval workflows where a supervisor or principal investigator needs to countersign before a record is considered complete.

SciSure's LIMS software applies the same audit trail and access control logic to sample records and inventory data. Relevant sample actions, including sample information changes, location moves, and dispatch events, are logged automatically with user attribution and timestamp. Role-based access controls determine which users can view, edit, or approve specific records, making it possible to enforce the access restrictions Part 11 requires without relying on informal conventions or shared credentials.

Role-based permissions apply across both systems, allowing organizations to configure access at a granular level based on user role and group. 

Arctic Therapeutics, a biotechnology and drug development company, uses SciSure's controlled access, signing, and record locking to maintain audit-ready records in its ISO 15189 certified environment. ISO 15189 is not the same framework as FDA 21 CFR Part 11, but the underlying record integrity requirements overlap significantly: attributable actions, locked records, and traceable access. The features that support Arctic Therapeutics' regulatory environment are the same ones SciSure provides to support Part 11-compliant use.

Read the full Arctic Therapeutics story.

What SciSure does not do is perform system validation on a customer's behalf. Validation remains the regulated lab's responsibility, performed and documented for its own intended use. SciSure supports that process by providing the technical documentation organizations need to conduct their own validation, but the obligation to validate sits with the organization operating the system.

Part 11 compliance is a system property, not a one-time checklist

Part 11 compliance is an operating state supported by the system, procedures, training, access controls, and validation documentation. If your lab selects a compliant system, completes its initial validation, and then makes no further checks, that doesn't mean you're staying compliant. Part 11 compliance should also be revisited when the system or its intended use changes. Software updates, new modules, revised workflows, additional record types, or changes to user roles can affect whether the original validation still reflects how the system is being used. Regulated teams should handle those changes through documented change control and, where needed, perform targeted revalidation or testing before relying on the updated workflow for in-scope electronic records. 

What that means practically is that compliance needs to be verified as an ongoing condition rather than confirmed once at implementation. The questions worth returning to regularly are whether audit trails are still capturing every relevant action, whether access controls reflect current team structures and roles, whether signatures are still attributable to specific individuals, and whether any records are leaving the system in ways that break the audit chain.

If any of those checks surface a gap, the fix may need to start with system configuration, SOPs, training, validation documentation, or data handling practices.
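
The recurring checks above (audit trails that capture every action, signatures attributable to one person, no changes after signing) can be partly automated against an audit-trail export. The following is an added example, not SciSure's code or export format: the field names, the sequence-number column, the account inventory, and all sample data are constructed assumptions.

```python
from datetime import datetime

# Constructed account inventory: login -> named individual (None = shared/generic login).
ACCOUNTS = {"asmith": "Alice Smith", "bjones": "Bob Jones", "labshared": None}

# Constructed audit-trail export. Field names are assumptions for this example.
EVENTS = [
    {"seq": 1, "record": "EXP-001", "action": "create", "user": "asmith",
     "ts": "2026-03-02T09:14:00+00:00"},
    {"seq": 2, "record": "EXP-001", "action": "modify", "user": "asmith",
     "ts": "2026-03-02T10:02:00+00:00"},
    {"seq": 3, "record": "EXP-001", "action": "sign", "user": "asmith",
     "ts": "2026-03-02T11:30:00+00:00", "meaning": "authorship"},
    # Edit to a record that was already signed.
    {"seq": 4, "record": "EXP-001", "action": "modify", "user": "bjones",
     "ts": "2026-03-03T08:00:00+00:00"},
    {"seq": 5, "record": "SMP-114", "action": "create", "user": "bjones",
     "ts": "2026-03-03T08:05:00+00:00"},
    # seq 6 is absent from the export; the next signature uses a shared login.
    {"seq": 7, "record": "SMP-114", "action": "sign", "user": "labshared",
     "ts": "2026-03-03T09:00:00+00:00", "meaning": "review"},
    # No user attribution.
    {"seq": 8, "record": "INS-020", "action": "create", "user": "",
     "ts": "2026-03-04T07:45:00+00:00"},
    # Timestamp without a UTC offset, and no stated meaning for the signature.
    {"seq": 9, "record": "INS-020", "action": "sign", "user": "bjones",
     "ts": "2026-03-04T08:10:00"},
]


def parse_ts(value):
    """Return an aware datetime, or None if missing, malformed, or lacking an offset."""
    try:
        ts = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return ts if ts.tzinfo is not None else None


def review_audit_trail(events, accounts):
    """Return (finding, record, seq) tuples for entries that need follow-up."""
    findings = []
    signed = set()   # records that already carry a signature
    prev_seq = None
    for ev in sorted(events, key=lambda e: e["seq"]):
        seq, rec, action = ev["seq"], ev["record"], ev["action"]

        # A hole in the sequence means an entry is missing from the trail.
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append(("SEQUENCE_GAP", rec, seq))
        prev_seq = seq

        # Every action needs a user and an unambiguous timestamp.
        user = ev.get("user") or ""
        if not user:
            findings.append(("MISSING_USER", rec, seq))
        if parse_ts(ev.get("ts")) is None:
            findings.append(("BAD_TIMESTAMP", rec, seq))

        if action == "sign":
            # Shared or unknown logins cannot be tied to one individual.
            if user and accounts.get(user) is None:
                findings.append(("SIGNATURE_NOT_ATTRIBUTABLE", rec, seq))
            # A signature should state what it means (authorship, review, ...).
            if not ev.get("meaning"):
                findings.append(("SIGNATURE_NO_MEANING", rec, seq))
            signed.add(rec)
        elif action in ("modify", "delete") and rec in signed:
            # Signed records are expected to be locked against change.
            findings.append(("CHANGED_AFTER_SIGNATURE", rec, seq))
    return findings


if __name__ == "__main__":
    for finding, record, seq in review_audit_trail(EVENTS, ACCOUNTS):
        print(f"seq {seq:>2}  {record:<8} {finding}")
```

A finding here is a prompt for review under the lab's own SOPs, not a compliance verdict; the checks only cover what an export can show.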

FAQ

What is 21 CFR Part 11 compliance?

21 CFR Part 11 is the FDA regulation that defines when electronic records and electronic signatures are considered trustworthy and legally equivalent to paper records and handwritten signatures. It applies to any organization in an FDA-regulated industry that creates, modifies, maintains, or transmits records under FDA requirements, including pharmaceutical, biotech, and clinical research organizations. Compliance means the electronic systems used to manage those records meet the technical and procedural controls the regulation specifies.

What does my ELN/LIMS need to do to be 21 CFR Part 11 compliant?

The system needs to support validated and documented use for its intended purpose, maintain secure audit trails with timestamps and user attribution, and retain records in a format that remains accessible and readable by people for as long as required. It also needs electronic signature controls that tie each signature to one individual, show the signer's name, date, time, and meaning of the signature, and link the signature to the signed record. Access controls that restrict who can create, modify, or sign records are also required.

Is SciSure 21 CFR Part 11 compliant?

SciSure supports Part 11-compliant use, but compliance depends on configuration, SOPs, training, access controls, validation, and the customer's intended use. It supports this through automatic audit trails that log relevant record actions with timestamps and user attribution, role-based access controls that enforce record-level permissions, and electronic signatures that lock experiment records from further changes once signed.

About the author:

Philip Meer

Philip Meer is the Chief Executive Officer of SciSure, leading the company in pioneering the first-ever Scientific Management Platform (SMP) by merging eLabNext and SciShield. With extensive experience in executive leadership, he has successfully driven growth and innovation across multiple technology and healthcare companies. Philip holds an MBA from NYU Stern School of Business and a BA in Economics and History from Brandeis University.
