What is 21 CFR Part 11?
This article covers the six core Part 11 requirements. We also have deeper dives into the audit trail implementation checklist, the open vs closed system distinction, and a full Annex 11 vs Part 11 comparison.
Title 21 of the Code of Federal Regulations, Part 11, is the FDA regulation that defines the conditions under which electronic records and electronic signatures are considered equivalent to paper records and handwritten signatures in FDA-regulated environments.
If you're delivering a SCADA system to a pharmaceutical client in the US — or to any client selling into the US market — Part 11 compliance is expected. It's also increasingly expected in EU GMP environments, where Annex 11 covers similar ground under European law. The two regulations are not identical, but they are closely aligned.
Part 11 applies to any electronic record that is required by FDA regulation — batch records, audit trails, calibration records, production data. If your system generates, modifies, or stores any of these records electronically, Part 11 applies to those records.
The Six Requirements Your System Must Meet
Part 11 breaks into two areas: closed systems (where access is controlled by the people responsible for the content) and open systems. Almost all pharmaceutical SCADA falls into the closed system category. For closed systems, the practical requirements are:
The Audit Trail — The Most Important Requirement in Practice
Of all Part 11 requirements, the audit trail is the one that causes the most engineering work and the most OQ test cases. The regulation requires that any action that creates, modifies, or deletes a GMP record be captured in a tamper-evident, time-stamped log, and that this log cannot be modified or deleted by operators.
For a SCADA system, the audit trail must capture at minimum:
- Setpoint changes — who changed it, from what value, to what value, when
- Mode changes — manual/auto/cascade changes, operator acknowledgement
- Alarm acknowledgements — which alarm, acknowledged by whom, at what time
- Login and logout events — user ID, timestamp, workstation
- Recipe changes — any modification to a batch recipe or process parameter set
- Configuration changes — any modification to the SCADA application itself
FDA inspectors consistently cite incomplete or inaccessible audit trails as the most frequent Part 11 finding. The issue isn't usually that the audit trail doesn't exist — it's that it can be disabled, that it doesn't capture all required event types, or that it can't be exported in a readable format during inspection.
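As an added illustration (not code from the article or any SCADA vendor), a minimal hash-chained audit trail in Python that records the event kinds listed above and shows what verification catches: an edited row, a deleted row, and, only when the last hash is anchored somewhere the operator cannot reach, a truncated trail. The user, tag and alarm names and the timestamps are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

class AuditTrail:
    """Append-only, hash-chained audit trail: every entry stores the SHA-256 of the
    previous one, so editing, reordering or deleting a row breaks verification."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        canon = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(canon.encode()).hexdigest()

    def record(self, event_type, user, detail, timestamp=None):
        """Append one event (setpoint, mode, alarm_ack, login, recipe, config); return its hash."""
        entry = {"seq": len(self.entries), "type": event_type, "user": user, "detail": detail,
                 "ts": timestamp or datetime.now(timezone.utc).isoformat(),
                 "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head=None):
        """Return (ok, first_bad_seq). Detects edited, reordered and deleted rows; pass the
        last hash held outside the system (expected_head) to also catch truncation."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

def build_sample_trail():
    """Constructed sample events in the shape the article lists; fixed timestamps keep it reproducible."""
    trail = AuditTrail()
    trail.record("login", "jsmith", {"workstation": "HMI-01"}, "2024-03-01T08:00:00+00:00")
    trail.record("setpoint", "jsmith", {"tag": "TT-101.SP", "from": 37.0, "to": 38.5},
                 "2024-03-01T08:05:12+00:00")
    trail.record("alarm_ack", "jsmith", {"alarm": "TAH-101"}, "2024-03-01T08:06:40+00:00")
    return trail
```

The chain alone cannot tell a trail that was never longer from one whose tail was removed, which is why the head hash needs a home outside the operator's control (a periodic export that QA keeps, for instance) before "cannot be deleted" is testable in the OQ.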
Access Control in Practice
Part 11 requires that system access be limited to authorised individuals via unique user IDs. In SCADA terms this means:
- No shared logins — every operator, engineer, and administrator must have their own account
- Role-based access — operators can acknowledge alarms and enter data but cannot change setpoints above their access level; engineers can configure but cannot approve batch records
- Password controls — complexity requirements, expiry periods, lockout after failed attempts
- Inactive session timeout — automatic logout after a defined period of inactivity
All of these must be tested in your OQ with documented evidence. A typical OQ will have 10–15 test cases covering access control alone — testing each role, each permission boundary, and each lockout scenario.
Electronic Signatures vs Electronic Records
Many engineers conflate electronic records (the data the system generates) with electronic signatures (the formal act of signing off a record). They are separate Part 11 obligations.
Electronic signatures under Part 11 require: the printed name of the signer, the date and time of signing, and the meaning of the signature (e.g. "Reviewed and Approved" or "Executed by"). The signature must be permanently linked to the record it signs — it cannot be cut and pasted to another record.
Not every SCADA system requires electronic signatures. The requirement only kicks in when a signature is required by regulation — typically for batch record release, protocol approval, or deviation closure. Check with your client's QA team which records require formal signature in their quality system.
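Added example (not from the article): a signature manifestation carrying the signer's printed name, date and time and meaning, bound to a SHA-256 digest of the record content and authenticated with an HMAC, so the same signature copied onto another record, or left on a record edited after signing, fails verification. The per-signer key, the batch records and the field names are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption: the system holds a secret key per authenticated signer, standing in for
# whatever credential check precedes a signing act. Constructed value, not a real key.
SIGNER_KEYS = {"jsmith": b"constructed-demo-key-for-jsmith"}

# Constructed sample batch records from the same line.
BATCH_A = {"batch": "B-2024-0117", "product": "X", "yield_kg": 412.0, "deviations": []}
BATCH_B = {"batch": "B-2024-0118", "product": "X", "yield_kg": 398.5, "deviations": ["DEV-22"]}


def canonical(obj):
    """Stable byte encoding so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record):
    """SHA-256 over the record content; the signature binds to this, not to a record ID."""
    return hashlib.sha256(canonical(record)).hexdigest()


def sign_record(record, signer, meaning, signed_at):
    """Part 11 manifestation (printed name, date/time, meaning) plus an HMAC tag over the
    manifestation and the record digest, which ties the signature to this exact record."""
    manifestation = {"signer": signer, "signed_at": signed_at, "meaning": meaning,
                     "record_digest": record_digest(record)}
    tag = hmac.new(SIGNER_KEYS[signer], canonical(manifestation), hashlib.sha256).hexdigest()
    return {**manifestation, "tag": tag}


def verify_signature(record, signature):
    """True only if the named signer produced this signature over this exact record content."""
    key = SIGNER_KEYS.get(signature["signer"])
    if key is None or signature["record_digest"] != record_digest(record):
        return False  # signature belongs to different content (moved, or record edited)
    manifestation = {k: v for k, v in signature.items() if k != "tag"}
    expected = hmac.new(key, canonical(manifestation), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature["tag"])
```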
EU GMP Annex 11 — The European Equivalent
If your client is based in or selling into the EU, Annex 11 applies alongside or instead of Part 11. The practical requirements are closely aligned (audit trails, access control, data integrity, validation), but there are differences in emphasis. Annex 11 places greater weight on data integrity principles (ALCOA+) and specifically addresses cloud computing and remote access, topics that did not exist when Part 11 was written.
For most PLC/SCADA projects, building a system that satisfies Part 11 will also satisfy Annex 11. The QLean framework's OQ protocol templates include test cases structured to evidence compliance with both. For a full breakdown of where the two regulations diverge, see our Annex 11 vs 21 CFR Part 11 comparison.
If your project involves cold chain storage, stability chambers, or cleanroom environmental control, the requirements above apply specifically to your monitoring system. See our dedicated guide: 21 CFR Part 11 for Temperature Monitoring Systems and Data Loggers.
The OQ protocol template includes a dedicated Part 11 / Annex 11 compliance section with pre-written test cases covering audit trail integrity, access control, electronic signature behaviour, and record export. Each test case references the specific regulatory clause it evidences.