21 CFR Part 11 Compliance Guide: Electronic Records and Signatures for Medical Devices
Complete guide to FDA 21 CFR Part 11 for medical device companies — electronic records, electronic signatures, audit trails, system validation, CSA guidance, and how Part 11 connects to ISO 13485 and the new QMSR.
What Is 21 CFR Part 11
21 CFR Part 11 is the FDA regulation that establishes the criteria under which the agency considers electronic records and electronic signatures to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures. Enacted in 1997, it applies to every FDA-regulated entity — drug manufacturers, biologic sponsors, medical device manufacturers, and food facilities — that creates, modifies, maintains, archives, retrieves, or transmits electronic records required by FDA regulations.
For medical device companies specifically, Part 11 applies whenever electronic records are used to fulfill any requirement under the Federal Food, Drug, and Cosmetic Act, the Public Health Service Act, or any FDA regulation. This includes quality system records (21 CFR Part 820 / QMSR), design history files, device master records, complaint files, CAPA records, and any other documentation that FDA regulations require you to maintain.
The regulation is divided into three subparts:
- Subpart A — General Provisions (Sections 11.1–11.3): Scope, definitions, and implementation requirements
- Subpart B — Electronic Records (Sections 11.10–11.30): Controls for closed and open systems, signature manifestations, and record linking
- Subpart C — Electronic Signatures (Sections 11.50–11.300): General requirements, electronic signature components and controls, and controls for identification devices
Important scope clarification: The FDA's 2003 "Part 11 Scope and Application" guidance significantly narrowed the scope of Part 11 enforcement. The agency stated it would exercise enforcement discretion regarding certain Part 11 requirements and would take a risk-based approach. However, the underlying regulation remains in effect, and medical device companies are still expected to comply with its core requirements for systems that store electronic records subject to FDA oversight.
Why Part 11 Matters for Medical Device Companies
Every medical device manufacturer that uses software to manage quality system records is subject to Part 11. This is not optional. If your company uses an electronic quality management system (eQMS), an electronic document management system (EDMS), a complaint handling database, a CAPA tracking tool, or any other software system that stores records required by FDA regulations, Part 11 applies.
The proliferation of cloud-based eQMS platforms, electronic batch record systems, and automated quality tools has made Part 11 compliance more relevant than ever. In fiscal year 2025, FDA issued 44 warning letters to medical device manufacturers — 38 of which cited violations of the Quality System Regulation (21 CFR 820) — with CAPA deficiencies, complaint file gaps, and inadequate process validation among the recurring themes. Data integrity and software validation remain significant areas of enforcement focus.
Common Part 11-Regulated Systems in Medical Device Companies
| System Type | Part 11 Applicable Records | Examples |
|---|---|---|
| eQMS | SOPs, CAPA records, audit reports, management review records, training records | Greenlight Guru, Qualio, MasterControl, SIMPLERQMS |
| Document Management | Controlled documents, specifications, drawings, work instructions | Veeva Vault, Documentum, SharePoint (validated) |
| Complaint/MDR Systems | Complaint records, MDR reports, vigilance submissions | TrackWise, MedWatch systems |
| Design Control Tools | DHF records, design inputs/outputs, V&V records | JAMA Connect, Polarion, Helix ALM |
| ERP/MES | Device history records, batch records, inventory records | SAP, Oracle, Siemens Opcenter |
| LIMS | Test results, stability data, environmental monitoring | LabWare, STARLIMS, Thermo SampleManager |
| Training Management | Training records, competency assessments | eQMS training modules, LMS platforms |
Subpart A: General Provisions
Scope (11.1)
Part 11 applies to electronic records and electronic signatures that persons create, modify, maintain, archive, retrieve, or transmit under any records or signature requirement set forth in the Federal Food, Drug, and Cosmetic Act, the Public Health Service Act, or any FDA regulation.
The regulation explicitly states that electronic records and electronic signatures that meet the requirements of Part 11 are considered the equivalent of paper records and handwritten signatures. Once a company chooses to use electronic records instead of paper, Part 11 requirements apply. A company that continues to use paper records with handwritten signatures is not subject to Part 11 for those records.
Key Definitions (11.3)
| Term | Definition |
|---|---|
| Electronic Record | Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system |
| Electronic Signature | A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature |
| Digital Signature | An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified |
| Closed System | An environment in which system access is controlled by persons who are responsible for the content of electronic records on the system |
| Open System | An environment in which system access is not controlled by persons who are responsible for the content of electronic records on the system |
| Biometrics | A method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable |
Subpart B: Electronic Records
Controls for Closed Systems (11.10)
Closed systems are the most common environment for FDA-regulated electronic records. A closed system is one where the people responsible for the electronic records also control who can access the system. The regulation requires the following controls:
1. Validation of Systems (11.10(a))
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records. This requires validating systems to ensure they perform as intended.
Validation must demonstrate that the system:
- Accurately and reliably performs its intended functions
- Consistently produces accurate and complete electronic records
- Prevents unauthorized access or changes to records
- Can reproduce accurate and complete copies of records in both human-readable and electronic form
- Protects records throughout their retention period
2. Ability to Generate Accurate and Complete Copies (11.10(b))
The system must be able to generate accurate and complete copies of records in both human-readable and electronic form suitable for inspection, review, and copying by the FDA. This means the system should be able to export or print records in a format that shows all associated metadata, audit trail entries, and signature manifestations.
3. Protection of Records (11.10(c))
Records must be protected to enable their accurate and ready retrieval throughout the records retention period. This includes:
- Regular backups with verified restoration capability
- Disaster recovery procedures
- Migration planning when systems are upgraded or replaced
- Archival procedures for records that must be retained beyond the life of the system
4. Limiting System Access (11.10(d))
Access to the system must be limited to authorized individuals. This requires:
- User account management with unique user IDs
- Role-based access controls (RBAC)
- Periodic access reviews
- Procedures for revoking access when employees leave or change roles
- Password policies (complexity, expiration, lockout after failed attempts)
5. Audit Trail (11.10(e))
This is one of the most critical and frequently cited Part 11 requirements. The system must use secure, computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records.
The audit trail must:
- Not allow operators to modify or disable it
- Capture the old value, new value, who made the change, when, and why
- Be available for review and copying by FDA
- Be retained for the same duration as the electronic record itself
The audit trail requirement applies to all GMP-relevant changes. It is not sufficient to track only that "a change was made" — the audit trail must capture sufficient detail to reconstruct the history of the record.
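One way to make the audit trail properties above checkable is a hash-chained, append-only log, shown here as an added example that is not part of the original guide and is not a technique Part 11 itself prescribes. The class, field and function names are assumptions, and the sample entries are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor value for the first entry's prev_hash


def entry_digest(body):
    """SHA-256 over a canonical JSON encoding of an entry (without its hash)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only trail: no update or delete method exists by design."""

    def __init__(self):
        self._entries = []

    def append(self, record_id, field, old, new, user_id, reason, action="modify"):
        if not user_id:
            raise ValueError("entry must be attributable to a unique user ID")
        if action in ("modify", "delete") and not (reason or "").strip():
            raise ValueError("a reason is required for modify and delete actions")
        body = {
            "seq": len(self._entries) + 1,
            # Computer-generated UTC timestamp; the operator cannot supply it.
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "record_id": record_id,
            "action": action,
            "field": field,
            "old_value": old,
            "new_value": new,
            "user_id": user_id,
            "reason": reason,
            # Each entry commits to the previous one, so edits break the chain.
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry = dict(body, hash=entry_digest(body))
        self._entries.append(entry)
        return dict(entry)

    def export(self):
        """Copies for review or inspection; the live list is never exposed."""
        return [dict(e) for e in self._entries]


def verify_trail(entries):
    """Return (position, problem) findings; an empty list means intact."""
    findings = []
    prev_hash = GENESIS
    for position, entry in enumerate(entries, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != position:
            findings.append((position, "sequence gap or reordering"))
        if entry.get("prev_hash") != prev_hash:
            findings.append((position, "broken link to previous entry"))
        if entry_digest(body) != entry.get("hash"):
            findings.append((position, "entry content altered"))
        prev_hash = entry.get("hash")
    return findings


def build_sample_trail():
    """Constructed sample data: the history of one CAPA record."""
    trail = AuditTrail()
    trail.append("CAPA-0001", "status", None, "Open", "jdoe", "", action="create")
    trail.append("CAPA-0001", "status", "Open", "Closed", "asmith",
                 "Effectiveness check passed")
    trail.append("CAPA-0001", "owner", "asmith", "jdoe", "asmith", "Reassigned")
    return trail


if __name__ == "__main__":
    exported = build_sample_trail().export()
    print("intact trail:", verify_trail(exported))
    exported[1]["old_value"] = "In Progress"  # simulated after-the-fact edit
    print("after edit:  ", verify_trail(exported))
```

The chain only detects a rewrite of the whole trail if the most recent hash is also kept somewhere the operators and administrators of the system cannot change, for example write-once storage or a separate logging service.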
6. Operational System Checks (11.10(f))
The system must enforce sequencing of steps and events, as appropriate. This means the system should enforce business rules — for example, preventing a document from being approved before it has been reviewed, or preventing a CAPA from being closed before effectiveness verification has been completed.
7. Authority Checks (11.10(g))
The system must enforce authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system, alter a record, or perform the operation at hand.
8. Device Checks (11.10(h))
The system must determine, as appropriate, the validity of the source of data input or operational instruction. This applies to systems that receive data from instruments or other external devices.
9. Training and Qualification (11.10(i))
Persons who develop, maintain, or use electronic record/electronic signature systems must have the education, training, and experience to perform their assigned tasks. Training records must be available for FDA review.
10. Written Procedures (11.10(j))
Adequate controls over systems documentation must be established, including:
- Distribution, access, and use of documentation for system operation and maintenance
- Revision and change control procedures
- Documentation of all modifications to the system
Controls for Open Systems (11.30)
Open systems — where system access is not controlled by the persons responsible for the electronic records — require all the controls for closed systems plus additional measures to ensure record authenticity, integrity, and confidentiality. These additional measures include:
- Encryption of electronic records to prevent unauthorized reading
- Digital signatures to verify record authenticity and integrity
- Message authentication to detect unauthorized modifications
In practice, open system controls apply to electronic records transmitted over the internet or through networks outside the organization's control. For medical device companies, this might include electronic submissions to FDA (e.g., through the FDA ESG or electronic 510(k) submissions), cloud-based systems where the vendor controls access, and email communications containing regulated records.
Signature Manifestations and Record Linking (11.50–11.70)
Signature Manifestations (11.50)
When a person signs an electronic record, the signed electronic record must contain information associated with the signing that clearly indicates:
- The name of the signer
- The date and time of the signing
- The meaning of the signing (e.g., review, approval, responsibility, authorship)
This information must be clearly displayed on any printed or displayed copy of the electronic record.
Record Linking (11.70)
Electronic signatures and handwritten signatures that are linked to their respective electronic records must be linked in such a manner that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
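The manifestation and linking requirements above can be met by binding the signer name, time, and meaning to a digest of the exact record content, as in this added example (not code from the original guide). It assumes a keyed hash (HMAC) with a key held by the system rather than by users; the key, record layout, and function names are hypothetical, and a per-user digital signature could replace the HMAC.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

ALLOWED_MEANINGS = {"authorship", "review", "approval", "responsibility"}
DEMO_SYSTEM_KEY = b"constructed-demo-key-not-for-production"  # constructed value


def canonical_bytes(obj):
    """Stable byte encoding so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record):
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def sign_record(record, signer_id, signer_name, meaning, system_key, signed_at=None):
    """Create a signature whose manifestation is bound to this record content."""
    if meaning not in ALLOWED_MEANINGS:
        raise ValueError("meaning of signing must be stated: %r" % meaning)
    manifestation = {
        "signer_id": signer_id,
        "signer_name": signer_name,
        "signed_at": signed_at or datetime.now(timezone.utc).isoformat(),
        "meaning": meaning,
        "record_id": record["record_id"],
        "record_version": record["version"],
        "record_sha256": record_digest(record),
    }
    binding = hmac.new(system_key, canonical_bytes(manifestation),
                       hashlib.sha256).hexdigest()
    return dict(manifestation, binding=binding)


def verify_signature(record, signature, system_key):
    """Return (ok, reason). Fails if the signature was moved, copied or edited."""
    manifestation = {k: v for k, v in signature.items() if k != "binding"}
    expected = hmac.new(system_key, canonical_bytes(manifestation),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(signature.get("binding", ""))):
        return (False, "manifestation altered or binding forged")
    if manifestation.get("record_sha256") != record_digest(record):
        return (False, "signature does not belong to this record content")
    return (True, "ok")


def render_manifestation(signature):
    """Text shown on every displayed or printed copy of the signed record."""
    return "Signed by {signer_name} ({signer_id}) on {signed_at}; meaning: {meaning}".format(
        **signature)


if __name__ == "__main__":
    # Constructed sample records.
    sop = {"record_id": "SOP-014", "version": 3, "body": "Cleaning procedure rev C"}
    other = {"record_id": "SOP-099", "version": 1, "body": "Unrelated procedure"}
    sig = sign_record(sop, "jdoe", "Jane Doe", "approval", DEMO_SYSTEM_KEY)
    print(render_manifestation(sig))
    print("original record:", verify_signature(sop, sig, DEMO_SYSTEM_KEY))
    print("copied to other:", verify_signature(other, sig, DEMO_SYSTEM_KEY))
```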
Subpart C: Electronic Signatures
General Requirements (11.100)
Each electronic signature must be unique to one individual and not reused by, or reassigned to, anyone else. Before establishing or assigning an electronic signature, the organization must verify the identity of the individual.
Electronic Signature Components and Controls (11.200)
Non-Biometric Electronic Signatures
Non-biometric electronic signatures must employ at least two distinct identification components, such as an identification code and a password. The first use of an electronic signature must be witnessed and documented.
When an individual executes a series of signings during a single continuous session, the first signing must use all identification components. Subsequent signings during the same session must use at least one identification component.
When an individual executes a series of signings that are not performed during a single continuous session, each signing must use all identification components.
Biometric Electronic Signatures
Biometric electronic signatures must be designed so that they cannot be used by anyone other than their genuine owner.
Controls for Identification Devices/Passwords (11.300)
Part 11 requires specific controls for devices (such as tokens or cards) and passwords used in electronic signatures:
- Device generation: Devices must be generated using a process that ensures they cannot be guessed or forged
- Password confidentiality: Passwords must be kept confidential and not shared
- Periodic testing: Devices and passwords must be periodically checked, recalled, or revised (e.g., periodic password changes)
- Loss management: Procedures must exist for promptly deauthorizing lost, stolen, or compromised devices or passwords
- Transaction safeguards: Systems must prevent unauthorized use of passwords and/or devices, detect and report attempts at unauthorized use, and provide appropriate safeguards
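The session rule for non-biometric signatures (11.200) and the transaction safeguards listed above (11.300) can be enforced together, as in this added example, which is not code from the original guide. The lockout threshold, password hashing parameters, and all class and method names are assumptions; the credentials are constructed.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3          # assumed lockout threshold; the guide gives no number
PBKDF2_ROUNDS = 100_000   # assumed work factor for this example


def derive(password, salt):
    """Derive a verifier so the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class SignatureAuthority:
    """Holds credentials, counts failed attempts, and reports them."""

    def __init__(self):
        self._users = {}            # user_id -> (salt, derived verifier)
        self._failures = {}         # user_id -> consecutive failed attempts
        self.locked = set()
        self.security_events = []   # (user_id, event) tuples for review

    def enroll(self, user_id, password):
        # An ID is unique to one individual and is never reassigned.
        if user_id in self._users:
            raise ValueError("user ID already assigned to an individual")
        salt = os.urandom(16)
        self._users[user_id] = (salt, derive(password, salt))

    def check_password(self, user_id, password):
        if user_id not in self._users:
            self.security_events.append((user_id, "unknown user ID"))
            return False
        if user_id in self.locked:
            self.security_events.append((user_id, "attempt on locked account"))
            return False
        salt, stored = self._users[user_id]
        if hmac.compare_digest(derive(password, salt), stored):
            self._failures[user_id] = 0
            return True
        count = self._failures.get(user_id, 0) + 1
        self._failures[user_id] = count
        self.security_events.append((user_id, "failed signing attempt"))
        if count >= MAX_FAILURES:
            self.locked.add(user_id)
            self.security_events.append((user_id, "account locked"))
        return False


class SigningSession:
    """One continuous period of controlled access for a single user."""

    def __init__(self, authority, user_id):
        self._authority = authority
        self.user_id = user_id
        self._first_done = False
        self._open = True

    def end(self):
        """Logout or timeout: the next signing needs a new session."""
        self._open = False

    def sign(self, password, user_id=None):
        if not self._open:
            return (False, "session ended; start a new session with all components")
        # First signing: both components (ID and password) must be presented.
        if not self._first_done and user_id != self.user_id:
            return (False, "first signing requires user ID and password")
        # Later signings in the same session: the password alone is accepted.
        if not self._authority.check_password(self.user_id, password):
            return (False, "authentication failed")
        self._first_done = True
        return (True, "signed")


if __name__ == "__main__":
    authority = SignatureAuthority()
    authority.enroll("jdoe", "correct horse battery")   # constructed credentials
    session = SigningSession(authority, "jdoe")
    print(session.sign("correct horse battery"))                  # ID missing
    print(session.sign("correct horse battery", user_id="jdoe"))  # first signing
    print(session.sign("correct horse battery"))                  # same session
```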
Part 11 and the New FDA QMSR
Effective February 2, 2026, the FDA transitioned from the legacy Quality System Regulation (21 CFR Part 820) to the Quality Management System Regulation (QMSR), which incorporates ISO 13485:2016 by reference. This transition has implications for how Part 11 intersects with medical device quality systems.
Under the QMSR, ISO 13485:2016 clause 4.1.6 requires organizations to document procedures for the validation of software used in the quality management system. This validation must be performed before initial use and after changes to the software. The QMSR also retains specific FDA requirements related to electronic records, including:
- Complaint handling records
- Medical device reporting (MDR) records
- Corrections and removal records
All of these records, when maintained electronically, remain subject to Part 11 requirements. The QMSR does not replace or modify Part 11 — it coexists with it.
How QMSR and Part 11 Work Together
| QMSR Requirement | Part 11 Implication |
|---|---|
| ISO 13485 clause 4.2 (Document requirements) | Electronic documents in eQMS must comply with Part 11 controls |
| ISO 13485 clause 4.1.6 (Software validation) | QMS software validation must satisfy both ISO 13485 and Part 11 requirements |
| ISO 13485 clause 7.5 (Production and service provision) | Electronic batch records and production records must comply with Part 11 |
| ISO 13485 clause 8.2 (Monitoring and measurement) | Electronic complaint records, audit records, and CAPA records must comply with Part 11 |
| FDA-retained complaint handling requirements | Electronic complaint records must have Part 11-compliant audit trails and e-signatures |
Computer Software Assurance (CSA): The New FDA Approach
On September 24, 2025, the FDA published the final guidance "Computer Software Assurance for Production and Quality System Software." An updated version, titled "Computer Software Assurance for Production and Quality Management System Software," was released on February 3, 2026, aligning the guidance with the new QMSR. This guidance represents a fundamental shift from traditional Computer System Validation (CSV) to a modernized, risk-based approach called Computer Software Assurance (CSA).
How CSA Differs from Traditional CSV
| Aspect | Traditional CSV | CSA (Risk-Based Approach) |
|---|---|---|
| Focus | Documentation-heavy validation protocols | Assurance that software is fit for intended use |
| Approach | Prescriptive testing of all functions | Risk-based testing of high-impact functions |
| Testing | Scripted testing for everything | Mix of scripted testing, unscripted testing, and vendor assessment |
| Vendor leverage | Limited use of vendor documentation | Significant reliance on vendor documentation and assessments |
| Effort | Proportional to system size | Proportional to risk and complexity |
| Records | Extensive validation documentation | Streamlined records focused on critical functions |
CSA Risk Framework
The CSA guidance establishes a risk-based framework for evaluating software:
- Identify intended use: Clearly define what the software is supposed to do and its role in production or quality systems
- Determine risk level: Evaluate the potential impact of software failure on product quality and patient safety
- Select assurance activities: Choose appropriate testing and verification activities based on risk level
- Execute and document: Perform the assurance activities and create records documenting the results
For software functions that could directly impact product quality, patient safety, or data integrity, the CSA approach requires more rigorous testing. For lower-risk functions, the approach allows for reduced testing effort, potentially leveraging vendor testing documentation and assessments.
CSA and Part 11 Alignment
The CSA guidance does not replace Part 11 — it provides a modernized approach to validating the software systems that must comply with Part 11. When implementing CSA for a system that handles electronic records and electronic signatures:
- Part 11 requirements (audit trails, e-signatures, access controls) define what the system must do
- CSA defines how you verify the system does it reliably
- Together, they provide a complete framework for compliant software in medical device quality systems
GAMP 5 Categories and Part 11
The ISPE's GAMP 5 (Good Automated Manufacturing Practice) framework provides a widely used categorization system for software that helps organizations determine the appropriate level of validation effort. Understanding GAMP categories is essential for Part 11 compliance because the level of validation rigor should be proportional to the software's complexity and risk.
| GAMP Category | Description | Part 11 Validation Approach | Examples |
|---|---|---|---|
| Category 1 | Infrastructure software | Minimal validation — verify installation and configuration | Operating systems, databases, network infrastructure |
| Category 3 | Non-configured products | Verify intended use through testing | COTS software with no configuration |
| Category 4 | Configured products | Validate configuration and business processes | eQMS, ERP, LIMS with configured workflows |
| Category 5 | Custom applications | Full validation of requirements, design, code, and testing | Custom-built applications, bespoke software |
Most Part 11-regulated systems in medical device companies fall into Category 4 (configured products). These systems — eQMS, EDMS, complaint management — require validation of both the underlying platform and the specific configurations that implement the organization's quality processes.
Building a Part 11 Compliance Program
Step 1: System Inventory
Create a comprehensive inventory of all software systems that create, modify, maintain, archive, retrieve, or transmit electronic records subject to FDA regulations. For each system, document:
- System name and version
- Vendor/provider
- Types of electronic records stored
- Whether electronic signatures are used
- Current validation status
- Part 11 compliance gaps
Step 2: Gap Assessment
For each system in the inventory, assess compliance with each Part 11 requirement:
- Is the system validated?
- Does it generate accurate and complete copies?
- Are records protected throughout retention?
- Is access limited to authorized individuals?
- Is there a compliant audit trail?
- Are operational system checks enforced?
- Are authority checks implemented?
- Are personnel trained?
- Are procedures documented and controlled?
Step 3: Remediation Planning
Prioritize gaps based on risk and develop a remediation plan:
- Critical gaps (no audit trail, no access controls, no validation): Immediate action required
- Major gaps (incomplete audit trail, inadequate password controls): Address within 90 days
- Minor gaps (documentation deficiencies, training gaps): Address within 180 days
Step 4: Validation and Implementation
Execute validation activities using the CSA risk-based approach:
- Develop a validation plan that defines scope, approach, and acceptance criteria
- Perform risk assessment to identify critical functions
- Execute testing (scripted and unscripted) based on risk
- Document results and maintain validation records
Step 5: Ongoing Compliance
Establish procedures for maintaining Part 11 compliance:
- Change control procedures for system modifications
- Periodic review of system compliance
- Incident management for Part 11 deviations
- Training for all system users
- Annual review of user access and privileges
Common Part 11 Audit Findings
Based on FDA inspection data and industry experience, the following are the most frequently cited Part 11 violations in medical device companies:
1. Inadequate Audit Trails
The most common finding. Specific issues include:
- Audit trails that do not capture the reason for changes
- Audit trails that can be modified or disabled by administrators
- Audit trail data that is not reviewed during routine quality operations
- Missing audit trails for critical record modifications
2. Inadequate Electronic Signature Controls
Common issues:
- Shared user accounts that make it impossible to attribute actions to specific individuals
- No identification code and password combination (single-factor only)
- Electronic signatures that do not clearly indicate the meaning of the signature
- No procedures for lost or compromised passwords or devices
3. Insufficient System Validation
Validation deficiencies include:
- No validation documentation for electronic record systems
- Validation that does not cover all critical system functions
- No revalidation after system changes or upgrades
- Validation protocols that do not address Part 11-specific requirements
4. Inadequate Access Controls
Findings related to:
- No periodic review of user access privileges
- Inactive user accounts not promptly deprovisioned
- Excessive administrative privileges granted to users who do not need them
- No password complexity or expiration requirements
5. Inadequate Record Protection
Issues with:
- No backup and recovery procedures tested on a regular schedule
- No disaster recovery plan for electronic record systems
- Records stored in formats that may become inaccessible over time
- No migration plan for records when systems are retired
Part 11 Compliance Checklist
Use this checklist to assess your organization's Part 11 compliance status:
System Validation
- All Part 11-regulated systems have been validated
- Validation documentation includes Part 11-specific requirements
- Revalidation is performed after system changes
- Validation records are maintained and accessible
Audit Trail
- Systems generate computer-generated, time-stamped audit trails
- Audit trails capture old value, new value, who, when, and why
- Audit trails cannot be modified or disabled by any user
- Audit trail data is reviewed during routine quality operations
- Audit trails are retained for the same period as the associated records
Electronic Signatures
- Each electronic signature is unique to one individual
- Non-biometric signatures use at least two components (ID + password)
- Signatures clearly indicate the name, date/time, and meaning of signing
- Signatures are linked to their records and cannot be excised or transferred
- Initial use of electronic signatures was witnessed and documented
Access Controls
- Each user has a unique user ID
- Role-based access controls are implemented
- Access privileges are reviewed periodically
- Inactive accounts are promptly deprovisioned
- Password policies are enforced (complexity, expiration, lockout)
Record Protection
- Backup and recovery procedures are established and tested
- Disaster recovery procedures exist for all electronic record systems
- Records can be accurately and completely reproduced throughout retention
- Migration plans exist for records when systems are retired
Procedures and Training
- Written procedures exist for all Part 11-regulated activities
- Procedures are controlled documents subject to change control
- All system users are trained on Part 11 requirements
- Training records are maintained and available for review
Part 11 and International Regulations
Medical device companies that market products globally must also consider how Part 11 interacts with international regulations:
| Regulation | Region | Key Part 11-Equivalent Requirements |
|---|---|---|
| EU Annex 11 | European Union | Computerized systems validation, audit trails, electronic signatures — broadly aligned with Part 11 but has some additional requirements |
| ISO 13485:2016 clause 4.1.6 | Global | Software validation requirements for QMS software |
| EU MDR Article 10(4) | European Union | Obligation to maintain records in electronic form compliant with data protection requirements |
| PIC/S PI 041-1 | PIC/S members | Good practices for computerized systems in GxP regulated environments |
| MHLW Ordinance 169 | Japan | QMS requirements including computer system controls |
EU Annex 11 is the closest international equivalent to Part 11. While the two regulations are broadly aligned, Annex 11 has some requirements that go beyond Part 11 (e.g., requirements for source code verification, data migration testing, and periodic evaluation). Companies marketing in both the US and EU should design their compliance programs to meet the more stringent requirements of each regulation.
ALCOA+ Data Integrity Principles
Part 11 compliance is ultimately about data integrity — ensuring that electronic records are accurate, reliable, and trustworthy. The pharmaceutical industry's ALCOA+ framework has become the de facto standard for data integrity in FDA-regulated environments, and it applies equally to medical device companies:
| Principle | Meaning | Part 11 Connection |
|---|---|---|
| Attributable | Every action traceable to a specific individual | 11.10(d) access controls, 11.10(e) audit trails, 11.50 signature manifestations |
| Legible | Records readable throughout their lifecycle | 11.10(b) accurate and complete copies, 11.10(c) record protection |
| Contemporaneous | Records created at the time activities occur | 11.10(e) time-stamped audit trails |
| Original | Electronic records represent original data | 11.10(b) ability to generate copies, 11.10(c) record protection |
| Accurate | Records correctly represent actual events | 11.10(a) validation, 11.10(f) operational system checks |
| Complete | All relevant information included | 11.10(e) audit trails that do not obscure prior information |
| Consistent | Reliable timestamps and formatting | 11.10(e) secure, computer-generated, time-stamped audit trails |
| Enduring | Records accessible throughout retention periods | 11.10(c) protection throughout retention period |
| Available | Readily available for review and inspection | 11.10(b) inspection-ready copies, 11.10(c) accurate retrieval |
The ALCOA+ framework is not a regulation itself — it is a set of principles that underpin the specific requirements of Part 11. When FDA inspectors cite data integrity violations, they are evaluating electronic records against these principles, whether they reference ALCOA+ explicitly or not.
The Cost of Non-Compliance
Part 11 non-compliance carries significant financial and operational consequences:
- The average cost of remediating significant Part 11 deficiencies can range from tens of thousands to hundreds of thousands of dollars depending on scope, system complexity, and the severity of findings
- FDA enforcement actions can result in facility shutdowns, product recalls, delayed or denied approvals, import bans, and in extreme cases, criminal prosecution
- Data integrity violations have been a consistent theme in FDA enforcement actions across both pharmaceutical and medical device industries, with data integrity cited in a significant proportion of warning letters in recent years
Practical Implementation Tips
For Companies Implementing a New eQMS
- Include Part 11 requirements in your User Requirements Specification (URS): Every requirement from 11.10 and 11.30 should be reflected in your URS document
- Evaluate vendors' Part 11 capabilities early: Not all eQMS platforms are equally capable of meeting Part 11 requirements. Ask vendors for their Part 11 compliance statements and validation documentation
- Plan your validation using CSA principles: Use the risk-based CSA approach to focus validation effort on critical functions
- Define your signature manifestations: Determine how electronic signatures will display signer name, date/time, and meaning
- Establish audit trail review procedures: Determine who will review audit trails, how often, and what they will look for
For Companies with Existing Systems
- Conduct a gap assessment: Use the checklist above to identify compliance gaps
- Prioritize based on risk: Address critical gaps (audit trails, access controls) first
- Engage your software vendor: Many Part 11 requirements can be met through system configuration. Work with your vendor to enable features like audit trails, e-signatures, and access controls
- Document everything: Part 11 is about documentation. If it is not documented, it does not exist
- Train all users: Every person who uses a Part 11-regulated system must understand their responsibilities
Key Takeaways
- 21 CFR Part 11 applies to every medical device company that uses electronic records to fulfill FDA regulatory requirements
- The regulation requires validated systems, audit trails, electronic signature controls, access controls, and documented procedures
- The FDA's CSA guidance (finalized September 2025, updated February 3, 2026) provides a modernized, risk-based approach to validating Part 11-regulated systems
- Part 11 coexists with the new QMSR — the transition to ISO 13485-based quality system requirements does not reduce Part 11 obligations
- Common audit findings include inadequate audit trails, insufficient e-signature controls, and lack of system validation
- A systematic compliance program — inventory, gap assessment, remediation, validation, and ongoing maintenance — is essential for sustained compliance
Frequently Asked Questions
Does Part 11 apply to my company?
Part 11 applies if your medical device company uses electronic records to fulfill any requirement under FDA regulations. If you maintain any of your quality system records electronically — in an eQMS, a database, a spreadsheet, or any other electronic format — Part 11 applies.
Does Part 11 apply to Microsoft Excel spreadsheets?
If Excel spreadsheets are used to maintain records required by FDA regulations (e.g., design verification matrices, complaint tracking logs, calibration records), then Part 11 applies. However, many companies use Excel for preliminary analysis and transfer the final results to a validated system. In that case, Part 11 would not apply to the preliminary spreadsheets but would apply to the validated system where the final records reside.
What is the difference between electronic signatures and digital signatures?
An electronic signature is any computer data compilation of symbols executed by an individual to be the legally binding equivalent of a handwritten signature. A digital signature is a specific type of electronic signature that uses cryptographic methods to authenticate the signer and verify the integrity of the signed data. All digital signatures are electronic signatures, but not all electronic signatures are digital signatures. Part 11 does not require digital signatures specifically — it requires electronic signatures that meet its control requirements.
How long must Part 11 records be retained?
Part 11 records must be retained for the same duration as the underlying regulatory requirement. For medical device quality system records, the QMSR (via ISO 13485:2016 clause 4.2.5) requires records to be retained for at least the lifetime of the medical device or as specified by regulatory requirements, whichever is longer. Some records (e.g., complaint files, MDR records) may have specific retention requirements.
Does using a cloud-based eQMS change my Part 11 obligations?
No. Your Part 11 obligations remain the same regardless of whether the system is on-premises or cloud-based. However, cloud-based systems may introduce open system considerations (Section 11.30) if the vendor controls system access. You should verify that your cloud vendor provides adequate controls (encryption, access controls, audit trails) and that you have a service level agreement that addresses Part 11 requirements. You remain responsible for compliance even though the system is hosted by a third party.