21 CFR Part 11 is the FDA regulation that establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. It applies to all FDA-regulated industries, including pharmaceutical and medical device manufacturers, defining the technical and procedural controls required when using electronic systems in place of paper documentation.
Glossary
21 CFR Part 11

What is 21 CFR Part 11?
The FDA regulation establishing criteria for trustworthy electronic records and signatures in regulated environments.
Compliance requires audit trails that securely record operator entries and actions, authority checks to ensure only authorized individuals access the system, and device checks to validate data input. For Software as a Medical Device (SaMD) and diagnostic AI platforms, Part 11 compliance is integral to the Quality Management System (QMS), ensuring that clinical validation data and design history files maintain legal standing.
Frequently Asked Questions
Clear answers to the most common questions about 21 CFR Part 11 compliance for software as a medical device and diagnostic AI systems.
21 CFR Part 11 is the FDA regulation that establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. For Software as a Medical Device (SaMD), this regulation applies whenever the software creates, modifies, maintains, archives, retrieves, or transmits electronic records that are required by FDA predicate rules—such as the Quality System Regulation (21 CFR Part 820). Diagnostic AI systems that generate patient reports, log algorithmic outputs, or capture clinician electronic signatures must implement audit trails, authority checks, and device checks to ensure data integrity. The regulation does not mandate specific technologies but requires that closed systems (those controlled by the same entity) implement procedural controls, while open systems (those exchanging data across organizational boundaries) add encryption and digital signature standards.
How 21 CFR Part 11 Controls Apply to SaMD
21 CFR Part 11 establishes the FDA's criteria for accepting electronic records and signatures as equivalent to paper records, directly impacting the design of audit trails and access controls in Software as a Medical Device.
For Software as a Medical Device (SaMD), Part 11 compliance mandates that all electronic records created, modified, or stored by the software must be demonstrably trustworthy. This requires implementing technical controls such as unique user identification, authority checks, and secure, computer-generated, time-stamped audit trails that independently record the date, time, and operator of every entry or action that creates or alters a regulated record.
The regulation also governs the application of electronic signatures, requiring that they be linked to their respective records to prevent falsification. In a SaMD context, this means the software architecture must include device checks to validate the source of data input and operational system checks to enforce permitted sequencing of steps, ensuring that a diagnostic output or clinical decision support log cannot be repudiated or altered without detection.
Core Requirements of 21 CFR Part 11
The foundational regulation establishing the criteria under which the FDA considers electronic records and signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures.
System Validation
Establish documented evidence providing a high degree of assurance that a system consistently produces results meeting predetermined specifications. This is not a one-time event but an ongoing process.
- Objective: Prove the system is fit for its intended use in a production environment.
- Key Activities: Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).
- Requirement: Validation must occur before the system is used to process regulated records.
Audit Trails
Secure, computer-generated, time-stamped electronic records that independently record the date and time of operator entries and actions that create, modify, or delete electronic records.
- Immutability: Audit trail records cannot be modified or deleted by the operator.
- Granularity: Must capture the who, what, and when of every data change, including the original value and the new value.
- Retention: Audit trails must be retained for at least as long as the associated electronic records are required.
Operational & Authority Checks
Implement technical and procedural controls to limit system access to authorized individuals and ensure that only qualified personnel perform specific actions.
- Access Control: Use unique user IDs and password/PIN combinations or biometric verification.
- Authority Levels: Define roles and privileges to segregate duties (e.g., a technician who runs a test cannot also approve the result).
- Device Checks: Validate the source of data input (e.g., a specific instrument) to ensure data integrity from the point of origin.
Device & Terminal Checks
The system must be able to determine the validity of the source of data input. This ensures data integrity from the moment of acquisition.
- Instrument Authentication: The system verifies that data is being received from a legitimate, authorized laboratory instrument or terminal.
- Data Integrity: Prevents unauthorized or uncalibrated devices from injecting data into the regulated record system.
- Context: This is critical for SaMD that ingests data directly from DICOM modalities or laboratory information systems.
Electronic Signature Manifestations
Electronic signatures must be linked to their respective electronic records in a way that prevents removal, copying, or transfer to falsify a record.
- Non-Repudiation: The signature must be unique to one individual and not reusable by anyone else.
- Display Requirements: Any human-readable form of the record (e.g., a printed report) must clearly display the signer's printed name, the date/time of signing, and the meaning of the signature (e.g., review, approval, authorship).
- Biometric Option: A method of verification based on the measurement of a unique physical characteristic (e.g., fingerprint, retinal scan) is explicitly permitted.
Record Retention & Availability
Persons must retain electronic records in a manner that protects them for the entirety of their required retention period and ensures they are readily available for FDA inspection.
- Instant Retrieval: Records must be retrievable in both human-readable and electronic form suitable for FDA review and copying.
- Data Integrity: The storage system must protect records from alteration, degradation, or loss through hardware failures or software obsolescence.
- Archival Strategy: This often requires a formal data migration and backup strategy to ensure long-term readability, especially for proprietary medical image formats.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
21 CFR Part 11 vs. EU Annex 11
A comparison of the FDA and EU requirements for electronic records and electronic signatures in regulated GxP environments.
| Feature | 21 CFR Part 11 | EU Annex 11 | Both |
|---|---|---|---|
Jurisdiction | United States (FDA) | European Union (EMA) | |
Scope | Electronic records and signatures | Computerized systems in GxP | |
Risk-based validation required | |||
Audit trail for data changes | |||
Electronic signature legally binding | |||
Periodic system review mandated | |||
Supplier/service provider oversight | |||
Data archival and retrieval requirements |
Related Terms
Understanding 21 CFR Part 11 requires familiarity with the broader quality management and software lifecycle standards that govern medical device development.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us