What is 21 CFR Part 11

A Practical Guide for Lab Software in 2026

This guide is based on the official 21 CFR Part 11 regulatory text (eCFR), FDA’s Scope and Application Guidance (2003), FDA’s final Electronic Systems Q&A guidance (October 2024), and the finalized Computer Software Assurance (CSA) guidance (September 2025). It is for informational purposes and does not constitute legal or regulatory advice.

What Is 21 CFR Part 11?

21 CFR Part 11 is the section of Title 21 of the United States Code of Federal Regulations that governs electronic records and electronic signatures in FDA-regulated environments. Published in final form in March 1997 and effective from August 1997, it establishes the criteria under which the FDA considers electronic records and electronic signatures to be trustworthy, reliable, and legally equivalent to paper records and handwritten signatures.

In plain terms: if your laboratory is regulated by the FDA and you use software to create, manage, or store records that the FDA requires you to keep, those records and any digital signatures associated with them must meet Part 11’s requirements. Non-compliance exposes your organization to FDA observations, warning letters, and — in serious cases — injunctions or import bans.

The full regulatory text is available at: eCFR.gov — 21 CFR Part 11

Who Does 21 CFR Part 11 Apply To?

Part 11 applies to any organization regulated by the FDA that uses electronic systems to fulfill regulatory record-keeping or submission requirements. This includes:

  • Pharmaceutical manufacturers (drug products, APIs, excipients)
  • Biotechnology and biopharmaceutical companies
  • Medical device manufacturers
  • Clinical research organizations (CROs) and sponsors of clinical trials
  • Food and beverage manufacturers subject to FDA oversight
  • Cosmetics and personal care product manufacturers
  • Contract research and manufacturing organizations (CDMOs, CMOs)
  • Diagnostic and in-vitro diagnostics (IVD) manufacturers

The key concept is the “predicate rule”: the other FDA regulation that requires a record to be kept in the first place. Part 11 activates when electronic records replace paper records that a predicate rule would otherwise require. For example, 21 CFR Part 211 (pharmaceutical cGMP) requires certain manufacturing records. If those records are stored electronically, Part 11 governs how they are created, secured, and signed.

Important: Part 11 does not apply to paper records. If your organization maintains authorized paper copies as the official record and only uses electronic systems for convenience (not as the authoritative record), Part 11’s scope may not fully apply. However, any system controlling a regulated process — even if it doesn’t store the authoritative record — may still require validation under predicate rules such as 21 CFR 820.70(i).

The Core Requirements of 21 CFR Part 11

Part 11 is organized into two subparts that cover electronic records (Subpart B, §11.10) and electronic signatures (Subpart C, §§11.100–11.300). The table below summarizes every key requirement from the official regulatory text.

| Section | Requirement | What It Means in Practice |
|---|---|---|
| §11.10(a) | System validation | Software must be validated to ensure accuracy, reliability, consistent performance, and ability to detect altered records |
| §11.10(b) | Accurate copies | Ability to generate exact, human-readable and electronic copies for inspection |
| §11.10(c) | Record retention | Records remain accessible and accurate throughout the required retention period |
| §11.10(d) | Audit trails | Secure, computer-generated, time-stamped audit trails recording all creation, modification, and deletion — cannot be edited |
| §11.10(e) | Sequence controls | System controls ensuring only authorized sequences of steps are executed |
| §11.10(f) | Authority checks | System confirms user is authorized to perform the specific action before executing |
| §11.10(g) | Device checks | Valid inputs at all entry points to ensure data integrity |
| §11.10(h) | Training | Personnel trained to understand the development and use of computerized systems under their responsibility |
| §11.10(i) | Accountability | Written policies covering sign-off responsibilities, training, and system protection consequences |
| §11.10(j) | Documentation | System documentation: development, maintenance history, and change control records |
| §11.50 | Signed records | Electronic records containing: the signature, meaning of signature, date and time — all permanently linked to the record |
| §11.100 | Signature uniqueness | Each electronic signature unique to one individual, never reused or reassigned to another |
| §11.200 | Signature components | Non-biometric signatures require at least two components (e.g., username + password); biometric signatures require unique biometric data |
| §11.300 | Safeguards | Controls including unique combinations, periodic checks, forced password changes, loss management, and use by authorized holders only |

Source: eCFR — 21 CFR Part 11 (official text)

Closed Systems vs Open Systems

One of the most practically important distinctions in Part 11 is between closed and open systems, because the two have different compliance requirements.

Closed system (§11.3(b)(4)): an environment in which system access is controlled by persons responsible for the content of electronic records. Most LIMS, ELN, and laboratory software platforms deployed under the vendor’s cloud infrastructure are closed systems — access is controlled by the vendor and the customer organization, not available to arbitrary external parties.

Open system (§11.3(b)(9)): an environment in which system access is not controlled by the persons responsible for the content, such as public internet-facing systems or shared external data repositories. Open systems require all the closed-system controls plus additional measures including encryption and digital signatures to ensure record authenticity and confidentiality.

In practice, virtually all commercial LIMS and ELN platforms operate as closed systems. When evaluating vendor Part 11 claims, confirm they are specifically addressing the closed-system requirements of §11.10 — not just making a general ‘Part 11 compliant’ claim.

What 21 CFR Part 11 Means for LIMS and ELN Software

For laboratories evaluating LIMS and ELN platforms, Part 11 translates into a concrete checklist of capabilities that the software must support and that the organization must implement correctly. Vendor claims and actual validated compliance are not the same thing.

1. System Validation

The software must be validated for its intended use. Validation demonstrates that the system reliably does what it claims to do: accurately captures data, correctly controls access, preserves audit trails, and maintains record integrity. Validation is documented in an Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) — collectively called IQ/OQ/PQ. Reputable LIMS and ELN vendors provide validation documentation packages (VDPs) to support this process, but the validation itself must be performed and owned by your organization.

Note on CSA (September 2025): The FDA’s finalized Computer Software Assurance (CSA) guidance — published September 24, 2025 — replaces the previous rigid documentation-heavy validation approach with a risk-based framework. Organizations can now focus validation effort on software functions that directly impact record integrity and product quality, rather than testing everything uniformly.

2. Audit Trails

Audit trails must be computer-generated, time-stamped, and secure. They must record who created, modified, or deleted a record, what was changed, and when. They cannot be editable by users — not even administrators. When evaluating a LIMS or ELN, verify: are audit trails generated automatically? Are they stored separately from the records they reference? Can they be exported for inspection? Can any user — including a superuser — edit or delete an audit trail entry?
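One way to make "cannot be edited, even by administrators" something you can test is a hash-chained trail, where every entry commits to the one before it. The sketch below is an added example, not code from any LIMS or ELN vendor; the class, function and field names are hypothetical, and the sample entries are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only trail; the timestamp is set by the system, never by the caller."""

    def __init__(self):
        self._entries = []

    def append(self, user_id, action, record_id, old=None, new=None):
        if action not in ("create", "modify", "delete"):
            raise ValueError(f"unknown action: {action}")
        entry = {
            "seq": len(self._entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id, "action": action, "record_id": record_id,
            "old": old, "new": new,
            "prev_hash": self._entries[-1]["entry_hash"] if self._entries else GENESIS,
        }
        entry["entry_hash"] = entry_digest(entry)
        self._entries.append(entry)
        return entry["entry_hash"]

    def export(self):
        """Copy for inspection; callers never receive the live list."""
        return [dict(e) for e in self._entries]


def verify(entries, expected_head=None):
    """Return the problems found; an empty list means the chain is intact.

    expected_head is the latest entry_hash as stored somewhere the trail's own
    administrators cannot write (assumption: a separate log store). Without it,
    removing entries from the end of the trail goes unnoticed.
    """
    problems, prev = [], GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i:
            problems.append(f"entry {i}: sequence gap or reorder")
        if e.get("prev_hash") != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_digest(e) != e.get("entry_hash"):
            problems.append(f"entry {i}: content altered")
        prev = e.get("entry_hash")
    if expected_head is not None and prev != expected_head:
        problems.append("head mismatch: entries removed or replaced at the tail")
    return problems


def sample_trail():
    """Constructed sample: one result created, corrected, then deleted."""
    trail = AuditTrail()
    trail.append("jdoe", "create", "RES-001", new={"assay": 99.2})
    trail.append("asmith", "modify", "RES-001", old={"assay": 99.2}, new={"assay": 98.7})
    trail.append("asmith", "delete", "RES-001", old={"assay": 98.7})
    return trail
```
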

3. Electronic Signatures

An electronic signature under Part 11 is not simply a typed name or a scanned image of a handwritten signature. It must be unique to the individual, verifiably linked to the record being signed, include a printed name, date and time, and the meaning of the signature (e.g., “Reviewed by”, “Approved by”). Non-biometric signatures must use at least two identification components — typically a username and a password. Once a record is signed, it must be locked against modification unless a new signing event is triggered.
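The signing event described above can be sketched as follows for a closed system: both identification components are checked, the signer's authority for the stated meaning is confirmed, and the manifestation is bound to a hash of the exact record content. This is an added example, not the regulation's wording or any vendor's implementation; the function names, the user dictionary layout and the HMAC-with-system-key binding are assumptions.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

SYSTEM_KEY = os.urandom(32)  # assumption: held in an HSM/KMS in a real deployment


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def enroll_user(user_id, printed_name, password, may_sign):
    """Hypothetical user record; may_sign is this user's row of the authority matrix."""
    salt = os.urandom(16)
    return {"user_id": user_id, "printed_name": printed_name, "salt": salt,
            "pw_hash": hash_password(password, salt), "may_sign": set(may_sign)}


def record_digest(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def _tag(manifest: dict) -> str:
    data = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(SYSTEM_KEY, data, hashlib.sha256).hexdigest()


def sign_record(record, user, user_id, password, meaning):
    """Signing event: check both components and authority, then bind to the content."""
    supplied = hash_password(password, user["salt"])
    if user_id != user["user_id"] or not hmac.compare_digest(supplied, user["pw_hash"]):
        raise PermissionError("signing refused: identification components do not match")
    if meaning not in user["may_sign"]:
        raise PermissionError(f"{user_id} has no authority to sign as '{meaning}'")
    manifest = {
        "signer_id": user_id,
        "printed_name": user["printed_name"],
        "meaning": meaning,
        "signed_at": datetime.now(timezone.utc).isoformat(),
        "record_sha256": record_digest(record),
    }
    return {**manifest, "tag": _tag(manifest)}


def signature_status(record, signature):
    """Return 'valid', 'signature-invalid' (manifestation altered or not issued
    by this system) or 'record-changed' (content differs from what was signed,
    so a new signing event is required)."""
    manifest = {k: v for k, v in signature.items() if k != "tag"}
    if not hmac.compare_digest(_tag(manifest), signature.get("tag", "")):
        return "signature-invalid"
    if manifest["record_sha256"] != record_digest(record):
        return "record-changed"
    return "valid"
```
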

4. Access Controls and User Management

Each user must have a unique identifier — no shared accounts. Access must be granted on a need-to-know, role-based basis. The system must prevent unauthorized access and be able to detect unauthorized attempts. When a user’s employment or project role ends, their access must be revoked promptly. These user management requirements must be implemented as organizational SOPs, not just software features.

5. Record Integrity and Retention

Electronic records must remain accurate, complete, and accessible for the entire required retention period — often 10 to 15 years or longer in pharmaceutical environments. Records must be retrievable and readable even if the software that created them is no longer in use. When evaluating a LIMS or ELN, ask the vendor: what happens to your data if the company is acquired, discontinued, or if you end your subscription? What format does data come out in for long-term archival? Can it be read without their software?

The 2003 FDA Guidance: Risk-Based Enforcement

After Part 11 became effective in 1997, many organizations interpreted it as requiring Part 11 controls for every electronic system used in any way in a regulated environment. This led to disproportionate compliance burden for lower-risk systems.

In 2003, the FDA issued its Scope and Application Guidance clarifying that it would exercise enforcement discretion for certain Part 11 requirements — particularly around system validation documentation and audit trail requirements for systems that do not directly contain the authoritative required record. The guidance introduced the risk-based principle: apply Part 11 controls proportionate to the impact of the system on product quality and patient safety.

What this means practically: a word processor used for general correspondence in a regulated company is not subject to the same Part 11 rigor as the LIMS containing batch release records. Focus your compliance effort on systems where a data integrity failure would impact a regulatory decision or patient safety.

The 2003 guidance is not a waiver. Predicate rule requirements still apply regardless of enforcement discretion. If 21 CFR Part 211 requires a batch record to exist, that record must exist in a trustworthy form — enforcement discretion on Part 11 validation documentation does not excuse the absence of the record itself.

Recent FDA Guidance: What Changed in 2024 and 2025

October 2024: Electronic Systems Q&A (Final Guidance)

On October 1, 2024, the FDA published final guidance on electronic systems in clinical investigations — replacing the 2017 draft. The guidance consolidates FDA’s current thinking for sponsors, CROs, and clinical investigators. Key clarification: FDA will not assess Part 11 compliance for some external data sources such as electronic health records (EHRs), but still expects reliable capture, traceability, and certified copies of any data used in regulatory submissions.

September 2025: Computer Software Assurance — Final Guidance

The most significant recent change for lab software compliance is the FDA’s final Computer Software Assurance (CSA) guidance published September 24, 2025. This guidance formally replaces Section 6 of the General Principles of Software Validation and applies to all production and quality system software — including cloud/SaaS platforms explicitly named for the first time.

The CSA framework introduces a least-burdensome, risk-based approach: organizations should scale their assurance activities to the risk of each software function rather than applying uniform scripted testing to everything. High-risk functions (directly impacting product release or patient safety) require rigorous validation. Lower-risk functions can be assured through exploratory testing, automated regression, or documented review of vendor-supplied test evidence.

Practically for lab software: an organization using a cloud-based LIMS for batch release in a GMP environment must still fully validate the batch release workflow — but may apply lighter assurance to lower-risk administrative features like user preference settings or dashboard layouts.

Critical note: The CSA guidance’s enforcement discretion for validation documentation does NOT eliminate the validation requirement under 21 CFR 820.70(i) for production/QMS software. You must still validate — the framework just allows you to do it more efficiently.

21 CFR Part 11 Compliance Checklist for Lab Software

Use this checklist when evaluating a LIMS, ELN, or any laboratory software platform for Part 11 compliance. Both the software capabilities and your organizational controls must satisfy each point.

Software / System requirements:

  • Unique user accounts — no shared logins permitted
  • Role-based access controls with configurable permissions
  • Automatic, computer-generated, tamper-proof audit trails
  • Time-stamped audit trails with user ID, action type, and timestamp
  • Electronic signatures with printed name, date/time, and signature meaning
  • Two-component authentication for non-biometric e-signatures (username + password minimum)
  • Record locking after electronic signature — modifications trigger a new signing event
  • Ability to generate accurate, human-readable copies of records for inspection
  • System validation documentation or vendor-supplied validation package (VDP)
  • Change control system for tracking software modifications
  • Backup and recovery procedures with documented retention policy

Organizational requirements:

  • Written SOPs for system access management, including onboarding and offboarding
  • Training records documenting user training on the system and associated SOPs
  • Completed IQ/OQ/PQ validation (or CSA-equivalent risk-based assurance activities)
  • Validation Plan, Test Protocols, and Validation Summary Report on file
  • Signature authority matrix defining who can sign what types of records
  • Annual system review and periodic access audit
  • Incident management procedure for unauthorized access events
  • Written agreement with cloud vendor covering data security, retention, and portability

Best practice: request the vendor’s Validation Documentation Package (VDP) before purchasing any regulated lab software. A reputable LIMS or ELN vendor will provide IQ/OQ protocols, a validation summary, traceability matrices, and a pre-configured compliance configuration guide. If a vendor cannot provide this, reconsider.

ALCOA+ and Its Relationship to Part 11

ALCOA+ is the data integrity framework used alongside 21 CFR Part 11 across regulated pharmaceutical and biotech environments. Originally developed by the FDA and adopted by the PIC/S (Pharmaceutical Inspection Cooperation Scheme) in its data integrity guidelines, ALCOA+ defines the qualities that all laboratory records — paper or electronic — must demonstrate.

ALCOA stands for: Attributable (who performed the action?), Legible (can it be read?), Contemporaneous (was it recorded at the time?), Original (is this the first capture or a certified copy?), Accurate (does it reflect what actually happened?). The ‘+’ adds: Complete, Consistent, Enduring, and Available.

21 CFR Part 11 provides the regulatory requirements for how electronic records and signatures are structured and controlled. ALCOA+ provides the quality standard that those records must meet. Both are required simultaneously in a GxP environment. An audit trail that records every change (Part 11 requirement) but is stored in a format that becomes unreadable after 5 years (violates Enduring and Available from ALCOA+) fails both frameworks.

Official Sources and Reference Documents

All claims in this article are based on the primary regulatory sources listed below. We recommend bookmarking the eCFR link — it reflects the continuously updated, live version of the regulation.

| Source | Description | Type |
|---|---|---|
| eCFR — 21 CFR Part 11 (full text) | Official regulatory text, continuously updated | Regulatory text (US Gov.) |
| FDA Guidance: Scope and Application (2003) | FDA’s authoritative risk-based interpretation of Part 11 enforcement scope | FDA Official Guidance |
| FDA: Electronic Systems Q&A (Oct. 2024) | Final FDA guidance for electronic records in clinical investigations — current FDA thinking | FDA Official Guidance |
| FDA CSA Guidance (Sept. 2025) | Final Computer Software Assurance guidance — replaces old CSV approach | FDA Official Guidance |
| EMA: Good AI Practice (Jan. 2026) | Joint EMA-FDA principles for AI in drug development | Regulatory guidance |
| ISPE GAMP 5 (2nd ed.) | Industry gold standard for computerized system validation methodology | Industry standard (ISPE) |
| ALCOA+ principles — PIC/S | Pharmaceutical Inspection Cooperation Scheme data integrity guidance | Regulatory guidance |

Frequently Asked Questions

Does 21 CFR Part 11 apply to cloud-based lab software?

Yes. Cloud-based LIMS and ELN platforms operating as closed systems — where access is controlled by the vendor and the customer organization — are subject to Part 11 when they store required records. The September 2025 CSA guidance explicitly includes SaaS, PaaS, and IaaS platforms in its scope. When using cloud-based lab software in a regulated environment, your organization (not the vendor) is responsible for ensuring the validated state is maintained, including validating the specific configuration you use.

Can a vendor certify that their software is ‘21 CFR Part 11 compliant’?

No. The FDA does not certify software as Part 11 compliant. Compliance is determined by how the software is configured and used within your organization, not by a vendor declaration. A vendor can accurately state that their software “supports” Part 11 requirements by providing the necessary technical controls — but the compliance determination requires your organization’s validated implementation, SOPs, and training.

What is the difference between Part 11 and GxP?

GxP is a collective term for Good Practice quality guidelines — GMP (Good Manufacturing Practice), GLP (Good Laboratory Practice), GCP (Good Clinical Practice), and others. These GxP guidelines are the predicate rules that create the underlying record-keeping requirements. 21 CFR Part 11 then specifies how those records must be managed when stored electronically. GxP tells you what records you must keep; Part 11 tells you how to keep them electronically.

What is EU Annex 11 and how does it relate to Part 11?

EU Annex 11 is the European Union’s equivalent regulation for computerized systems in pharmaceutical manufacturing (part of the EU GMP guidelines). It covers broadly the same ground as 21 CFR Part 11 — validation, audit trails, electronic signatures, access controls — but with some differences in terminology and emphasis. Organizations operating in both the US and EU markets must comply with both. Most reputable LIMS and ELN platforms that claim Part 11 support also document Annex 11 compliance; verify this separately.

How often must a validated system be re-validated?

There is no fixed re-validation frequency in the regulation. However, re-validation (or re-qualification under a CSA approach) is triggered by: software version upgrades, changes to your configuration, changes to the operating environment, changes to the predicate rules your records must satisfy, or any deviation event that calls the validated state into question. Your change control SOP should define the trigger conditions and required assurance activities for each type of change.

Summary

21 CFR Part 11 is the foundational FDA regulation for electronic records and electronic signatures in laboratory and manufacturing environments. For any lab software — whether a LIMS, ELN, QMS, or instrument data system — operating in an FDA-regulated context, Part 11 defines a non-negotiable set of technical controls: validated systems, immutable audit trails, verified electronic signatures, role-based access, and documented record retention.

The regulation itself has not changed materially since 1997, but the FDA’s interpretation and enforcement approach has evolved significantly — from the risk-based 2003 Scope and Application Guidance through to the October 2024 Electronic Systems Q&A and the landmark September 2025 Computer Software Assurance final guidance, which brings cloud and SaaS systems explicitly into scope with a more efficient, risk-proportionate validation framework.

For laboratories evaluating software platforms in 2026, Part 11 compliance is a necessary condition for any regulated deployment — but it is a starting point, not a differentiator. The quality of your validation implementation, the robustness of your SOPs, and the practical depth of your audit trail configuration are what determine whether your compliance will hold up to an FDA inspection.

This article is part of labsoftwareguide.com’s regulatory compliance series for laboratory software. Related reading: ALCOA+ in the Lab: A Data Integrity Guide | Best LIMS for FDA-Regulated Environments | EU Annex 11 vs 21 CFR Part 11: Key Differences | How to Validate a LIMS: An IQ/OQ/PQ Guide

This article is for informational purposes only and does not constitute legal, regulatory, or compliance advice. Regulations and FDA guidance are subject to revision. Always consult current official sources (eCFR.gov, FDA.gov) and qualified regulatory counsel for compliance decisions specific to your organization and products.
