Paper still runs more quality systems than most medtech and pharma teams would admit. Validation binders on a shelf, wet-ink signatures on batch records, printouts filed in a cabinet for the next inspection. 21 CFR Part 11 is the rule that decides whether the electronic versions of those records hold up. Going paperless without understanding it is how teams end up with systems an auditor won’t accept.
This is a working guide for the people who must implement Part 11: QA leads, regulatory affairs, validation engineers, and the IT teams who build or buy the systems. It covers what the rule requires, what changed in 2025 and 2026, and how to retire paper across validation, audit trails, and signatures without opening new compliance gaps.
What 21 CFR Part 11 governs
Part 11 lives in Title 21 of the Code of Federal Regulations. The FDA issued it in 1997 to define when electronic records and electronic signatures can be trusted as equivalent to paper records and handwritten signatures. It does not cover every file on your network. It covers records that a predicate rule, the underlying FDA regulation for your product, already requires you to keep, in cases where you choose to keep or submit them electronically.
The rule has two working halves. Subpart B governs electronic records: validation of the system, the ability to produce accurate copies, protection and retrieval of records across the full retention period, access limited to authorized users, secure computer-generated time-stamped audit trails, operational and authority checks, and control over related documentation. Subpart C governs electronic signatures: each one unique to an individual, bound to its record, and carrying a signed manifestation that shows the signer’s name, the date and time, and the meaning of the signature, whether that is review, approval, or authorship.
Strip out the legal phrasing, and Part 11 asks three plain questions. Can you trust the record? Can you prove who did what and when? Can you show both to an inspector years later? Everything else is detail in service of those three.
The risk-based reading most teams miss
In 2003, the FDA published a guidance called “Part 11, Electronic Records; Electronic Signatures, Scope and Application”. It narrowed how the agency enforces the rule and told industry to apply Part 11 controls according to risk, rather than treating every clause as mandatory for every system. That guidance is the reason a justified, risk-based approach is defensible, and the reason over-validating a low-risk system is wasted effort rather than added safety.
So, Part 11 compliance is scoped, not absolute. You decide which records fall under a predicate rule, assess the risk each system carries to product quality and patient safety, and apply controls proportionate to that risk. The documented rationale for those decisions is part of the compliance. It is not a way around it.
What changed in 2025 and 2026 for 21 CFR Part 11
For years, going paperless effectively meant Computer System Validation (CSV): broad scripted testing and thick documentation for nearly every function, regardless of risk. That habit made teams slow to adopt new software and even slower to update it.
On September 24, 2025, the FDA issued final guidance titled “Computer Software Assurance for Production and Quality System Software” (Docket FDA-2022-D-0795), and updated it on February 3, 2026. Computer Software Assurance (CSA) replaces the one-size-fits-all reflex with a risk-based, least-burdensome model. You start from the software’s intended use and the risk it carries, then pick an assurance method that fits: scripted testing where risk is high, unscripted or exploratory testing where it is lower, and supplier or vendor evidence where relying on it is justified. The guidance formally superseded Section 6 of the FDA’s 2002 General Principles of Software Validation.
A second shift lands in the same window. The Quality System Regulation (21 CFR Part 820) is being harmonized with ISO 13485:2016 under the Quality Management System Regulation (QMSR), effective February 2026. Software validation expectations now sit inside an ISO-aligned quality system, which favors teams that already reason in terms of risk and intended use.
The practical instruction is simple. If you are scoping a paperless program now, build it on CSA, not legacy CSV. The Part 11 obligations are the same. The documentation burden does not have to be.

Figure: The shift from broad Computer System Validation to risk-based Computer Software Assurance, with the build order for a defensible paperless program.
Going paperless without breaking compliance
Three areas carry most of the risk when records leave paper: validation, audit trails and traceability, and signatures. Each one fails quietly if you treat it as a checkbox.
Validation you can defend
Validation is where teams either save months or lose them. Under CSA, the question is no longer “did we script-test everything?” It is “did we assure the functions that matter, in proportion to their risk?” Classify each system and each significant function by intended use and by the harm a failure could cause. High-risk functions earn rigorous, scripted verification and testing. Lower-risk functions can be covered by unscripted testing, continuous monitoring, or evidence from a qualified vendor. Whatever mix you choose, the rationale is the deliverable: an inspector wants to see why your assurance was enough, not a binder that proves you tested things that never mattered.
Audit trails and traceability
Audit trails are where a paperless system proves its integrity. Part 11 expects them to be secure, computer-generated, and time-stamped, recording operator actions that create, modify, or delete records, in a way the operator cannot quietly overwrite. The trail has to last at least as long as the record it describes and be available when an inspector asks.
Traceability is the larger goal that audit trails serve: an unbroken thread from raw data to released product, so any value can be followed back to its source, its author, and its change history. The data integrity standard regulators apply here is ALCOA+. Records should be Attributable, Legible, Contemporaneous, Original, and Accurate, and on top of that Complete, Consistent, Enduring, and Available.
One discipline separates teams that pass from teams that get findings: reviewing audit trails, not just producing them. An audit trail nobody reads is a control that exists only on paper. Decide which audit trails get reviewed, how often, and who signs off, then capture that review as a record of its own. Data integrity is also where inspections concentrate their attention. The teams that stay clean treat audit trail review as a routine quality activity, not a scramble in the week before an inspection.
Electronic signatures done right
A Part 11 signature is more than a name in a box. It has to be unique to one person, permanently linked to the record it signs, and impossible to lift and reuse on another record. The signed record must show the signer’s printed name, the date and time, and the meaning of the signing. For signatures that are not biometric, the rule expects two distinct components, typically an identifier and a password, with controls that make it hard for one person to act as another.
A common misconception is worth clearing up here. An electronic signature is not automatically a cryptographic digital signature. Part 11 allows identity-and-password signatures and biometric signatures as well. A cryptographic digital signature is one valid way to build a compliant signature, not a requirement of the rule.
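As an added example that is not from this article or from Nalashaa’s software, the Python sketch below shows the two controls described above: a time-stamped, chained audit trail in which a silent edit or deletion breaks verification, and a signature manifestation (printed name, date and time, meaning) bound to the record it signs so it cannot be lifted onto another record. The keyed-digest approach is one way to achieve the binding, not the only one the rule allows; the key, the helper names and the sample records are assumptions, and the key would be held by the validated system rather than by the signer.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key (assumption): in a real system it belongs to the validated
# platform, never to the signer, and sits under its own access controls.
SYSTEM_KEY = b"demo-key-not-for-production"

def _tag(obj) -> str:
    """Keyed digest over a canonical JSON form, so key order does not matter."""
    data = json.dumps(obj, sort_keys=True, default=str).encode()
    return hmac.new(SYSTEM_KEY, data, hashlib.sha256).hexdigest()

def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

class AuditTrail:
    """Computer-generated, time-stamped, append-only entries. Each entry carries
    the tag of the previous one, so editing or removing an entry breaks the chain."""
    def __init__(self):
        self.entries = []

    def log(self, operator, action, record_id, old, new, when=None):
        entry = {"operator": operator, "action": action, "record_id": record_id,
                 "old": old, "new": new, "timestamp": when or _now(),
                 "prev": self.entries[-1]["tag"] if self.entries else ""}
        entry["tag"] = _tag(entry)  # computed before "tag" exists in the dict
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "tag"}
            if e["prev"] != prev or not hmac.compare_digest(_tag(body), e["tag"]):
                return False
            prev = e["tag"]
        return True

def sign_record(record, record_id, printed_name, meaning, when=None):
    """Signature manifestation: printed name, date/time and meaning, bound to the
    record by folding the record's own digest into the keyed tag."""
    m = {"record_id": record_id, "printed_name": printed_name, "meaning": meaning,
         "signed_at": when or _now(), "record_digest": _tag(record)}
    m["binding"] = _tag(m)
    return m

def verify_signature(record, manifestation) -> bool:
    """Fails if the record changed, the manifestation was altered, or it was
    copied onto a different record."""
    body = {k: v for k, v in manifestation.items() if k != "binding"}
    return (hmac.compare_digest(_tag(body), manifestation["binding"])
            and hmac.compare_digest(_tag(record), manifestation["record_digest"]))
```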
The migration problem nobody scopes
The hardest part of going paperless is rarely the new system. It is everything attached to the old one: years of records in legacy formats, hybrid processes where paper and electronic coexist, and aging platforms, including the AS/400 and IBM i systems still running validated workloads inside many manufacturers, that were never built to expose clean audit trails or modern signatures.
Three migration risks come up again and again. A data migration that loses, truncates, or alters records breaks both the predicate-rule retention requirement and the “original” and “accurate” principles of ALCOA, so migrations need their own validation and a verified mapping from source to target. Hybrid states, part paper and part electronic, tend to multiply controls rather than remove them, and should be time-boxed instead of left to drift for years. And legacy systems often need modernization, or at least a validated interface layer, before they can meet Part 11 at all.
This is the point where compliance turns into an engineering problem. Building audit trails, role-based access, and signature workflows into a modernized system is cheaper and far more defensible than bolting them onto a platform that fights you at every step.
A sequence that works
Most failed paperless programs skip straight to tooling. This order avoids that.
- Scope by predicate rule. List the records you are required to keep, and which of them you will keep electronically. Part 11 applies to those, not to everything.
- Risk-classify each system by intended use and by impact on product quality and patient safety, following the CSA model.
- Choose assurance methods proportional to that risk, and write down why each choice is enough.
- Specify the Part 11 controls each system needs: audit trail, access control, signatures, accurate copies, and retention.
- Validate the system, including any data migration, and keep the evidence in a form you can hand to an inspector.
- Operationalize audit trail review and periodic re-assessment. Compliance is a state you maintain, not a project you close.
Build it in, don’t bolt it on
Going paperless under Part 11 has less to do with buying a pre-approved product and more to do with designing records you can trust and prove. Scope by risk, validate with CSA, make audit trails and traceability part of routine operations, and treat the move off paper and legacy systems as the real project it is.
Nalashaa builds and modernizes software for medtech, pharma, and the ISVs that serve them, with Part 11 controls, audit trails, and validation designed in from the start rather than retrofitted under inspection pressure. Talk to our team about your validation and traceability roadmap.
Frequently asked questions
What is 21 CFR Part 11? It is the FDA regulation, in Title 21 of the Code of Federal Regulations, that sets the conditions under which electronic records and electronic signatures are treated as trustworthy and equivalent to paper records and handwritten signatures for FDA-regulated records.
Does Part 11 require specific software? No. The FDA does not certify or mandate particular products. Compliance depends on how a system is configured, validated, and controlled in your environment, not on a vendor’s “Part 11 compliant” badge. That badge describes capability. It does not deliver your compliance.
Is an electronic signature the same as a digital signature? Not necessarily. Part 11 recognizes electronic signatures based on identifier-and-password combinations or on biometrics. A cryptographic digital signature is one way to implement a compliant signature, not a condition of the rule.
What is the difference between CSV and CSA? Computer System Validation (CSV) applied broad scripted testing and heavy documentation across functions regardless of risk. Computer Software Assurance (CSA), finalized by the FDA in September 2025, is risk-based: assurance effort scales with the software’s intended use and risk, which cuts low-value documentation while keeping the controls that matter.
Does Part 11 apply to cloud and SaaS systems? Yes. If a cloud or SaaS system holds predicate-rule records electronically, Part 11 applies. You stay responsible for validation, audit trails, access control, and signatures. Under CSA, you can use a qualified supplier’s evidence as part of your assurance, paired with your own assessment of that supplier.