
GMP & 21 CFR Part 11: What Manufacturers Need to Know About FDA Compliance

By Veritas Core Team



If you manufacture products regulated by the FDA — pharmaceuticals, food, dietary supplements, cosmetics, or medical devices — two sets of requirements shape your quality system: Good Manufacturing Practice (GMP) regulations and 21 CFR Part 11, which governs electronic records and electronic signatures.

These two work hand in hand. GMP tells you what to do to ensure product quality and safety. 21 CFR Part 11 tells you how to do it digitally in a way the FDA considers trustworthy. As more manufacturers move from paper to digital systems, understanding both is essential.

What Is GMP?

Good Manufacturing Practice is a set of regulations enforced by the FDA (and equivalent agencies worldwide) that establishes minimum requirements for manufacturing, processing, and packaging products. The goal: ensure products are consistently safe, pure, and effective.

GMP regulations vary by industry:

  • Pharmaceuticals: 21 CFR Parts 210 and 211 (Current Good Manufacturing Practice, or cGMP)
  • Medical devices: 21 CFR Part 820 (Quality System Regulation)
  • Food: 21 CFR Part 117 (Current Good Manufacturing Practice and Preventive Controls)
  • Dietary supplements: 21 CFR Part 111

The "c" in cGMP stands for "current" — the FDA expects you to use up-to-date systems and technologies, not practices from decades ago.

Core GMP Principles

Despite the variations across industries, GMP regulations share common themes:

Facility and equipment controls. Your facility must be designed to prevent contamination. Equipment must be maintained, cleaned, and calibrated on documented schedules.

Personnel qualifications and training. Employees must be qualified for their roles and trained on the procedures they perform. Training records must be documented and current.

Process validation. You must demonstrate that your manufacturing processes consistently produce products meeting predetermined specifications. This goes beyond testing the final product — you need to prove the process itself is reliable.

Documentation and record-keeping. Every batch, every deviation, every corrective action must be documented. GMP is sometimes described as "if you didn't document it, it didn't happen."

Quality control and testing. Raw materials, in-process samples, and finished products must be tested against specifications. Out-of-spec results trigger investigations.

Complaint handling and adverse events. Customer complaints must be investigated. Serious adverse events must be reported to the FDA within prescribed timeframes.

Change control. Changes to processes, equipment, or materials must be evaluated, approved, documented, and validated before implementation.

What FDA Inspectors Look For

During a GMP inspection, FDA investigators (typically following their Compliance Program Guidance Manual) focus on:

  • Deviations and CAPAs: How do you handle things that go wrong? Do you investigate root causes or just document symptoms?
  • Training records: Can you prove that the person who ran a batch was trained on the SOP?
  • Batch records: Are they complete, accurate, and reviewed by quality?
  • Equipment logs: Is calibration current? Are cleaning records maintained?
  • Supplier controls: How do you qualify and monitor your material suppliers?

The most common FDA observations (483s) relate to documentation failures — incomplete records, missing signatures, and procedures that don't match actual practice.

What Is 21 CFR Part 11?

21 CFR Part 11 is the FDA regulation that defines the criteria for electronic records and electronic signatures to be considered trustworthy, reliable, and equivalent to paper records with handwritten signatures.

Published in 1997 and updated through guidance documents since, Part 11 applies whenever you use electronic systems to create, modify, maintain, archive, retrieve, or transmit records required by FDA regulations.

Key Requirements

Validation. Electronic systems must be validated to ensure accuracy, reliability, and consistent intended performance. You need documented evidence that your software does what it claims.

Audit trails. The system must create a secure, computer-generated, time-stamped audit trail that records who did what and when. Audit trails must be retained for at least as long as the underlying records and must be available for FDA review.

Access controls. The system must limit access to authorized individuals. This means unique user accounts — no shared logins — with role-based permissions that control who can view, create, modify, or approve records.

Electronic signatures. When electronic signatures are used (to approve batch records, sign off on SOPs, release products), they must:

  • Be linked to the signer and not reusable
  • Be unique to one individual (no shared credentials)
  • Include the printed name, date/time, and meaning of the signature (e.g., "authored," "reviewed," "approved")

System security. Controls to prevent unauthorized access, including password policies, session timeouts, and device checks.

Record retention. Electronic records must be retrievable throughout their required retention period in a format that can be reviewed by the FDA.

What Part 11 Means in Practice

If you're moving from paper to digital systems — or already using them — here's what Part 11 requires you to think about:

Your compliance software must have an audit trail. Every change to a record (who changed it, what changed, when, and why) must be logged automatically. Spreadsheets don't do this. Email attachments don't do this. You need a system designed for it.

No shared logins. Every user needs their own account. "QualityDept@company.com" as a shared login violates Part 11.

SOPs for your electronic systems. You need documented procedures for how your electronic systems are used, maintained, backed up, and secured.

Signatures must mean something. When someone electronically signs a document, the system must capture who they are, what they're signing, and what their signature means.
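
One way to make an audit trail tamper-evident is to hash-chain its entries, so that editing any earlier entry breaks every hash after it. This is an added example, not Veritas Core's code and not a design Part 11 prescribes; the field names, user IDs and batch ID are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first entry


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log: who changed what, when, and why."""

    def __init__(self):
        self.entries = []

    def record(self, user, record_id, field, old, new, reason, when=None):
        if not user or not reason:
            raise ValueError("every entry needs an individual user and a reason")
        entry = {
            "seq": len(self.entries),
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user, "record_id": record_id, "field": field,
            "old": old, "new": new, "reason": reason,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)  # hash covers every field above
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first inconsistent entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def demo():
    trail = AuditTrail()  # constructed sample data below
    trail.record("jdoe", "BATCH-0001", "qc_result", "Pass", "Fail", "Retest out of spec")
    trail.record("asmith", "BATCH-0001", "status", "In review", "Approved",
                 "Signature meaning: approved")
    before = trail.verify()
    trail.entries[0]["new"] = "Pass"  # silent after-the-fact edit
    return before, trail.verify()
```

A chain by itself does not reveal removal of the newest entries or a complete rewrite of the log, so the latest hash has to be stored somewhere the application and its administrators cannot alter.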

How GMP and 21 CFR Part 11 Work Together

Think of it this way:

  • GMP says: "You must document batch production records and have them reviewed and approved by your quality unit."
  • Part 11 says: "If you do that electronically, here's how the system must work for the FDA to trust those records."

Every time a GMP regulation requires a record, signature, or approval, Part 11 governs how that requirement is met digitally. They're inseparable in a modern manufacturing environment.

Common Scenarios

| GMP Requirement | Part 11 Implication |
|---|---|
| Batch record review and approval | Electronic signature with audit trail |
| SOP version control | System must track all revisions with timestamps |
| Training record sign-off | Individual e-signature, not shared account |
| Deviation investigation | Audit trail showing who documented what and when |
| Equipment calibration log | Records must be tamper-evident and retrievable |
| Change control approval | Workflow with e-signatures and role-based access |

The Spreadsheet Problem

Many small manufacturers start with spreadsheets for GMP records. This works until it doesn't:

  • No audit trail. Excel doesn't log who changed cell B7 from "Pass" to "Fail" at 2:47 PM on Tuesday.
  • No access control. Anyone with the file can edit anything.
  • No electronic signatures. Typing your name in a cell isn't a compliant e-signature.
  • No validation evidence. You can't validate a spreadsheet the same way you validate a purpose-built system.

During an FDA inspection, spreadsheet-based records are a red flag. Investigators know the limitations and will probe for data integrity gaps.

Getting Compliant as a Small Manufacturer

  1. Audit your current records. Which GMP records are you keeping electronically? Which are still on paper? Identify where Part 11 applies.
  2. Eliminate shared logins. Every person who touches regulated records needs their own user account with appropriate permissions.
  3. Implement audit trails. If your current systems don't log changes automatically, you need different systems. This is non-negotiable under Part 11.
  4. Document your system procedures. Write SOPs for how your electronic systems are used, who administers them, how backups are performed, and how access is managed.
  5. Validate your systems. Documented evidence that your software works as intended. For commercial off-the-shelf software, this can be streamlined — you don't need to test every feature, just the ones you use for GMP records.
  6. Train your team. Everyone who uses electronic systems for GMP records should understand their Part 11 responsibilities — don't share passwords, don't let sessions stay logged in, always sign what you review.

Choose Tools Built for Compliance

The fastest path to GMP and Part 11 compliance isn't adding controls to general-purpose tools — it's using software designed with these requirements built in. Look for:

  • Automatic, tamper-evident audit trails
  • Role-based access controls with individual user accounts
  • Electronic signature workflows with signer identification and meaning
  • Version-controlled document management
  • Training record tracking linked to SOPs

Veritas Core was built for manufacturers who need audit-ready compliance without the overhead of enterprise systems. With built-in audit trails, access controls, and document management, it helps small FDA-regulated manufacturers meet both GMP and 21 CFR Part 11 requirements — so your next FDA inspection is a conversation, not a crisis.
