The short version
Part 11 boils down to three questions an auditor will ask of any system that holds GxP records:
- Can you prove who did what, when, and why? (Audit trail.)
- Can you prove the record hasn't been tampered with? (Integrity.)
- Are signatures legally binding and uniquely tied to a person? (Authentication + e-sig manifestation.)
Everything else on the checklist exists to back up one of those three answers.
The checklist
1. Validation
- Written validation plan, executed before go-live.
- IQ / OQ / PQ documentation on file.
- Change control process for every update after go-live.
- Periodic review (annual is typical).
2. Audit trail
- Every create, modify, and delete is captured automatically - never user-controllable.
- Trail records timestamp (server time, not user clock), user ID, old value, new value, and reason if required.
- Audit trail itself is read-only and cannot be disabled or edited.
- Exportable as a human-readable report for inspection.
3. Access control
- Unique user IDs - no shared accounts, ever.
- Role-based permissions, least privilege.
- Account lockout after failed login attempts.
- Password complexity and rotation policy enforced.
- Documented onboarding and offboarding procedure for system access.
4. Electronic signatures
- Two distinct identification components (e.g. user ID + password) for the first signing in a session; password alone for subsequent signings.
- Signature manifestation on the record shows printed name, date, time, and meaning of signature (approved, reviewed, etc.).
- Signature is permanently linked to the record - you can't copy the signature to another record.
- Signed statement on file from each user that their e-signature is the legal equivalent of a handwritten one (§11.100(c)).
5. Record integrity
- Records are protected during the entire retention period.
- Backups are tested, not just scheduled.
- System can produce accurate, complete copies in both human-readable and electronic form for FDA inspection.
6. SOPs and training
- SOPs cover system use, security, change control, and incident response.
- Training records prove every user has been trained on the SOPs.
- Training is current - revisit on every material system change.
7. Vendor / supplier qualification
- If you use a cloud system, you have the vendor's Part 11 compliance documentation and a quality agreement.
- SOC 2 Type II or equivalent on file.
- Subprocessor list and data residency understood.
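Sections 2 and 4 spell out what the trail and the signature must capture; the block below is an added illustration (not SKUsafe's code or any vendor's) of one way to enforce those rules in a record store: every change is logged server-side with server time, old and new value and reason, the trail is append-only and hash-chained so any edit is detectable, and the signature is MAC-bound to the record id and its content so it cannot be copied to another record or survive a later change. The class and method names and the SIGNING_KEY are assumptions.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

SIGNING_KEY = b"constructed-demo-key"  # assumption: a real deployment keeps this in a KMS/HSM

def _sha(obj):  # canonical-JSON hash used to chain trail entries
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def _mac(payload):  # server-held key ties a signature to one record's content
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()

class AuditedRecord:
    def __init__(self, record_id, user, data):
        self.record_id, self.data, self.trail = record_id, dict(data), []
        self._log(user, "create", None, None, dict(data), None)

    def _log(self, user, action, field, old, new, reason):  # server time only; callers never supply it
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user, "action": action,
                 "field": field, "old": old, "new": new, "reason": reason,
                 "prev": self.trail[-1]["hash"] if self.trail else "0"}
        entry["hash"] = _sha(entry)
        self.trail.append(entry)  # deliberately no method exists to edit or delete entries

    def update(self, user, field, new, reason=None):
        self._log(user, "modify", field, self.data.get(field), new, reason)
        self.data[field] = new

    def verify_trail(self):
        prev = "0"  # recompute the chain: an edited, removed or reordered entry breaks it
        for e in self.trail:
            if e["prev"] != prev or _sha({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def sign(self, user, printed_name, meaning):  # MAC covers record id + content: not copyable
        payload = json.dumps({"record_id": self.record_id, "data": self.data, "user": user,
                              "name": printed_name, "meaning": meaning,
                              "ts": datetime.now(timezone.utc).isoformat()}, sort_keys=True)
        self._log(user, "sign", None, None, meaning, None)
        return {"payload": payload, "mac": _mac(payload)}

    def verify_signature(self, sig):
        p = json.loads(sig["payload"])
        return hmac.compare_digest(sig["mac"], _mac(sig["payload"])) and (p["record_id"], p["data"]) == (self.record_id, self.data)

    def manifest(self, sig):  # what the record shows: printed name, date/time and meaning
        p = json.loads(sig["payload"])
        return f"Signed by {p['name']} ({p['user']}) on {p['ts']}: {p['meaning']}"
```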
What auditors actually look for
The checklist is the spec. The audit is theater. The pattern that gets companies dinged isn't missing features - it's missing evidence. Specifically:
- Shared logins ("the QA team uses one account") - instant finding.
- Audit trail that can be disabled, even by an admin.
- Signed records where the signature shows up as just "User123" with no name, date, or meaning.
- No validation documentation for a system that's been live for years.
- SOPs that reference a system the company replaced two years ago.
Where SKUsafe fits
SKUsafe is built so the Part 11 controls aren't features you have to configure - they're how the system works. Every record has an immutable audit trail, every signature carries name + timestamp + meaning, every user has a unique account, and validation documentation ships with the platform.
If you're scoping a Part 11–capable system for formulation, specs, supplier documents, or labeling, that's exactly what we built.