← Back to Blog
Compliance

21 CFR Part 11 Compliance for SCADA Systems: What You Need to Know

OptiZeus TeamApril 10, 202611 min read

Introduction

If you manufacture pharmaceuticals, biologics, medical devices, or food products regulated by the FDA, you have probably encountered 21 CFR Part 11. This regulation, first issued in 1997 and still actively enforced, defines the criteria under which the FDA considers electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records with handwritten signatures.

For SCADA systems, 21 CFR Part 11 compliance is not optional — it is a requirement that affects how you design, configure, validate, and operate your control system. Non-compliance can result in FDA warning letters, consent decrees, product recalls, and in severe cases, facility shutdowns.

This guide explains what Part 11 requires, how it applies to SCADA systems specifically, and what practical steps you should take.

What Does 21 CFR Part 11 Actually Require?

Part 11 has two main sections: requirements for electronic records and requirements for electronic signatures.

Electronic Records (Subpart B)

The regulation requires that systems which create, modify, maintain, archive, retrieve, or transmit electronic records must:

  1. Validate the system — Demonstrate through documented testing that the system performs as intended. This includes installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ).
  1. Generate accurate and complete copies — You must be able to produce complete, human-readable copies of electronic records for FDA inspection. This means your historian data, batch records, and audit trails must be exportable in formats inspectors can review.
  1. Protect records — Electronic records must be protected throughout their retention period to prevent unauthorized alteration, deletion, or loss. This includes both logical protections (access controls, encryption) and physical protections (backups, disaster recovery).
  1. Limit system access — Only authorized individuals should have access to the system, and access levels should be appropriate to the user's role. This is where RBAC becomes a regulatory requirement, not just a best practice.
  1. Maintain audit trails — Computer-generated, time-stamped audit trails must record the date and time of operator entries and actions that create, modify, or delete electronic records. Audit trail entries must not be modifiable by operators and must be retained for at least as long as the records they document.
  1. Use operational system checks — The system must enforce sequencing of steps and events where appropriate (e.g., batch recipe steps must execute in order).
  1. Ensure authority checks — The system must verify that only authorized users can perform specific functions, such as signing a batch record, modifying a recipe, or overriding an alarm.
  1. Use device checks — Where appropriate, the system must verify the source of data input or operational instructions.
  1. Train personnel — All individuals who develop, maintain, or use electronic record/signature systems must have the education, training, and experience to perform their tasks.

Electronic Signatures (Subpart C)

When electronic signatures are used (in place of handwritten signatures on paper), Part 11 requires:

  1. Unique identification — Each electronic signature must be unique to one individual and must not be reused by or reassigned to anyone else.
  1. Identity verification — Before an organization establishes or certifies an electronic signature, the identity of the individual must be verified.
  1. Signature components — Electronic signatures that are not based on biometrics must employ at least two distinct identification components (e.g., username and password). For consecutive signings in a continuous session, the first signing requires both components; subsequent signings may require only one (e.g., password only).
  1. Non-repudiation — Signed electronic records must clearly indicate the printed name of the signer, the date and time of signing, and the meaning of the signature (e.g., "reviewed," "approved," "released").
  1. Signature binding — Electronic signatures must be linked to their respective electronic records so that signatures cannot be excised, copied, or transferred to falsify another record.

How This Applies to SCADA Systems

In a pharmaceutical or food manufacturing facility, the SCADA system generates several categories of records that fall under Part 11:

Process Data and Historian Records

Every data point recorded by the SCADA historian — temperatures, pressures, flow rates, pH values — is an electronic record. These records must be accurate, time-stamped, protected from alteration, and retained for the required period (often several years).

Batch Records

If your SCADA system manages batch execution (ISA-88), the batch record — including phase transitions, parameter values, alarms, and operator actions — is a Part 11 electronic record. It must be complete, accurate, and attributable.

Alarm and Event Logs

Alarm acknowledgments, setpoint changes, and mode transitions are all electronic records. The operator who acknowledged the alarm, the time, and the alarm details must be captured and retained.

Configuration Changes

Recipe modifications, tag configuration changes, alarm limit adjustments, and user account changes are all records that must be audit-trailed.

Practical Implementation Steps

Step 1: Conduct a Part 11 Assessment

Not every electronic record in your SCADA system requires full Part 11 controls. The FDA's 2003 guidance on Part 11 scope states that you should assess risk: which records are critical to product quality and patient safety?

A temperature record for a sterilization process is high-risk and requires full Part 11 controls. A display refresh rate setting is low-risk and probably does not.

Document your assessment and use it to prioritize implementation effort.

Step 2: Implement Access Controls and RBAC

Configure your SCADA system with individual user accounts and role-based permissions:

  • Operator: Can view data, acknowledge alarms, enter manual data
  • Supervisor: Can approve batches, override alarms with justification
  • Engineer: Can modify configurations, recipes, and alarm limits
  • Administrator: Can manage user accounts and system settings
  • Viewer: Read-only access for quality and compliance personnel

OptiZeus implements full RBAC with configurable roles and permissions. Each role can be granted or denied access to specific functions, screens, and data.

Step 3: Configure Audit Trails

Enable comprehensive audit logging for all Part 11-relevant actions:

  • Record creation, modification, and deletion
  • User logins and logouts (including failed attempts)
  • Setpoint changes (with before and after values)
  • Alarm acknowledgments and overrides
  • Recipe modifications and approvals
  • Configuration changes
  • Report generation and data exports

Audit trails must be immutable — operators should not be able to modify or delete audit log entries. OptiZeus writes audit trail data to a protected database table with cryptographic integrity checks, ensuring tamper evidence.

Step 4: Implement Electronic Signatures

For records that require signatures (batch releases, recipe approvals, deviation acknowledgments):

  • Require username and password for the first signature in a session
  • Capture the signer's full name, timestamp, and signature meaning
  • Bind the signature to the specific record version
  • Prevent signed records from being modified without re-signing

OptiZeus includes a built-in electronic signature module that meets Part 11 requirements. When a signature is required, the system prompts for credentials, records the signature with its meaning, and locks the record against modification.

Step 5: Validate the System

Validation is perhaps the most labor-intensive Part 11 requirement. You need:

  • Validation Plan: Document the scope, approach, and acceptance criteria
  • User Requirements Specification (URS): What the system must do
  • Functional Specification (FS): How the system will meet the requirements
  • Installation Qualification (IQ): Verify correct installation
  • Operational Qualification (OQ): Verify correct operation under all conditions
  • Performance Qualification (PQ): Verify sustained correct operation over time
  • Traceability Matrix: Map every requirement to a test and its result

OptiZeus provides GAMP5-aligned validation documentation templates, including pre-written IQ/OQ protocols, traceability matrices, and risk assessments. This significantly reduces the validation effort compared to platforms that provide no compliance documentation.

Step 6: Establish SOPs

Document standard operating procedures for:

  • User account creation, modification, and deactivation
  • Password management and 2FA enrollment
  • Backup and disaster recovery
  • Audit trail review (who reviews, how often, what to look for)
  • Change control for system configuration and recipes
  • Incident response for security events or data integrity issues

Common FDA Findings Related to SCADA

During inspections, FDA investigators commonly cite these Part 11 deficiencies:

  1. Shared user accounts — Multiple operators using the same login credentials
  2. No audit trail — System does not log who changed what and when
  3. Modifiable audit trails — Operators or administrators can edit or delete log entries
  4. No electronic signatures — Critical records approved verbally or by paper sign-off applied to electronic records after the fact
  5. No validation — System deployed without IQ/OQ/PQ documentation
  6. Inadequate backup — No documented backup procedure or untested recovery
  7. No access controls — All users have administrator-level access

The Cost of Non-Compliance

An FDA warning letter citing Part 11 deficiencies does not just create paperwork. It can:

  • Delay new product approvals
  • Require costly remediation projects
  • Trigger consent decrees with ongoing FDA oversight
  • Lead to product recalls if data integrity is questioned
  • Damage your reputation with customers and partners

The cost of building Part 11 compliance into your SCADA system from the start is a fraction of the cost of retrofitting it after an FDA finding.

Conclusion

21 CFR Part 11 compliance for SCADA systems is not a checkbox exercise — it requires thoughtful design of access controls, audit trails, electronic signatures, and validation processes. The regulation is technology-neutral: it does not prescribe specific tools, but it does require specific outcomes.

Modern SCADA platforms like OptiZeus build these capabilities into the core product rather than offering them as expensive add-on modules. With built-in RBAC, 2FA, immutable audit trails, electronic signatures, and GAMP5 validation documentation, the path to compliance is significantly shorter than with platforms that were designed before Part 11 was a concern.

If you are planning a new SCADA deployment in a regulated facility, make Part 11 compliance a selection criterion from day one — not an afterthought.

21 CFR Part 11FDA SCADApharmaceutical SCADAelectronic signaturesaudit trail compliance

Stay Updated on Industrial Automation

Get insights on SCADA, ICS security, and automation trends delivered to your inbox.

Ready to try OptiZeus SCADA?

Download the free trial and see the difference.

Download Free Trial