What 21 CFR Part 11 actually requires from your ERP system

FDA 21 CFR Part 11 governs electronic records that support GMP decisions. For a life sciences ERP, that is most of the system. Here is what compliance actually requires, translated into NetSuite configuration.

What Part 11 is and what it is not

21 CFR Part 11 applies to electronic records that are required by FDA predicate rules and electronic signatures used in place of handwritten signatures. For an ERP system in a life sciences company, that means any transaction that supports a GMP decision is in scope. Batch release. Quality review. Inventory adjustment for GMP material. Supplier qualification. Change control. Deviation handling. Stability testing data.

What Part 11 is not: a checklist of features. It is a set of requirements about the integrity, authenticity, and confidentiality of electronic records. Different systems can meet the requirements through different configurations. The question is whether the system, as configured, actually meets them.

Most ERP implementations treat Part 11 as something the quality system handles. For a life sciences company, the ERP is part of the validated environment. Per Oracle NetSuite's Life Sciences ERP documentation, the platform supports validation-ready audit trails and Part 11-compliant electronic records and signatures. The configuration work is making the platform's capabilities actually work for the operating model.

Part 11 is not about the software. It is about whether the software, as you have configured and operated it, produces records you can defend.

The 3 substantive requirements: audit trail, e-signature, validation

Requirement 01: Audit trail

Subpart B requires that the system generate accurate and complete copies of records, retain records for the required period, and use computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.

In NetSuite, this translates to 5 configuration points:

  1. System Notes audit trail is enabled on every Part 11-relevant record type. This is a system-level setting that captures every change to every field on the record.
  2. The audit trail is protected from edit and deletion by role permissions. Administrators do not have the ability to alter the audit trail.
  3. The timestamp on every audit trail entry uses the NetSuite server time, not the user's local time, which eliminates timezone drift as a source of audit issues.
  4. The user identifier on every entry is the NetSuite user account, not a generic shared account. Shared accounts violate the standard.
  5. Audit trail data is retained for the regulatory retention period, typically 6 years post product life for pharmaceutical records, or as defined by the applicable predicate rule.

Requirement 02: Electronic signatures

Subpart C requires that electronic signatures be unique to one individual, that the system verify the identity of the individual at the time of signing, and that signed electronic records contain information associated with the signing (printed name, date and time, and meaning).

In NetSuite, this translates to 4 configuration points:

  1. The signature workflow uses NetSuite's approval routing with explicit signature meaning (released, rejected, reviewed, approved). Archer's Approvals App handles the routing and meaning capture.
  2. Identity verification at signing uses two-factor authentication or the user's existing password depending on the risk classification of the workflow.
  3. The signed record carries the signer's printed name, the date and time of signature, and the meaning of the signature in a way that cannot be detached from the record.
  4. For workflows with high regulatory risk (batch release, change control approval), a second factor or biometric authentication is required.

Requirement 03: Validation

Part 11 requires validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

Validation is documentation, not configuration. The deliverables Archer produces as part of a Part 11-relevant implementation:

  1. Validation plan describing the scope, approach, and acceptance criteria
  2. User requirements specification defining what the system needs to do
  3. Functional specification defining how the system does it
  4. Risk assessment per ICH Q9 principles identifying which functions need formal testing
  5. IQ (Installation Qualification) protocol and report
  6. OQ (Operational Qualification) protocol and report
  7. PQ (Performance Qualification) protocol and report, where applicable
  8. Validation summary report
  9. Change control procedure for post-launch changes

These documents are maintained for the life of the system. Periodic review reassesses the validated state, particularly after NetSuite releases or material configuration changes.

Scope: what falls under Part 11 in a life sciences NetSuite implementation

The validation plan defines scope. The general principle: if the record supports a GMP decision, it is in scope. The following table is a starting point for scoping discussions.

NetSuite transaction or feature                  | Typical Part 11 scope
-------------------------------------------------+----------------------
Item master for GMP material                     | In scope
Lot records                                      | In scope
Work order and batch record references           | In scope
Inventory adjustment for GMP material            | In scope
Quality release approval                         | In scope
Supplier qualification status                    | In scope
Sales order for clinical supply                  | Often in scope
Purchase order for GMP raw material              | Often in scope
General ledger entries for non-GMP transactions  | Out of scope
Customer master, vendor master (non-GMP)         | Out of scope
Standard financial reporting                     | Out of scope

Common gaps Archer finds in pre-existing implementations

Gap 01: Audit trail enabled but not protected

The audit trail is enabled at the system level but administrators retain the ability to alter it. The configuration appears compliant but the actual control is missing. Role permissions need to be restricted.

Gap 02: Electronic signatures without meaning

Approval workflows are configured but the meaning of the approval is not captured on the record. The standard requires that the signed record state what the signature means: released, reviewed, approved, rejected.

Gap 03: Shared user accounts

Generic accounts are used for system processes or for after-hours work. Part 11 requires that every signature trace to an individual. Service accounts for system-to-system integration are acceptable when documented; human users sharing accounts are not.
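
Gaps 02 and 03 can be checked mechanically against an export of signed records. The following Python check is an added example, not Archer's or NetSuite's code; the CSV column names, the sample rows, and the generic-account list are constructed for illustration, and the multiple-names test is a heuristic for account sharing rather than a Part 11 rule.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Signature meanings named in the article's approval routing.
ALLOWED_MEANINGS = {"released", "rejected", "reviewed", "approved"}

# Constructed sample export; column names are hypothetical, not a NetSuite schema.
SAMPLE_EXPORT = """record_id,signer_account,printed_name,signed_at,meaning
BR-1001,jdoe@example.com,Jane Doe,2024-03-04T14:02:11+00:00,released
BR-1002,asmith@example.com,Alan Smith,2024-03-04T15:40:00+00:00,
CC-0007,qa-shared@example.com,QA Team,2024-03-05T02:13:45+00:00,approved
DV-0031,jdoe@example.com,,not recorded,reviewed
BR-1003,mlee@example.com,Min Lee,2024-03-06T09:00:00+00:00,approved
BR-1004,mlee@example.com,Raj Patel,2024-03-06T23:30:00+00:00,approved
"""

def check_signatures(export_text, generic_accounts):
    """Return sorted (record_id, finding) pairs for signature-manifest gaps."""
    findings = []
    names_by_account = defaultdict(set)
    rows = list(csv.DictReader(io.StringIO(export_text)))
    for row in rows:
        rid = row["record_id"]
        account = row["signer_account"].strip().lower()
        name = row["printed_name"].strip()
        if not name:
            findings.append((rid, "missing printed name"))
        else:
            names_by_account[account].add(name)
        try:
            datetime.fromisoformat(row["signed_at"].strip())
        except ValueError:
            findings.append((rid, "missing or unparseable signing time"))
        if row["meaning"].strip().lower() not in ALLOWED_MEANINGS:
            findings.append((rid, "missing or unknown signature meaning"))
        if account in generic_accounts:
            findings.append((rid, "signed with a generic account"))
    # Heuristic: one account signing under several names suggests sharing.
    for row in rows:
        account = row["signer_account"].strip().lower()
        if len(names_by_account[account]) > 1:
            findings.append((row["record_id"], "account used under multiple names"))
    return sorted(findings)

if __name__ == "__main__":
    for rid, finding in check_signatures(SAMPLE_EXPORT, {"qa-shared@example.com"}):
        print(f"{rid}: {finding}")
```
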

Gap 04: No periodic review of validated state

The system was validated at go-live and has not been formally reviewed since. NetSuite has released multiple times. The validated state may no longer be accurate. Periodic review on a defined cadence (typically annual) restores the validation.

Gap 05: Change control treated as IT change management

Configuration changes are tracked in an IT ticketing system, but not in a validation-grade change control process. Part 11 expects that changes to validated systems follow a controlled process with risk assessment, testing, and documentation.

What an inspection-ready Part 11 implementation looks like

When an FDA inspector requests records, the response is a query, not a project. The audit trail prints. The signature record is complete. The validation documents are current. The change control history is intact. The system performs as documented.

Most companies are not there. Most companies have audit trail data but not audit trail protection. Most companies have electronic approvals but not Part 11-compliant signatures. Most companies have validation documents from go-live but not periodic review. The gap is configuration and process discipline, not platform capability. NetSuite's foundation supports Part 11 compliance. Archer's implementation services deliver the configuration and documentation that make it real.

External references

  1. FDA 21 CFR Part 11: Electronic Records and Signatures
  2. FDA Quality System Regulation (21 CFR Part 820)
  3. ICH Q9 Quality Risk Management
  4. NetSuite Life Sciences ERP
