
An Easy to Understand Guide

21 CFR Part 11
By Orlando López

askaboutValidation.com
Connecting the Life Sciences
An Easy to Understand Guide
21 CFR Part 11

Published by Premier Validation

An Easy to Understand Guide | 21 CFR Part 11


21 CFR Part 11
First Edition

© Copyright 2011 Premier Validation

All rights reserved. No part of the content or the design of this book may be
reproduced or transmitted in any form or by any means without the express
written permission of Premier Validation.

The advice and guidelines in this book are based on the experience of the
authors after more than a decade in the Life Science industry and, as such, are
either a direct reflection of the "predicate rules" (the legislation governing
the industry) or best practices used within the industry. The author takes
no responsibility for how this advice is implemented.

Visit Premier Validation on the web at www.premiervalidation.com or visit
our forum at www.askaboutvalidation.com

ISBN 978-1-908084-01-9



So what's this book all about?

Hey there,

If you've decided to invest some time in reading this book, I am making the
assumption that you are pretty tired of wading through the regulations
developed by the FDA that were designed to confuse the hell out of
everyone!

This may sound quite dramatic, but how many people out there can really
say that they fully understand the 21 CFR Part 11 regulations? I know many
people claim to know what they are talking about, but why trust someone
when you can use this book to bring clarity to the regulations in seconds?

We are confident that if you use this book as a reference guide the next time you
are testing a system for Part 11 compliance, it will make the project so much
easier. Of course, if you need to refer to the FDA website to check each
regulation, feel free, but if you need each one explained in plain English this is
the book for you.

Understanding the Part 11 regulations is an invaluable weapon in your
arsenal. Next time you are validating or trying to explain a certain aspect of
Part 11 to an auditor, refer to this book and all will be revealed very quickly.

So I think it's pretty clear, you've just purchased the 21 CFR Part 11 bible.

Enjoy!



The brains behind the operation!

Program Director: Graham O'Keeffe


Content Author: Orlando Lopez
Technical Editor: Mark Richardson
Editor: Anne-Marie Smith
Printing History: First Edition: February 2011
Cover and Graphic Design: Louis Je Tonno

Notes of Rights
All rights reserved. No part of this book may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means, without the
prior written permission of the copyright holder, except in the case of brief
quotations embedded in critical articles or reviews.

Notes of Liability
The author and publisher have made every effort to ensure the accuracy of
the information herein. However, the information contained in this book is
sold without warranty, either express or implied. Neither the authors nor
Premier Validation Ltd, nor its dealers or distributors, will be held liable for
any damages caused either directly or indirectly by the instructions
contained in this book.

The Validation Specialists

Published by Premier Validation Ltd


Web: www.premiervalidation.com
Forum: www.askaboutvalidation.com
Email: query@premiervalidation.com

ISBN 978-1-908084-01-9

Printed and bound in the United Kingdom



Table of Contents
The Starting Point
What is 21 CFR Part 11? 2
History of 21 CFR Part 11 3
Benefits 4
Why you should read this Book? 4

E-Signatures and E-Records Explained
The Regulation 6
E-Records 8
Sample Regulatory Action 9
E-Records not impacted by Part 11 10
E-Signatures 11
E-Signatures not impacted by Part 11 11
Enforcement 12

General Rules of System Access
System Access to Authorized Individuals 14
Sample Regulatory Action 15
Operational System Checks 16
Electronic Signatures 17
Multi-signing 18



Unauthorized use of user IDs and Passwords 19
Automatic log out 20
Signature/record linkage 20
Validating Operational Checks 20
Authority Checks 21
Sample Regulatory Action 22
Device Checks 23
Qualifications of Electronic Systems Developers and Users 24

E-Signatures
E-sig Written Policies 27
Authentication and non-repudiation 28
Methods of Authentication 29
E-sig Certification 30

Documentation and Regulation Controls
System Documentation Control 32
Sample Regulatory Action 33

The Difference between Open and Closed Systems
Open System Controls 35
Closed System Controls 36



Computer System Validation
Computer Systems Validation 38
Elements to Successful Validation 40
Validation Documentation 41
Sample Regulatory Action 41

Audit Trails
Audit Trails 41
Sample Regulatory Action 42

E-Records
Record Retention 44
Records Archiving 45
Record Copying 47
Sample regulatory action 47

Hybrid & Legacy Systems


Hybrid Systems 49
Legacy Systems 49
Summary 51
Appendix A: References 52
Correlation between Part 11 and Annex 11 55



The Starting Point
What is Part 11?
History of Part 11
Benefits
Why you should read this Book

What is 21 CFR Part 11?

21 CFR Part 11 is a part of Title 21 of the Code of Federal Regulations (CFR) that
sets forth the United States Food and Drug Administration's (FDA) requirements
for using electronic records (e-recs) and electronic signatures (e-sigs). Part
11, as it is commonly called, defines the criteria under which electronic
records and electronic signatures are considered to be accurate, authentic,
trustworthy, reliable, confidential, and equivalent to paper records and
handwritten signatures executed on paper. Currently, the scope of this regulation is all
FDA program areas.

History of 21 CFR Part 11

In the late 1980s, drug and medical device manufacturers, biotech
companies, and other FDA-regulated industries requested FDA guidelines
for the use of e-sigs in paperless batch record systems. Part 11 was published
in 1997. After it was published, however, its enforcement was put on hold as
the result of discussions among industry, contractors, and the FDA
concerning the interpretation and implementation of the regulation.

In August 2003, the FDA published FDA Guidance for Industry Part 11,
Electronic Records; Electronic Signatures — Scope and Application, which
describes how Part 11 should be implemented and how the FDA would
enforce the regulation. These guidelines acknowledged that the need for
security measures was not the same for every piece of electronic
information. It also introduced the concept of risk analysis and promoted
the formal process of risk assessment to determine appropriate security
measures.

The regulation has never been fully enforced, but in 2011 the FDA will
begin conducting audits to ensure understanding of and compliance with
Part 11 as an element of routine quality inspections.

The FDA also intends to begin rulemaking to revise Part 11 to provide
further clarifications and adjustments consistent with the principles and
enforcement policies described in the August 2003 guidance document.

Benefits
In its quest to protect public health, Part 11 ensures that companies are
using good software and systems engineering practices as it pertains to the
use of electronic technology.

Why you should read this Book?


Because the FDA intends to enforce Part 11, organizations that use e-
recs and/or e-sigs, but fail to comply with Part 11 will be cited. This book
describes how to comply successfully with Part 11 for activities covered in
the August 2003 guidance document.

E-Signatures and
E-Records Explained
The Regulation
E-Records
Sample Regulatory Action
E-Records not impacted by Part 11
E-Signatures
E-Signatures not impacted by Part 11
Enforcement

THE REGULATION

The scope of Part 11 is summarized in Figure 1.


Figure 1: Part 11 Summary

Purpose: create criteria that permit the widest possible use of electronic
technology (an industry/FDA collaboration).

Areas:

· Scope: all electronic records created, modified, maintained, archived,
retrieved, or transmitted under FDA regulation; no grandfathering of legacy
systems.
· Electronic record management: computer system validation; system-enforced
workflow sequencing; accurate, complete record access throughout the record
retention period.
· Audit trail: computer-generated date and time stamp for all changes;
available throughout the record retention period.
· Security: role-based access control; prevention of unauthorized access and
urgent reporting of such attempts; training records; SOPs for ID/password
management, electronic signatures, and system documentation control.
· Electronic signatures: must certify to the FDA the binding authority of
electronic signatures prior to use; unique to one individual and not
reusable; signature manifestation in human-readable form; if not biometric,
must use at least two distinct identification components; different
requirements for multiple signings during continuous and non-continuous
periods of controlled access.

Note: A legacy system is a computer system already in operation before the effective
date of Part 11 (August 1997). "Grandfathering" would mean exempting such systems
from a regulation that came into effect after they were deployed. The FDA's
interpretation of Part 11 is that there is no grandfathering: the regulation
applies to legacy systems as well.

The contents of Part 11 are as follows:

Subpart A - General Provisions

11.1 Scope.
11.2 Implementation.
11.3 Definitions.

Subpart B - Electronic Records

11.10 Controls for closed systems.
11.30 Controls for open systems.
11.50 Signature manifestations.
11.70 Signature/record linking.

Subpart C - Electronic Signatures

11.100 General requirements.
11.200 Electronic signature components and controls.
11.300 Controls for identification codes/passwords.

You can read the entire regulation at
http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11.

E-Recs

Part 11 applies to records required to be maintained under the
applicable regulatory requirements:

· That are maintained in electronic format in place of paper format;
· That are maintained in addition to paper format and that are relied
upon to perform regulated activities;
· That are not specifically identified in FDA regulations but are submissions
the FDA accepts in electronic format (the electronic submission
program can be found at
http://www.fda.gov/ForIndustry/FDAeSubmitter/default.htm).

For example, if records in Section 111.180 in 21 CFR Part 111 (Current
Good Manufacturing Practice in Manufacturing, Packaging, Labeling, or
Holding Operations for Dietary Supplements; Final Rule) are to be
maintained in electronic format, then Part 11 is applicable to these records.

The FDA recommends that, for each record in your
organization required to be maintained under the applicable
regulation, you should determine in advance whether it will be
an e-rec or paper record and this should be documented in a
Standard Operating Procedure (SOP) or specification
document.

Sample Regulatory Action

An inspection was made at a drug manufacturer. An FDA-483
Inspectional Observation was not issued, but several items were discussed
verbally with the firm and recorded in the Establishment Inspection Report
(EIR), including Part 11 computer systems compliance. The inspector
explained that computerized records required under Food and Drug Good
Manufacturing Practices (GMPs) must comply with Part 11 regulations.

Computerized records that the firm keeps to make it easier to sort or
find certain information, however, would not need to comply with Part 11
regulations. For example, if the firm has a database for complaints but still
records everything on paper (and the paper copy is the official record), the
database would not need to comply with Part 11. If the database was the
only record, however, it must comply with Part 11.

E-Recs not impacted by Part 11
FDA considers Part 11 not to be applicable to:

· Records maintained in electronic format that are not required to be
retained under the applicable regulation;
· Records used in generating a submission but not themselves submitted
(unless they are otherwise required to be maintained under a predicate
rule and are maintained in electronic format).

The applicable requirements are those found in the Title 21 CFR (Food and Drugs)
regulations.

The integrity, accuracy, and reliability of e-recs not impacted by Part 11
can be assured by the validation of the computer system containing those
records and by the associated supporting programs, such as configuration
management and security.

E-Sigs

Part 11 is applicable to e-sigs that are intended to be the equivalent of:

· Handwritten signatures;
· Handwritten initials;
· Other general signings required by the applicable regulations
impacting a computer system.

For example, 21 CFR 820.30(d) (Design Output) requires approval, via date
and signature, of the design output. If data in design output files are kept
electronically, the files can be signed electronically.

Part 11 signatures also include e-sigs used, for example, to document
that certain events or actions occurred in accordance with applicable
regulations impacting the computer system (approved, reviewed, verified,
and so on).

E-Sigs not impacted by Part 11

FDA considers Part 11 to be not applicable to e-sigs that are not
required to be retained under applicable regulations, but that are
maintained in electronic format.

Enforcement

The FDA intends to enforce the following Part 11 provisions:

· System access to authorized individuals;
· Operational system checks;
· Authority checks;
· Device checks;
· Qualifications of electronic systems developers and users;
· E-sig written policies;
· System documentation control;
· Open system control;
· E-sig requirements.

General Rules of System Access
System Access to Authorized Individuals
Sample Regulatory Action
Operational System Checks
Electronic Signatures
Multi-signing
Unauthorized use of user IDs and passwords
Automatic log out
Signature/record linkage
Validating Operational Checks
Authority Checks
Sample Regulatory Action
Device Checks
Qualifications of Electronic Systems Developers and Users

System Access to Authorized Individuals

Access must be limited to authorized individuals. The FDA recommends
that:

· Each user of the system have an individual account;
· Users log into their accounts at the beginning of a data entry
session, input information (including changes) on the electronic
record, and log out at the completion of the data entry session;
· The system be designed to limit the number of log-in attempts and
to record unauthorized log-in attempts;
· Users work only under their own user profiles, encompassing
unique user IDs and individual passwords or other access keys, and
not share these with others;
· The system not allow an individual to log into the system to provide
another person access to the system;
· Passwords or other access keys be changed at established intervals
commensurate with a documented risk assessment;
· When leaving a workstation, users should log off the system.
Alternatively, an automatic log off may be appropriate for long idle
periods;
· For short periods of inactivity, an automatic protection (for
example, an automatic screen saver) be installed against
unauthorized data entry.

Sample Regulatory Action

An inspection for compliance with 21 CFR 211 in November 1997
resulted in a warning letter for a company because there were insufficient
controls in place to ensure the integrity of data calculated by software in its
quality control laboratory. Specifically:

· There was no audit trail to track the number of templates accessed
to generate data calculations;
· Password protection could be bypassed in the system;
· Data files were automatically deleted after a hardcopy was
generated, and there was no requirement to identify the analyst or
time/date stamp spreadsheet hardcopies.

Operational System Checks

Part 11 requires operational checks that enforce the sequencing of
steps and events. These checks consist of operation sequencing algorithms,
operator instructions, critical embedded requirements, and safety-related
precautions built into computer systems. This topic discusses some of the
more critical operational system checks.

E-sigs

Display, in any human readable form (including screen displays and printouts),
the:

· Signature;
· Printed name of the signer;
· Date and time of signing;
· Meaning associated with the signing.

Display these immediately after the signature is executed, when
displaying a signed record, and when printing signed electronic records. For
example, a hand-signed document would carry wet signatures on the cover
page; an electronically signed document would display these components
on an equivalent page.

Multi-Signing

When an individual executes a series of signings during a single,
continuous period of controlled system access, the signings must be
executed as follows:

· First signing: require both a user ID and password;
· Second and subsequent signings during that period of continuous,
controlled access: require at least the password component (either
re-entry of the password or both user ID and password).

When the signings are not executed during a single, continuous period of
controlled system access, each signing requires both the user ID and the
password.

One signature can apply to multiple data entries on a screen as long as the
items the signature applies to are indicated clearly.

Unauthorized use of user IDs and Passwords

Systems which use e-sigs must be designed so that unauthorized
attempts to use a signature are detected and reported to security
management. The security system should:

· Be capable of identifying situations where misuse occurs;
· Notify security management appropriately;
· Disable access to the software application after repeated attempts
at unauthorized access, and log a message to a historical file or
send a message to a system administrator workstation;
· Have a defined process for investigating attempted security
violations so they are handled promptly.
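The session rules of the last three sections (limiting and recording failed log-in attempts, the multi-signing rule, detection of signature misuse, and disabling access with a message to security management) can be shown in working code. The following Python example is added here and is not code from the book or from any vendor; it assumes a constructed credential store, a lockout threshold of three attempts (a policy value the regulation leaves to the firm), and in-memory lists standing in for the historical file and the security-management alert channel.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

MAX_FAILED_ATTEMPTS = 3  # assumed policy value; Part 11 leaves the number to the firm


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)  # salted, slow hash


def make_user(user_id: str, password: str) -> dict:
    """Constructed credential record; a real system keeps these in a protected store."""
    salt = os.urandom(16)
    return {"user_id": user_id, "salt": salt, "pw_hash": _hash_password(password, salt),
            "failed": 0, "disabled": False}


@dataclass
class SignatureWorkstation:
    users: dict                                          # user ID -> credential record
    current_user: Optional[str] = None                   # owner of the continuous period of controlled access
    signings_this_session: int = 0
    signatures: list = field(default_factory=list)
    event_log: list = field(default_factory=list)        # stands in for the historical file
    security_alerts: list = field(default_factory=list)  # stands in for messages to security management

    def _verify(self, user_id: str, password: str) -> bool:
        u = self.users.get(user_id)
        if u is None or u["disabled"]:
            self.event_log.append(f"REJECTED user={user_id} (unknown or disabled)")
            return False
        if hmac.compare_digest(u["pw_hash"], _hash_password(password, u["salt"])):
            u["failed"] = 0
            return True
        u["failed"] += 1
        self.event_log.append(f"FAILED_AUTH user={user_id} attempt={u['failed']}")
        if u["failed"] >= MAX_FAILED_ATTEMPTS:  # disable access after repeated unauthorized attempts
            u["disabled"] = True
            self.security_alerts.append(f"ACCOUNT_DISABLED user={user_id} after {u['failed']} failed attempts")
        return False

    def login(self, user_id: str, password: str) -> bool:
        if self.current_user is not None:  # one individual must not log in to hand the session to another
            self.security_alerts.append(f"LOGIN_DURING_SESSION session={self.current_user} attempted={user_id}")
            return False
        if not self._verify(user_id, password):
            return False
        self.current_user, self.signings_this_session = user_id, 0
        return True

    def logout(self) -> None:
        self.current_user, self.signings_this_session = None, 0

    def sign(self, record_id: str, meaning: str, password: str, user_id: Optional[str] = None) -> dict:
        """11.200(a)(1): first signing of a continuous period needs both components, later signings in
        that period need at least the password, and outside such a period every signing needs both."""
        if self.current_user is None:
            if user_id is None:
                raise PermissionError("no controlled session: user ID and password are both required")
            signer = user_id
        else:
            if user_id is not None and user_id != self.current_user:
                self.security_alerts.append(f"SIGNATURE_MISUSE session={self.current_user} claimed={user_id}")
                raise PermissionError("signature attempted under another individual's session")
            if self.signings_this_session == 0 and user_id is None:
                raise PermissionError("first signing of the session requires user ID and password")
            signer = self.current_user
        if not self._verify(signer, password):
            raise PermissionError("authentication failed")
        if self.current_user is not None:
            self.signings_this_session += 1
        sig = {"record_id": record_id, "signer": signer, "meaning": meaning,
               "signed_at": datetime.now(timezone.utc).isoformat(timespec="seconds")}
        self.signatures.append(sig)
        return sig


def _denied(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Walk through the scenarios and return what happened so it can be checked."""
    ws = SignatureWorkstation(users={"jdoe": make_user("jdoe", "Correct-Horse-9")})
    out = {"login": ws.login("jdoe", "Correct-Horse-9")}
    out["first"] = ws.sign("BR-1001", "Approved", "Correct-Horse-9", user_id="jdoe")["signer"]
    out["second"] = ws.sign("BR-1002", "Reviewed", "Correct-Horse-9")["signer"]  # password alone
    out["misuse_blocked"] = _denied(lambda: ws.sign("BR-1003", "Approved", "Correct-Horse-9", user_id="asmith"))
    ws.logout()
    out["needs_both_after_logout"] = _denied(lambda: ws.sign("BR-1004", "Approved", "Correct-Horse-9"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        ws.login("jdoe", "wrong-password")
    out["locked_out"] = ws.users["jdoe"]["disabled"] and not ws.login("jdoe", "Correct-Horse-9")
    out["alerts"] = [a.split(" ")[0] for a in ws.security_alerts]
    return out


if __name__ == "__main__":
    print(demo())
```

The lockout counter and the alert list are the parts an auditor will ask about: the counter is reset only by a successful authentication, the account stays disabled until an administrator re-enables it (not shown), and every refusal leaves a line in the historical file.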

Automatic log out
The application must be able to detect when a workstation experiences
a long idle period and automatically log a user out.

Signature/record linkage
Signature/record linkage can be achieved by linking the user ID, obtained
from a secure password file, to the signed record. Signatures must be linked
to their records such that they cannot be removed, copied, changed, or
otherwise transferred to falsify a record by ordinary means. The signer's
full name doesn't have to be embedded in the record itself; the name field
can point to a file containing the full name of the signer.

The link must be retained for as long as the record is kept, just as a
handwritten signature stays with the paper. Although a user ID/password
can be removed from the current user database, it must still be retained in an
archive to maintain the signature and record linkage.
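To make the signature manifestation (printed name, date/time, meaning) and the signature/record linkage concrete, the following Python example is added here; it is not from the book or from any vendor product. It binds the signature to a SHA-256 digest of the record and to the signer's user ID with an HMAC under a system-held key (an assumption; on an open system a public-key digital signature would take the place of the HMAC), resolves the printed name from a constructed signer directory rather than embedding it in the record, and shows that copying the signature to another record, editing the record, or editing the signature block is detected.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Assumed: a secret held by the system (for example in an HSM or protected configuration),
# never by users. The value here is a placeholder for the example only.
SYSTEM_KEY = b"example-only-system-key-replace-in-production"

# Constructed signer directory. The signature block stores only the user ID; the printed
# name is resolved from here, as the guide allows (the name field "can point to a file").
SIGNER_DIRECTORY = {"jdoe": "Jane Doe", "asmith": "Arun Smith"}


def _canonical(obj: dict) -> bytes:
    # Deterministic serialization so the same content always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record: dict) -> str:
    return hashlib.sha256(_canonical(record)).hexdigest()


def sign_record(record: dict, signer_id: str, meaning: str, signed_at: Optional[str] = None) -> dict:
    """Create a signature block bound to this record's identity and content."""
    signature = {
        "record_id": record["record_id"],
        "record_digest": record_digest(record),
        "signer_id": signer_id,
        "meaning": meaning,
        "signed_at": signed_at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    # The MAC covers every field above, so none of them can be altered without detection.
    signature["mac"] = hmac.new(SYSTEM_KEY, _canonical(signature), hashlib.sha256).hexdigest()
    return signature


def verify_linkage(record: dict, signature: dict) -> Tuple[bool, str]:
    """Check that the signature block is intact, belongs to this record, and the record is unchanged."""
    body = {k: v for k, v in signature.items() if k != "mac"}
    expected = hmac.new(SYSTEM_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signature.get("mac", ""), expected):
        return False, "signature block altered"
    if signature["record_id"] != record["record_id"]:
        return False, "signature belongs to a different record"
    if signature["record_digest"] != record_digest(record):
        return False, "record changed after signing"
    return True, "ok"


def manifestation(signature: dict) -> str:
    """Human-readable signature manifestation: printed name, date/time and meaning (11.50)."""
    name = SIGNER_DIRECTORY.get(signature["signer_id"], signature["signer_id"])
    return (f"Signed by: {name} (user ID {signature['signer_id']})\n"
            f"Date/time: {signature['signed_at']}\n"
            f"Meaning: {signature['meaning']}")


if __name__ == "__main__":
    batch = {"record_id": "BR-1001", "product": "Lot 42", "yield_pct": 98.2}  # constructed record
    sig = sign_record(batch, "jdoe", "Approved")
    print(manifestation(sig))
    print(verify_linkage(batch, sig))
    print(verify_linkage(dict(batch, yield_pct=99.9), sig))
```

Because the signer directory is consulted at display time, the user ID in the signature block must never be reassigned; the archived directory entry is what keeps the printed name resolvable for the whole retention period, exactly as the section above requires for the user ID/password record.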

Validating Operational Checks

Validating operational checks includes:

· Documenting the program (including a requirements specification,
which describes what the software is intended to do);
· Performing inspections and testing so that no step or
specification can be missed or poorly executed/assigned;
· Documenting initial and final steps.

Authority Checks

An authority check is considered to be an operational check. The system
must implement authority checks to ensure that only authorized individuals
can:

· Use the system to sign records;
· Access the operation or device;
· Alter records;
· Perform the operation at hand.

The computer system must be designed to make distinctions between
system access, system functions, and the input and output devices used by
the system. Authority checks are based on the various roles and
responsibilities assigned to individuals.

Sample Regulatory Action

An inspection of a pharmaceutical manufacturer revealed serious
regulatory problems with electronic records. The FDA found that computer
data, including analysis results, could be changed after they were approved
by a supervisor. It was documented in an FDA report that the computer
system did not have the functionality of an electronic audit trail as required
for Part 11 compliance.

The company responded with a three-step corrective action plan
committing to upgrade its computer system to address the concern, totally
update the system to comply with Part 11, and record the date and time of
operator entries and actions to create an audit trail.

Device Checks

A device check is also considered to be an operational check.
Systems must be designed to implement device checks, including recording
the location (node) of the workstation where each entry was made.

Device checks enable a software application to determine whether the
input being generated by a particular device is appropriate (device checks
are not required in all cases). These checks can be used when certain
devices are selected to be legitimate sources of data input or commands. For
example, in a networked environment it may be necessary for security
reasons to limit critical commands to a particular authorized workstation.
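Authority checks (role based) and device checks (workstation allowlists for critical operations) combine naturally in one authorization decision. The Python example below is added here to demonstrate both sections; it is not code from the book. The roles, permissions, user assignments and workstation names are constructed for the example, and the audit list stands in for the system's log; every decision records the node from which the request came, as the device-check section requires.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed role model. Authority checks are based on the roles and responsibilities
# assigned to individuals; the names here are for the example only.
ROLE_PERMISSIONS = {
    "analyst":    {"record.create", "record.edit"},
    "supervisor": {"record.create", "record.edit", "record.approve"},
    "sysadmin":   {"system.configure"},
}
USER_ROLES = {"jdoe": {"analyst"}, "mlee": {"supervisor"}, "ops1": {"sysadmin"}}

# Constructed device allowlist: critical operations may only be issued from the named
# workstation nodes. Operations absent from this table are allowed from any node.
OPERATION_NODES = {
    "record.approve":   {"QC-WS-01", "QC-WS-02"},
    "system.configure": {"ADMIN-WS-01"},
}


@dataclass(frozen=True)
class Request:
    user_id: str
    operation: str
    node: str            # workstation (node) where the entry is being made
    record_id: str = ""


def permissions_for(user_id: str) -> Set[str]:
    """Union of the permissions of every role assigned to the user (empty for unknown users)."""
    return set().union(*(ROLE_PERMISSIONS.get(role, set()) for role in USER_ROLES.get(user_id, set())))


def authorize(req: Request, audit: List[str]) -> bool:
    """Authority check first, then device check; every decision is logged with the originating node."""
    if req.operation not in permissions_for(req.user_id):
        audit.append(f"DENY authority user={req.user_id} op={req.operation} node={req.node}")
        return False
    allowed_nodes = OPERATION_NODES.get(req.operation)
    if allowed_nodes is not None and req.node not in allowed_nodes:
        audit.append(f"DENY device user={req.user_id} op={req.operation} node={req.node}")
        return False
    audit.append(f"ALLOW user={req.user_id} op={req.operation} node={req.node} record={req.record_id}")
    return True


if __name__ == "__main__":
    log: List[str] = []
    for r in (Request("mlee", "record.approve", "QC-WS-01", "BR-1001"),
              Request("jdoe", "record.approve", "QC-WS-01", "BR-1001"),
              Request("mlee", "record.approve", "LAB-LAPTOP-7", "BR-1001")):
        authorize(r, log)
    print("\n".join(log))
```

Denials are logged as well as approvals: the regulation's interest in "unauthorized access" attempts is served only if a supervisor approving from an unlisted laptop, or an analyst trying to approve at all, leaves a record that security management can review.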

Qualifications of Electronic Systems Developers and Users

Organizations that use computer systems in an FDA-regulated
environment must determine that individuals (employees and contractors)
who develop, maintain, or use computer systems have the education,
training, and experience necessary to perform their assigned tasks. Training
should:

· Be provided to individuals in the specific operations of the computer
systems that they will use;
· Be conducted by qualified individuals on a continuing basis as
needed to ensure familiarity with the computer system, associated
procedures, and any changes to the system during the course
of operation;
· Cover system operation, bugs, regulatory requirements, system
changes, security procedures, manual operation, and
documentation of system errors.

Training conducted online must be performed in a controlled (secure)
environment to ensure that production systems and data are not adversely
impacted.

The FDA recommends that computer education, training, and
experience be documented.

E-Signatures
E-sig Written Policies
Authentication and non-repudiation
Methods of Authentication
E-sig Certification

E-sig Written Policies

The use of an e-sig refers to the act of attaching a signature by electronic
means. The same legal weight associated with original signatures on paper
documents is applicable to e-sigs. Organizations using e-sigs must ensure
that each e-sig is:

· Unique to one individual;
· Not reused by or reassigned to anyone else;
· Authenticated.

Authentication and non-repudiation

The authentication process is used to verify the identity of a person or
the integrity of specific information. For an e-rec, authentication involves
ascertaining its source (authenticity) and that it has not been modified or
replaced in transit (integrity). Non-repudiation means that the signer cannot
later deny having signed the record, because the signature is bound both to
the signer's identity and to the record content.

Authentication and non-repudiation:

· Are critical building blocks of computer security because they are
the basis for most types of access control and for establishing user
accountability;
· Prevent unauthorized people (or unauthorized processes) from
entering a computer system.

Access control usually requires that the system be able to identify and
differentiate among users and is based on "least privilege," which refers to
granting users only those functions required to perform their duties.

User accountability requires linking activities on a system to specific
individuals and, therefore, requires the system to identify users.

Methods of Authentication

Three common user authentication methods are:

· PIN (Personal Identification Number) and static passwords;
· PIN and dynamic passwords;
· Biometric devices.

Typically, the authentication process starts when a user enters an
identifier (such as a user ID or PIN) into a system and then authenticates his
or her identity by providing a second piece of information which is known or
can be produced only by the user (a password, typically).

The most common methods for providing strong authentication
include automatic password generators (tokens) and smartcards. Tokens
and smartcards store information about a person; smartcards require the use
of a reader device. To protect against theft, the person must enter a password
or PIN before the information in the token or smartcard can be accessed.

E-sig certification
The FDA requires organizations to certify that the e-sigs used in their
systems (on or after August 20, 1997) are the legally binding equivalent of
traditional handwritten signatures. Instead of individual certifications,
usually one certification is submitted by the organization representing all
employees. All employees must be trained regarding the meaning of this
certification to the FDA.

Documentation
and Regulatory Controls
System Documentation Control
Sample Regulatory Action

System Documentation Control

Computer system documentation includes records that relate to an
established system, from high-level design documents to end user manuals,
that support the computer system validation effort. System documentation
may be:

· Printed material;
· E-recs such as computer files, storage media, or film.

The documentation must reflect the computer system as it is in the
operational environment.

Computer systems documentation is regarded as software. All
regulatory provisions applicable to software are also applicable to its
documentation. For example, obsolete documentation must be archived or
destroyed in accordance with a written record retention plan.

System documents must be available, if needed, for review during
inspection.

Sample Regulatory Action
An inspection for compliance at a device manufacturer revealed that
there was no documentation associated with the electronic system that
collected analytical results.

The Difference
between Open and Closed Systems
Open System Controls
Closed System Controls

Open System Controls
The FDA intends to enforce two controls for open systems:

· Document encryption;
· Digital signature standards.

Because the authenticity, integrity, and confidentiality of records are
threatened not only by improper access but also by the interception of
information during electronic transmission, it is recommended that
encryption be implemented for the transmission of e-recs over open systems.
Digital signatures, if properly implemented and used, offer a strong
solution for the integrity and authenticity of e-recs on open systems because
the signature is cryptographically bound to both the record content and the
signer's key, so any change to the record after signing is detectable.

You can read an introduction to encryption at
http://www.itsecurity.com/features/encryption-101-010308/.
Information about the legal implications of digital signatures
can be found at http://www.abanet.org/scitech/ec/isc/dsg-tutorial.html.

Closed System Controls
According to the regulation, closed systems are environments in which
system access is controlled by persons who are responsible for the content
of the electronic records that are on the system. Controls associated with closed
systems are defined in 21 CFR 11.10.

21 CFR 11.10 contains requirements that must be implemented
physically, technically, or utilising a hybrid of physical and technical
controls, such as:

· System validation;
· The ability to reproduce the e-rec in human readable form
throughout the retention period;
· Permitting access to authorized personnel only;
· Audit trails showing date/time stamps against any operations
performed on the e-rec (such as creation, modification or deletion
of e-recs);
· Operational checks.

Computer System Validation

Computer Systems Validation
Elements to Successful Validation
Validation Documentation
Sample Regulatory Action

Computer Systems Validation

Computer systems validation, an element of the system development
life cycle, is one of the most important regulatory requirements for
computer systems in the good manufacturing practices (GMP) environment.
The objective of the validation process is to ensure the accuracy, reliability,
consistency, and intended performance of a computer system. Validation of
computer systems establishes conformance to user requirements, regulations,
safety requirements, and the intended functions that have been allocated to
the computer. The FDA requires that organizations comply with all applicable
regulatory validation requirements, including validation:

· Of design (including software validation and risk analysis, where
appropriate);
· Of computer software for its intended use;
· Based on a written and approved protocol;
· Of software changes before approval and issuance.

The validation process must also take into account risk and the
potential of the system to affect product quality and safety.

After demonstrating the system's suitability to system requirements and
regulations, an on-going monitoring program maintains the system in a
"validated" state.

There are plenty of regulatory requirements and standards that call for the
validation of computer systems. For example:

- Medicines and Healthcare products Regulatory Agency (MHRA) (UK) guidance.
- IEEE standards.
- EU PIC/S PI 011-3.
- 21 CFR 211.68.
- 21 CFR 820.30(g).
- 21 CFR 820.70(i).
- 21 CFR 11.10(a).
- Q7A Good Manufacturing Practice Guidance for Active
Pharmaceutical Ingredients.

Elements to Successful Validation

The elements to successfully validating a computer system include:

· Selecting a development methodology that best suits the nature of
the system;
· Selecting hardware based on capacity and functionality;
· Identifying operational limits to establish production procedures;
· Identifying operational functions associated with the users,
processes, regulations, company standards, and safety
requirements;
· Identifying and testing worst-case production scenarios;
· Reproducing test results based on statistics;
· Documenting the validation process;
· The availability of written procedures to maintain the validated
state of the computer system.

Validation
Documentation

Validation documentation demonstrates that e-recs controls and e-sigs


are implemented as designed. Validation documentation consists of:

· A written design specification that describes what the software is


intended to do and how it is intended to do it;
· A written test plan based on the design specification, including both
structural and functional analysis;
· Test results and an evaluation of how these results demonstrate
that the predetermined design specification has been met.

Sample Regulatory Action

During an inspection for compliance, a company received a warning
letter for failing to establish and maintain proper procedures for validating a
device’s design to ensure that it conformed to user needs and intended uses.

Audit Trails

Audit trails are journals or records of modifications—by users or by
processes operating on the user’s behalf—to e-recs. Data needs to be
protected from unauthorized modification and destruction to enable
detection and after-the-fact investigations of security violations. This
operational check provides the capability for modified data to be
reconstructed in its previous form. Audit trails indicate the time of the
record modification and the types of modifications performed. Audit trails:

· Must be computer generated;
· Can be either part of the electronic record itself or a separate
record;
· Cannot be modified by the individual who created them;
· Must indicate when the data was first entered and by whom;
· Must indicate when any changes were made and by whom.

Additionally, the date and time attached to the audit trail and to the
e-signature should be:

· Synchronized to a trusted date and time source (National Institute of
Standards and Technology, NIST);
· Confirmed upon every boot-up;
· Changed and documented by authorized personnel only;
· Local to the activity being documented.

There are a number of third-party programs that will synchronize any
computer’s clock to the NIST clock. One such program is free and available
at http://www.40tude.com/time/lite/index.htm
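As an added example (not code from this guide), the following Python sketch shows one way to implement the audit trail points above: every entry is computer generated, names the user and the time, keeps the previous value so the record can be reconstructed in its previous form, and is hash-chained so that a later edit to the trail, even by its own author, is detectable. The class, field names and sample values are our own; the clock supplying the timestamps is assumed to be synchronized to a trusted source as described above.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical audit-trail implementation written for this example.
GENESIS = "0" * 64          # chain anchor for the first entry

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditedRecord:
    """An e-record whose every field change is journaled in an audit trail."""

    def __init__(self, record_id, user, fields, now=None):
        self.record_id = record_id
        self.fields = {}
        self.trail = []                         # append-only; never edited in place
        for name, value in fields.items():      # initial entries: when and by whom
            self.update(user, name, value, now)

    def update(self, user, field, new, now=None):
        """Change a field; the old value goes into the trail and is never lost."""
        # `now` is an ISO timestamp from a clock synchronized to a trusted source
        ts = now or datetime.now(timezone.utc).isoformat()
        prev = self.trail[-1]["hash"] if self.trail else GENESIS
        body = {"record": self.record_id, "field": field, "old": self.fields.get(field),
                "new": new, "user": user, "time": ts, "prev": prev}
        self.trail.append({**body, "hash": _digest(body)})   # computer generated
        self.fields[field] = new

    def reconstruct(self, up_to):
        """Rebuild the record as it stood after the first `up_to` trail entries."""
        state = {}
        for entry in self.trail[:up_to]:
            state[entry["field"]] = entry["new"]
        return state

    def verify(self):
        """True if no entry was altered or spliced out of the chain since it was written."""
        prev = GENESIS
        for entry in self.trail:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```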

Sample Regulatory Action

During an inspection for compliance, a warning letter was issued to a
company because it had not exercised appropriate controls over a computer
system to ensure that changes in master production and control records
were performed by authorized personnel only.

E-Records

Record Retention

Part 11 defines how required e-recs must be managed. The retention
requirements of records are contained in the applicable regulation. In
addition, current GMP establishes the relationship between e-recs and the
applicable regulation impacting those e-recs.

Part 11 should not impose additional records retention for those
records impacted by Part 11. The organization owning the e-recs, however,
may want to impose more stringent retention requirements that may be
based on legal requirements.

Records Archiving

Records archiving is the process of moving data that is no longer actively
used to a separate data storage device for long-term retention. Records
archives include:

· Older data that is still important and necessary for future reference;
· Data that must be retained for regulatory compliance;
· Content and meaning of the records.

Required records can be archived in electronic format to non-electronic
media (microfilm, microfiche, and paper) or to a standard electronic file
format (such as PDF, XML, or SGML).

Additional considerations for archival of records include:

· Archived records should be secured by physical and/or electronic
means against willful or accidental damage, as applicable;
· Storage areas used as archives should have regular, recorded
inspections to ensure that temperature and humidity levels comply
with published standards (paper, microfilm, and so on) or
manufacturer recommendations (electronic media);

· Archived records should be checked for accessibility, accuracy, and
completeness by methods appropriate to the format;
· For e-recs, if changes are proposed to the computer equipment or
its programs, the above mentioned checks should be performed at
a frequency appropriate to the storage medium being used;
· Where e-recs are accurately and completely transcribed from the
obsolete system to another, it may not be necessary to maintain the
obsolete system. Documentation is to be maintained and available
for systems that were retired;
· Archived e-recs should be protected by backing them up at regular
intervals. Backups of archived e-recs should be stored as long as
required by the retention schedule at a separate and secure
location.

Records archiving requirements for required records are covered in the
applicable regulation and must be fully satisfied.
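As an added example (not from this guide), the following Python code implements the accessibility, accuracy and completeness check for archived e-recs called for above: a manifest of SHA-256 digests is recorded when records are archived, and each periodic check compares the archive against that manifest. The function names and the two sample records are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical archive-check routine written for this example.

def build_manifest(archive_dir):
    """Record the digest of every archived file at archival time."""
    root = Path(archive_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_archive(archive_dir, manifest):
    """Periodic check; returns findings grouped by the kind of problem found."""
    root = Path(archive_dir)
    findings = {"missing": [], "unreadable": [], "altered": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.exists():                               # completeness
            findings["missing"].append(rel)
            continue
        try:
            data = path.read_bytes()                        # accessibility
        except OSError:
            findings["unreadable"].append(rel)
            continue
        if hashlib.sha256(data).hexdigest() != expected:    # accuracy
            findings["altered"].append(rel)
    # files present that were never archived also count as a discrepancy
    findings["unexpected"] = sorted(set(build_manifest(root)) - set(manifest))
    return findings

def archive_ok(findings):
    """True only when every category of finding is empty."""
    return not any(findings.values())

def make_sample_archive():
    """Constructed sample archive: two batch records in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="archive-"))
    for batch in ("BATCH-001", "BATCH-002"):
        (root / batch).mkdir()
        (root / batch / "record.xml").write_text(f"<record id='{batch}'/>")
    return str(root)
```

Running `check_archive` on a schedule and filing the findings gives the recorded inspections the archiving bullets ask for.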

Record Copying

The FDA recommends that the copying process used to produce copies
preserves the content and meaning of the e-rec. The copy process may use
common portable formats and, for consistency, consider automated
conversion or export methods.

Sample Regulatory Action

An inspection for compliance made at a device manufacturer revealed
that data was copied onto the server from one system to the next via floppy,
so neither limited access nor data protection had been established.

Hybrid & Legacy Systems

Hybrid Systems

The updated interpretation of hybrid systems takes into account that
paper and electronic record and signature components can co-exist as long
as the regulatory requirements applicable to the system are met and the
content and meaning of those records are preserved.

Legacy Systems
A legacy system is a computer system already in operation before the
effective date of Part 11 (August 1997). A legacy system must:

· Meet all regulatory requirements applicable to the system before
and after the August 1997 effective date;
· Have documented evidence and justification that the system is fit
for its intended use. This includes having an acceptable level of
record security and integrity, as applicable.

If a legacy system was modified after August 1997 and the
modifications excluded the system from meeting regulatory requirements
applicable to the system, Part 11 controls should be applied to Part 11
records and signatures pursuant to the enforcement policy expressed in the
August 2003 guidance document.

Legacy systems performing functions in the applicable regulation will
be assessed for compliance with Part 11. As a pre-requisite to enter the
baseline state, a gap analysis and a plan for bringing these systems into
compliance must be completed. The gap analysis and associated plan should
be consistent with the August 2003 guidance document. A gap analysis is the
first step in identifying the inconsistencies with the regulation for each
system. Once the evaluation is completed, corrective action plans should be
generated and the system updated to bring it into regulatory compliance.

Summary

After more than 13 years from its inception, the FDA is ready to fully
enforce Part 11. The most critical activity a company can do is to identify and
define the records and/or signatures impacted by the applicable regulation.
Risk assessment is fundamental in determining the impact of product
quality and safety in the implementation of these technologies.

Appendix A; References

· ABA, “Digital Signature Guideline,”
(http://en.wikipedia.org/wiki/ABA_digital_signature_guidelines).
· Annex 11 to Volume IV of the Rules Governing Medicinal Products in the
European Community, Computerized Systems, January 11, 2011.
· FDA, “Electronic Records; Electronic Signatures Final Rule,” 62 Federal
Register 13430, March 20, 1997.
· FDA, “FDA To Conduct Inspections Focusing on 21 CFR 11 (Part 11)
requirements relating to human drugs,”
(http://www.fda.gov/AboutFDA/CentersOffices/CDER/ucm204012.htm).
· FDA, “Glossary of Computerized System and Software Development
Terminology,” Division of Field Investigations, Office of Regional
Operations, Office of Regulatory Affairs, Food and Drug Administration,
August 1995.
· FDA, “General Principles of Software Validation Guidance,” Office of
Device Evaluation, Center for Devices and Radiological Health, January
2002.
· FDA, “Part 11, Electronic Records; Electronic Signatures — Scope and
Application,” August 2003,
(http://www.fda.gov/RegulatoryInformation/Guidances/ucm125067.htm).
· FDA, “Pharmaceutical cGMPs for the 21st Century — A Risk-Based
Approach: Second Progress Report and Implementation Plan,”
(http://www.fda.gov/Drugs/DevelopmentApprovalProcess/Manufacturing/QuestionsandAnswersonCurrentGoodManufacturingPracticescGMPforDrugs/UCM071836).
· J. Andrew (Editor), “Validating Pharmaceutical Systems – Good Computer
Practice in Life Science Manufacturing,” Sue Horwood Publishing, 2005,
(www.crcpress.com).
· MetricStream, “21 CFR Part 11 Compliance Roadmap,”
(http://www.metricstream.com/insights/21CFR_Part11.htm).
· O. López, “Implementing Applications Compliant with 21 CFR Part 11,”
Pharmaceutical Technology, March 2000.
· O. López, “21 CFR Part 11 - A Complete Guide to International
Compliance,” Sue Horwood Publishing Limited, (www.crcpress.com).
· O. López, “Computer Systems Validation,” Encyclopedia of Pharmaceutical
Technology, ISBN: 0-8247-2826-2, Marcel Dekker, Inc.
· O. López, “FDA Regulations of Computer Systems in Drugs Manufacturing
– 13 Years Later,” Pharmaceutical Engineering, May/June 2001.
· O. López, “Overview of Technologies Supporting Security Requirements in
21 CFR Part 11,” Pharmaceutical Technology, February (Part I) and March
(Part II) 2002.
· Pharmaceutical Inspection Convention PIC/S Guidance, “Good Practices
for Computerised Systems in Regulated ‘GxP’ Environments,” PI 011-3,
September 2007.

Appendix B; Correlation between Part 11 and Annex 11

Each entry lists a 21 CFR 211.68 requirement, the related 21 CFR Part 11
section(s), and the related Annex 11 clause(s).

211.68: Computers may be used and require a validation program.
  21 CFR Part 11: 11.10(a), 11.10(f)
  Annex 11: 11-2, 11-3, 11-4, 11-5, 11-6, 11-7

211.68: Computer systems and validation documentation shall be maintained.
  21 CFR Part 11: 11.10(k)(2)
  Annex 11: 11-2, 11-11

211.68: There must be a system to control changes to the computer hardware
and software, including documentation.
  21 CFR Part 11: 11.10(d), 11.10(e)
  Annex 11: 11-11

211.68: Based on the complexity and reliability of the system there must be
programs to ensure the accuracy and security of computer inputs, outputs,
and data. This program includes prevention of unauthorized program changes
and how data are secured from alteration, inadvertent erasures, or loss.
  21 CFR Part 11: 11.10(d), 11.10(e), 11.10(g)
  Annex 11: 11-8, 11-9, 11-10

211.68: Computer electronic records must be controlled, and this includes
record backup, security, and retention.
  21 CFR Part 11: 11.10(c)
  Annex 11: 11-8, 11-13, 11-14

211.68: There must be a written program detailing the maintenance of the
computer system, including performance evaluation and periodic reviews of
the computer system.
  21 CFR Part 11: 11.10(k)
  Annex 11: 11-2

211.68: Specifically for Sections 211.101(c), 211.103, 211.182, and
211.188(b)(11), verification by a second individual may not be necessary
when automated equipment is used as described under Section 211.68.
  21 CFR Part 11: No related Part 11 requirement
  Annex 11: 11-9, 11-19

21 CFR Part 11 Quiz

1. What is Title 21 CFR Part 11?

2. What are the two main components concerned with the 21 CFR Part 11
Ruling?

3. When non-biometric measures are used, how many components are
required at a minimum to comprise an electronic signature?

4. Computer systems are suitably equipped to manage and store
electronic records and signatures; as long as this information is
retrievable it is sufficient in its native form. True or False?

5. Electronic records and signatures are deemed to be equivalent to
traditional handwritten signatures. What exceptions are permissible by
FDA?

6. The FDA intends to enforce specific Part 11 provisions. List 3 of these
enforcement provisions.

7. Sharing usernames and passwords is favorable by FDA and
pharmaceutical companies because this saves money on user licenses
for software. True or False?

8. What year was Title 21 CFR Part 11 first issued by FDA to Industry?

9. Electronic signatures must contain (in human readable form) a
minimum of which characteristics?

10. Why does 21 CFR Part 11 control record retention periods for electronic
records?

Answers

1. Part 11, as it’s commonly called, defines the criteria under which
electronic records and electronic signatures are considered to be
accurate, authentic, trustworthy, reliable, confidential, and equivalent
to paper records and handwritten signatures on paper. Currently, the
scope of this regulation is all FDA program areas.

2. Electronic Records and Electronic Signatures (e-recs and e-sigs).

3. At least two distinct identification components are required to comprise
an electronic signature; this is usually a username and password.

4. False; any electronic data must be retrievable in a human readable
format.

5. None; all systems must utilise electronic records and/or electronic
signatures, traditional paper-based records or signatures, or a
combination of both (a hybrid system).

6. Any of the following 3:
· System access to authorized individuals;
· Operational system checks;
· Authority checks;
· Device checks;
· Qualifications of electronic systems developers and users;
· E-sig written policies;
· System documentation control;
· Open system control;
· E-sig requirements.

7. False. It is completely forbidden / illegal to purport to be another
individual, regardless of the innocence of the intention. Would you share
the signature on the back of your ATM card?

8. 1997

9. All of the following:
· Signature;
· Printed name of the signer;
· Date and time of signing;
· Meaning associated with the signing.

10. Title 21 CFR Part 11 does not control record retention periods for
electronic records; record retention is controlled by the predicate rules.

SCORE

True False
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Your score

askaboutValidation
The Validation Specialists Connecting the Lifesciences
