21 CFR Part 11 outlines FDA regulations for electronic records and electronic signatures. It requires that electronic records be trustworthy, reliable, and equivalent to paper records. It also requires that electronic signatures be equivalent to handwritten signatures. The document then outlines the key subparts and sections of 21 CFR Part 11, including requirements for controls on closed and open systems, electronic signature components and controls, and validation of electronic records and signatures.

1. Dipak Patel
21 CFR PART 11

2. What is 21CFR11?
 21CFR = FDA, Code of Federal Regulations
 21CFR Part11 = ELECTRONIC RECORDS; ELECTRONIC
SIGNATURES
 21CFR58 = GLP
 21CFR210 = GMP, Drugs (General)
 21CFR211 = GMP, Drugs (Finished Pharmaceuticals)
 21CFR312 = Inv. New drug Application (GCP)
 21CFR314 = FDA Approval of new drug (GCP)
 21CFR6xx = GMP, biologics
 21CFR820 = GMP, Devices
 21CFR…… = Food, nutrients and cosmetics

3. PART 11 ELECTRONIC RECORDS; ELECTRONIC
SIGNATURES
 Subpart A--General Provisions
11.1- Scope.
11.2 - Implementation.
11.3 - Definitions
 Subpart B--Electronic Records
11.10 - Controls for closed systems.
11.30 - Controls for open systems.
11.50 - Signature manifestations.
11.70 - Signature/record linking.
 Subpart C--Electronic Signatures
11.100 - General requirements.
11.200 - Electronic signature components and controls.
11.300 - Controls for identification codes/passwords

4. 11.1 Scope
 a) electronic records to be trustworthy, reliable,
and generally equivalent to paper records
 b) records in electronic form that are created,
modified, maintained, archived, retrieved, or
transmitted,
 c) electronic signatures to be equivalent to full
handwritten signatures, initials, and other general
signings........ effective on or after August 20,
1997.
 d) Electronic records may be use in lieu of paper
records
 e) Computer systems (includinghardware and

5. 11.2 Implementation.
 a) For records required to be maintained but not
submitted to the agency,
-- provided that the requirements of this part are
met.
 b) For records submitted to the agency
1) The requirements of this part are met
2) document to be submitted have been identified
in public docket No. 92S–0251

6. 11.3 Definitions.
 Agency means the Food and Drug
Administration.
 Biometrics means a method of verifying an
individual’s identity based on measurement of the
individual’s physical feature(s) or repeatable
action(s) where those features and/or actions are
both unique to that individual and measurable
 Closed system means an environment in which
system access is controlled by persons who are
responsible for the content of electronic records
that are on the system

7. 11.3 Definitions.
 Digital signature means an electronic signature
based upon cryptographic methods of originator
authentication, computed by using a set of rules
and a set of parameters such that the identity of
the signer and the
 Electronic record means any combination of
text, graphics, data, audio, pictorial, or other
information representation in digital form that is
created, modified, maintained, archived,
retrieved, or distributed by a computer system.

8. 11.3 Definitions.
 Electronic signature means a computer data
compilation of any symbol or series of symbols
executed, adopted, or authorized by an individual to
be the legally binding equivalent of the individual’s
handwritten signature.
 Handwritten signature means the scripted name or
legal mark of an individual handwritten by that
individual and executed or adopted with the present
intention to authenticate a writing in a permanent
form. The act of signing with a writing or marking
instrument such as a pen or stylus is preserved. The
scripted name or legal mark, while conventionally
applied to paper, may also be applied to other devices
that capture the name or mark.
 Open system means an environment in which
system access is not controlled by persons who are
responsible for the content of electronic records that
are on the system

9. Subpart B—Electronic Records
 11.10 Controls for closed systems.
 11.30 Controls for open systems.
 11.50 Signature manifestations.
 11.70 Signature/record linking

10. 11.10 Controls for closed
systems
controls designed to ensure the authenticity, integrity and, when
appropriate, the confidentiality of electronic records
a) Validation of systems
b) Accurate and complete copies
c) Protection of records by ready retrieval
d) Limiting system access
e) Audit trails
f) Operational system checks
g) Authority checks
h) Device (e.g., terminal) checks
i) Education, training, and experience
J) Written policies
K) Documentation
 1) Distribution of, access and system operation and maintenance.
 2) Revision and change control

11. a) Validation of systems
 Validation of systems
to ensure accuracy,
reliability, consistent
intended
performance, and the
ability to discern
invalid or altered
records.
 Waters Corporation
has structurally
validated Empower 2
software and supplies
a certificate of
structural validation
with the Empower 2

12. b) Accurate and complete copies
 The ability to generate
accurate and
complete copies of
records in both human
readable and electronic
form suitable for
inspection, review, and
copying by the agency.
Persons should contact
the agency if there are
any questions regarding
the ability of the agency
to perform such review
and copying of the
electronic records.

13. c) Protection of records by ready
retrieval
 Protection of records
to enable their
accurate and ready
retrieval throughout
the records retention
period.

14. d) Limiting System Access
 Limiting system
access to authorized
individuals

15. e) Audit Trails
 Use of secure, computer-generated, time-stamped
audit trails to independently record the date and time
of operator entries and actions that create, modify, or
delete electronic records. Record changes shall not
obscure previously recorded information. Such audit
trail documentation shall be retained for a period at
least as long as that required for the subject electronic
records and shall be available for agency review and
copying.

16. f) Operation Check
 Use of operational
system checks to
enforce permitted
sequencing of steps
and events, as
appropriate.
 Empower 3 software
uses Wizards to
ensure proper
sequencing.
 Using the New
Chromatographic
System Wizard
 New Project Wizard
 Processing Method
Wizard
 Sample Set Method
Wizard
 Backup Project
Wizard
 Restore Project
Wizard

17. g) Authority Check
 Use of authority
checks to ensure that
only authorized
individuals can use
the system,
electronically sign a
record, access the
operation or computer
system input or output
device, alter a record,
or perform the
operation at hand.

18. h) Device Check
 Use of device (e.g.,
terminal) checks to
determine, as
appropriate, the
validity of the source
of data input or
operational
instruction.
 If it is a requirement of
the system that data
input or instructions
can only come from
specific input devices
(e.g. instruments,
terminals); does the
system check for the
correct device?

19. i) Education, training, and experience
 Determination that
persons who develop,
maintain, or use
electronic
record/electronic
signature systems
have the education,
training, and
experience to perform
their assigned tasks.

20. j) Written Policies
 The establishment of,
and adherence to,
written policies that
hold individuals
accountable and
responsible for
actions initiated under
their electronic
signatures, in order to
deter record and
signature falsification
 Written policies shall
be party of user
account open with
user sign and
statement “I am
accountable and
responsible for
actions initiated under
my electronic
signature in order to
deter record and
signature falsification”
.

21. k) Documentation
Use of appropriate controls
over systems
documentation including:
(1) Adequate controls over
the distribution of,
access to, and use of
documentation for system
operation and
maintenance.
(2) Revision and change
control procedures to
maintain an audit trail that
documents time-
sequenced development
and modification of
systems documentation
 Distribution of access
annexure
 System operation and
maintenance log
 Revision procedure
 Change control procedure
 Audit trial with Time
sequenced

22. 11.30 Controls for open
systems.
 Persons who use open systems to create, modify,
maintain, or transmit electronic records shall
employ procedures and controls designed to
ensure the authenticity, integrity, and, as
appropriate, the confidentiality of electronic
records from the point of their creation to the point
of their receipt. Such procedures and controls
shall include those identified in § 11.10, as
appropriate, and additional measures such as
document encryption and use of appropriate
digital signature standards to ensure, as
necessary under the circumstances, record
authenticity, integrity, and confidentiality.

23. 11.50 Signature
manifestations.
 a) Signed electronic
records shall contain
information associated
with the signing that
clearly indicates all of
the following:
 (1) The printed name
of the signer;
 (2) The date and time
when the signature was
executed; and
 (3) The meaning (such
as review, approval,
responsibility, or
authorship) associated
with the signature

24. 11.50 Signature
manifestations.
 b) The items identified
in paragraphs (a)(1),
(a)(2), and (a)(3) of
this section shall be
subject to the same
controls as for
electronic records and
shall be included as
part of any human
readable form of the
electronic record
(such as electronic
display or printout).

25. 11.70 Signature/record linking.
 Electronic signatures
and handwritten
signatures executed
to electronic records
shall be linked to their
respective electronic
records to ensure that
the signatures cannot
be excised, copied,
or otherwise
transferred to falsify
an electronic record
by ordinary means.

26. Subpart C—Electronic
Signatures
 11.100 General requirements.
a) Unique
b) Verify the identity
c) Certify
 11.200 Electronic signature components and controls
a) Non biometrics
 Code and password
 Genuine owners
 Other than its genuine owner requires collaboration
a) Biometrics
 11.300 Controls for identification codes/ passwords
a) Uniqueness
b) Code and password Periodically Checked
c) Loss management
d) Safeguard to prevent unauthorized
e) Periodic testing of devices

27. 11.100 General requirements.
a) Unique
 a) Each electronic
signature shall be
unique to one
individual and shall
not be reused by, or
reassigned to, anyone
else.

28. 11.100 General requirements.
b)Verify the identity
 b) Before an
organization
establishes, assigns,
certifies, or otherwise
sanctions an
individual’s electronic
signature, or any
element of such
electronic signature,
the organization shall
verify the identity of
the individual.
 At the time of joining
that activity done by
HR Department
 For vendor in service
agreement need to be
clarification.

29. 11.100 General requirements.
c) Certify to the agency
C) Persons using electronic signatures
shall, prior to or at the time of such
use, certify to the agency that the
electronic signatures in their system,
used on or after August 20, 1997,
are intended to be the legally
binding equivalent of traditional
handwritten signatures.
1) The certification shall be submitted
in paper form and signed with a
traditional handwritten signature, to
the Office of Regional Operations
(HFC–100), 5600 Fishers Lane,
Rockville, MD 20857.
2) Persons using electronic signatures
shall, upon agency request, provide
additional certification or testimony
that a specific electronic signature is
the legally binding equivalent of the
signer’s handwritten signature.
For 11.2 Implementation.
b) For records submitted to the
agency

30. 11.200 ES components and
controls
a) Non Biometric
 (a) Electronic signatures that
are not based upon biometrics
shall:
 (1) Employ at least two distinct
identification components
such as an identification code
and password.
 (i) When an individual executes a
series of signings during a
single, continuous period of
controlled system access, the first
signing shall be executed using all
electronic signature components;
subsequent signings shall be
executed using at least one
electronic signature component
that is only executable by, and
designed to be used only by, the
individual.
 (ii) When an individual executes
one or more signings not
performed during a single,
continuous period of controlled
system access, each signing shall
be executed using all of the
electronic signature components.

31. 11.200 ES components and
controls
a) Non Biometric
 (2) Be used only by their genuine owners; and
 (3) Be administered and executed to ensure that
attempted use of an individual’s electronic signature by
anyone other than its genuine owner requires
collaboration of two or more individuals.

32. 11.200 ES components and
controls
b) Biometric
 (b) Electronic
signatures based
upon biometrics shall
be designed to ensure
that they cannot be
used by anyone
other than their
genuine owners.

33. 11.300 Controls for identification
codes/
passwords
 Persons who use
electronic signatures
based upon use of
identification codes in
combination with
passwords shall
employ controls to
ensure their security
and integrity. Such
controls shall include:

34. a) Uniqueness
 (a) Maintaining the
uniqueness of each
combined
identification code
and password, such
that no two individuals
have the same
combination of
identification code
and password.

35. b) Code and password Periodically
Checked
 (b) Ensuring that
identification code
and password
issuances are
periodically checked,
recalled, or revised
(e.g., to cover such
events as password
aging).

36. c) Loss management
 (c) Following loss
management
procedures to
electronically
deauthorize lost, stolen,
missing, or otherwise
potentially compromised
tokens, cards, and other
devices that bear or
generate identification
code or password
information, and to
issue temporary or
permanent
replacements using
suitable, rigorous

37. d) Safeguard to prevent unauthorized
 (d) Use of transaction
safeguards to prevent
unauthorized use of
passwords and/or
identification codes, and
to detect and report in
an immediate and
urgent manner any
attempts at their
unauthorized use to the
system security unit,
and, as appropriate, to
organizational
management.

38. e) Periodic testing of devices
 (e) Initial and periodic
testing of devices,
such as tokens or
cards, that bear or
generate identification
code or password
information to ensure
that they function
properly and have not
been altered in an
unauthorized
manner.

39. 21 CFR PART 11
Subpart B—Electronic
Records
Subpart C—Electronic
Signatures
 11.10 Controls for closed systems.
a) Validation of systems
b) Accurate and complete copies
c) Protection of records by ready
retrieval
d) Limiting system access
e) Audit trails
f) Operational system checks
g) Authority checks
h) Device (e.g., terminal) checks
i) Education, training, and experience
J) Written policies
K) Documentation
 1) Distribution of, access
 2) Revision and change control
 11.30 Controls for open systems.
 11.50 Signature manifestations.
 11.70 Signature/record linking
 11.100 General requirements.
a) Unique
b) Verify the identity
c) Certify
 11.200 Electronic signature components and
controls
a) Non biometrics
 Code and password
 Genuine owners
 Other than its genuine owner requires collaboration
b) Biometrics
 11.300 Controls for identification codes/
passwords
a) Uniqueness
b) Code and password Periodically Checked
c) Loss management
d) Safeguard to prevent unauthorized
e) Periodic testing of devices

40. Scope and Application
 After part 11 became effective in August 1997, significant
discussions ensued among industry, contractors, and the
Agency concerning the interpretation and implementation
of the regulations
 FDA has
 (1) spoken about part 11 at many conferences
 (2) published a compliance policy guide, CPG 7153.17
 (3) published numerous draft guidance
 21 CFR Part 11; Electronic Records; Electronic Signatures,
Validation
 21 CFR Part 11; Electronic Records; Electronic
Signatures, Glossary of Terms
 21 CFR Part 11; Electronic Records; Electronic
Signatures, Time Stamps
 21 CFR Part 11; Electronic Records; Electronic
Signatures, Maintenance of Electronic Records
 21 CFR Part 11; Electronic Records; Electronic
Signatures, Electronic Copies of Electronic Records

41. Withdrawal draft guidance
 In the Federal Register of February 4,2003 (68
FR 5645), we announced the withdrawal of the
draft guidance for industry.
 In the Federal Register of February 25, 2003 (68
FR 8775), we announced the withdrawal of the
part 11 draft guidance documents on validation,
glossary of terms, time stamps, maintenance of
electronic records, and CPG 715.3.17.

42. Approach outlined in this
guidance
The approach outlined in this guidance is based on
three main elements
1) Part 11 will be interpreted narrowly; we are now
clarifying that fewer records will be considered subject
to part 11.
2) For those records that remain subject to part 11, we
intend to exercise enforcement discretion with regard
to part 11 requirements for validation, audit trails,
record retention, and record copying in the manner
described in this guidance and with regard to all part
11 requirements for systems that were operational
before the effective date of part 11 (also known as
legacy systems).
3) We will enforce all predicate rule requirements,
including predicate rule record and recordkeeping
requirements.

43. Narrow Interpretation of Scope
 We understand that there is some confusion about the scope of
part 11. Some have understood the scope of part 11 to be very
broad. We believe that some of those broad interpretations could
lead to unnecessary controls and costs and could discourage
innovation and technological advances without providing added
benefit to the public health. As a result, we want to clarify that the
Agency intends to interpret the scope of part 11 narrowly
 when persons choose to use records in electronic format in
place of paper format, part 11 would apply
 When persons use computers to generate paper printouts of
electronic records, and those paper records meet all the
requirements of the applicable predicate rules and persons
rely on the paper records to perform their regulated activities,
FDA would generally not consider persons to be "using
electronic records in lieu of paper records" under §§ 11.2(a) and
11.2(b). In these instances, the use of computer systems in the
generation of paper records would not trigger part 11.

44. Definition of Part 11 Records
 Records (and any associated signatures) that are
not required to be retained under predicate
rules, but that are nonetheless maintained in
electronic format, are not part 11 records.
 We recommend that you document such
decisions based on the predicate rules, whether
specific records are part 11 records.
 you use a computer to generate a paper printout
of the electronic records, but you nonetheless
rely on the electronic record to perform
regulated activities. part 11 applies.

45. Definition of Part 11 Records
 Records submitted to FDA, under predicate rules
in electronic format. However, a record that is not
itself submitted, but is used in generating a
submission, is not a part 11 record unless it is
otherwise required to be maintained under a
predicate rule and it is maintained in electronic
format.
 Electronic signatures that are intended to be the
equivalent of handwritten signatures, initials, and
other general signings required by predicate
rules. Part 11 signatures include electronic
signatures that are used, for example, to
document the fact that certain events or actions
occurred in accordance with the predicate rule
(e.g. approved, reviewed, and verified).

46. Approach - Part 11 Requirements
Validation
 § 11.10(a) and corresponding requirements in §
11.30
 21 CFR 820.70(i)
 Accuracy, reliability, integrity, availability, and
authenticity of required records and signatures
 risk assessment and a determination of the
potential of the system to affect product quality
and safety, and record integrity.
 For further guidance on validation of
computerized systems, General Principles of
Software Validation and GAMP-5

47. Audit Trail
 § 11.10 (e), (k)(2) and any corresponding
requirement in §11.30
 § 58.130(e)
 documentation of, date, time, or sequencing of
events
 ensuring that changes to records do not obscure
previous entries

48. Legacy Systems
 Operational prior to August 20, 1997
 Agency does not intend to take enforcement
action if all the following criteria are met
 The system was operational before the effective
date.
 The system met all applicable predicate rule
requirements before the effective date.
 The system currently meets all applicable predicate
rule requirements.
 You have documented evidence and justification
that the system is fit for its intended use

49. Copies of Records
 § 11.10 (b) and any corresponding requirement in
§11.30
 § 211.180(c), (d), and 108.35(c)(3)(ii)
 You should provide useful access to investigator
during an inspection
 Producing copies of records held in common
portable formats
 Using established automated conversion or
export methods, where available, to make copies
in a more common format (examples of such
formats include, but are not limited to, PDF, XML,
or SGML)