Electronic Record & Electronic Signature
Content
• 21 CFR Part 11 History
• 21 CFR Part 11 Basics
• Electronic Record & Electronic Signature
• Approach to Part 11 Requirements
• Open & Closed Systems
• Controls for Open & Closed Systems
• Security & Controls
• Steps to achieve IT compliance
• Problem Areas
Historic overview
• FDA:
  • Final Draft in 1994
  • Final Rule 20 March 1997, effective from 20 August 1997
  • August 2003, FDA: Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application
21 CFR Part 11 Subparts
• Subpart A – Scope, Implementation, Definitions
• Subpart B – Electronic Records
• Subpart C – Electronic Signatures
What is 21 CFR Part 11
• 21 CFR Part 11 (Part 11) applies to electronic records and electronic signatures that persons create, modify, maintain, archive, retrieve, or transmit under any records or signature requirement set forth in the Federal Food, Drug, and Cosmetic Act, the Public Health Service Act, or any FDA regulation.
21 CFR Part 11 Intent
• The 21 CFR Part 11 criteria are designed to:
  • Prevent accidental alterations to electronic records
  • Deter deliberate falsification
  • Help to detect such changes when they do occur
21 CFR Part 11 Basics
• Electronic records are equivalent to paper records
• Storage, retrieval and copying throughout the full retention period
• Submission to FDA
• Protection of electronic records
• Security (physical and logical)
• Validation
• Audit trail (who did what and when, including the reason where required)
• Permission to use electronic signatures
• Electronic signatures are equivalent to handwritten signatures
• Name, date and meaning of the signature
• Linking of signature to record
• Unique to an individual
Electronic Record
• “Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”
Components of Electronic Records
All electronic records fall under Part 11.
• Audit Trails (11.10e)
• Limited Access (11.10d)
• Authority Checks (11.10g)
• Document Controls (11.10k)
• Generate copies of data (11.10a-b)
• Operational Workflow (11.10f)
• Data Validity Checks (11.10h)
• Training (11.10i)
• Written Policies (11.10j)
• Validation of Systems (11.10a)
• Closed system plus encryption and protection for records (11.30)
General Requirements of Electronic Records
• The system must discern invalid or altered records.
• The system must generate accurate and complete copies of records in both printed hardcopy and electronic format.
• Only authorized individuals may access electronic records.
• Electronic records and the audit trail must be protected from unauthorized deletion or alteration.
• Audit trail records must be automatically generated.
• Electronic records must be secured and time-stamped.
• Electronic records, including audit trails, are to be retained as long as the electronic data is required to be retained.
• Electronic records must be available for inspection, review, and copying in both human-readable and electronic form.
General Requirements of Audit Trail
• The identity of the person making the change.
• The time and date that the change was effected.
• The action that creates, modifies and/or deletes a record.
• The reason for modification to a record.
• The change may not delete or obscure the previous data.
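The audit trail requirements above translate directly into a data structure: every change is logged with who, when, what and why, the previous value is kept rather than overwritten, and the log itself must resist unauthorized deletion or alteration. The following is an added example, not code from the slides or from any vendor system. It assumes each record is a string id holding one value, that the trail runs inside the system (so timestamps and sequence numbers are generated automatically, not typed in by the user), and that a SHA-256 hash chain links each entry to the previous one, so that editing, removing or reordering an earlier entry is detectable.

```python
"""Tamper-evident audit trail for electronic records.

Added example, not taken from the slides. Assumptions: each record is
identified by a string id and holds one value; the trail runs inside the
system, so the timestamp and sequence number are generated automatically
rather than entered by the user; a SHA-256 hash chain links every entry to
the one before it, so deleting, reordering or editing an earlier entry is
detectable. A real deployment would keep the chain in write-once storage.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(obj):
    """Deterministic JSON bytes so hashes do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    ACTIONS = {"create", "modify", "delete"}

    def __init__(self):
        self._entries = []   # append-only log of changes
        self._records = {}   # current value of each record

    def apply(self, user_id, action, record_id, new_value=None, reason=None, clock=None):
        """Apply a change and log who did what, when and why."""
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if action == "create" and record_id in self._records:
            raise ValueError(f"{record_id} already exists")
        if action != "create" and record_id not in self._records:
            raise ValueError(f"{record_id} does not exist")
        if action in ("modify", "delete") and not reason:
            raise ValueError("a reason is required for modify/delete")
        when = (clock or datetime.now(timezone.utc)).isoformat()
        prev_hash = self._entries[-1]["entry_hash"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries),
            "timestamp": when,
            "user_id": user_id,
            "action": action,
            "record_id": record_id,
            "old_value": self._records.get(record_id),  # previous data is kept, never obscured
            "new_value": None if action == "delete" else new_value,
            "reason": reason,
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self._entries.append(entry)
        if action == "delete":
            del self._records[record_id]
        else:
            self._records[record_id] = new_value
        return entry

    def verify(self):
        """True only if every entry is intact and the chain is unbroken."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def history(self, record_id):
        """Every logged change to one record, oldest first."""
        return [e for e in self._entries if e["record_id"] == record_id]


def demo():
    """Constructed scenario: a result is created, corrected, then deleted."""
    def at(hour):
        return datetime(2024, 1, 15, hour, 0, tzinfo=timezone.utc)

    trail = AuditTrail()
    trail.apply("analyst1", "create", "LOT-0001/pH", 7.2, clock=at(9))
    trail.apply("analyst1", "modify", "LOT-0001/pH", 7.4,
                reason="transcription error corrected", clock=at(10))
    trail.apply("qa_lead", "delete", "LOT-0001/pH",
                reason="duplicate sample entry", clock=at(11))
    intact = trail.verify()
    history = trail.history("LOT-0001/pH")
    # Tamper 1: quietly rewrite the old value stored in the correction entry.
    trail._entries[1]["old_value"] = 7.4
    after_edit = trail.verify()
    trail._entries[1]["old_value"] = 7.2
    # Tamper 2: drop the correction entry from the log entirely.
    del trail._entries[1]
    after_deletion = trail.verify()
    return {"intact": intact, "history_len": len(history),
            "modify_old_value": history[1]["old_value"],
            "after_edit": after_edit, "after_deletion": after_deletion}
```

The `verify` walk is what a periodic integrity check or an inspection copy would run: an in-place edit changes an entry hash, and removing an entry breaks both the sequence numbers and the `prev_hash` link of the entry that follows, so neither tampering can be silent.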
Electronic Signature
• “A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.”
Components of Electronic Signatures
• Biometric (retina scans, voice recognition, fingerprint) (11.200b)
• User ID/Password (11.200a)
• Record Binding: the signature is embedded in or linked to the record (11.70)
• Security: controls, uniqueness, periodic checks, management, safeguards (11.300)
General Requirements of Electronic Signature
• Must be unique to an individual and not reassigned.
• The identity of the individual must be verified by the organization.
• Must certify the electronic signature system to the agency prior to or at the time of use of the system.
• Certification must be submitted in paper form; upon agency request, further certification that a signature is legally binding must be provided.
Handwritten Signature
• “The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form.”
Biometrics
• “A method of verifying an individual’s identity based on measurement of the individual’s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.”
Overall Approach to Part 11 Requirements
• Limiting system access to authorized individuals
• Use of operational system checks
• Use of authority checks
• Use of device checks
• Determination that persons who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks
• Establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures
• Appropriate controls over system documentation
• Controls for open systems corresponding to controls for closed systems
• Requirements related to electronic signatures
Closed System
• “An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.”
Open System
• “An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.”
Controls for Closed Systems
• Must develop procedures and controls to ensure authenticity, integrity and confidentiality, and that the signer cannot repudiate the signed record.
• The controls must:
  • Be validated
  • Maintain accurate and complete records
  • Limit the system to authorized persons
  • Protect records through the retention period
  • Contain audit trails that are secure, operator independent, computer-generated, time-stamped, cover the creation, modification and deletion of records, and do not obscure previous information
Controls for Closed Systems (continued)
• Allow for the performance of operational system checks, authority checks, and device checks to ensure system, record, and data integrity
• Ensure appropriate personnel qualifications
• Policies written and followed to hold personnel accountable for actions and to deter records falsification
• Control over system documentation, including distribution, access, use, revision and change control
Controls for Open Systems
• Must develop procedures and controls that ensure authenticity, integrity, and confidentiality of electronic records and comply with all other parts of Section 11.10
• Must use additional measures (e.g. document encryption, digital signature standards) to ensure authenticity, integrity, and confidentiality
Signature Manifestation
• Signed electronic records must include the printed name of the signer, the date and time of signature, and the purpose (meaning) of the signature (e.g. review, approval, etc.). Each of these must be readable by display or printout.
Signature/Record Linking
• Electronic signatures and handwritten signatures applied to electronic records must be linked to those records to ensure the signatures cannot be excised, copied, transferred or falsified.
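The three passages above (the open-system call for digital signature standards, signature manifestation, and signature/record linking) describe one mechanism seen from three sides: a signature is applied only after both identification components are presented, it carries the signer's printed name, the date/time and the meaning, and it is cryptographically bound to the record content so it cannot be moved to another record or kept after the record changes. The following is an added example, not code from the slides or from any vendor product. It assumes a user ID plus password as the two components, that the system stores a PBKDF2 password hash and a per-signer secret key, and it uses HMAC-SHA256 as a stand-in for a digital signature standard so that it runs on the Python standard library alone; an asymmetric scheme under a PKI would take its place in a real open-system deployment.

```python
"""Signature manifestation and signature/record linking.

Added example, not taken from the slides. Assumptions: a signer is
identified by user ID plus password (two components, as in 11.200(a));
the system holds a PBKDF2 hash of the password and a per-signer secret key.
HMAC-SHA256 stands in for a digital signature standard so the example runs
on the standard library alone; an asymmetric signature (for example ECDSA
under a PKI) would replace it in a real open-system deployment.
"""
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000


def canonical(obj):
    """Deterministic JSON bytes so digests do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record):
    """Fingerprint of the record content the signature will be bound to."""
    return hashlib.sha256(canonical(record)).hexdigest()


class Signer:
    """One individual: credentials and a signing key that is never reassigned."""

    def __init__(self, user_id, printed_name, password):
        self.user_id = user_id
        self.printed_name = printed_name
        self._salt = os.urandom(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        self._key = os.urandom(32)  # unique per individual; stands in for a private key

    def check_password(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._pw_hash)

    def mac(self, manifest):
        return hmac.new(self._key, canonical(manifest), hashlib.sha256).hexdigest()


def sign_record(signer, password, record, meaning, clock=None):
    """Apply an electronic signature; both identification components are required."""
    if not signer.check_password(password):
        raise PermissionError("user ID/password check failed; signature not applied")
    manifest = {
        "printed_name": signer.printed_name,
        "user_id": signer.user_id,
        "signed_at": (clock or datetime.now(timezone.utc)).isoformat(),
        "meaning": meaning,                       # e.g. review, approval
        "record_digest": record_digest(record),   # links the signature to this record
    }
    return {**manifest, "signature": signer.mac(manifest)}


def verify_signature(signer, record, signed):
    """False if the record, the manifest or the signature value was altered."""
    if signed["record_digest"] != record_digest(record):
        return False
    manifest = {k: v for k, v in signed.items() if k != "signature"}
    return hmac.compare_digest(signer.mac(manifest), signed["signature"])


def manifestation(signed):
    """Human-readable signature block for display or printout (11.50)."""
    return (f"Signed by {signed['printed_name']} ({signed['user_id']}) "
            f"on {signed['signed_at']}; meaning: {signed['meaning']}")


def demo():
    """Constructed scenario covering the failure modes record linking is meant to stop."""
    qa = Signer("u1234", "Jane Doe", "correct horse battery staple")
    record = {"batch": "LOT-0001", "test": "assay", "result": "pass"}
    when = datetime(2024, 1, 15, 14, 30, tzinfo=timezone.utc)
    signed = sign_record(qa, "correct horse battery staple", record, "approval", clock=when)
    rejected = False
    try:
        sign_record(qa, "wrong password", record, "approval", clock=when)
    except PermissionError:
        rejected = True
    return {
        "genuine": verify_signature(qa, record, signed),
        # record edited after signing: digest no longer matches
        "altered_record": verify_signature(qa, {**record, "result": "fail"}, signed),
        # signature copied onto a different batch record: digest no longer matches
        "transferred": verify_signature(qa, {**record, "batch": "LOT-0002"}, signed),
        # meaning retyped from approval to review: MAC no longer matches
        "changed_meaning": verify_signature(qa, record, {**signed, "meaning": "review"}),
        "bad_password_rejected": rejected,
        "text": manifestation(signed),
    }
```

Because the digest of the record content is part of the signed manifest, the same signature value cannot be excised and pasted onto another record, and any later edit to the record invalidates it; that is the property the linking requirement asks for, whatever signature algorithm is used underneath.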
Security and Control
• Procedural
• Physical
• Logical
Procedural – Verification
• Obtain and review the corporate security policy, security standards and procedures
• Evaluate the effectiveness of the security organization
• Evaluate the effectiveness of the process for requesting, granting and removing access
Physical Security
• Review the physical access policy
• Identify sensitive areas (computer room, data rooms, wiring closets)
• Determine the process for granting, reviewing, monitoring and removing access
• Verify that the process is operating effectively
Logical Security
• Obtain and review the data access policy
• Identify access “paths” to cGMP data:
  • Local Area Network
  • Operating System
  • Database Security
  • Application Security
Steps to achieve IT compliance
• Identify and register systems
• Prioritise systems
• Evaluate “high-risk” systems
• Evaluate “medium- and low-risk” systems
• Evaluate corrections/solutions
• Prepare implementation plan
  • “Quick fixes”
  • “Full compliance, technical and procedural”
• Implement solutions
Problem Areas
• Lack of knowledge in the organisation on:
  • Computer validation
  • 21 CFR Part 11
  • Maintenance of computer systems
• Purchase of non-compliant systems is ongoing
• “Part 11 compliant systems” do not exist; compliance requires all three:
  • Administrative controls (= company policies)
  • Procedural controls (= company SOPs)
  • Technical controls (= supplier software controls)
Any Questions?
Thank You

21 cfr part 11 basic