Page 1
21 CFR PART 11 REGULATIONS ON
ELECTRONIC RECORDS &
ELECTRONIC SIGNATURES &
REGULATORY PERSPECTIVE
ON ITS REQUIREMENTS
&
GAMP Requirements
May 22, 2015
Page 2
Original intended key objectives of Part 11 Regulations
• Retention/documentation of records
• Integrity/security of Records
• FDA Access to Records
• Authentication of Electronic Signatures
• Accountability for Maintaining Records / System
• Validation
Page 3
Contents
• 21 CFR Quality Management System Regulations
• What is 21CFR11
• The important aspects of 21CFR11
• 21CFR Basics
• Equivalent requirements in EU legislation & PIC/S
• Problem Areas
• Examples
• FDA Inspector Questions
• FDA Checks based on their training & experience
• GAMP requirements & categories
Page 4
QUALITY SYSTEM REGULATION
PART 11 REGS.
- 21 CFR 11.10(a) Validation of Systems
- 21 CFR 11.10(b) Controls – Closed Systems
  - Generate copies of records for inspection
- 21 CFR 11.10(c) Protection of Records to enable retrieval
Page 6
QUALITY SYSTEM REGULATION
PART 11 REGS.
- 21 CFR 11.10(i) Education – personnel
- 21 CFR 11.10(j) Accountability
- 21 CFR 11.10(k) Controls – system documentation
Page 7
QUALITY SYSTEM REGULATION
GOOD LAB. PRACTICE REG.
- 21 CFR 58.15 Inspection of records
- 21 CFR 58.29 Personnel – education and training
- 21 CFR 58.33 Study Director – responsibility for documentation
- 21 CFR 58.35 Quality Assurance Unit
- 21 CFR 58.81 Written standard operating procedures
- 21 CFR 58.190 Storage and retrieval of records
- 21 CFR 58.195 Retention of records
Page 8
What is 21CFR11?
• 21CFR = FDA, Code of Federal Regulations
• 21CFR58 = GLP
• 21CFR210 = GMP, Drugs (General)
• 21CFR211 = GMP, Drugs (Finished Pharmaceuticals)
• 21CFR312 = Inv. New Drug Application (GCP)
• 21CFR314 = FDA Approval of new drug (GCP)
• 21CFR6xx = GMP, biologics
• 21CFR820 = GMP, Devices
• 21CFR…… = Food, nutrients and cosmetics
• 21CFR11 = Electronic Records; Electronic Signatures
Page 9
The important aspects of 21CFR11:
• Substantive rule from 20 August 1997
• Applies to any e-record in any FDA regulated work including legacy systems
• Criteria for e-records and e-signatures:
  – Trustworthy and reliable
• E-signatures = hand-written signatures
• Minimum requirements / fraud prevention
Page 10
21 CFR Part 11, Basics
Electronic records equivalent with paper records
• Storage, retrieval and copying in full retention period
• Submitting to FDA
Protection of electronic records
• Security (physical and logical)
• Validation
• Audit trail (who did what and when, including the reason where required)
Permission to use electronic signatures
• Equivalent with handwritten signatures
• Name, date and meaning
• Linking of signature to record
• Unique for an individual
Page 11
Equivalent requirements in EU legislation
• Annex 11, Computerised Systems
• Personnel
• Validation
• System
  – Descriptions and SOPs
  – Change control and configuration management
  – Records; entry, storage, retrieval
  – Audit trail
  – Security and Disaster recovery
  – etc.
Page 12
PIC/S Guidance
Good Practices for Computerised Systems in regulated "GXP" environment
Computer System Life cycle, incl.
  – Electronic Records and Signatures
  – Security, and
  – Audit trail
Checklists for Inspection
Links ISO and IEEE standards, 21CFR11, APV guides, PDA Technical Reports together
Page 13
Problem areas
• Lack of knowledge in the organisation on
  – Computer Validation
  – 21 CFR Part 11
  – Maintenance of computer systems
• Purchases of non-compliant systems are ongoing
• "Part 11 compliant systems" do not exist
  – Administrative controls (= Company policies)
  – Procedural controls (= Company SOPs)
  – Technical controls (= Supplier SW controls)
Page 14
Example of 483 given by FDA investigator:
The 483 below led to the issuance of a Warning Letter by FDA:
A review of the High Performance Liquid Chromatograph
(HPLC) electronic records from July 3, 2013, for (b)(4) batch
#(b)(4) revealed an Out-of-Trend (OOT) result. The sample
preparation raw data was discarded and not reported. A QC
analyst indicated that these results were discarded due to
some small extra peaks identified in the chromatogram
fingerprint and an unexpected high assay result. The QC
test data sheet reported two new results that were obtained
from samples tested on July 4, 2013 and July 5, 2013, using
a different HPLC instrument.
Page 15
FDA 21CFR11 inspection questions
Who is allowed to input data?
Who is allowed to change data?
How can you tell who entered the data?
How do you know which data had been changed?
When do you lock down the data input?
Can you do the following actions?
“Show me some data, show me you can see the history of the
data, show me you control the data life cycle.”
Is the system validated and are the requirements met?
Can you show me the results of the validation activities?
Does the validation include: “Pass/fail, signature, date/time
stamp”; and “objective evidence - screen prints or page
printouts with a link to the direction that generated the output.”?
Page 16
What FDA Inspectors are Trained to Look For…
To effectively prepare for a visit from FDA, you must learn to look at your operations
through the eyes of an FDA investigator. For your computerized systems, some items
FDA investigators are trained to observe include:
– Is data being collected concurrently with the performance of your operations?
– Are systems designed to record non-conformances?
– Do systems question out-of-specification results but not borderline results?
– Are passwords shared, maintained on “Post-Its”, or found in the middle desk drawer?
– Are password restrictions logical (e.g., not re-used, not the same as user IDs, not just one
character or space, or easily guessed)?
– Are adequate protections in place when employees leave or transfer — or IDs are
compromised?
– Are systems left on and unattended?
– Are electronic signatures being used and, if so, has the firm filed a Part 11.100(c)
notification?
– Are hybrid systems being used and, if so, how are handwritten signatures linked to electronic
records?
Page 17
What FDA Inspectors are Trained to Look For…
To effectively prepare for a visit from FDA, you must learn to look at your operations
through the eyes of an FDA investigator. For your computerized systems, some items
FDA investigators are trained to observe include:
– Are electronic copies of electronic records available?
– Does the firm truly understand “system validation”?
– Can records be altered without leaving a trace?
– Are changes to electronic records obvious and clearly flagged to indicate a change?
– Is the original data readable?
– Have system administrators been trained in network operations and security?
– Are systems open or closed — and what is being done to ensure the security of open
systems?
Page 18
Note:
Note that this enforcement is not based on what system or process the manufacturer says is
being used — but on the investigator’s actual observation and evidence collection of
what system is being used. Citations, usually referencing the predicate rules and not always
mentioning Part 11, are appearing in both FDA-483s as well as Warning Letters.
Page 19
Automating GMP Areas: GAMP
• Good Automated Manufacturing Practices (GAMP) provides the Framework for Automated System Validation
• Current version GAMP 5 emphasizes Risk Based Approach to Software Validation with Life Cycle Model
GAMP Categories
Category | Software Type                  | CSV Criticality
1        | Operating System               | Low
2        | Firmware                       | Removed in GAMP 5
3        | Standard Software Packages     | Medium - High
4        | Configurable Software Packages | Medium - High
5        | Custom or Bespoke Systems      | High
Page 20
Automating GMP Areas:
Personnel Qualifications (211.25)
Consultants (211.34)
Equipment Cleaning and Maint. (211.67)
Automated Equipment (211.68)*
Written Procedures (211.100)
Materials Examination and Usage (211.122)
Packaging and Labeling Oper. (211.130)
Drug Product Inspection (211.134)
Distribution Procedures (211.150)
Reserve Samples (211.170)
Records and Reports (211.180)
Equipment Cleaning and Use (211.182)
Component, Container, Closure and Labeling Records (211.184)
Master Production Records (211.186)
Batch Production Records (211.188)
Production Record Review (211.192)
Laboratory Records (211.194)
Distribution Records (211.196)
Complaint Files (211.198)
Returned Drug Products (211.204)
Drug Product Salvaging (211.208)
Page 21
Automating GMP Areas:
• Process Control Systems
  – PLC / DCS / SCADA / BMS
  – Laboratory Computerized Systems
  – Application Software like HPLC / GC / FTIR etc.
• Global Information Systems
  – ERP Systems like SAP / BaaN
  – Document Management Systems
Page 22
Process Control Systems:
• Access Control & Password Management
• Program Back Up for PLC / HMI / SCADA
• Set Parameter Ranges To Be Restricted / Defined
• Alarm Management
• System Clock Synchronization
• System Design Documents vs. Configuration Check
• Printers & Reports
• Electronic Records & Signatures – Wherever Applicable
• Life Cycle Management
Page 23
Laboratory Computerised Systems:
• Access Control & Password Management
• Adequate User IDs
• Data Back Up & Restore
• Data Security
• Laboratory Network & Server Qualification
• System Clock Synchronization
• Printers & Records
• Electronic Signatures & Records
• Life Cycle Management
Page 24
Global Information Systems like ERP, SAP & DMS & Agile etc.:
• cGMP vs. System Configuration
• Interfacing of Quality Management System (BMRs) vs. ERP Records
• Access Control & Password Management
• Adequate User IDs
• Data Back Up & Restore
• Data Security
• Network & Server Qualification
• Paper Records vs. Electronic Records
• Electronic Signatures
• Life Cycle Management
Page 25
Maintaining Control in Operation:
The Maintaining Control in Operation (Post Validation) Program should ensure the following –
• All updates / new development / implementation are in line with the Change Control Procedures
• Risk Assessment is carried out for all updates / new development / implementation
• Validation documents (SOPs / Protocols / Specifications) are reviewed and updated periodically
• Audit the Validation Status of various systems
• Monitor the Performance of Systems Periodically
Page 26
Approach towards Compliance:
• Formulate Computer System Validation Policy – Top Line Statement
• Form the Core Team
• Formulate Validation Master Plan
• Define IT policies & Procedures
• For New Systems Follow GAMP V Model – URS to PQ
• For Existing Systems
  – Take the inventory of Systems
  – Carry Out Impact Analysis
  – Carry Out Risk Assessment for each System
  – Close the Gaps
  – Update the URS and follow GAMP V Model
• Maintain Control in Operation