21 CFR 11 Overview of the Final Document and its New Scope Ludwig Huber - Pharmaceutical Technology

21 CFR 11 Overview of the Final Document and its New Scope
Ludwig Huber
This article provides an overview of Rule 21 CFR Part 11's key requirements and its new, narrower scope.

Pharmaceutical Technology

Depending on a company's business practices, a record's value over time, and the justified and documented risk assessment, the new interpretation enables companies to copy the electronic records to paper or to standard electronic formats such as portable document format (PDF).

Limited access. "Procedures should be in place to limit the access to authorized users" (Par. 11.10 [d]).

Limited access can be ensured through physical or logical security mechanisms. Most companies already have such procedures in place. For logical security, users typically log onto a system with a user identification (ID) and password. In addition, physical security such as key locks or pass cards is recommended for high-risk areas (e.g., data centers with network servers and archived data). Procedures should be carefully documented and validated.

User-independent, computer-generated time-stamped audit trails. "Procedures should be available to use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying" (Par. 11.10 [e]).

This paragraph has been the subject of much discussion, such as how audit trails should be implemented and what information should be recorded. An important distinction is that the word "independently" means independently from the operator. The main purpose of the audit trail is to ensure and prove data integrity. If the data have been changed, the computer should record what has been changed and who made the change.

The audit trail functionality should be built into the software and is especially important for critical computer-related processes with manual operator interaction. Under the new scope of Part 11, the implementation of electronic audit trails should be risk-based, justified, and documented.

Use of secure electronic signatures for closed and open systems. "The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification" (Par. 11.10 [j]).

The main purpose of this requirement is to link electronic signatures to relevant electronic records and the record signer. The system should recognize the signer with a user ID and password. Procedures and technical controls should ensure that the signer is uniquely identified. This rule not only requires the development of procedures, but also necessitates behavioral changes for using ID codes and passwords. Sharing a password with a colleague usually is much less taboo than teaching somebody how to copy a handwritten signature. But under Part 11, both actions have the same consequence. Software also should recognize any change to a signed record, most commonly through linking the electronic signature to the electronic audit trail.
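The audit-trail and signature-linking behavior described in the preceding paragraphs can be sketched as follows. This is an added example, not code from the article or from any Part 11 product; the class name, field names, the use of a SHA-256 digest to bind a signature to record content, and the sample data are all assumptions, and the user ID is assumed to have been authenticated already.

```python
import hashlib
import json
from datetime import datetime, timezone

class AuditedRecord:
    """In-memory sketch: the system, not the operator, writes the trail."""

    def __init__(self, record_id):
        self.record_id = record_id
        self.fields = {}
        self.trail = []  # append-only: entries are never edited or removed

    def _digest(self):
        # Hash of the current record content in a canonical key order.
        blob = json.dumps(self.fields, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def _log(self, user_id, action, field=None, old=None, new=None):
        self.trail.append({
            "seq": len(self.trail) + 1,
            "time": datetime.now(timezone.utc).isoformat(),  # system clock
            "user": user_id, "action": action,
            "field": field, "old": old, "new": new,  # old value is preserved
            "digest_after": self._digest(),
        })

    def set_field(self, user_id, field, value):
        old = self.fields.get(field)
        action = "modify" if field in self.fields else "create"
        self.fields[field] = value
        self._log(user_id, action, field, old, value)

    def sign(self, user_id, meaning):
        # The signature entry carries the digest of exactly what was signed.
        self._log(user_id, "sign:" + meaning)

    def signature_status(self):
        # (signer, meaning, still_valid) for every signature in the trail.
        current = self._digest()
        return [(e["user"], e["action"][5:], e["digest_after"] == current)
                for e in self.trail if e["action"].startswith("sign:")]

def demo():
    # Constructed sample data: a hypothetical assay result record.
    rec = AuditedRecord("LOT-0001-assay")
    rec.set_field("analyst1", "assay_pct", 98.7)
    rec.sign("reviewer1", "reviewed")
    before = rec.signature_status()
    rec.set_field("analyst1", "assay_pct", 99.9)  # change after signing
    return before, rec.signature_status(), rec.trail
```

The sketch keeps the trail in memory; it shows the record-keeping logic only and does not by itself protect the trail from someone with write access to where it is stored.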

Use of digital signatures for open systems. "Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified for closed systems, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality" (Par. 11.30).

This rule requires software for document encryption and may also require hardware and software for generating digital signatures. Typically, computer systems used in pharmaceutical operations are closed systems that do not need digital signatures. Conversely, an example of an open system is one in which analytical data generated by a contract laboratory are transmitted to a sponsor through the public Internet. Examples of how open systems can be used are described elsewhere (2).

New scope of 21 CFR Part 11

Although 21 CFR Part 11 has been in place for eight years and enforced for six years, companies are still confused about how to implement it.


Source: Pharmaceutical Technology,