21 CFR 11 Overview of the Final Document and its New Scope Ludwig Huber - Pharmaceutical Technology


21 CFR 11 Overview of the Final Document and its New Scope
Ludwig Huber
This article provides an overview of Rule 21 CFR Part 11's key requirements and its new, narrower scope.

Pharmaceutical Technology

Depending on a company's business practices, a record's value over time, and the justified and documented risk assessment, the new interpretation enables companies to copy the electronic records to paper or to standard electronic formats such as Portable Document Format (PDF).

Limited access. "Procedures should be in place to limit the access to authorized users" (Par. 11.10 [d]).

Limited access can be ensured through physical or logical security mechanisms. Most companies already have such procedures in place. For logical security, users typically log onto a system with a user identification (ID) and password. In addition, physical security such as key locks or pass cards is recommended for high-risk areas (e.g., data centers with network servers and archived data). Procedures should be carefully documented and validated.

User-independent, computer-generated time-stamped audit trails. "Procedures should be available to use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying" (Par. 11.10 [e]).

This paragraph has been the subject of much discussion, including how audit trails should be implemented and what information should be recorded. An important distinction is that the word "independently" means independently of the operator. The main purpose of the audit trail is to ensure and prove data integrity. If the data have been changed, the computer should record what has been changed and who made the change.

The audit trail functionality should be built into the software and is especially important for critical computer-related processes with manual operator interaction. Under the new scope of Part 11, the implementation of electronic audit trails should be risk-based, justified, and documented.

Use of secure electronic signatures for closed and open systems. "The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to determine record and signature falsification" (Par. 11.10 [j]).

The main purpose of this requirement is to link electronic signatures to relevant electronic records and the record signer. The system should recognize the signer with a user ID and password. Procedures and technical controls should ensure that the signer is uniquely identified. This rule not only requires the development of procedures, but also necessitates behavioral changes for using ID codes and passwords. Sharing a password with a colleague usually is much less taboo than teaching somebody how to copy a handwritten signature. But under Part 11, both actions have the same consequence. Software also should recognize any change to a signed record, most commonly through linking the electronic signature to the electronic audit trail.
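The following sketch is an added example, not code from the article or from any Part 11 product. It illustrates both the audit-trail requirement and the signature-to-record link described above. The hash chain, the `AuditedRecord` class and all field names are assumptions chosen for illustration, and the user is assumed to have already been authenticated by user ID and password.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed starting value for the hash chain

def digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class AuditedRecord:
    """Hypothetical record type: every change appends to its audit trail."""

    def __init__(self, record_id):
        self.record_id, self.fields, self.trail = record_id, {}, []

    def _append(self, user, action, **detail):
        # Timestamp and chaining come from the system, not the operator.
        entry = {"seq": len(self.trail), "user": user, "action": action,
                 "time": datetime.now(timezone.utc).isoformat(),
                 "prev": self.trail[-1]["hash"] if self.trail else GENESIS,
                 **detail}
        entry["hash"] = digest(entry)
        self.trail.append(entry)
        return entry

    def set(self, user, field, value):
        action = "modify" if field in self.fields else "create"
        old = self.fields.get(field)  # old value stays visible in the trail
        self.fields[field] = value
        return self._append(user, action, field=field, old=old, new=value)

    def sign(self, user, meaning):
        # The signature entry binds signer and meaning to the content hash.
        return self._append(user, "sign", meaning=meaning,
                            content=digest(self.fields))

def trail_intact(rec) -> bool:
    """True if no stored entry was edited and the chain is unbroken."""
    prev = GENESIS
    for e in rec.trail:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True

def signature_current(rec, sig) -> bool:
    """True if the record still has the content that was signed."""
    return sig in rec.trail and sig["content"] == digest(rec.fields)
```

A change made after signing leaves the trail intact but makes `signature_current` return `False`, which is the signal that the record needs to be reviewed and signed again.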

Use of digital signatures for open systems. "Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified for closed systems, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality" (Par. 11.30).

This rule requires software for document encryption and may also require hardware and software for generating digital signatures. Typically, computer systems used in pharmaceutical operations are closed systems that do not need digital signatures. Conversely, an example of an open system is analytical data generated by a contract laboratory that are transmitted to a sponsor through the public Internet. Examples of how open systems can be used are described elsewhere (2).

New scope of 21 CFR Part 11

Although 21 CFR Part 11 has been in place for eight years and enforced for six years, companies are still confused about how to implement it.


Source: Pharmaceutical Technology,