Depending on a company's business practices, a record's value over time, and the justified and documented risk assessment,
the new interpretation enables companies to copy the electronic records to paper or to standard electronic formats such as
Portable Document Format (PDF).
Limited access. "Procedures should be in place to limit the access to authorized users" (Par. 11.10 [d]).
Limited access can be ensured through physical or logical security mechanisms. Most companies already have such procedures
in place. For logical security, users typically log onto a system with a user identification (ID) and password. In addition,
physical security such as key locks or pass cards is recommended for high-risk areas (e.g., data centers with network servers and archived data). Procedures should be carefully documented and validated.
User-independent, computer-generated time-stamped audit trails. "Procedures should be available to use secure, computer-generated, time-stamped audit trails to independently record the date
and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure
previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required
for the subject electronic records and shall be available for agency review and copying" (Par. 11.10 [e]).
This paragraph has been the subject of much discussion, such as how audit trails should be implemented and what information
should be recorded. An important distinction is that the word "independently" means independently of the operator. The main purpose of the audit trail is to ensure and prove data integrity. If the
data have been changed, the computer should record what has been changed and who made the change.
The audit trail functionality should be built into the software and is especially important for critical computer-related
processes with manual operator interaction. Under the new scope of Part 11, the implementation of electronic audit trails
should be risk-based, justified, and documented.
Use of secure electronic signatures for closed and open systems.
"The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions
initiated under their electronic signatures, in order to determine record and signature falsification" (Par. 11.10 [j]).
The main purpose of this requirement is to link electronic signatures to relevant electronic records and the record signer.
The system should recognize the signer with a user ID and password. Procedures and technical controls should ensure that the
signer is uniquely identified. This rule not only requires the development of procedures, but also necessitates behavioral
changes for using ID codes and passwords. Sharing a password with a colleague usually is much less taboo than teaching somebody
how to copy a handwritten signature. But under Part 11, both actions have the same consequence. Software also should recognize
any change to a signed record, most commonly through linking the electronic signature to the electronic audit trail.
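The audit-trail requirement (Par. 11.10 [e]) and the link between a signature and the audit trail described above, sketched as an added example that is not from the original article or any vendor's software. The class and field names are hypothetical, users are assumed to be already authenticated, and the SHA-256 hash chain is an added tamper-evidence technique, not something Part 11 prescribes.

```python
import hashlib, json
from datetime import datetime, timezone

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class AuditedRecord:
    """Record whose changes are appended to a trail; old values are never overwritten."""
    def __init__(self):
        self.fields, self.trail, self.signatures = {}, [], []

    def _append(self, user, action, field, old, new):
        # The timestamp comes from the system clock, never from operator input.
        entry = {"seq": len(self.trail), "time": datetime.now(timezone.utc).isoformat(),
                 "user": user, "action": action, "field": field, "old": old, "new": new,
                 "prev_hash": self.trail[-1]["entry_hash"] if self.trail else "0" * 64}
        entry["entry_hash"] = _digest(entry)  # hash chain: an added assumption
        self.trail.append(entry)

    def set_field(self, user, field, value):
        action = "modify" if field in self.fields else "create"
        self._append(user, action, field, self.fields.get(field), value)
        self.fields[field] = value

    def delete_field(self, user, field):
        self._append(user, "delete", field, self.fields.pop(field), None)

    def sign(self, user, meaning):
        # Link the signature to the signed content and to its position in the trail.
        self._append(user, "sign", None, None, meaning)
        self.signatures.append({"user": user, "content_hash": _digest(self.fields),
                                "trail_seq": len(self.trail) - 1})

    def verify_trail(self):
        prev = "0" * 64
        for e in self.trail:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def signature_status(self):
        # Per signature: (signer, record unchanged since signing?, who changed what after)
        now = _digest(self.fields)
        return [(s["user"], now == s["content_hash"],
                 [(e["user"], e["field"]) for e in self.trail[s["trail_seq"] + 1:]
                  if e["action"] != "sign"]) for s in self.signatures]
```

A change made after signing leaves the signature entry in place but reports it as no longer matching the record, along with who changed which field; editing a stored trail entry makes `verify_trail()` return `False`.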
Use of digital signatures for open systems.
"Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and
controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from
the point of their creation to the point of their receipt. Such procedures and controls shall include those identified for
closed systems, as appropriate, and additional measures such as document encryption and use of appropriate digital signature
standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality" (Par. 11.30).
This rule requires software for document encryption and may also require hardware and software for generating digital signatures.
Typically, computer systems used in pharmaceutical operations are closed systems that do not need digital signatures. Conversely,
an example of an open system is analytical data generated by a contract laboratory that are transmitted to a sponsor through
the public Internet. Examples of how open systems can be used are described elsewhere (2).
New scope of 21 CFR Part 11
Although 21 CFR Part 11 has been in place for eight years and enforced for six years, companies are still confused about how to implement