Electronic Records and Electronic Signatures: BY Poorna Basuri.P M.Pharmacy, I Year


21 CFR 11
ELECTRONIC RECORDS AND ELECTRONIC SIGNATURES
BY POORNA BASURI.P
M.PHARMACY, I YEAR
WHAT DOES IT MEAN?
21 - Chapter of US Federal Law: Food, Drug & Cosmetics Act, circa 1906.
CFR - Code of Federal Regulation: US Federal Government law.
Part 11 - That part of 21 CFR that deals with electronic records & electronic signatures.
WHAT IS PART 11
21 CFR Part 11 (Part 11) applies to electronic
records and electronic signatures that persons create,
modify, maintain, archive, retrieve, or transmit under
any records or signature requirement set forth in the
Federal Food, Drug, and Cosmetic Act, the Public
Health Service Act, or any FDA regulation.
HISTORY
In response to requests from the industry, the USFDA issued
a regulation that provides criteria for acceptance of
electronic records, electronic signatures and handwritten
signatures by the FDA in 1997.
With this regulation, titled Rule 21 CFR Part 11, electronic
records can be equivalent to paper records and
handwritten signatures.
Such a regulation was important because electronic data
handling offers noteworthy benefits in the manufacturing
area and also for the huge amount of data generated in
analytical laboratories. The use of fully electronic data
acquisition, evaluation, management and archiving
promises major improvements in the workflow.
IMPORTANCE
The use of electronic records is expected to be more cost
effective for the industry and the FDA.
The approval process is expected to be shorter and access
to documentation will be faster and more productive.
In many situations using computers cannot be avoided, for
example in analytical laboratories for automated data
acquisition and evaluation. In this case the laboratories
must comply with Part 11.
There may come a time when the FDA will no longer
accept paper records. Electronic records have some
significant advantages over paper records: tangibly lower
space requirements and easier retrieval are just two of
those advantages.
The rule applies to all industry segments regulated by the
FDA, which includes Good Laboratory Practice (GLP), Good
Clinical Practice (GCP) and current Good Manufacturing
Practice (cGMP).
REQUIREMENTS OF PART 11:
Use of validated existing and new computerized systems.
Secure retention of electronic records and instant retrieval.
User-independent computer generated time-stamped audit
trails.
System and data security, data integrity and confidentiality
through limited authorized access to systems and records.
Use of secure electronic signatures for closed and open systems.
Use of digital signatures for open systems.
Use of operational checks.
Use of device checks.
Determination that the persons who develop, maintain or
use electronic systems have the education, training and
experience to perform their assigned task.
TERMINOLOGY
Electronic Records
Electronic records are "any combination of text, graphics,
data, audio, pictorial, or other information representation in
digital form that is created, modified, maintained, archived,
retrieved, or distributed by a computer system".
Closed system
A closed system is defined as an environment in which
system access is controlled by persons who are responsible for
the content of electronic records that are on the system.
Open system
An open system means an environment in which system
access is not controlled by persons who are responsible for the
content of electronic records that are on the system.
Practically all systems in analytical laboratories are closed
systems. With an appropriate security system in place, the
laboratory has full control over who will access the system. An open
system in a laboratory would be one where the data is stored on
a server that is under the control of a third party. Other examples
of open systems are websites where everyone has access.
Electronic Signature
An electronic signature is "a computer data compilation of any
symbol or series of symbols executed, adopted, or authorized by an
individual to be the legally binding equivalent of the individual's
handwritten signature".
Electronic signatures are the electronic equivalent to handwritten
signatures on paper. They may be based on biometric identification
methods like fingerprint scanners or facial and voice recognition, but a
simple combination of a user I.D. and password is also sufficient. Within
a company, the user I.D. must be unique to a specific person. Electronic
signatures are sufficient for closed systems.
Digital signature
A digital signature is "an electronic signature based
upon cryptographic methods of originator authentication,
computed by using a set of rules and a set of parameters
such that the identity of the signer and the integrity of the
data can be verified".
Digital signatures are required for open systems and
as such need higher security levels. Therefore, in addition to
electronic signatures, cryptographic methods have to be
applied for authentication of the user and integrity of the
record.
WHEN DOES IT APPLY?
The new narrow scope of the guidance states that Part 11
applies when:
The record is required by a predicate rule, e.g., electronic
batch records for 21 CFR Part 211 and electronic training
records in 21 CFR Part 58.
The electronic records are used to demonstrate
compliance with a predicate rule, e.g., electronic training
records for compliance with 21 CFR Part 211.
(predicate rule=all other 21 CFR Part regulations)
When electronic records are used instead of paper.
When persons make printouts but still rely on the
electronic records in the computerized system to perform
regulated activities.
Records submitted to the FDA, under predicate rules
(even if such records are not specifically identified in
agency regulations) in electronic format.
Electronic signatures intended to be the equivalent of
handwritten signatures, initials and other general signings
required by predicate rule.
REQUIREMENTS OF THE RULE
The most important requirements and some interpretations
for implementation are:
System Validation - 11.10(a)
"Procedures should be in place for Validation of systems to
ensure accuracy, reliability, consistent intended performance,
and the ability to discern invalid or altered records".
That condition applies to both new and existing systems.
Validation should include application specific functions as well
as functions related to Part 11, electronic audit trail and
electronic signatures. Recommended test procedures include:
Limited and authorized system access. This can be achieved by
entering correct and incorrect password combinations and
verifying if the system behaves as intended.
Limited access to selected tasks and permissions. This can be
achieved by trying to get access to tasks as permitted by the
administrator and verifying if the system behaves as specified.
Computer generated audit trail. Perform actions that
should go into the e-audit trail according to specifications.
Record the actions manually and compare and contrast
the recordings with the computer generated audit trail.
Accurate and complete copies. Calculate results from raw
data using a defined set of evaluation parameters. Save
raw data, final results and evaluation parameters on a
storage device. Switch off the computer. Switch it on again
and perform the same tasks as before using data stored
on the storage device. Results should be the same as for
the original evaluation.
Binding signatures with records. Sign a data file electronically. Check the
system design and verify that there is a clear link between the electronic
signature and the data file. For example, the link should include the
printed name or a clear reference to the person who signed, the date
and time and the meaning of the signature.
Accurate and Complete Copies - 11.10(b) and 11.10(c)
(b) "Procedures should be in place to generate accurate and
complete copies of records in both human readable and electronic form
suitable for inspection, review, and copying by the agency. Persons should
contact the agency if there are any questions regarding the ability of the
agency to perform such review and copying of the electronic records".
Accurate and Ready Retrieval - 11.10(c)
(c) "Records must be protected to enable their accurate and ready
retrieval throughout the records retention period". The agency wants to be
able to trace final results back to the raw data using the same tools as the
user had when this data was generated. This is probably one of the most
difficult requirements to implement.
Limited Access - 11.10(d)
"Procedures should be in place to limit system access to
authorized users". Limited access can be ensured through physical and/or
logical security mechanisms. Most companies already have procedures in
place. For logical security, users typically log on to a system with a user I.D.
and password. Physical security through key locks or pass cards in addition
to logical security is recommended for high-risk areas, for example, for data
centers with network servers and back-data. These procedures should be very
well documented and validated.
User-Independent Computer Generated Time-Stamped Audit Trails -
11.10(e)
"Procedures should be available to use secure, computer-generated, time-
stamped audit trails to independently record the date and time of operator
entries and actions that create, modify, or delete electronic records. Record
changes shall not obscure previously recorded information. Such audit trail
documentation shall be retained for a period at least as long as that
required for the subject electronic records and shall be available for agency
review and copying". The main purpose is to ensure and prove data integrity.
If the data has been changed the computer should record what has been
changed and who made the change. The audit trail functionality should be
built into the software and is especially important for critical computer
related processes with manual operator interaction.
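An added example, not part of the original presentation: one way to build the 11.10(e) audit trail so that a change keeps the previous value and later edits to stored entries are detectable. The SHA-256 hash chain, the class and field names, and the sample assay data are assumptions made for this illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor used as prev_hash of the first entry


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of an entry body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only trail: each entry commits to the hash of the previous one."""

    def __init__(self, clock=None):
        # The timestamp comes from the system clock, never from the operator.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._entries = []

    def record(self, user_id, action, record_id, old_value=None, new_value=None):
        if action not in ("create", "modify", "delete"):
            raise ValueError("unsupported action: %r" % action)
        body = {
            "seq": len(self._entries) + 1,
            "timestamp": self._clock().isoformat(),
            "user_id": user_id,
            "action": action,
            "record_id": record_id,
            "old_value": old_value,  # previous value is kept, not overwritten
            "new_value": new_value,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self._entries.append(entry)
        return entry

    def history(self, record_id):
        """Every entry for one record, oldest first."""
        return [e for e in self._entries if e["record_id"] == record_id]

    def export(self):
        """Copy of the trail for review; edits to the copy do not touch the trail."""
        return [dict(e) for e in self._entries]


def verify_trail(entries):
    """Return the position of the first entry that fails verification, or None."""
    prev_hash = GENESIS
    for position, entry in enumerate(entries, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != position
                or entry.get("prev_hash") != prev_hash
                or entry.get("hash") != _digest(body)):
            return position
        prev_hash = entry["hash"]
    return None


def demo():
    # Constructed sample data: a fixed clock and an invented assay result.
    ticks = iter(datetime(2024, 1, 1, 9, m, tzinfo=timezone.utc) for m in range(60))
    trail = AuditTrail(clock=lambda: next(ticks))
    trail.record("analyst1", "create", "ASSAY-001", None, "98.2")
    trail.record("analyst1", "modify", "ASSAY-001", "98.2", "99.1")
    trail.record("reviewer2", "delete", "ASSAY-001", "99.1", None)
    intact = verify_trail(trail.export())
    tampered = trail.export()
    tampered[1]["old_value"] = "99.1"  # edit that would hide the original result
    return intact, verify_trail(tampered)


if __name__ == "__main__":
    print(demo())
```

verify_trail only shows that the stored entries are internally consistent; keeping a copy of the latest hash outside the system is what stops a fully rewritten chain from passing.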
Operational System Checks - 11.10(f)
"Procedures should be available to use operational system
checks to enforce permitted sequencing of steps and events, as
appropriate".
Use of Authority Checks - 11.10(g)
"Procedures should be available to use authority checks to
ensure that only authorized individuals can use the system,
electronically sign a record, access the operation or computer
system input or output device, alter a record, or perform the
operation at hand".
Authority checks must be in place to ensure
authenticity, integrity and confidentiality of
electronic records, and to ensure that the signer
cannot readily repudiate the signed record as not
genuine. This requires procedural and technical
controls. Authority checks should be used when an
individual attempts to:
Access a system.
Perform selected permitted tasks.
Change a record.
Electronically sign a record.
Use of Device Checks - 11.10(h)
"Procedures should be available to use device (e.g., terminal)
checks to determine, as appropriate, the validity of the source of
data input or operational instruction".
This requirement refers to automatically determining the
identification and location of a piece of equipment hardware or
another computer system. An example would be that a computer
system controlling an instrument should automatically recognize the
equipment as a valid input device through its serial number. If the
serial number is not set up in the computer's database, the
instrument cannot be used as an input device.
People Qualification - 11.10(i)
"Procedures should be available to determine that persons
who develop, maintain, or use electronic record/electronic
signature systems have the education, training, and experience
to perform their assigned tasks".
People qualification is a GxP requirement and not specific to
Part 11. Procedures should be in place to document tasks and
qualifications, to develop a gap analysis and to develop an
implementation plan on the gaps that can be filled.
Individual Accountability - 11.10(j)
"Procedures should be available to establish, and adhere to,
written policies that hold individuals accountable and
responsible for actions initiated under their electronic
signatures, in order to deter record and signature
falsification".
Procedures should make employees aware that electronic
signatures have the same meaning as handwritten
signatures.
Controls Over System Documentation - 11.10(k)
"Procedures should be in place for appropriate controls
over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use
of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit
trail that documents time-sequenced development and
modification of systems documentation".
Use of Digital Signatures for Open Systems - 11.30
"Persons who use open systems to create, modify, maintain, or
transmit electronic records shall employ procedures and controls
designed to ensure the authenticity, integrity, and, as appropriate,
the confidentiality of electronic records from the point of their
creation to the point of their receipt. Such procedures and controls
shall include those identified for closed systems, as appropriate, and
additional measures such as document encryption and use of
appropriate digital signature standards to ensure, as necessary
under the circumstances, record authenticity, integrity, and
confidentiality".
Requirements for Signed Electronic Records - 11.50
(a) Signed electronic records shall contain information associated with
the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or
authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this
section shall be subject to the same controls as for electronic records
and shall be included as part of any human readable form of the
electronic record (such as electronic display or printout).
Linking records to Signatures - 11.70
"Electronic signatures and handwritten signatures executed
to electronic records shall be linked to their respective
electronic records to ensure that the signatures cannot be
excised, copied, or otherwise transferred to falsify an
electronic record by ordinary means."
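An added example, not part of the original presentation: a signature manifest that carries the three 11.50(a) items and is bound to the record content, so that a signature copied onto another record or left on an edited record fails verification as 11.70 requires. HMAC-SHA256 with a per-user key stands in for the signing step (an assumption made to keep the example to the standard library; an open system under 11.30 would use an asymmetric digital signature), and all names, keys and batch data are constructed.

```python
import hashlib
import hmac
import json

MEANINGS = {"review", "approval", "responsibility", "authorship"}


def _canonical(obj) -> bytes:
    """Stable byte encoding so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record, signer_name, user_id, meaning, signed_at, user_key):
    """Build a signature manifest bound to this exact record content."""
    if meaning not in MEANINGS:
        raise ValueError("meaning must be one of %s" % sorted(MEANINGS))
    manifest = {
        "record_id": record["record_id"],
        "record_sha256": hashlib.sha256(_canonical(record)).hexdigest(),
        "signer_name": signer_name,  # 11.50(a)(1) printed name of the signer
        "user_id": user_id,
        "signed_at": signed_at,      # 11.50(a)(2) date and time of signing
        "meaning": meaning,          # 11.50(a)(3) meaning of the signature
    }
    tag = hmac.new(user_key, _canonical(manifest), hashlib.sha256).hexdigest()
    return dict(manifest, signature=tag)


def verify_signature(record, signed, user_key):
    """Return "ok" or the reason the signature does not belong to this record."""
    manifest = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(user_key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("signature", "")):
        return "manifest altered or wrong key"
    if manifest.get("record_sha256") != hashlib.sha256(_canonical(record)).hexdigest():
        return "record content does not match signed content"
    return "ok"


def render(record, signed):
    """Human-readable form that carries the signature details (11.50(b))."""
    return "%s | Signed by %s on %s | Meaning: %s" % (
        record["record_id"], signed["signer_name"],
        signed["signed_at"], signed["meaning"])


def demo():
    # Constructed sample data: invented batch records, signer and key.
    key = b"constructed-demo-key-not-a-real-secret"
    batch_a = {"record_id": "BATCH-0001", "assay": "99.1", "result": "pass"}
    batch_b = {"record_id": "BATCH-0002", "assay": "91.4", "result": "fail"}
    sig = sign_record(batch_a, "A. Analyst", "aanalyst", "approval",
                      "2024-01-01T09:00:00+00:00", key)
    return {
        "original": verify_signature(batch_a, sig, key),
        "copied_to_other_record": verify_signature(batch_b, sig, key),
        "record_edited_after_signing":
            verify_signature(dict(batch_a, assay="99.9"), sig, key),
        "meaning_changed":
            verify_signature(batch_a, dict(sig, meaning="review"), key),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```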
General requirements for electronic signatures - 11.100
"(a) Each electronic signature shall be unique to one individual
and shall not be reused by, or reassigned to, anyone else.
(b) Before an organization establishes, assigns, certifies, or
otherwise sanctions an individual's electronic signature, or any
element of such electronic signature, the organization shall verify
the identity of the individual.
(c) Persons using electronic signatures shall, prior to or at the time
of such use, certify to the agency that the electronic signatures in
their system, used on or after August 20, 1997, are intended to
be the legally binding equivalent of traditional handwritten
signatures.
(1) The certification shall be submitted in paper form and
signed with a traditional handwritten signature, to the
Office of Regional Operations (HFC-100), 5600 Fishers
Lane, Rockville, MD 20857.
(2) Persons using electronic signatures shall, upon agency
request, provide additional certification or testimony that
a specific electronic signature is the legally binding
equivalent of the signer's handwritten signature."
Electronic signature components and controls - 11.200
"(a) Electronic signatures that are not based upon biometrics
shall:
(1) Employ at least two distinct identification components such as
an identification code and password.
(i) When an individual executes a series of signings during a
single, continuous period of controlled system access, the first
signing shall be executed using all electronic signature
components; subsequent signings shall be executed using at least
one electronic signature component that is only executable by,
and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not
performed during a single, continuous period of controlled system
access, each signing shall be executed using all of the electronic
signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of
an individual's electronic signature by anyone other than its
genuine owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed
to ensure that they cannot be used by anyone other than their
genuine owners."
Controls for identification codes/passwords - 11.300
"Persons who use electronic signatures based upon use of identification codes
in combination with passwords shall employ controls to ensure their security
and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and
password, such that no two individuals have the same combination of
identification code and password.
(b) Ensuring that identification code and password issuances are
periodically checked, recalled, or revised (e.g., to cover such events as
password aging).
(c) Following loss management procedures to electronically deauthorize lost,
stolen, missing, or otherwise potentially compromised tokens, cards, and
other devices that bear or generate identification code or password
information, and to issue temporary or permanent replacements using
suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords
and/or identification codes, and to detect and report in an immediate and
urgent manner any attempts at their unauthorized use to the system security
unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear
or generate identification code or password information to ensure that they
function properly and have not been altered in an unauthorized manner."
GAMP 5
(GOOD AUTOMATED MANUFACTURING
PRACTICE)
INTRODUCTION
Good Automated Manufacturing Practice (GAMP) is both a technical subcommittee
of the International Society for Pharmaceutical Engineering (ISPE) and a set of
guidelines for manufacturers and users of automated systems in the
pharmaceutical industry. More specifically, the ISPE's guide, the Good Automated
Manufacturing Practice (GAMP) Guide for Validation of Automated Systems in
Pharmaceutical Manufacture, describes a set of principles and procedures that
help ensure that pharmaceutical products have the required quality. One
of the core principles of GAMP is that quality cannot be tested into a batch
of product but must be built into each stage of the manufacturing process. As
a result, GAMP covers all aspects of production; from the raw materials,
facility and equipment to the training and hygiene of staff. Standard
operating procedures (SOPs) are essential for processes that can affect the
PURPOSE OF GAMP
To help USERS understand the requirements for
prospective validation of an automated system and the
level to which the validation should be performed.
To help SUPPLIERS ensure that systems are developed
according to good practice, and to provide documentary
evidence that their systems meet the agreed specification.
GAMP 4, December 2001: Major revision and new content in line with
regulatory and technological developments. Broadened scope to include
regulated healthcare industries. Greater coverage of user
responsibilities and detail on operational activities.
The new Good Automated Manufacturing Practice (GAMP) 5
guidelines were released February 2008 at the ISPE (International
Society for Pharmaceutical Engineering) Manufacturing Excellence
Conference in Tampa, Florida. These guidelines are the latest, up-to-
date thinking in the approach to validation of GxP computerized
systems. The purpose of the guidelines is to provide a cost effective
framework of good practice to ensure that computerized systems are fit
for use and compliant with regulation.
There are five key concepts to GAMP 5:
1. Product and Process Understanding
2. Lifecycle approach within QMS
3. Scalable Lifecycle Activities
4. Science Based Quality Risk Management
5. Leveraging Supplier Involvement
1) Product and Process Understanding
Understanding the product and process is critical in determining
system requirements and for making science and risk-based
decisions to ensure that the system is fit for use. In determining fit
for use, attention should be focused on those aspects that are
critical to patient safety, product quality, and data integrity.
2) Lifecycle Approach within a QMS
Defining a lifecycle approach to a computerized system has been
expanded from GAMP 4 to include all phases and activities from
concept and implementation through operation and retirement. These
activities should be defined within the quality management system
(QMS). This allows for a consistent approach across all systems.
There are four major phases defined for any system:
1. Concept
2. Project
3. Operation
4. Retirement
3) Scalable Lifecycle Activities
Within the GAMP 5 guidelines GAMP outlines that lifecycle activities
should be scaled according to:
System impact on patient safety, product quality, and data
integrity (Risk Assessment)
System complexity and novelty
Outcome of supplier assessment
4) Science Based Quality Risk Management
Science Based Quality Risk Management allows companies to
focus on critical aspects of the computerized system and develop
controls to mitigate those risks. This is where a clear
understanding of the product and process is critical to determine
potential risks to patient safety, product quality, and data
integrity.
5) Leveraging supplier involvement
Documentation should be assessed for suitability, accuracy,
and completeness. There should be flexibility regarding acceptable
format, structure and documentation practices.
OBJECTIVE
GAMP 5 guidance aims to achieve computerized
systems that are fit for intended use and meet current
regulatory requirements, by building upon existing industry
good practice in an efficient and effective manner.
GAMP 5 SETS THE MAIN REQUIREMENTS FOR THE USE OF
COMPUTERIZED SYSTEMS IN PHARMACEUTICAL
APPLICATIONS:
Patient safety, product quality and data integrity.
Effective governance to achieve and maintain GxP compliance.
Quality by design (QBD).
Continuous improvement within the quality management system (QMS).
Critical quality attributes (CQA).
Improving GxP compliance efficiency.
Configurable systems and development models.
Use of existing documentation and knowledge.
Effective supplier relationships.
Scalable approach to GxP compliance.
Science based quality risk management system.
Life cycle approach within QMS.
SOME APPLICATIONS OF GAMP-5
1. Monitoring manufacturing, production and storage
environments in the pharmaceutical industry.
The conditions under which pharmaceutical products are
manufactured and stored can have a major impact on their
quality. Factors such as temperature, humidity, air quality, time
and production process characteristics can all have a
significant impact on the final quality of a product or batch of
products.
For the purposes of traceability, it is necessary to adhere to GAMP
5 guidelines to accurately record every stage in the production
lifecycle of a product, encompassing not just the manufacturing
process but also the storage and distribution stages. In doing so,
manufacturers can prove to have acted in accordance with best
practice by building in quality from the outset and designing
failure out of the process.
GAMP guidelines advise that the manufacture, storage and
distribution stages of pharmaceutical products are monitored to
ensure that any facilities involved meet the required standards. Of
the various parameters that need to be carefully controlled,
temperature and humidity are perhaps the two most critical.
2. Monitoring the autoclaving process in the pharmaceutical industry.
Provides independent verification and validation monitoring
of the autoclaving process. Sterilization permits the re-use of
pharmaceutical equipment such as instruments, utensils, lab
equipment and media preparation, and is necessary to eliminate
transmissible agents such as spores, bacteria and viruses. It is
possible to kill some microorganisms with chemicals, irradiation, and
dry heat but the most effective and inexpensive method is with
saturated steam.
3. Water purification in the pharmaceutical industry.
Provides independent verification and validation of the water
purification process. Water is a major commodity used by the
pharmaceutical industry. Different grades of water quality are required
according to the pharmaceutical process. The United States
Pharmacopoeia (USP) and the European Pharmacopoeia (EP) are the
governing bodies that issue guidelines for the manufacture of drugs to
their respective markets. Amongst these guidelines are regulations, legally
enforceable by the FDA and European equivalents (such as the MHRA),
for the purification of different grades of water used in the
pharmaceutical processes:
Purified water is used in preparation of medicinal
products other than those that require the use of water to
be sterile.
Highly purified water - intended for use in the preparation
of products where water of high biological quality is
needed, except where water for injection is required.
Water for injection - the purest grade of bulk water
monographed by the USP and EP and is found in the
manufacture of parenteral, ophthalmic and inhalation
products.
4. Freeze drying in the pharmaceutical industry
Provides independent verification and validation monitoring of the
freeze drying process. Freeze drying is a technique used by
pharmaceutical manufacturers to derive dry product from aqueous
solutions. Originally developed during the 1940s, the technique
produces a dry product which can be readily reconstituted to its
original form by adding water when required. As such it is an
ideal way of prolonging the life of pharmaceutical products,
particularly where this may involve long periods of storage and
transit prior to use.
CONCLUSION
While there are new revolutionary concepts in GAMP 5, it does
bring together the latest industry and regulatory thinking in GxP
computerized system validation into one concise guidance. By using
the basic concepts that the GAMP, FDA, PIC/S, and other groups
have been touting, such as using a scientific risk-based
approach to validation and leveraging vendor documentation,
regulated companies can reduce the time and cost necessary for
validation and maintain their systems in a compliant state.