Page 1

21 CFR PART 11 REGULATIONS ON

ELECTRONIC RECORDS &

ELECTRONIC SIGNATURES &

REGULATORY PERSPECTIVE

ON ITS REQUIREMENTS

&

GAMP Requirements

Apr 15, 2023

Page 2

Original intended key objectives of Part 11 Regulations

Retention/documentation of records

Integrity/security of Records

FDA Access to Records

Authentication of Electronic Signatures

Accountability for Maintaining Records / System

Validation

Page 3

Contents

21 CFR Quality Management System Regulations

What is 21CFR11

The important aspects of 21CFR11

21CFR Basics

Equivalent requirements in EU legislation & PICs

Problem Area’s

Examples

FDA Inspector Questions

FDA Checks based on their training & experience

GAMP requirements & catagories

Page 4

QUALITY SYSTEM REGULATION

PART 11 REGS.

- 21 CFR 11.10(a)

Validation of Systems

- 21 CFR 11.10(b)

Controls – Closed Systems

-Generate copies of

records for inspection

-21 CFR 11.10(c)

Protection of Records to enable retrieval

Page 5

QUALITY SYSTEM REGULATION

PART 11 REGS.

- 21 CFR 11.10(a)

Validation of Systems

- 21 CFR 11.10(b)

Controls – Closed Systems

-Generate copies of

records for inspection

-21 CFR 11.10(c)

Protection of Records to enable retrieval

Page 6

QUALITY SYSTEM REGULATION

PART 11 REGS.

-21 CFR 11.10(i)

Education - personnel

-21 CFR 11.10(j)

Accountability

-21 CFR 11.10(k)

Controls – system documentation

Page 7

QUALITY SYSTEM REGULATION

GOOD LAB. PRACTICE REG.

- 21 CFR 58.15 Inspection of records

- 21 CFR 58.29 Personnel – education and training

- 21 CFR 58.33 Study Director – responsibility for

documentation

- 21 CFR 58.35 Quality Assurance Unit

- 21 CFR 58.81 Written standard operating

procedures

- 21 CFR 59.190 Storage and retrieval

of records

- 21 CFR 58.195 Retention of records

Page 8

What is 21CFR11?

21CFR = FDA, Code of Federal Regulations

21CFR58 = GLP

21CFR210 = GMP, Drugs (General)

21CFR211 = GMP, Drugs (Finished Pharmaceuticals)

21CFR312 = Inv. New drug Application (GCP)

21CFR314 = FDA Approval of new drug (GCP)

21CFR6xx = GMP, biologics

21CFR820 = GMP, Devices

21CFR…… = Food, nutrients and cosmetics

21CFR11 = Electronic Records; Electronic

Signatures

Page 9

The important aspects of 21CFR11:

Substantive rule from 20 August 1997

Applies to any e-record in any FDA regulated

work including legacy systems

Criteria for e-records and e-signatures:

- Trustworthy and reliable

E-signatures = hand-written signatures

Minimum requirements / fraud prevention

Page 10

21 CFR Part 11, Basics

Electronic records equivalent with paper records• Storage, retrieval and copying in full retention period• Submitting to FDA

Protection of electronic records• Security (physical and logical)• Validation• Audit trail (who did what, when including reason where

req.)

Permission to use of electronic signature• Equivalent with handwritten signatures• Name, date and meaning• Linking of signature to record• Unique for an individual

Page 11

Equivalent requirements in EU legislation

Annex 11, Computerised Systems

Personnel

Validation

System

• Descriptions and SOP’s

• Change control and configuration management

• Records; entry, storage, retrieval

• Audit trail

• Security and Disaster recovery

• etc.

Page 12

PIC/S Guidance

Good Practices for Computerised Systems in

regulated ”GXP” environment

Computer System Life cycle, incl.

Electronic Records and Signatures

Security, and

Audit trail

Checklists for Inspection

Links ISO and IEEE standards, 21CFR11, APV

guides, PDA Technical Reports together

Page 13

Problem areas

Lack of knowledge in the organisation on

Computer Validation

21 CFR Part 11

Maintenance of computer systems

Purchase of non-compliant systems are ongoing

”Part 11 compliant systems” do not exist

• Administrative controls (= Company policies)

• Procedural controls (= Company SOP’s)

• Technical controls (= Supplier SW controls)

Page 14

Example of 483 given by FDA investigator:

Below 483 is leaded to issuance of Warning Letter by FDA:

A review of the High Performance Liquid Chromatograph

(HPLC) electronic records from July 3, 2013, for (b)(4) batch

#(b)(4) revealed an Out-of-Trend (OOT) result. The sample

preparation raw data was discarded and not reported. A QC

analyst indicated that these results were discarded due to

some small extra peaks identified in the chromatogram

fingerprint and an unexpected high assay result.  The QC test

data sheet reported two new results that were obtained from

samples tested on July 4, 2013 and July 5, 2013, using a

different HPLC instrument. 

Page 15

FDA 21CFR11 inspection questions

Who is allowed to input data?

Who is allowed to change data?

How can you tell who entered the data?

How do you know which data had been changed?

When do you lock down the data input?

Can you do the following actions?

“Show me some data, show me you can see the history of the

data, show me you control the data life cycle.”

Is the system validated and are the requirements met?

Can you show me the results of the validation activities?

Does the validation include: “Pass/fail, signature, date/time

stamp”; and “objective evidence - screen prints or page

printouts with a link to the direction that generated the output.”?

Page 16

What FDA Inspectors are Trained to Look For…

To effectively prepare for a visit from FDA, you must learn to look at your operations

through the eyes of an FDA investigator. For your computerized systems, some items

FDA investigators are trained to observe include:

– Is data is being collected concurrently with the performance of your operations?

– Are systems designed to record non-conformances?

– Do systems question out-of-specification results but not borderline results?

– Are passwords shared, maintained on “Post-Its”, or found in the middle desk drawer?– Are password restrictions logical (e.g., not re-used, not the same as user IDs, not just one character or space, or easily guessed)?– Are adequate protections in place when employees leave or transfer — or IDs are compromised?– Are systems left on and unattended?– Are electronic signatures being used and, if so, has the firm filed a Part 11.100(c) notification?– Are hybrid systems being used and, if so, how are handwritten signatures linked to electronic records?

Page 17

What FDA Inspectors are Trained to Look For…

To effectively prepare for a visit from FDA, you must learn to look at your operations

through the eyes of an FDA investigator. For your computerized systems, some items

FDA investigators are trained to observe include:

– Are electronic copies of electronic records available?

– Does the firm truly understand “system validation”?

– Can records be altered without leaving a trace?

– Are changes to electronic records obvious and clearly flagged to indicate a change?

– Is the original data readable?

– Have system administrators been trained in network operations and security?

– Are systems open or closed — and what is being done to ensure the security of open

systems?

Page 18

Note:

Note that this enforcement is not based on what system or process the manufacturer says is

being used — but on the investigator’s actual observation and evidence collection of

what system is being used. Citations, usually referencing the predicate rules and not always

mentioning Part 11, are appearing in both FDA-483s as well as Warning Letters.

Page 19

Automating GMP Areas: GAMP

Good Automated Manufacturing Practices (GAMP) provides the Framework for

Automated System Validation

Current version GAMP 5 emphasizes Risk Based Approach to Software Validation

with Life Cycle ModelGAMP Categories

Category Software Type CSV Criticality

1 Operating System Low

2 Firmware Removed in GAMP 5

3 Standard Software Packages Medium - High

4 Configurable Software Packages Medium - High

5 Custom or Bespoke Systems High

Page 20

Automating GMP Areas:

Personnel Qualifications (211.25)Consultants (211.34)Equipment Cleaning and Maint. (211.67)Automated Equipment (211.68)*Written Procedures (211.100)Materials Examination and Usage (211.122)Packaging and Labeling Oper. (211.130)Drug Product Inspection (211.134)Distribution Procedures (211.150)Reserve Samples (211.170)Records and Reports (211.180)

Equipment Cleaning and Use (211.182)Component, Container, Closure and Labeling Records (211.184)Master Production Records (211.186)Batch Production Records (211.188)Production Record Review (211.192)Laboratory Records (211.194)Distribution Records (211.196)Complaint Files (211.198)Returned Drug Products (211.204)Drug Product Salvaging (211.208)

Page 21

Automating GMP Areas:

Process Control Systems

• PLC / DCS / SCADA / BMS

• Laboratory Computerized Systems

• Application Software Like HPLC /GC /FTIR etc

Global Information Systems

• ERP Systems Like SAP / BaaN

• Document Management Systems

Page 22

Process Control Systems:

Access Control & Password Management

Program Back Up for PLC / HMI / SCADA

Set Parameter Ranges To Be Restricted / Defined

Alarm Management

System Clock Synchronization

System Design Documents V/s Configuration Check

Printers & Reports

Electronic Records & Signatures – Wherever Applicable

Life Cycle Management

Page 23

Laboratory Computerised Systems:

Access Control & Password Management

Adequate User Ids

Data Back Up & Restore

Data Security

Laboratory Network & Server Qualification

System Clock Synchronization

Printers & Records

Electronic Signatures & Records

Life Cycle Management

Page 24

Global Information Systems like ERP, SAP & DMS & Agile etc., :

cGMP vs. System Configuration

Interfacing of Quality Management System (BMRs) vs. ERP Records

Access Control & Password Management

Adequate User Ids

Data Back Up & Restore

Data Security

Network & Server Qualification

Paper Records vs. Electronic Records

Electronic Signatures

Life Cycle Management

Page 25

Maintaining Control in Operation (Post Validation) Program should ensure the following –

All up-dates / new development / implementation are in line with the Change Control

Procedures

Risk Assessment is carried out for all up-dates / new development / implementation

Validation documents (SOPs / Protocols / Specifications) are reviewed and updated

periodically

Audit the Validation Status of various systems

Monitor the Performance of Systems Periodically

Maintaining Control in operation:

Page 26

Formulate Computer System Validation Policy – Top Line Statement

Form the Core Team

Formulate Validation Master Plan

Define IT policies & Procedures

For New Systems Follow GAMP V Model – URS to PQ

For Existing Systems

• Take the inventory of Systems

• Carry Out Impact Analysis

• Carry Out Risk Assessment for each System

• Close the Gaps

• Update the URS and follow GAMP v Model

Maintain Control in Operation

Approach towards Compliance:

Page 27