Process Worldwide-PharmaTEC 01-2004
Practical assistance
Interpretation of 21 CFR 11 applicable to electronic records on computerized systems

Part 11 of the Code of Federal Regulations Title 21 has been a topic of discussion since August 1997. The debate has at times been controversial, and the FDA has repeatedly presented new interpretations and applications. As part of its “Risk-Based Approach to Pharmaceutical Current Good Manufacturing Practices (cGMP) for the 21st Century”, the FDA intends to clarify the situation in its “Guidance for Industry, Part 11 Scope and Application.” The following article explains what this will mean in practice.

The view of what constitutes electronic records as defined in Part 11 has changed significantly. The latest thinking is reflected in the “Scope and Application” guidance document. In contrast to the former approach which was very broad and categorized all GMP relevant data that exist in electronic form as electronic records, Part 11 now only applies to records that are explicitly required by a higher-level statute or regulation (predicate rule) and that exist exclusively in electronic form. Records that are transmitted electronically to the FDA (for example submissions) and documents with electronic signatures must also comply with the requirements of Part 11.

Example 1/raw analytical data: One of the underlying predicate rules in this case is 21 CFR 211.194 (a) (4): “A complete record of all data secured in the course of each test, including all graphs, charts, and spectra from laboratory instrumentation…”. This includes the raw data file (usually in binary format) and the method of analysis (for example HPLC peak baseline detection). If the format of the resulting report is electronic and if this is the format that is relied on for the approval decision, the report must meet the requirements for Part 11 records. If on the other hand the approval decision is based on a report that has been printed out and signed, the paper format is regarded as the relevant version and the electronic version of the report does not have to fulfill Part 11 requirements.

Example 2/data collection in production: Electronic records would include electronic data used for electronic batch recording (EBR). Records created with a word processing program that are printed out and signed manually are not Part 11 records.

Requirements for electronic records

In defining requirements, 21 CFR 11 makes a distinction between open systems and closed systems (Subpart B §11.10 and §11.30). On closed systems, system access is controlled by responsible persons. This category also includes modem access if appropriate safeguards are in place to control dial-up access. Responsible persons can be members of any department in the organization who are responsible for the GMP relevant data including persons responsible for system administration and maintenance activities acting on behalf of internal or external functions. Open system means an environment where system access is not controlled by persons who are responsible for the content of the data on the computer system. Currently, closed systems are the norm. However, if a system evaluation shows that an open system exists, supplemental measures must be taken in addition to what is required for closed systems.

Requirements for closed systems

System validation [§11.10 (a, k)]

Computer systems that are used to create, administer or change GMP-relevant data must be validated. 21 CFR 11 does not require separate validation in addition to normal computer validation. However, it is important that the requirements described below (audit trail, etc.) are included in the evaluation. As a wealth of information pertaining to methods of validating computer-based systems already exists, we will not go into detail on this topic at this point.

Copies of electronic records [§11.10 (b)]

During the course of an inspection, it must be possible to provide a complete and accurate copy of electronic records to the inspector both in electronic and paper-based (human readable) form. If it is not possible to review the particular electronic data record without the appropriate application, information must be provided to the inspector or the agency explaining how to proceed in that specific instance.

Explanation: similar to the situation in today’s paper-based environment, companies must be able to make data available within a matter of hours. This can be accomplished by displaying the data on a screen and/or by printing the data out. Databases generally are more suitable for meeting individual requests placed by inspectors than current paper-based filing systems. However, because the systems in use can only be operated in accordance with specifications, it cannot be assumed that every imaginable query can be answered. Thus in any particular instance, the inspector or the agency must determine the best method of collecting data which fulfills the purpose of the inspection and which is technically feasible. This also applies to formats and media used to transfer data in electronic format.

Data backup and archival [§11.10 (c)]

The data (including the audit trail) must be accessible in readable form throughout the record retention period. The retention period is determined by the time periods prescribed. A suitable procedure must be used to back up data on operational systems. Accessibility via online systems and storage on external systems/media are two typical methods of archival. Appropriate measures must be taken to ensure data availability and integrity. In particular, a review must be conducted during the retention period to determine whether the media and/or the data format must be changed.

Example 1: A regular backup procedure exists for online access, which can also be used for archival.
Example 2: When a system change takes place, either the old hardware and software are retained or valid data migration to the new system is performed.
Example 3: Reports or similar documents are stored in graphic format, for example as pdf files.
Example 4: A regular check of archived data is performed on a sample basis to ensure data availability and integrity.

In practical application, a suitable combination of the examples listed may be appropriate.

System access [§11.10 (d)]

Suitable mechanisms must be used to limit system access. The person responsible for the system must ensure that only authorized persons are allowed to access the system. Example: system access is limited by measures to control access to the plant, building and network. Additional system-specific measures are described in the “Access Rights/Authority” section below.

Audit trail [§11.10 (e)]

The audit trail is a computer-generated log file that runs in the background. It creates a complete record of which user (for example unique name in clear text or user ID) created, modified or deleted which data record (e.g. field name) when (date and time). Since there must be a method of reconstructing the information that existed before the data record was changed, either the old record must be retained or the audit trail must indicate what changes were made (before/after content). However, if it is not possible to change or delete a data record, then there is no need for an audit trail because in this case the audit trail does not enhance the level of security. A thorough justification (for example in a risk assessment) is required to explain why an audit trail is not necessary. If due to GxP requirements certain processes require that a justification be provided for changes that are made, an audit trail can fulfill this requirement. The audit trail is itself an electronic record and must be available during the entire record retention period.

Adherence to a sequence of steps [§11.10 (f)]

If a particular sequence of steps or events is classified as critical, system functional checks must ensure that the sequence is adhered to. If these checks cannot be performed, then organizational measures must be taken to ensure adherence. The steps are as follows:

1. data entry
2. data verification
3. data release

The system must not allow step 2 before step 1, and it must not allow step 3 before step 2.
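
An added example, not from the original article: a minimal Python sketch of the audit trail (who, which record and field, when, before/after content) combined with the entry, verification, release sequence check described above. The class and field names, the sample record ID and the rule that data entry closes after verification are assumptions of this sketch; the trail is an in-memory list, so its own protection and retention are out of scope.

```python
from datetime import datetime, timezone

STEPS = ["entry", "verification", "release"]  # critical sequence from the text

class SequenceError(Exception): pass

class Record:
    def __init__(self, record_id, trail):
        self.record_id, self.trail = record_id, trail
        self.fields = {}
        self.done = []  # steps completed so far, in order

    def _audit(self, user, action, field=None, before=None, after=None):
        # Who did what to which record and field, when, with before/after content.
        self.trail.append({"when": datetime.now(timezone.utc).isoformat(),
                           "user": user, "record": self.record_id, "action": action,
                           "field": field, "before": before, "after": after})

    def set_field(self, user, field, value):
        # Assumption of this sketch: data entry closes once verification is done.
        if "verification" in self.done:
            raise SequenceError("record already verified; data entry is closed")
        action = "modify" if field in self.fields else "create"
        before = self.fields.get(field)
        self.fields[field] = value
        self._audit(user, action, field, before, value)
        if not self.done:
            self.done.append("entry")

    def complete(self, user, step):
        expected = STEPS[len(self.done)] if len(self.done) < len(STEPS) else None
        # "entry" is completed only by entering data, never by declaration.
        if step == "entry" or step != expected:
            self._audit(user, "rejected:" + step)
            raise SequenceError(f"{step!r} not allowed; next step is {expected!r}")
        self.done.append(step)
        self._audit(user, step)

def demo():
    trail = []
    rec = Record("BATCH-0001", trail)  # constructed sample record ID
    try:
        rec.complete("qa1", "release")  # step 3 before steps 1 and 2: refused
    except SequenceError:
        pass
    rec.set_field("op1", "weight_kg", 12.5)
    rec.set_field("op1", "weight_kg", 12.7)  # change keeps the old value
    rec.complete("qa1", "verification")
    rec.complete("qa2", "release")
    return rec, trail
```

The rejected attempt is itself written to the trail, so an out-of-order release shows up for review instead of disappearing silently.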

Access rights/authority checks [§11.10 (g)]

In addition to the measures described in the “System Access” section above, authority checks must be performed to ensure that only authorized persons have operational access to the system and the data on the system. These access rights must be defined, documented and tested in a suitable manner.

System login examples: UserID (unique name abbreviation, employee number, unique sequence of letters or numbers) and password; use of individual ID cards (e.g. plant ID), for electronic signatures used together with a password; identification using biometrics: fingerprint, voice, retinal scan; hand-written signature on a medium that transfers the information electronically to the system.

Examples of operational use of a system: allocation of specific write and read privileges; booking and approval privileges; administration privileges; access to critical system or hardware components.

Device checks [§11.10 (h)]

Sources of data and/or instructions must be validated in a suitable manner. Validation of automatic interfaces and checking of input media during manual input is performed as part of system validation. Example: several scales are attached to a network. Access is only permitted to the (calibrated) scale that has the correct weighing range.

Training [§11.10 (i)]

All persons who work with computer systems (use, develop, maintain, etc.) must have the appropriate training to perform their assigned tasks.

Use of electronic signatures [§11.10 (j)]

If electronic signatures are used on a computer system, there must be written policies that assign responsibility to each person for actions that are initiated under his or her electronic signature. The consequences of falsifying data and signatures must be made clear.

System documentation [§11.10 (k 1,2)]

Documentation needed to operate a system must be accessible. Creation and modification of this documentation must always be controlled and traceable.

In summary, the new guidance has largely defused the discussion surrounding 21 CFR 11. The law now only applies to records that are explicitly required (predicate rule) and that exist in electronic form only. Exceptions to the requirements of Part 11 are allowed if suitable measures have been taken which convince the agency that data cannot be changed at all or that any changes will be detected. This eliminates the need for costly new investment (upgrade of audit trails). The relaxation of requirements gives the industry greater freedom of movement.