21 CFR Part 11 : Electronic Records & Signatures

Guideline (SOP) for Electronic Records & Signatures (21 CFR Part 11) and its implementation during data generation and assurance at a pharmaceutical drug product manufacturing plant and an API (active pharmaceutical ingredient) facility.

1.0   Purpose : 

    • The objective of this Guideline is to define the security controls for Computerized Systems that ensure the accuracy and completeness of Electronic Records and their Electronic Signatures with the ultimate goal of meeting cGxP requirements.

2.0   Scope : 21 CFR Part 11 –

3.0   Responsibility :

    • A System Owner is appointed for each cGxP Computerized System and is accountable for the Validation status of his/her system(s). He/she owns the Electronic Records created, processed, held and transmitted by his/her system(s). His/her responsibilities include:
      • Defining segregation of duties requirements.
      • Identifying Electronic Records in the system’s URS and in the Global Procedures and SOPs that govern the business processes using Electronic Records.
      • Approval of access requests and periodic review of users’ accounts and privileges.
      • Establishing a procedure for linking handwritten signatures to their electronic records.
    • A Technical Owner is appointed for each cGxP Computerized System to lead design, build and maintenance activities. His/her responsibilities include:
      • Documenting and justifying any use of generic user accounts.
      • Establishing a system administration procedure.
    • A Quality Assurance Lead is the Quality Assurance representative assigned to specific departments/systems to act as the independent QA acceptor of Computer Systems Validation deliverables. The QA Lead approves security control procedures and the system administration procedure.
    • Note: Additional responsibility detail is provided in the process description sections of this Guideline.

4.0   Abbreviations And Definitions (21 CFR Part 11) :

Availability: Ensuring timely and reliable access to and use of information.
CAPA: Corrective And Preventive Action; improvements to an organization’s processes taken to eliminate the causes of nonconformities or other undesirable situations.
cGxP: Current Good “x” Practice, a general term in which x stands for Clinical, Engineering, Laboratory, Manufacturing, Documentation, Pharmaceutical, etc.
cGxP Computerized Systems: Those Computerized Systems that fall under USA federal, state or international regulatory controls and support or have a direct impact on product quality, safety, efficacy, strength, stability, identity or availability.
Computerized System: A functional unit consisting of hardware, software, peripheral devices, personnel and documentation.
Confidentiality: Assuring that information is not made available or disclosed to unauthorized individuals, entities or processes.
CSV: Computer System Validation.
Electronic Data: Data recorded by direct entry into a Computerized System, either by a digital device or by operator entry.
Electronic Record (ER): Electronic Data that is used in lieu of paper cGxP records.
Electronic Signature (ES): A system of operator authentication, adopted or authorized by an individual, which is the legal equivalent of the individual’s handwritten signature for a cGxP action or approval.
Incident: An unplanned interruption to a Computer System service, or an event that either immediately compromises the confidentiality, integrity or availability of information or systems, or compromises the effectiveness of the established security controls.
Integrity: Assuring the accuracy and completeness of data over its entire life cycle.
IT: Information Technology.
IT Infrastructure: A connected set of hardware, firmware and operating system software that acts as infrastructure to one or more Computerized Systems and falls within the scope of responsibility of the IT Infrastructure Function.
QA: Quality Assurance.
Qualification: The action of proving and documenting, using Good Documentation Practices, that equipment or ancillary systems are properly installed, work correctly and actually lead to the expected results. Qualification is part of Validation.
Security: The preservation of Confidentiality, Integrity and Availability of information and systems.
URS: User Requirements Specification.
Validation: Establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specifications and quality attributes.

5.0   Procedure / Process Description (21 CFR Part 11 Implementation)

  • Integrity, authenticity and availability of Electronic Records and Signatures are achieved through a combination of Organizational Controls, Procedural Controls and Technical Controls. Many of these controls are described in other GQSs along with the CSV processes of which they are a part. This guideline summarizes the totality of ERES controls and details the organizational and procedural controls for Information Governance.


    • Organizational Controls:

    • Electronic Record Ownership:

    • The System Owner shall act as owner for each type or grouping of Electronic Record created, processed or held in his/her Computerized System.
    • Legal Equivalence of Electronic Signature:

    • When an Electronic Signature is used in lieu of a handwritten signature required by cGxP regulations, it shall be considered a legally binding equivalent of the handwritten signature.
    • Certification of Legal Equivalence:

    • Before use of Electronic Signature in lieu of handwritten signature in any site or regional or global business function that markets or produces for the USA or makes submissions to the USA regulatory authorities, the relevant head of Quality Assurance shall certify that the Electronic Signatures employed are intended to be a legally binding equivalent of traditional handwritten signatures. This certification may be performed at a corporate level.
    • Training of CS Development and Maintenance Staff:

    • All individuals engaged in the development and maintenance of Computerized Systems that are used to create, maintain and retain ERs shall be trained as defined in the SOP for cGxP Computerized Systems Implementation.
    • Training of ER Users and Signatories:

    • All users of Computerized Systems that are used to create, maintain and retain ERs shall be trained as defined in the SOP for cGxP Computerized Systems Implementation. The training shall include, as a minimum:
      • Acceptable user account and password practices.
      • Acceptable Electronic Record accuracy, completeness and timeliness practices.
      • The legal equivalence of an Electronic Signature used in lieu of a handwritten signature.
    • Segregation of Duties:

    • Users’ duties with respect to cGxP Computerized Systems shall be segregated to ensure the integrity of the system and its Electronic Records. Segregation rules shall be approved by the System Owner and, whenever possible, shall include:
      • System implementation and support users that implement functional or parameterization changes shall not transact cGxP processes or process Electronic Records in the system.
      • User administrators shall not transact cGxP processes or process Electronic Records in the system.
      • User administrators shall not implement functional or configuration changes to the system.
      • Where cGxP regulations mandate that only QA may perform a specific duty, the supporting cGxP Computerized System shall restrict privileges so that only QA personnel can execute those tasks.
  • Procedural Controls:

    • Identification of Electronic Records:

    • The System Owner shall ensure that the SOP(s) that govern the creation, maintenance, retention and disposition of the cGxP record define when an ER is used in lieu of a paper record, and that the system’s User Requirements Specification (URS) defines the ERs created, processed, held or transmitted by the system.
    • Verification of Electronic Signatory’s Identity:

    • Before granting a system user the privilege to execute Electronic Signatures, the identity of the user shall be verified.
    • Granting User Access:

    • User privileges (including system administration access) shall be granted using user accounts that are unique to the individual user. Generic user accounts shall be used only where there is no technical capability to execute the required actions with an individual user account. If actions using a generic user account are necessary, the Technical Owner shall document the activity with a justification for using the generic account and seek approval from the System Owner.
    • All users of cGxP Computerized Systems shall be granted access only after approval by the System Owner or his/her deputy. Access shall only be approved if:
      • The principle of least privilege is honored: privileges are restricted to only those required by the user to fulfil his/her duties.
      • The training evidence cited in the request is sufficient for the privileges requested.
      • The Segregation of Duties rules are adhered to.
    • Permanent access (i.e. access to a cGxP Computerized System without a start and end date) shall only be granted to permanent employees of the company.
    • The System Owner shall not approve any request for access for him/herself. In such cases a peer or supervisor shall approve the access request.
    • Revoking User Access:

    • Upon change of responsibilities, or termination of a User, Computerized Systems privileges that are no longer required shall be revoked.
    • On a periodic basis, at intervals not exceeding one calendar month, the System Owner shall verify that user accounts for terminated staff are disabled or deleted.
    • Periodic Access Rights Review:

    • Periodically, at intervals not exceeding one year, the System Owner shall conduct a full review of user access rights to verify that each user’s privileges are only those required to fulfil his/her duties, and that segregation of duties requirements are honored. Excess or conflicting privileges shall be revoked.
    • Security Monitoring:

    • The Technical Owner shall establish and execute a Security Monitoring Process for the systems in his/her scope of responsibility. The Security Monitoring Process shall include, but is not limited to the following activities:
      • Vulnerability scanning.
      • Adherence to software suppliers’ security patch recommendations.
      • Currency of virus protection software and data files.
      • Review of security event logs for anomalous activities such as multiple failed log-in events.
      • Review of the physical access events.
      • The method and evidence of monitoring shall be recorded.
    • The Technical Owner shall periodically, at intervals not exceeding three years, review and update the Security Monitoring Process.
    • The Security Monitoring Plan shall be approved by, as a minimum, the System Owner and the QA Lead.
    • If during any security monitoring activity a failure of a security control or a breach is identified, the Technical Owner shall ensure that a Security Incident is raised and processed.
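As an added example (not part of the original guideline, and not the output of any particular monitoring product), the log-review activity above can be automated. The script below parses constructed, syslog-style authentication events and flags every account and every source host with repeated failed log-ins inside a sliding window, as well as a successful log-in that directly follows such a burst, which is the trace a password-guessing attack leaves behind. The log format, field names, threshold and window length are assumptions made for the example.

```python
"""Review of security event logs for repeated failed log-ins (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real log data. Format is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z auth user=analyst.a result=SUCCESS src=10.1.2.30
2024-03-01T08:00:05Z auth user=admin.lims result=FAILURE src=10.1.2.77
2024-03-01T08:00:07Z auth user=admin.lims result=FAILURE src=10.1.2.77
2024-03-01T08:00:09Z auth user=admin.lims result=FAILURE src=10.1.2.77
2024-03-01T08:00:11Z auth user=admin.lims result=FAILURE src=10.1.2.77
2024-03-01T08:00:14Z auth user=admin.lims result=SUCCESS src=10.1.2.77
2024-03-01T08:30:00Z auth user=analyst.b result=FAILURE src=10.1.2.31
2024-03-01T09:30:00Z auth user=analyst.b result=FAILURE src=10.1.2.31
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts. Lines that do not match are skipped here;
    in a real review they should be counted, because a gap in the log is a finding too."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]})
    return events


def find_anomalies(events, threshold=3, window=timedelta(minutes=10)):
    """Return findings: failure bursts per user and per source host, and a
    success that follows an open burst. Threshold and window are example values."""
    findings = []
    recent = defaultdict(deque)  # key -> timestamps of failures inside the window
    burst_open = set()           # keys currently at or over the threshold
    for e in sorted(events, key=lambda x: x["ts"]):
        # Track the same event under both the account and the source host, so a
        # spray across many accounts from one host is caught as well.
        for key in (("user", e["user"]), ("src", e["src"])):
            q = recent[key]
            while q and e["ts"] - q[0] > window:   # expire old failures
                q.popleft()
            if e["result"] == "FAILURE":
                q.append(e["ts"])
                if len(q) >= threshold and key not in burst_open:
                    burst_open.add(key)
                    findings.append({"type": "failed_login_burst", "key": key,
                                     "count": len(q), "at": e["ts"]})
            else:  # SUCCESS: report it if it closes a burst, then reset the counter
                if key in burst_open:
                    findings.append({"type": "success_after_burst", "key": key, "at": e["ts"]})
                q.clear()
                burst_open.discard(key)
    return findings


def review_sample():
    """Run the review over the constructed sample log."""
    return find_anomalies(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in review_sample():
        print(f["type"], f["key"], f["at"].isoformat())
```

On the sample, the two isolated failures for analyst.b an hour apart produce nothing, while admin.lims from 10.1.2.77 yields a burst finding for the account, a burst finding for the host, and a success-after-burst finding for each; the last of these is the one that warrants raising a Security Incident rather than just a password reset.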
    • Management of Electronic Records:

    • The System Owner shall ensure that the SOP(s) that govern the creation, maintenance, retention and disposition of Electronic Records ensure their integrity.
    • Handwritten Signatures applied to Electronic Records:

    • In the case of a handwritten signature applied to an electronic record (for example a signature on a paper print-out of an ER), the System Owner shall establish a procedure to ensure that the signature is uniquely and explicitly linked to the signed ER.
    • Electronic Copies of Paper Records:

    • Electronic copies (for example digital scans) of paper cGxP documents and records shall not be used in lieu of those paper documents and records.
    • The process for creating the electronic copy shall be governed by an approved SOP. The paper originals shall not be destroyed.
  • Technical Controls:

    • Technical Design of ER Computerized Systems:
    • Minimum technical requirements for Computerized Systems that process ERs and ESs are specified in the SOP for cGxP Computerized Systems Implementation and its supporting Global Procedures.
    • These technical requirements include:
      • Data Entry Validation. Where possible the system shall be designed with data validation mechanisms to enforce data entry with meaningful values.
      • Audit Trail of creation, changes and deletion of ERs, consisting of the ER changed, the identity of the user that made the change, the date and time, and the before and after values of the fields changed.
      • Human and machine readability of Electronic Records and associated Signatures in full, including associated metadata.
      • Sequence Checks. When required by the cGxP process supported by a Computerized System, the system shall enforce the correct sequence of operator actions.
      • Device Checks. When required by the cGxP process supported by a Computerized System, the system shall perform input device checks to determine the validity of the source of data input or operational instruction.
      • Electronic Record Retention. The Computerized System shall have the facility either to retain ERs for their whole retention period or to archive them without loss of record integrity.
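To make the audit trail requirement concrete, the following added example (not code from the original guideline or from any vendor system) shows one way to store field-level before/after values together with the user identity and timestamp in an append-only, hash-chained log, so that any later alteration or removal of an audit entry is detectable on review. The record identifiers, user names and values are constructed sample data; the create/modify/delete action names and SHA-256 chaining are design choices for the example.

```python
"""Tamper-evident audit trail for Electronic Record changes (added example)."""
import hashlib
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only list of audit entries; each entry commits to the previous one."""

    GENESIS = "0" * 64  # stands in for the hash of the entry before the first one

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
        payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(payload).hexdigest()

    def record_change(self, record_id, user, action, before, after, when=None):
        """Append one entry with the user, timestamp and every field that changed.
        A creation has an empty 'before', a deletion an empty 'after'."""
        when = when or datetime.now(timezone.utc)
        fields = sorted(set(before) | set(after))
        diffs = {f: {"old": before.get(f), "new": after.get(f)}
                 for f in fields if before.get(f) != after.get(f)}
        entry = {
            "seq": len(self.entries),
            "record_id": record_id,
            "user": user,
            "action": action,  # "create" | "modify" | "delete" (example vocabulary)
            "timestamp": when.isoformat(timespec="seconds"),
            "changes": diffs,
            "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain. Returns (True, None) or (False, index of first bad entry).
        Catches edited values, re-ordered entries and entries deleted from the middle."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or e["seq"] != i or self._entry_hash(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def build_sample_trail():
    """Constructed sample: a batch record is created, then its assay result is corrected."""
    trail = AuditTrail()
    t0 = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    trail.record_change("BATCH-0001", "analyst.a", "create", {},
                        {"assay_pct": 99.1, "status": "draft"}, when=t0)
    trail.record_change("BATCH-0001", "analyst.b", "modify",
                        {"assay_pct": 99.1, "status": "draft"},
                        {"assay_pct": 98.7, "status": "draft"}, when=t0)
    return trail


def tamper_and_verify(trail):
    """Overwrite a logged 'old' value in place, as a direct database edit would,
    and return the verification result; expected to flag entry 1."""
    trail.entries[1]["changes"]["assay_pct"]["old"] = 98.7
    return trail.verify()


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact:", t.verify())
    print("after tampering:", tamper_and_verify(t))
```

The chain proves only that entries were not altered after they were written; it does not stop a database administrator from rewriting the whole chain from the start. The chain head (or a periodic export of the trail) should therefore be copied to storage that the system's own administrators cannot modify, which is also what keeps the segregation-of-duties rule for user administrators meaningful at the data layer.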
    • Control of Data Manipulation Features:

    • Standard software products used in Regulated Computerized Systems sometimes include standard features that enable manipulation of data. The use of data manipulation features shall be strictly controlled, and where possible such features shall be disabled.
    • Use of Open Systems:

    • An open system is any Computerized System in which access is not controlled by the persons responsible for the content of its Electronic Records (for example, cloud solutions).
    • If an open system is used to create, modify, maintain or transmit ERs, the System Owner shall ensure that controls are established to ensure the authenticity, integrity, confidentiality and availability of ERs from the point of their creation to the point of their receipt. These controls include all those specified above and additional measures to address the specific risks of open systems, such as encryption of the records and use of appropriate digital signature standards.

6.0   References :

    • 2.0   SOP for Computerized Systems Governance
    • 4.0   SOP for cGxP Computerized Systems Implementation
    • 6.0   SOP for cGxP Computerized Systems Operation


Janki Singh is experienced in Pharmaceuticals, author and founder of Pharma Beginners, an ultimate pharmaceutical blogging platform.