Electronic Records - Requirements of 21 CFR Part 11


Computer technology has spread deep into the pharmaceutical industry at a fast pace, and the automation of many activities in the industry has increased significantly as a result. Because of the vulnerabilities that exist in today's computerized systems, regulations for the use of electronic records are essential.

Why Is the US FDA Giving Top Priority to Electronic Records?


The pharmaceutical manufacturing industry has a very complex structure of work. It blends sophisticated technical systems with human actions and emotions. Deficiencies in the functioning of either of these aspects directly affect the quality of medicines. Low-quality medicines are the biggest threat to patients.

It is a well-known fact that medicines have to be manufactured using a predefined and scientifically established process. You can predict precisely what happens at each step or stage only if you follow and execute the established procedure exactly as written. A perfect process is one that is reproducible and repeatable at any given point in time. Deviations from the defined process, whether made knowingly or unknowingly, lead to a product of inferior quality.

The manufacturing of a medicinal product has many phases. Procurement of raw materials, optimization of the manufacturing method/process, validation of the manufacturing process, manufacture of the product, analytical testing, packing, storage in the warehouse, and distribution in the market are some of the key steps in making medicinal products.

Each and every step of manufacturing has a unique nature and way of functioning. Every action and every activity, at each step, must be documented and recorded with transparency. Records, irrespective of their format, are pieces of evidence of the work executed in a particular set of conditions. Records may exist either in electronic or paper format. For regulators, these records are the only sources and evidence for the scrutiny and verification of manufacturing processes in the pharmaceutical industry.


Electronic records come into existence through software programs that are designed to execute a particular activity. User interaction with the software is a key factor in generating electronic records.


Types of Digital Environments Described In Part 11


Since electronic technology has become an integral part of pharmaceutical manufacturing processes and its use in the industry is increasing day by day, control of the digital environment has become essential to bringing safe medicines to the market.

So, the US government took this requirement as a top priority and has established strict controls on the use of electronic records and electronic signatures by defining them in 21 CFR Part 11 - Electronic Record and Electronic Signature.

Two types of digital environments are described in 21 CFR Part 11:

1. Closed System
2. Open System

The rules and regulations in the law were composed considering these two environments, to control the manufacturing activities in the pharmaceutical industry and distribution of medicines in the market.

It is the responsibility of the pharmaceutical industry to manufacture and distribute safe medicines into the market with transparent manufacturing methods and by following the rules established for the control of electronic records.

The purpose of 21 CFR Part 11 is to ensure the transparency and reliability of electronic records and electronic signatures in the pharmaceutical industry.


What Is a Closed System in a Digital Environment?


21 CFR Part 11, Section 11.3 defines a Closed System as follows:

Closed System means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

The essence of the definition is that whatever platform, software, and server you use for regulatory activities must be under the company's absolute control.

Here the term system has a broad meaning in the context of 21 CFR. It includes:

  1. Everything that you use in the generation, modification, storage, and retrieval of electronic records.
  2. The people, machines, and methods you use to execute a task.
  3. The tools you use to generate electronic records, along with the controls established on those tools.

In a Closed System, the entire system is under the control of the company. No external system can get into it without the permission of the organization.

Take, for example, an automated manufacturing plant.

In this case, the company develops its own software and installs it on its own server on its own premises. The company is now the absolute owner of that system.

So, it has to define the users, user levels, security levels, and administrator. This means that the company itself has to decide who should and who should not be allowed to access the system and the level of privileges to be granted at each level. This is called a Closed System.

In a Closed System, the persons who create electronic records are themselves responsible for the originality and integrity of their content throughout the records' lifecycle.


What Is an Open System in a Digital Environment?


21 CFR Part 11, Section 11.3 defines an Open System as follows:

Open System means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

The essence of the definition is that organizations may be using different platforms and servers, which are not in their control, to generate and transfer electronic records.

All internet services from external parties may come under this category.

In this type of environment, users can create an electronic record, but they cannot control changes to its content while it is being transferred to the receiver via the internet. Hence, the users are not responsible for the change of content during the 'record transfer process' between the sender and receiver.

Maintaining the originality and integrity of an electronic record until it reaches the recipient is beyond the control of the user/sender, because the transactions run in an open environment where different kinds of vulnerabilities threaten data security. This type of environment is defined as an Open System.

For example, an organization intends to send an electronic document to the US FDA via e-mail.

Suppose it has sent XYZ.doc to the FDA. Because of cybersecurity problems, there is no guarantee that the document will reach the FDA without modification. The FDA may receive XYZ+1.doc if any fraud takes place in between, i.e., after the document is sent and before it is received.

For this reason, additional controls are required when you are working on an Open System. You must ensure the electronic record's originality, integrity and confidentiality by taking appropriate security measures.

In an Open System, the person or signer is not responsible for the originality, integrity and confidentiality of the content in the electronic records.

Part 11 Requirements of Electronic Records - Closed System


The requirements for electronic records are set out in 21 CFR Part 11, Subpart B - Electronic Records.

These requirements must be met by all pharmaceutical companies. There are no exceptions in implementing these rules and regulations.

Part 11 applies to all electronic records at all stages in the pharmaceutical manufacturing industry.

I have divided the requirements into three different parts for your convenience and better understanding. Let us go through them one by one.

A. Generation of Electronic Records

  1. Generate electronic records only through validated systems.

  2. The validation procedure and its documentation must prove that the software used can produce accurate, reliable, complete and consistent electronic records and can recognize invalid or altered electronic records.

  3. Your software should also be capable of generating accurate and complete copies of original electronic records in human-readable form as well as in electronic form (i.e., all digital components of the record, such as raw data and metadata).

  4. When you create, modify or delete electronic records:

    1. Computer-generated, time-stamped audit trails must be maintained. The complete history of the electronic record must be recorded automatically by the computer system.

    2. The new data generated when you modify or alter an existing electronic record must not overwrite or obscure the original record's data.

  5. Ensure that your electronic workflow in the computer system is functioning properly along with access controls and security checks.

  6. The persons who are identified, assigned and authorized to create, modify and maintain the electronic records must have sufficient education, training, and experience. The organization must certify that the authorized individuals are fit to execute their assigned tasks as per the regulatory norms.
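One way to implement the audit-trail behaviour in items 2 and 4 above, shown as an added Python example that is not part of the original article or of any regulated system: each entry keeps the old and new value with a system timestamp and is chained to the previous entry by a SHA-256 hash, so an altered entry can be recognized. The `AuditTrail` class, the field names and the sample values are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry (constructed value)

def _digest(entry):
    """SHA-256 over every field of an entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only history of one electronic record (hypothetical class)."""

    def __init__(self):
        self.entries = []

    def log(self, user, action, field, old, new, reason=""):
        if action not in ("create", "modify", "delete"):
            raise ValueError(f"unknown action: {action}")
        entry = {
            "seq": len(self.entries),
            "utc": datetime.now(timezone.utc).isoformat(),  # system clock, not user input
            "user": user, "action": action, "field": field,
            "old": old, "new": new, "reason": reason,  # old value is kept, never overwritten
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def first_invalid(self):
        """Return seq of the first altered or reordered entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
                return i
            prev = e["hash"]
        return None

def demo():
    """Constructed sample history: verify, then simulate a silent edit."""
    trail = AuditTrail()
    trail.log("analyst1", "create", "assay_result", None, "98.7")
    trail.log("analyst1", "modify", "assay_result", "98.7", "99.1", "transcription error")
    intact = trail.first_invalid()
    trail.entries[1]["old"] = "99.1"  # hide the original value after the fact
    return intact, trail.first_invalid()
```

A chain like this detects edits only as long as the latest hash is also held somewhere the record's editors cannot write to; otherwise the whole chain can be recomputed.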

B. Control and Access of Electronic Records

  1. Write a detailed SOP on the control and maintenance of electronic records in your organization.

  2. In your SOP, you must define procedures and controls that will be used at different levels and workflow, to ensure the integrity, authenticity, and confidentiality of the electronic records.

  3. Limit the access of computerized systems to authorized persons only.

  4. Identify the persons who can access the system, and document their scope of access clearly enough to leave no ambiguity.

  5. The generator of an electronic record is responsible for the content of that record. Your system must be set up so that the signer cannot deny responsibility for the content of an electronic record that he/she generated.

  6. If you are using an external device to enter data into your computer system, you must ensure the integrity of the device and the validity of the data entered into the system.

  7. Establish company-wide policy and define procedures on electronic signatures that are linked to individuals' operations and electronic records in your computerized systems.

  8. Your policy must hold every individual accountable for the integrity and confidentiality of the electronic records and electronic signatures at all levels of operations and electronic workflows.

C. Maintenance and Retention of Electronic Records

  1. Retain the electronic records for as long as the predicate rules require.

  2. Store them in a secure place, protected from natural calamities and fire accidents.

  3. Establish a disaster recovery management system and implement it without gaps.

  4. Audit trail data must be available for the entire lifetime of the electronic record.

  5. Introduction, revision, and distribution of Computerized System operating procedures must be done through appropriate control systems like Change Control procedure.

  6. There must be adequate controls on the access of Computerized System operation procedures.

  7. Maintenance activities of Computerized System must be done through Change Control systems to prevent unauthorized changes.

  8. Introduction, modification, and removal of audit trail also must be done through Change Control systems.

As the control of computerized systems and electronic records is in the hands of the organization in a Closed System, it is the responsibility of the firm to meet the above requirements. Hence, compliance with Part 11 automatically makes the organization accountable for any tampering with or falsification of electronic records in the regulatory environment on its premises.


Part 11 - CFR - Code of Federal Regulations Title 21

Guidance for Industry: Part 11, Electronic Records; Electronic Signatures — Scope and Application

Part 11 Requirements of Electronic Records - Open System


All the requirements described for a Closed System are fully applicable to an Open System too.

But here you need to consider additional requirements, because in an Open System the electronic records will not be under the organization's control.

The requirements are as follows.

  1. Have a detailed SOP to create, modify, maintain or transmit electronic records.

  2. Establish detailed procedures and introduce adequate controls for the security of electronic records when you transfer them via the internet.

  3. Your procedures and controls over electronic records in an Open System must ensure their authenticity, integrity, and confidentiality.

  4. You must place adequate security checks throughout the process, i.e., from the point of creation to the point of receipt. Examples: tracking of malware, installation of antivirus software.

  5. Use document encryption procedures wherever appropriate.

  6. Use digital signatures to ensure the electronic record's authenticity, confidentiality, and integrity.

An organization must be more vigilant and careful if it is using an Open System for regulatory activities. In my view, it is safer to use a Closed System than an Open System for federally regulated activities in the pharma industry. This not only avoids data integrity issues but also eliminates the business risk.

Availability of Electronic Records for FDA Inspection


All electronic records that fall under the cGMP records category and are required to be maintained as part of predicate rules must be available for inspection by the USFDA at any time.

This enforcement applies to all local firms, i.e., US companies, as well as foreign companies.

The electronic records must be:

  1. Displayed in a human-readable form such as an electronic display or printout.

  2. Readily available for review and inspection by the USFDA throughout their life-cycle or retention period.

  3. Complete, accurate and consistent throughout their life-cycle, and shown to the USFDA during the inspection as non-tampered/original records.

If you are submitting copies of original electronic records for review by the USFDA, they must also meet the requirements described for Closed and Open Systems, i.e., they should meet Part 11 requirements.




All electronic records that are used for federally regulated purposes must fulfill the requirements of 21 CFR Part 11. All electronic records must be in human-readable form.

Two types of digital environments are described in Part 11: Closed System and Open System. In a Closed System, the systems are under the control of the organization. In an Open System, control is not in the hands of the organization, and additional security checks are needed to protect the originality, accuracy, consistency, and confidentiality of the electronic records.

In a Closed System, the signer is responsible for the content of the electronic records, but in an Open System, the signer is not responsible for the content of the electronic records.

All electronic records must be generated through properly validated computerized systems.

Electronic Records must be accurate, reliable, complete and consistent throughout their life-cycle.

Adequate controls must be established to protect the originality, integrity, and confidentiality of the electronic records when they are generated through validated computerized systems by using an electronic workflow.

Actions shall be initiated by the USFDA if you are using, maintaining, and submitting electronic records that do not comply with 21 CFR Part 11 for the purposes of federally regulated activities.


Author Profile


Ram Kumar Reddy

Ram Kumar Reddy is the founder of Pharma Times Now. He helps pharmacy and chemistry students, along with pharma employees, learn pharmaceutical science. He has 24 years of rich experience in the pharmaceutical industry and is well versed in quality systems. He worked with Dr. Reddy's and Sai Life Sciences. He lives in Hyderabad, India.
