
Electronic Records

The introduction of 21 CFR Part 11 in August 1997 caused considerable and ongoing debate within the pharmaceutical industry on how to interpret and implement the regulation for compliance.

The debate centred on a number of areas including:

  • What constitutes an electronic record
  • Validation Requirements
  • Management of audit trails
  • Retention of electronic records and raw data

The FDA provided final guidance in August 2003, which went a considerable way towards defining the scope and regulatory enforcement of 21 CFR Part 11.

The draft of the revised EU Annex 11 also sets requirements for electronic data, electronic records and signatures. Although still in draft, it provides insight into the planned changes.

Both the FDA and EU regulations require the regulated company to demonstrate the integrity of records and raw data, and the authenticity of electronic signatures when applied.

This article provides information on how a documented risk based approach can be implemented to ensure and document the integrity of the record and authenticity of the signature, to meet regulatory expectations.

Defining a Risk Based Approach

A risk based approach allows the regulated company to assess the potential impact of the record (on patient safety, product quality and GMP compliance) against the potential risk to the integrity of the record.

Having a clear understanding of the associated risk to the integrity of the record allows the regulated company to put appropriate control measures in place.

The greater the impact of the record on patient safety, product quality or GMP compliance, the greater the level of controls that should be adopted to manage the risk.

Record Impact

The record impact considers the risk that loss of the record poses to patient safety, product quality and GMP compliance. The risk output should be High, Medium or Low, where:


High Impact Electronic Records – Direct impact on product quality, patient safety and GMP including Batch Records, QC Analysis Results, Calibration Records, etc.


Medium Impact Electronic Records – Indirect impact; records used to provide supporting evidence of GMP, for example validation documentation, training records, etc.

Low Impact Electronic Records – Considered to have negligible risk to patient safety and product quality. These are supporting records, for example Good Engineering Practice (GEP), not necessarily required to demonstrate compliance (but may support).


Performing a Risk Assessment

The approach that I have taken for performing the risk assessment is first to perform a gap analysis against a standard. The standard provides the preferred solution for the implementation of the system and considers:
  • Security Management
  • Back-up and Restore
  • Audit Trail
  • Software Controls
  • Hardware Controls

The standard forms part of the User Requirements, and during the Design Review the Electronic Records; Electronic Signatures gap analysis is performed. If no gaps are identified, then the integrity of the record and the authenticity of the electronic signatures are assured. The validation of the system then tests the critical aspects.

However, it is more often the case that not all the controls from the standard can be met. For example, the security controls relating to password management may not be met by the software.

Having identified the gap, the risk assessment should be performed, identifying the potential risk scenarios.

Each potential risk should be considered for impact to the record, likelihood of occurrence and detection. There are a number of ways to evaluate the risk: either multiplying the scores to give a Risk Priority Number, or the method (which I prefer) included in GAMP 5, as this gives a clear High, Medium or Low result.

For an output of High or Medium, some mitigation should be considered (to reduce the risk to the electronic record integrity). The level of control should be in line with the Record Impact (detailed above). The remediation should be implemented and verified.

I will add some further articles to provide more details.

Enforcement Action

During a review of the FDA Warning Letters from 2008 I could not find any observations directly referencing 21 CFR Part 11. There were a number of articles relating to security and audit trails which were all attributed to violations against 21 CFR 211.68.

See extracts and comments relating to FDA Warning Letters on my blog.

In 21 CFR Part 11 enforcement news, Robert Tollefsen, a consumer safety officer and national expert on computers at the FDA’s division of field investigations, wrote to GAMP Americas Leadership that the FDA will be enforcing 21 CFR Part 11. It will be interesting to see the observations raised and we will keep you updated.


FDA 21 CFR Part 11 – Electronic Records; Electronic Signatures Rule (1997)
FDA Guidance Electronic Records; Electronic Signatures (2003)
Annex 11 (2008 Draft)
© Barry Tedstone 2010