Validating Electronic Records and Signatures in Pharma Systems

Published on 07/12/2025

Electronic Records (ER) and Electronic Signatures (ES) play a central role in modern pharmaceutical quality systems. From batch releases and lab results to training logs and deviation approvals, ER/ES are integral to digital transformation in regulated environments. But these systems must comply with 21 CFR Part 11 — a U.S. FDA regulation that outlines criteria for ensuring the trustworthiness, authenticity, and reliability of electronic records and electronic signatures.

This comprehensive guide walks you through the practical steps required to validate ER/ES functionality in computerized systems, as per 21 CFR Part 11. It covers system design, validation documentation, signature controls, audit trails, user security, testing strategies, and post-implementation monitoring to help ensure full compliance and audit readiness.

Understanding 21 CFR Part 11

21 CFR Part 11, issued by the U.S. Food and Drug Administration (FDA), applies to all GxP-regulated electronic records and signatures used in place of traditional paper records and wet signatures. It provides guidance on how companies must manage, store, retrieve, and protect electronic data within FDA-regulated environments.

Key sections of 21 CFR Part 11 include:

  • Subpart A – General Provisions
  • Subpart B – Electronic Records
  • Subpart C – Electronic Signatures

Systems Subject to Part 11

Not all computerized systems fall under the scope of Part 11. Systems are in-scope if they:

  • Are used in GxP processes
  • Generate records that are required to be maintained by predicate rules (e.g., 21 CFR 210, 211, 820)
  • Use electronic records in lieu of paper records or use electronic signatures in place of handwritten signatures

Validation Requirements under 21 CFR Part 11

According to Part 11.10(a), systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Validation under Part 11 includes both functional and compliance-focused testing of features like user authentication, audit trails, e-signatures, and data retention.

Step-by-Step Part 11 Validation Process

1. Risk Assessment

Conduct a risk analysis to determine the criticality of the system and its features. Systems that control batch release, lab result entry, or change control will typically be classified as high-risk due to their direct impact on product quality and patient safety.

Common risk factors include:

  • Likelihood of data integrity failure
  • Impact on product quality and regulatory compliance
  • Potential for falsification or untraceable changes

2. Validation Plan (VP)

Develop a validation plan tailored for Part 11 compliance. It should include:

  • System overview and intended use
  • Scope and boundaries of validation
  • Roles and responsibilities
  • Documentation deliverables (URS, FS, DS, test protocols)
  • Risk levels and rationale
  • Traceability matrix strategy

3. User Requirements Specification (URS)

The URS must explicitly state requirements for Part 11-related functionality, including:

  • Secure user authentication
  • Audit trail creation and protection
  • Electronic signature capturing and linking to actions
  • System time-stamping and record locking
  • Electronic record viewing, retrieval, and export capabilities

4. Functional and Design Specifications (FS/DS)

Detail the configuration of ER/ES features such as:

  • Password policies and expiration rules
  • Audit trail display and reporting structure
  • Signature components (user ID, password, role)
  • Automatic logout after inactivity
  • Time synchronization mechanisms

5. IQ/OQ/PQ Protocols

  • IQ: Confirm system setup, security configuration, software version control
  • OQ: Validate functional controls for electronic records and signatures
  • PQ: Test business workflows with real-world use cases (e.g., deviation approvals, batch review)

Part 11 Testing Scenarios

Electronic Records

  • Create and save electronic data entries
  • Validate time-stamping and user attribution
  • Verify record locking after approval
  • Test viewing, filtering, and exporting of data
  • Ensure original record is not overwritten during changes (version control)

Audit Trail

  • Verify independent, time-stamped logs for create, modify, delete actions
  • Check that audit trails cannot be disabled or altered
  • Test audit trail review and reporting functionality
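
One way to make the "cannot be altered" check above testable is to hash-chain the audit trail so that an edit, deletion or truncation shows up on verification. This is an added example, not code from the original guide or from any vendor system; the field names, the `GENESIS` anchor and the sample entries are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed chain anchor used before the first entry

def _digest(entry: dict, prev_hash: str) -> str:
    """Hash the entry's canonical JSON together with the previous entry's hash."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append_entry(trail: list, user: str, action: str, record_id: str,
                 timestamp: str, old=None, new=None) -> dict:
    """Append one audit entry, chaining it to the current tail of the trail."""
    entry = {"seq": len(trail) + 1, "user": user, "action": action,
             "record_id": record_id, "timestamp": timestamp,
             "old": old, "new": new}
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    row = dict(entry, hash=_digest(entry, prev_hash))
    trail.append(row)
    return row

def verify_trail(trail: list, expected_tail: str = None) -> list:
    """Return a list of findings; an empty list means the chain is intact."""
    findings, prev_hash = [], GENESIS
    for pos, row in enumerate(trail, start=1):
        entry = {k: v for k, v in row.items() if k != "hash"}
        if entry.get("seq") != pos:
            findings.append(f"position {pos}: sequence gap or reorder")
        if _digest(entry, prev_hash) != row["hash"]:
            findings.append(f"position {pos}: content or chain hash mismatch")
        prev_hash = row["hash"]
    # A truncated trail is still internally consistent, so compare the tail
    # against a checkpoint hash stored outside the system under test.
    if expected_tail is not None and prev_hash != expected_tail:
        findings.append("tail hash differs from stored checkpoint")
    return findings

def build_sample_trail() -> list:
    """Constructed sample data: a lab result created, corrected, then approved."""
    trail = []
    append_entry(trail, "asmith", "create", "LAB-0001", "2025-01-10T09:00:00Z", new="pH 7.1")
    append_entry(trail, "asmith", "modify", "LAB-0001", "2025-01-10T09:05:00Z", old="pH 7.1", new="pH 7.2")
    append_entry(trail, "qa_lee", "approve", "LAB-0001", "2025-01-10T10:00:00Z")
    return trail
```

In an OQ script, the negative cases (edit an entry, delete one, drop the last one) matter as much as the positive one: each should produce at least one finding.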

Electronic Signatures

  • Test that signing requires username/password
  • Verify that signatures are linked to specific actions (e.g., ‘Approved by’)
  • Ensure double signature steps (e.g., reviewer + QA) are enforced where required
  • Validate representation of signature (name, timestamp, purpose)

Electronic Signature Elements (Part 11.50)

  • Name of the signer
  • Date and time of the signature
  • Meaning of the signature (approval, review, authorship)
  • Clear, tamper-evident link to the corresponding record
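
The four elements above can be checked mechanically if the signature manifestation carries a digest of the record and a binding over all its fields. The sketch below is an added example, not taken from the guide or from any product; it uses an HMAC with a server-held key as the binding (the guide does not prescribe a mechanism), and the key, field names and sample record are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a server-side secret held by the application, never by end users.
# Constructed demo value; a real system would load it from a key store.
SIGNING_KEY = b"demo-key-for-illustration-only"
REQUIRED = ("signer_name", "signed_at", "meaning", "record_id", "record_sha256")

# Constructed sample record for illustration.
SAMPLE_RECORD = {"record_id": "DEV-0042", "type": "deviation", "disposition": "closed"}

def record_digest(record: dict) -> str:
    """SHA-256 over the record's canonical JSON form."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def _mac(manifest: dict) -> str:
    """HMAC over exactly the required manifestation fields."""
    msg = json.dumps({f: manifest[f] for f in REQUIRED}, sort_keys=True)
    return hmac.new(SIGNING_KEY, msg.encode("utf-8"), hashlib.sha256).hexdigest()

def sign_record(record: dict, signer_name: str, signed_at: str, meaning: str) -> dict:
    """Build the signature manifestation and bind it to this record's content."""
    manifest = {"signer_name": signer_name, "signed_at": signed_at,
                "meaning": meaning, "record_id": record["record_id"],
                "record_sha256": record_digest(record)}
    manifest["binding"] = _mac(manifest)
    return manifest

def check_signature(record: dict, manifest: dict) -> list:
    """Return findings; an empty list means all elements are present and bound."""
    findings = [f"missing element: {f}" for f in REQUIRED if not manifest.get(f)]
    if findings:
        return findings
    stored = str(manifest.get("binding", "")).encode("utf-8")
    if not hmac.compare_digest(_mac(manifest).encode("utf-8"), stored):
        findings.append("manifestation fields altered after signing")
    if manifest["record_id"] != record.get("record_id"):
        findings.append("signature belongs to a different record")
    if manifest["record_sha256"] != record_digest(record):
        findings.append("record content changed after signing")
    return findings
```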

Audit Trail Format and Frequency

Audit trails must be:

  • Automatically generated
  • Time-stamped with system clock
  • Retained as long as the associated record
  • Reviewable by authorized personnel

Recommended review frequencies:

  • Critical systems – weekly or per transaction
  • Moderate risk systems – monthly
  • Low-risk systems – quarterly

Data Integrity and ALCOA+ in ER/ES

Ensure your system’s ER/ES features align with ALCOA+ principles:

  • Attributable: Audit trail captures the user ID
  • Legible: Electronic record is readable with audit trail viewer
  • Contemporaneous: Timestamps are recorded in real time
  • Original: First data capture is retained in full
  • Accurate: No alterations without record of changes
  • Complete, Consistent, Enduring, Available: All forms of ER are maintained securely and retrievable

Documentation Package

  • Validation Plan and Risk Assessment
  • URS/FS/DS with Part 11 controls
  • IQ/OQ/PQ Protocols and Test Scripts
  • Traceability Matrix (URS to Tests)
  • Audit Trail Logs and Signature Reports
  • Validation Summary Report (VSR)
  • SOPs for electronic signatures and record retention

Post-Validation Compliance Monitoring

  • Change control for any system updates
  • Periodic audit trail and signature reviews
  • Annual review of user access and privileges
  • Routine backup and disaster recovery tests
  • Retraining users on ER/ES SOPs

Common Pitfalls in ER/ES Validation

  • Assuming vendor validation is sufficient
  • Neglecting signature meaning or link to records
  • Failing to secure audit trails
  • Missing documentation on e-signature consent
  • No periodic review of user credentials and access

Conclusion

Validating electronic records and electronic signatures is essential for ensuring data integrity, regulatory compliance, and patient safety in the digital pharmaceutical landscape. Following the framework set by 21 CFR Part 11 and implementing a robust validation lifecycle ensure that your ER/ES systems withstand regulatory scrutiny while streamlining operations.
