21 CFR 11 Revisited
Risk-Based Approach for Networked System Compliance
and the Role of Network Qualification
Wolfgang Winter
T
he electronic records and
electronic signatures
(ERES) rule, 21 CFR
Part 11 (Part 11), became
effective in 1997. It was
intended to protect public health
while enabling the use of
technology unavailable when the
original predicate rules (the GxPs)
were developed. Part 11 defines a
framework for the technical and
behavioral controls that must exist
in order for electronic records and
electronic signatures to become the
legally binding equivalent of
traditional paper records and
handwritten signatures.
PRODUCT FOCUS: ALL FDA-
REGULATED PRODUCTS MADE USING
CHROMATOGRAPHY DATA SYSTEMS AND
LABORATORY INFORMATION
MANAGEMENT SYSTEMS
PROCESS FOCUS: VALIDATION,
REGULATORY COMPLIANCE, METHOD
AND PROCESS DEVELOPMENT, QA/QC
WHO SHOULD READ: IT, METHOD
AND PROCESS DEVELOPMENT,
MANUFACTURING, AND QA/QC
PERSONNEL
KEYWORDS: 21 CFR PART 11,
CHROMATOGRAPHY DATA SYSTEMS
(CDS), COMPUTER NETWORK
INFRASTRUCTURE, QUALIFICATION
LEVEL: BIOTECH BASICS
34 BioProcess International JULY 2003
Neither Part 11 itself nor any
previous guidance documents
differentiated between systems with
high risk to product quality and
safety, such as chromatographic data
systems used for QC analysis of final
drugs, and low risk systems such as
word processors used to generate a
laboratory SOP. In some cases,
companies decided against the use
of new technologies and kept paper-
based systems just to avoid ERES.
For instance, the implications of the
guidance on “Maintenance of
Electronic Records” (1) and
“Electronic Copies of Electronic
Records” (2) raised serious concerns DIGITAL VISION (WWW.DIGITALVISION.COM)
because the required technology to
fulfill those requirements is not 2002 (6), the FDA announced the
always available. In some cases, the reexamination of Part 11 (7) and
estimated cost outweighs the added published a new draft guidance,
value. withdrawing the previous guidance
It has been extremely difficult for documents (1, 2, 8–11).
the industry (and its suppliers) to
find a correct balance between A RISK-BASED
doing just enough and doing too APPROACH TO CGMP
much (3), so industry groups began In August 2002, the FDA
to work on concrete and pragmatic announced an initiative to merge
implementation plans for Part 11 science-based risk management with
compliance. For example, the an integrated quality systems
Parenteral Drug Association (PDA) approach (6). This risk-based
and the Good Automated approach will help the industry,
Manufacturing Practice (GAMP) industry suppliers, and regulatory
Forum developed valuable agencies focus resources on critical
guidelines for implementing Part issues for public health and
11, such as Good Electronic consumer safety, while adopting
Records Management (GERM) and innovations made in pharmaceutical
the GAMP4 guide published by the engineering.
ISPE (4, 5). In line with a new Assessment versus Management:
cGMP initiative launched in August Practical guidelines for conducting

risk assessments have been published
in appendix M3 of the GAMP4
guide (5). However, it is important
to note that risk assessment is very
different from risk management.
The goal of risk assessment is
analysis and qualification
(evaluation) of risks viewed from a
specific angle, such as risk for the
consumer and commercial risk to a
business.
Risk assessments result in a “risk
register” along with a classification
of each particular risk. The
classification typically assigns a risk
severity based on its impact (high,
medium, or low impact on the
effort required to meet the defined
objective) and its probability of
occurring (high if the probability is
greater than 60%, low if is less than
10%).
The task of risk management is to
define how identified risks can be
controlled and minimized or
compensated, as shown in the
following box:
RISK MANAGEMENT
Risk management typically asks
the following questions:
What are the risks, how do they
affect us, and how do we
manage them?
Risk Triggers: Risk Mitigation:
What is the What are we
trigger for us to doing now to
change the risk avoid or reduce
severity (mitigate) the
classification? risk?
What will we do if the risky
situation occurs?
Risk Contingency Plans:
What actions will we take if the
risk is triggered?
The risky situation occurred —
how do we deal with it?
What actions do (did) we take?
What is the impact of the risky
situation so far?
Ludwig Huber recently published
a helpful guidebook on the
development of risk management
master plans (12).
IS SOFTWARE A GXP
ELECTRONIC RECORD?
The ISPE submitted a white paper
on a risk-based approach to
computer system validation to the
FDA in December 2002 (13). The
paper was based on concepts
emphasized by the FDA’s new
cGMP initiative. This white paper
appears to have triggered (or at least
accelerated) the process for issuing
the new draft guidance on Part 11.
The paper concluded that internal
system information not identified by
any predicate rule was likely to be of
low impact. In this case, it was
acceptable not to have additional
Part 11 controls for those records
provided that adequate procedures
were in place and the required paper
records were kept.
It should be noted that
compliance policy guide (CPG)
7132a.11, CGMP Applicability to
Hardware and Software, is still in
effect. It explicitly mandates that
software be considered as a GxP
electronic record: “Where a
computer system is performing a
function covered by the cGMP
regulations then, in general,
hardware will be regarded as
equipment and applications software
will be regarded as records” (14).
The authors of the white paper
strongly opposed an existing
interpretation that software be
considered GxP electronic records
that are subject to Part 11. The
authors viewed this as unnecessary
mostly because industry (in
collaboration with the FDA) had
already developed “approaches for
dealing with hardware and software
in the GxP environment based on
validation of systems, configuration
management, change control, and
adequate procedures and plans for
maintaining the validated state.
These approaches have been widely
adopted and very successful in
meeting GxP requirements.
Considering software as GxP
electronic records has little practical


Enforcement
discretion does not
mean that
TECHNICAL
C O N T R O L S for
audit trails or
processes and
procedures for
record retention
are no longer
required.
benefit, as well as discouraging firms
from adopting innovative
technological solutions” (13).
ENFORCEMENT VERSUS
ENFORCEMENT DISCRETION
In its new guidance, the FDA
reemphasizes requirements for
records mandated by the predicate
rules. The new draft guidance
defines no new Part 11
requirements, but it suggests that
fewer records will be considered
subject to Part 11. Clearly, the
intent is to redirect the focus to
critical aspects for product quality
and public health, which remain
governed by predicate rules such as
GCP, GLP, and cGMP. The final
guidance (expected some time after
May 2003) is likely to result in less
emphasis on the technically complex
and validation-intensive aspects of
audit trails, time-stamps, record
retention, and record copying,
especially for systems that were put
in place before Part 11 became
effective (so-called “legacy”
systems).
The new guidance will narrow
the interpretation scope for Part 11.
At the same time, the agency
intends to “exercise enforcement
discretion with respect to certain
Part 11 requirements” such as
“validation, audit trails, record
retention, and record copying” (7),
areas where extraordinary efforts
were made, resulting in enormous
JULY 2003 BioProcess International 35
Figure 1: Distributed networked data system with instrumentation connected to the local
area network (LAN) and a central database server (GRAPHIC REPRODUCED WITH PERMISSION FROM
AGILENT TECHNOLOGIES).
technical complexity with little
return. Enforcement discretion does
not mean that technical controls for
audit trails or processes and
procedures for record retention are
no longer required. Companies
must base their decision whether to
implement a certain control on a
justified and documented risk
assessment along with the
consideration of the record required
by the corresponding predicate
rules.
The new draft guidance strongly
emphasizes the importance of
record requirements outlined in the
predicate rules, especially regarding
their impact on product quality.
This means specifically that key
technical controls for access security,
operational system and device
checks, open system controls, and
electronic signatures are still
required along with appropriate staff
training, documentation, and
change control. Some predicate
rules (such as GCP and GLP)
explicitly require audit trails for
traceability of changes when users
can create, modify, or delete
regulated records during normal
operation.
The majority of original Part 11
technical controls will continue to
be enforced for records that are
subject to Part 11. Therefore, the
following elements are still required
and enforced by the new guidance:
36 BioProcess International JULY 2003
• System validation
• System access limited to
authorized individuals
• Operational system checks
• Authority checks
• Device checks
• Determination that persons
who develop, maintain, or use
electronic systems have the
education, training, and experience
to perform their assigned tasks
• Accountability for signatures.
REQUIREMENTS RELATED
TO ELECTRONIC SIGNATURES
Areas now designated for
“enforcement discretion” are Part
11-specific requirements: e-audit
trails, validation, record
maintenance, and e-copies with no
or low impact on product quality
according to documented risk
assessment and Part 11 enforcement
for legacy systems (those installed
before 2 August 1997).
Records subject to Part 11 include
the following:
• Records required to be
maintained by the predicate rule
maintained in electronic format in
lieu of paper records (examples
include original observations;
instrument raw data laboratory
worksheets; instrument calibration
records; metadata to prove that the
specified sampling, testing, and
inspection procedures were actually
carried out; test results of materials
and bulk and finished products)
• Records required to be
maintained by the predicate rule
and maintained in electronic format
and paper format, when electronic
records are relied on to perform
regulated activities (such as
quantification results from a
chromatography sequence leading
to the release of a production batch)
• Records electronically
submitted to the FDA under the
predicate rules (such as clinical
study protocols)
• Electronic signatures intended
to be equivalent to handwritten
signatures, initials, and other general
signings required by predicate rules
(such as electronic signatures to
sign-off data entry changes for
samples, sequence information,
methods, and calculations in a
chromatography data system).
Records no longer subject to Part 11
include the following:
• Records that are maintained in
electronic format but that are not
required by any predicate rule
(instrument diagnostics files,
presentations or business reports)
• An electronic record that is not
itself submitted and is not required
to be maintained by a predicate rule
but is used in generating a
submission (a batch file or script for
collating the submission package for
a new drug application from the
individual source documents).
An important question is whether
an electronic record kept in addition
to a paper record will be subject to
Part 11 requirements. The answer is
yes, if the electronic record is relied
on to perform regulated activities.
The FDA may take business
practices into account to determine
whether an electronic record is used
instead of a paper record. It is
therefore recommended to
determine and document in advance
whether the electronic record or the
paper record will be used to
perform regulated activities.
Networked or chromatography data
systems (NDS, CDS), laboratory
information management systems
(LIMS), and enterprise resource
planning (ERP) systems manage
critical decision-support data and
continue to be in the limelight for
GxP enforcement. The
trustworthiness and reliability of the
data managed by these systems is
highly dependent on efficient
technical controls that ensure access
security, data integrity, and
traceability. Figure 1 shows the
conceptual structure of a networked
data system with instruments
directly connected to the local area
network (LAN).
TECHNICAL CONTROLS FOR PART 11
In the following section, key Part
11 requirements are detailed in
reference to the new draft guidance,
along with a number of examples of
the resulting user requirements for
data systems to be deployed in
analytical laboratories operating
under GxP and Part 11. Examples
are provided from the perspective of
chromatography data systems.
Figure 2 identifies the key Part
11 requirements and provides
Figure 2: Required technical controls (blue ellipses) for Part 11-compliant systems and examples (white boxes) of resulting user requirements.
ILLUSTRATION BY C.A. SCOTT
38 BioProcess International JULY 2003
examples for the resulting user
requirements. As illustrated, the
following key Part 11 requirements
have not changed at all:
System access must be limited to
authorized personnel, and the
system needs to perform authority
checks where appropriate.
Appropriate technical controls need
to ensure that “impersonation” by
ordinary means is prevented. In
modern systems, this is
implemented based on the security
mechanisms (security policies) of the
underlying operating system to
easily align access control to the
CDS with general IT practices.
Device checks continue to be a
key mechanism for ensuring the
validity of the data source (source of
input). Level-4 instrument control
(15–18) available with some NDSs
implements this requirement
effectively and efficiently.
Operational checks are still
required to enforce the permitted
sequencing of steps, for example, for
results review and results approval.
Electronic signature requirements
have not changed with the new
guidance.
METADATA: THE IMPORTANCE OF
LEVEL-4 INSTRUMENT CONTROL
Electronic records generated by an
analytical instrument are reliable and
trustworthy only if the
communication between the
instrument and a system controller
is reliable and trustworthy.
A regulatory agency may ask for
documented evidence of instrument
parameters for acquiring raw data,
for example in a pharmaceutical
quality control laboratory for testing
finished drug products. If a
company relies on the electronic raw
data to perform “regulated
activities” such as QA/QC testing


Network
qualification is
establishing itself
as the N E X T
D I M E N S I O N in
computer systems
validation. The Part
11 guidance helps
focus the
qualification
activities by basing
them on
documented risk
assessment.
of finished drug products for
shipment release, it might be very
difficult to prove that a result was
generated according to the defined
procedure or monograph without
proper documentation of the
instrument control parameters used
for the analysis.
Managing metadata electronically
(including the instrument control
parameters) is an effective means to
reduce adverse effects on product
quality by making results
trustworthy and reliable according
to 21 CFR Part 11. Traceable
level-4 instrument control uses
advanced mechanisms for automatic
tracking of instrument identification
or configuration information and is
a prerequisite for the
implementation of additional failure
warning mechanisms such as EMF
(early maintenance feedback).
Details on the levels of instrument
control and EMF have been
discussed elsewhere (15–18).
NETWORK MONITORING
AND NETWORK QUALIFICATION
Client-server data systems are
proliferating in regulated laboratories
and manage large amounts of critical
data. It is obvious that the operation
and qualification of the network
infrastructure needs to be an integral
40 BioProcess International JULY 2003
part of a company’s validation
strategy. By their nature, networks
are heterogeneous and comprise a
variety of hardware components
running diverse communication
protocols. A change to a network
component potentially affects other
components and applications. Also,
the FDA is taking a closer look at
networks and has been citing
companies for violations (see
www.fdawarningletter.com).
Personnel who may not even be GxP
trained will have to access the
network as part of their normal
business responsibilities. It is
paradoxical that the network
infrastructure must be compliant, but
many components (cabling, utilities,
and so on) do not have validation
plans. The network infrastructure
requires frequent changes, additions,
and repairs, but it can never be taken
out of service. A risk assessment in
combination with a sound risk
management plan helps to divide and
conquer the problem.
A striking example of a computer
network infrastructure failure made
the headlines in April 2003 when a
recently installed laboratory
computer system in a medical center
became overloaded, resulting in a
severe backlog of blood-testing
samples (19).
Several questions had to be asked
during the root cause analysis:
• Did formal requirements
include specifications for the
anticipated load of the system?
Figure 3: Network monitoring results overview showing current network bandwidth, network
health, and administrative alerts for networked instruments controlled by a chromatography
data system.
• Was the system installed
according to the supplier’s
specifications?
• Did it pass the test suite
defined for the installation
qualification and the operational
qualification?
• Did performance qualification
tests simulate the anticipated load of
the networked system in terms of
number of samples and number of
concurrent users, in the context of
the hospital’s office and laboratory
network?
• What measures were in place
for the prevention and early
detection of severe failures and
performance bottlenecks?
• Could the bottleneck have
been prevented through the use of a
network monitoring system?
Network qualification is
establishing itself as the next
dimension in computer systems
validation. The Part 11 guidance
helps focus the qualification
activities by basing them on
documented risk assessment. The
qualification of the network
infrastructure needs to focus on the
following tasks:
Design Qualification (DQ):
Evidence that the network is
suitable for the applications (the
design is fit for the intended
purpose).
Installation Qualification (IQ):
Verification and documentation of
the static network topology and
inventory (evidence that the


As this article goes
to press, the new
guidance reflects
current agency
thinking, but it is
still a D R A F T ; it
does not yet have
the force of law
behind it.
implementation matches the
design).
Operational Qualification (OQ):
Dynamic topology verification and
capacity testing (evidence that the
system operates properly according
to the vendor specifications).
Performance Qualification (PQ):
Maintenance of the qualification
status ensuring continuous
performance through ongoing
monitoring during use and
measurement of performance over
time, and minimizing the risk of
failure during operation.
AVAILABLE TOOLS
FOR NETWORK QUALIFICATION
Network monitoring applications
are commercially available from
companies including Agilent
Technologies, Computer Associates,
Hewlett-Packard, IBM, and others.
Although software applications
provide excellent monitoring
capabilities, network qualification
may also require powerful network
measurement and test hardware to
capture and document network
connections, communication
activities, available and consumed
capacity, and control data. For
regulated laboratory operations, the
challenge is to turn network
measurements into qualification
results meaningful from a systems
validation perspective. Only a few
companies offer network assessment
and qualification services specifically
for laboratory networks. Figure 3
visualizes network monitoring
results for a chromatography data
system with instruments directly
42 BioProcess International JULY 2003
connected to the network. A
network administrator gets a visual
overview of the network’s health,
current bandwidth utilization, the
current connections and recent
alerts. In this example, a network
failure was simulated by unplugging
the LAN cable of one instrument.
As clients, servers, and
instruments get connected to a
network, the available bandwidth of
the network may be dramatically
reduced. This is especially true if the
network is not well segregated, thus
leading to unnecessary broadcast
network traffic between (for
example) an analytical laboratory
network and the office network. This
decrease in bandwidth may result in
slower response for users on the
corporate network. The decrease in
performance can affect real-time
processes and could even result in
data loss, as shown by the hospital
network example cited above.
Clearly, proper network
administration and operation is an
area that is subject to scrutiny by
regulatory authorities. During
validation, it is important to
document a baseline of the network.
Whenever a change to the network
is made, this baseline can be
compared with the current
configuration to ensure proper
communication among the various
nodes on the network. In addition,
a retrospective document should be
maintained that tracks those changes
over time.
Modern analytical equipment and
the networks within which they
operate can be monitored by
network analyzer software along
with the client and servers that
control them. This analyzer software
not only helps operators monitor
the health of their networks, but
also aids in the qualification of the
networks through which the
instrument data flow.
STILL A DRAFT
The scope of Part 11 interpretations
has narrowed, and now the decision
whether Part 11 applies to
laboratory operations must be based
on documented business practices
and documented risk analysis of the
impact records have on product
quality. The enforcement focus will
be on predicate rule requirements.
Many records managed in analytical
laboratories continue to be subject
to Part 11 and predicate rules,
especially if their risk potential on
product quality is high. Records that
fall into this category must be
trustworthy and reliable. Key
technical controls for access security,
operational system and device
checks, open system controls, and
electronic signatures are still
required along with appropriate staff
training, documentation, and
change control.
One Word of Caution: As this
article goes to press, the new
guidance reflects current agency
thinking, but it does not have the
force of law behind it yet. Please
note that the new draft guidance is
still a draft, and not yet a final
guidance (the comment period
ended on 28 April 2003).
At the same time, validation and
qualification activities need to
consider the network infrastructure.
The role of network monitoring
hardware and software for the
qualification of networks and for
maintaining the qualification status
of the network infrastructure will
continue to increase.
ACKNOWLEDGMENT
The author thanks Bob Giuffre, a senior
network data system consultant with Agilent
Technologies based in New Jersey, who
performed the network monitoring
measurements using the Agilent
Advisor/Distributed Network Analyzer and
Agilent FrameScope 350 in combination
with an Agilent Cerity for Pharmaceutical
QA/QC networked data system and Agilent
1100 HPLC instruments directly connected
to the LAN.
REFERENCES
1 Guidance for Industry, 21 CFR Part
11; Electronic Records; Electronic Signatures;
Electronic Copies of Electronic Records.
www.fda.gov/cber/gdlns/esigcopies.htm.
2 Guidance for Industry, 21 CFR Part
11; Electronic Records; Electronic Signatures;
Maintenance of Electronic Records.
www.fda.gov/cber/gdlns/esigmaint.htm.
3 Huber, L. Validation of Computerized
Analytical and Networked Systems;
Interpharm Press Inc.: Buffalo Grove, IL,
2002.
4 ISPE and PDA. Good Practice and
Compliance for Electronic Records and
Signatures, Part 1: Good Electronic Records
Management (GERM), July 2002. Available
from www.ispe.org and www.pda.org.
5 GAMP 4, Guide for Validation of
Automated Systems. December 2001,
www.ispe.org.
6 Pharmaceutical cGMPs for the 21st
Century: A Risk-Based Approach.
www.fda.gov/oc/guidance/gmp.html.
7 FDA draft guidance, Part 11,
Electronic Records; Electronic Signatures –
Scope and Application. www.fda.gov/cber/
gdlns/prt11elect.pdf.
8 Guidance for Industry, 21 CFR Part
11; Electronic Records; Electronic Signatures;
Glossary of Terms. http://www.fda.gov/
cber/gdlns/esigglos.htm.
9 Guidance for Industry, 21 CFR Part
11; Electronic Records; Electronic Signatures;
Validation. www.fda.gov/cber/gdlns/
esigvalid.htm.
10 Guidance for Industry, 21 CFR Part
11; Electronic Records; Electronic Signatures
Time Stamps. www.fda.gov/cber/gdlns/
esigtime.htm.
11 Department of Health and Human
Services, Food and Drug Administration
NovaSeptum Autoclavable
Sampling Unit
[Docket No. 00D–1540]: “Withdrawal of Draft Guidance.” BioPharm International,
Draft Guidance for Industry on Electronic 2003, 16(4), 28–34; Agilent publication
Records; Electronic Signatures, Electronic 5988-9606EN.
Copies of Electronic Records.” Federal 18 Winter, W. Electronic Records Are
Register, Vol. 68, No. 23, 4 February Here to Stay. BioPharm Europe. September
2003/Notices. www.fda.gov/cber/ 2002 Supplement, 29–31; Agilent
gdlns/esigcopieswdrl.pdf. publication 5988-8010EN.
12 Huber, L. Risk Management Master 19 L.A. Hospital Computer System
Plan — Best Practices Series, Breaks Down. The Associated Press, 22 April
www.labcompliance.com, May 2003. 2003, www.wtopnews.com

13 Risk-Based Approach to 21 CFR Part
11. ISPE Whitepaper, 2003, www.ispe.org.
14 Compliance Policy Guide 7132a.11, Wolfgang Winter, Dipl.-Ing., is senior
Sec. 425.100. Computerized Drug Processing; product manager for networked data
CGMP Applicability to Hardware and systems at Agilent Technologies GmbH,
Software (CPG 7132a.11).
http://www.fda.gov/ora/compliance_ref/cp
Lifescience and Chemical Analysis,
g/cpgdrg/cpg425-100.html Hewlett-Packard Straße 8, D-76337
15 Winter, W; Huber, L. Instrument Waldbronn, Germany, +49-7243-602-
Control in Pharmaceutical Laboratories — 454; fax +49-7243-602-501;
Compliance with 21 CFR Part 11 and the wolfgang_winter@agilent.com.
New Draft Guidance. Pharmaceutical
Technology Europe, Special Issue: 21 CFR
Part 11: Compliance and Beyond, March
2003, 40–45.
16 Winter, W; Huber, L. Implementing
21 CFR Part 11: Electronic Signatures and
Records in Analytical Laboratories, Part 5 —
The Importance of Instrument Control and
Data Acquisition. BioPharm 2000, 13(9);
Agilent publication number 5988-0946EN. Agilent publication number
17 Winter, W; Huber, L. “Part 11 Is Not
Going Away — The New Electronic Records 5989-0330EN
www.novaseptic.com
Circle Reader Service No. 127