21 CFR Part 11 Compliance: Technical Controls

Last revised: 

Technical Controls focus on the computer part of your system. They affect how the data is transmitted, accessed, manipulated, stored, and secured. 21 CFR Part 11 does not dictate how these controls are to be implemented. Rather, the regulation provides high-level requirements that guide the function and design of your system. It’s up to you to determine the risk factors associated with maintaining data integrity and use technology that best fits your situation and reduces your risk. Technical controls are documented as requirements and design documents. 

21 CFR Part 11 dictates that the computer system be capable of:

For all Electronic Records

  • Discerning invalid or altered records
  • Generating accurate and complete records
  • Controlling task sequencing when event order is important (i.e., operational checks)
  • Protecting records throughout the record retention period
  • Generating an audit trail through the record retention period – contains date/time of operator entries, description of actions taken, and is cumulative
  • Limiting access to the system to authorized individuals
  • Limiting access to system functions to authorized users (i.e., authority checks)
  • Limiting data input to authorized sources (i.e., device checks)
  • Protecting transmission of data from point of creation to receipt

For Electronic Signatures

  • Assigning a perpetual, unique signature, with at least two identifying components (when not based on biometrics) to each individual (e.g., ID code and password)
  • Requiring all identifying components on first signing, and one thereafter for each subsequent signing, during a single period of controlled system access
  • Requiring all identifying components on subsequent signings not carried out during a single period of controlled system access
  • Generating electronic signature metadata – signer name, date/time of signature, purpose of signature
  • Preventing use of signatures by anyone other than the genuine owner to the extent that attempts at misuse require at least two individuals to collaborate
  • Preventing and monitoring for unauthorized use of signature identifying components
  • Deactivating compromised signature identifying components or devices that generate them
  • Issuing temporary or permanent replacement signature identifying components