Part 11 Simplified
I often see the concepts of audit trails, system access, and electronic signatures confused as the same thing. This is not surprising given that 21 CFR Part 11 is not written in a way that makes these concepts easy to distinguish; however, it is critical to understand these three elements because they are central concepts in this regulation. Let me try to bring some clarification to these three concepts and simplify some of the complexity.
First, let’s take a look at “System Access.” This is the act of an individual gaining access to a system in an authorized way. Gaining system access doesn’t have anything to do with “signing” a particular document or workflow actions.
Second, let’s take a look at “Audit Trails.” To be considered an “audit trail” it must be independent of the individual performing the actions. In order for audit trails to work, an individual must have already been authenticated while logging into the system access. Audit trails simply record activities in the background while someone is in the system. The individual must also not have access to change or alter an audit trail for it to be compliant. Audit trails, like system access, do not have anything to do with “signing” a particular document or workflow action.
Now, let’s look at “Electronic Signatures.” In order to be considered an electronic signature, four key elements must be in place. Let's take a look at each one separately.
An electronic signature must be a conscious and distinct act for a stated purpose (i.e. I have reviewed and approve this document).
A signature must be unique and controlled only by the individual owning that signature.
A signature must be able to stand as the electronic equivalent of a person’s handwritten signature.
Sometimes it helps to think about this in a non-electronic environment because, at the end of the day, we need to be able to prove that we meet predicate rules (rules in place prior to the electronic signature regulation). If we do this it becomes very clear. To equate an electronic signature to the act of signing into a system is a bit like saying that if I have a key to the front door, then I’ve automatically signed the first contract for the day. I don’t think anyone will say that makes sense so why do we think it makes sense in an electronic environment?
Additionally, the first actual signing event must be authenticated with both security components of a person’s electronic signature. After that, within the same session, only one component is needed.
Finally, it is important that we look at these as distinct elements that help ensure the electronic systems we use every day (1) are secure, (2) can show what people did in the system so we can investigate any issues, and (3) ensure that signatures can be positively identified back to their owners. 21 CFR Part 11 requires distinct solutions for all three components (System Access, Audit Trails, and Electronic Signatures).
Still have questions? Need help assessing your systems for compliance?