Audit Trails
Procedures should be available to use secure, computer-generated, time-stamped audit trails to independently record the date
and time of operator entries and actions that create, modify, or delete electronic records. Record changes cannot obscure
previously recorded information. Such audit trail documentation should be retained for a period at least as long as that required
for the subject electronic records and also should be available for agency review and copying.
This requirement has been the subject of many questions and discussions, especially regarding which details must be recorded.
For example, what should be recorded when generating a calibration table? Should each typing error be recorded when entering
a compound name, should each line be recorded when the return key is pressed, or should entries only be recorded when the
session is closed? Too many confirmation steps will affect productivity.
Another concern is that, because everything analysts do can be reconstructed, their creativity could be negatively influenced,
especially in the development of new processes.
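One way to meet the two technical properties described above (system-generated timestamps, and changes that do not obscure previously recorded information) is an append-only, hash-chained log. This is an added example, not code from the original article or from FDA; the class, function, and record names are hypothetical and the sample entries are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:  # hypothetical class, added for illustration
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._entries = []
        self._clock = clock  # time comes from the system, never from the operator

    def record(self, operator, action, record_id, old, new):
        if action not in ("create", "modify", "delete"):
            raise ValueError(f"unknown action: {action}")
        body = {
            "seq": len(self._entries), "time": self._clock().isoformat(),
            "operator": operator, "action": action, "record_id": record_id,
            "old": old, "new": new,  # the prior value is kept, not overwritten
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append(dict(body, hash=_digest(body)))

    def entries(self):
        return [dict(e) for e in self._entries]  # copies: callers cannot edit the trail

    def head(self):  # store or sign this value outside the system to anchor the chain
        return self._entries[-1]["hash"] if self._entries else GENESIS

def verify(entries, expected_head=None):
    """Return the index of the first broken entry, len(entries) on a head mismatch, or None."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev") != prev or _digest(body) != e.get("hash"):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # entries were truncated or the whole chain was rebuilt
    return None

def sample_trail():
    """Constructed sample: a compound name is entered with a typo, then corrected."""
    trail = AuditTrail()
    trail.record("analyst1", "create", "cal-table-7/compound", None, "Caffiene")
    trail.record("analyst1", "modify", "cal-table-7/compound", "Caffiene", "Caffeine")
    return trail
```

A hash chain by itself is tamper-evident only against someone who cannot rewrite the entire log, which is why the value from `head()` should be stored or signed outside the system that holds the records.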
Secure Electronic Signatures
In order to deter record and signature falsification, written policies holding individuals accountable and responsible for
actions initiated under their electronic signatures are necessary. This requirement necessitates not only the development
of new procedures but also behavioral changes in the use of logon IDs and passwords. The taboo against sharing a password
with a colleague is usually much weaker than the taboo against teaching somebody how to abuse a handwritten signature, but
under Part 11 both have the same consequence.
Digital Signatures In Open Systems
Persons who use open systems to create, modify, maintain, or transmit electronic records must ensure the authenticity, integrity,
and, if necessary, the confidentiality of electronic records from the point of creation to the point of receipt. Such procedures
and controls include those identified for closed systems, as appropriate, and additional measures such as document encryption
and digital signatures.
Implementing digital signatures requires software for document encryption and may also require hardware and software for generating
digital signatures. Typically, computer systems used in analytical laboratories are closed systems, which do not need digital
signatures. However, record encryption and digital signatures are required in open systems, such as when analytical data generated
by a contract laboratory are transmitted to the sponsor over the Internet. Technology and applications for this purpose have
been described elsewhere.5
New Scope Of 21 CFR Part 11
Although Part 11 has been in place for six years now (and enforced for four years), there is still confusion in industry over
how to implement it. 21 CFR Part 11, as well as early draft guidance documents and FDA staff interpretations, does not distinguish
between record types or criticality. Part 11 compliance was requested for all records that passed through any computer, and
FDA could audit any such records at inspections. Under this very broad interpretation, full implementation turned out to be
very expensive and, for some applications, impractical. In some cases, companies decided against the use of new technology
due to the anticipated additional complexity and cost of implementing Part 11. However, this contradicts the original intent
and spirit of the rule, which was issued to enable the use of new technology while protecting and furthering public health.
With the release of a draft guidance on the scope and applications of Part 11 in February 2003,6 FDA initiated a new, narrower approach. This approach became official with the release of the final guidance on September
3, 2003 and FDA's announcement that it would re-examine Part 11 and initiate a new rule-making process. The new approach likely
will be in effect for the next few years.
The new guidance states that Part 11 applies only when the record is required by a predicate rule and when one or both of
the following conditions apply:
- Electronic records are used instead of paper.
- Persons make printouts but still rely on the electronic records to perform regulated activities.
 Figure 1: Deciding where Part 11 Applies
Figure 1 illustrates the process described by FDA's Part 11 experts for deciding where Part 11 applies. Table 1 gives examples
of records subject to Part 11.
First, check if the record is required by a predicate rule (or if the record must be submitted to FDA). Next, determine if
the record falls under the new, narrower scope. Is the record maintained in electronic format in place of paper, or is it
maintained as both electronic and paper records, but the electronic record is used to perform regulated activities? Finally,
conduct a risk assessment of the criticality of the Part 11 records and document the result. Part 11 controls are implemented
based on the outcome of this process.