Could access data generated by an access control system (controlling access to a GMP area) and stored electronically, be considered ‘electronic records’, subject to compliance with 21 CFR Part 11?
What electronic record is the system storing that is required by a predicate rule? You have to answer that before you can determine if Part 11 is in play.
Thanks Yodon, yes I agree.
21 CFR Part 211.28 Personnel Responsibilities, © Only personnel authorized by supervisory personnel shall enter those areas of the buildings and facilities designated as limited-access areas.
If the data from the access control system were to be stored only in electronic format and was the only means to show compliance with this regulation, then I would assume 21 CFR Part 11 would be applicable?
The Answer is “YES”.
Some sections of part 11 will be applicable . Commonsense suggests this data should be searchable, should be available for printing and for also transfer to electronic media.
Thanks Yogibear and Yodon, the information has been very helpful!
Would like to add one more important point -“Data should be temper-proof.”
I believe that the data in access control systems would not qualify as electronic records in the sense of 21 CFR Part 11.
I am not aware of any regulation that says that we have to keep these records. Access control must be implemented, if company internal SOPs call for them. But this does not imply that the data collected must be made available during inspections.
GLP and GMP regulations are calling for calibration records on the other hand. This is a predicate rule. Thus, when keeping calibration dates and persons in electronic form only, this would qualify as electronic records.
If you know of any regulation calling for records on access control systems - please share !
See below:
Hi Berthold,
The regulation we are referring to is:
21 CFR Part 211.28 Personnel Responsibilities, © Only personnel authorized by supervisory personnel shall enter those areas of the buildings and facilities designated as limited-access areas.
The computerised system is the physical control preventing access to unauthorised individuals.
Hi Berthold,
Actually, after considering this I agree with you. None of the regulations I am aware of (including the one I quoted) specifically request these records to be kept. In this case, I believe the correct approach to take would be to validate the system and to apply technical and procedural controls as necessary to ensure that the access control is maintained.
Thanks Berthold for your help and guidance!
1 Like
Hi,
Actually the area access by records needs to be generated…& even being inspected by the FDA.
Beware !