FDA 21 CFR Part 11 & IEC 62443: Bridging Regulatory Compliance in Pharma OT Environments
Pharmaceutical OT security leads face a compliance challenge that has no equivalent in other industrial sectors: they must simultaneously satisfy an FDA regulatory framework designed to ensure data integrity in GMP operations, and an international OT security standard designed to protect industrial control systems from cyber threats. The two frameworks - 21 CFR Part 11 and ISA/IEC 62443 - were developed independently, reference different risk models, and use different terminology. But in a pharmaceutical manufacturing environment, they govern the same systems.
The good news is that the overlap between Part 11 and IEC 62443 is substantial. Both frameworks require access controls, audit trails, system integrity, and change management. The challenge is that they require these controls in different ways, with different evidence standards, and for different regulatory audiences. Building two separate compliance programs - one for the FDA inspector and one for the cybersecurity auditor - is expensive, duplicative, and unnecessary.
This post maps the specific requirements of 21 CFR Part 11 against ISA/IEC 62443 controls, identifies where the frameworks align and where they diverge, and provides a practical approach to building a unified compliance program that satisfies both regulatory obligations through a single set of implemented controls.
Pharmaceutical manufacturers spend an average of 12-15% of IT and OT operational budget on regulatory compliance activities. A significant portion of this spend is duplicated across quality, compliance, and security programs that address the same underlying controls through separate processes and documentation. Unified compliance programs that align Part 11, GMP computer system validation, and IEC 62443 requirements have been shown to reduce compliance overhead by 30-40% while improving both security posture and regulatory defensibility. Source: Gartner Pharmaceutical IT Compliance Benchmark, 2024
1. Understanding Each Framework's Scope in a Pharma OT Context
1.1 What 21 CFR Part 11 Actually Requires
21 CFR Part 11 establishes FDA requirements for electronic records and electronic signatures when used in place of paper records and handwritten signatures in FDA-regulated activities. For pharmaceutical OT environments, Part 11 applies to any computer system that creates, modifies, maintains, archives, or transmits records required by FDA regulations - including batch records, process parameter records, laboratory data, equipment logs, and electronic signatures on batch release decisions.
The core Part 11 technical requirements are: system validation, audit trails, system access controls, operational system checks, authority checks, device checks, and controls for open and closed systems. Each of these has a direct OT security counterpart:
| 21 CFR Part 11 Requirement | What It Requires | IEC 62443 Counterpart |
|---|---|---|
| System validation (11.10(a)) | Validation that the system performs as intended and that records are accurate and reliable | IEC 62443-3-3 SR 3.3 security functionality verification; 62443-4-1 secure development lifecycle |
| Audit trails (11.10(e)) | Computer-generated, time-stamped audit trails recording the date and time of operator entries and actions that create, modify, or delete electronic records | IEC 62443-3-3 SR 6.1 audit log accessibility; SR 6.2 continuous monitoring |
| System access controls (11.10(d)) | Limiting system access to authorized individuals | IEC 62443-3-3 SR 1.1 human user identification and authentication; SR 1.2 software process and device identification; SR 2.1 authorization enforcement |
| Authority checks (11.10(g)) | Use of authority checks to ensure that only authorized individuals can use the system, electronically sign records, or perform operations | IEC 62443-3-3 SR 2.1 authorization enforcement; SR 2.6 remote session termination |
| Record protection (11.10(c)) | Protection of records to enable accurate and ready retrieval throughout the records retention period | IEC 62443-3-3 SR 3.9 protection of audit information; SR 7.3 backup and restore |
| Operational controls for open systems (11.30) | Additional controls when open networks are used - document encryption, use of digital signatures, use of electronic signatures complying with 11.50 | IEC 62443-3-3 SR 4.1 information confidentiality; SR 4.3 use of cryptography |
1.2 What IEC 62443 Requires in a Pharma OT Context
ISA/IEC 62443 provides a security framework for industrial automation and control systems organized around security zones, conduits, and Security Levels. For pharmaceutical OT environments, the most directly applicable components are:
- IEC 62443-2-1 Security Management System: Defines the policies, procedures, and organizational practices required to manage OT security - including risk assessment, incident response, patch management, and supplier security. This is the governance layer that gives Part 11 compliance a security management context.
- IEC 62443-3-2 Risk Assessment: Provides methodology for assessing security risks to OT systems, defining security zones, and assigning Security Level targets. The risk assessment output is the foundation for both the security architecture and the regulatory compliance justification.
- IEC 62443-3-3 System Security Requirements: Specifies the technical security requirements for OT systems at each Security Level across seven foundational requirements: identification and authentication, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability.
- IEC 62443-4-2 Component Security Requirements: Specifies what security capabilities individual OT components - PLCs, DCS controllers, HMIs, embedded devices - must support. Relevant for new OT procurement in pharma environments.
2. Where Part 11 and IEC 62443 Align: The Unified Compliance Opportunity
The following areas represent direct alignment between Part 11 requirements and IEC 62443 controls. Implementing controls in these areas once - with documentation structured to satisfy both regulatory frameworks - eliminates duplication.
2.1 Access Control and Authentication
Part 11 Section 11.10(d) requires that system access be limited to authorized individuals. IEC 62443-3-3 Foundational Requirement 1 (FR1) covers identification and authentication across eight System Requirements (SR 1.1 through SR 1.9). The intersection is direct: role-based access control with unique user accounts, strong authentication requirements, and automated session management satisfy both frameworks simultaneously.
For pharmaceutical OT environments, the practical implementation is: every user of a Part 11-applicable OT system has a unique account with role-based permissions that match their GMP job description, sessions time out after a defined period of inactivity, and access to high-privilege functions (process parameter modification, batch record approval) requires additional authentication. This implementation produces Part 11-compliant access control documentation and IEC 62443 SR 1.1-1.3 compliance evidence simultaneously.
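The three checks described above (inactivity timeout, role-based authorization, step-up authentication for high-privilege functions) as one decision function. This is an added illustration, not code from the page or from any product; the role and permission names, the 30-minute inactivity limit and the 5-minute step-up validity window are constructed values that a site would replace with its own policy.

```python
"""Access control decision serving Part 11 11.10(d)/(g) and IEC 62443-3-3 SR 1.1,
SR 2.1 and SR 2.6 with a single implementation (added illustration).

Assumed values: role and permission names, the 30-minute inactivity limit and
the 5-minute step-up validity window are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

# Role-based permissions, constructed to mirror GMP job descriptions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "operator": {"view_batch_record", "acknowledge_alarm"},
    "supervisor": {"view_batch_record", "acknowledge_alarm", "modify_process_parameter"},
    "qa_reviewer": {"view_batch_record", "approve_batch_record"},
}
# High-privilege functions that need a second authentication step before use.
STEP_UP_REQUIRED = {"modify_process_parameter", "approve_batch_record"}
INACTIVITY_LIMIT = timedelta(minutes=30)   # assumed site policy
STEP_UP_VALIDITY = timedelta(minutes=5)    # assumed site policy


@dataclass
class User:
    user_id: str   # one account per individual, never shared
    role: str


@dataclass
class Session:
    user: User
    last_activity: datetime
    step_up_verified_at: Optional[datetime] = None   # when a second factor was last confirmed


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session: Session, action: str, now: datetime) -> Decision:
    """Decide whether `action` may proceed: inactivity timeout, then RBAC, then step-up."""
    # 1. Automatic termination after inactivity (SR 2.6); an idle session cannot act.
    if now - session.last_activity > INACTIVITY_LIMIT:
        return Decision(False, "session expired after inactivity")
    # 2. Authorization enforcement against the role's permissions (SR 2.1 / 11.10(g)).
    if action not in ROLE_PERMISSIONS.get(session.user.role, set()):
        return Decision(False, f"role {session.user.role!r} lacks {action!r}")
    # 3. Additional authentication for high-privilege functions, valid only briefly.
    if action in STEP_UP_REQUIRED:
        verified = session.step_up_verified_at
        if verified is None or now - verified > STEP_UP_VALIDITY:
            return Decision(False, "step-up authentication required")
    session.last_activity = now   # a permitted action refreshes the inactivity clock
    return Decision(True, "authorized")


def run_scenario() -> Dict[str, Decision]:
    """Constructed walk-through exercising each branch; returns the decisions by name."""
    t0 = datetime(2024, 3, 1, 8, 0)
    operator = Session(User("op01", "operator"), t0)
    supervisor = Session(User("sup01", "supervisor"), t0)
    idle = Session(User("sup02", "supervisor"), t0)
    results = {
        "operator_view": authorize(operator, "view_batch_record", t0 + timedelta(minutes=1)),
        "operator_modify": authorize(operator, "modify_process_parameter", t0 + timedelta(minutes=1)),
        "supervisor_no_stepup": authorize(supervisor, "modify_process_parameter", t0 + timedelta(minutes=1)),
    }
    supervisor.step_up_verified_at = t0 + timedelta(minutes=1)   # second factor confirmed
    results["supervisor_with_stepup"] = authorize(supervisor, "modify_process_parameter", t0 + timedelta(minutes=2))
    results["supervisor_stepup_stale"] = authorize(supervisor, "modify_process_parameter", t0 + timedelta(minutes=9))
    results["idle_session"] = authorize(idle, "view_batch_record", t0 + timedelta(minutes=31))
    return results


if __name__ == "__main__":
    for name, d in run_scenario().items():
        print(f"{name:<24} {'ALLOW' if d.allowed else 'DENY':<5} {d.reason}")
```

The order of the checks matters for evidence: an expired session is refused before any permission lookup, so the audit trail never shows an idle session exercising a privilege, and a step-up that has aged past its validity window is treated the same as one that never happened.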
2.2 Audit Trails and Security Event Logging
Part 11 Section 11.10(e) requires computer-generated time-stamped audit trails. IEC 62443-3-3 SR 6.1 and SR 6.2 require audit log accessibility and continuous monitoring. Both requirements are satisfied by the same technical implementation: a centralized logging system that captures all user actions on Part 11-applicable OT systems with timestamps, user identity, and action detail.
The key requirement for unified compliance is that the logging system must satisfy both the GMP evidence standard (human-readable audit trail that demonstrates data integrity for FDA review) and the security monitoring requirement (machine-parseable logs ingested by the security monitoring platform for anomaly detection). These are not competing requirements - they are the same log, consumed by different audiences for different purposes.
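One audit trail rendered for both audiences, as an added illustration that is not code from the page. Each entry carries the fields the text calls for (timestamp, user identity, action detail); the same entries are emitted as JSON lines for the security monitoring platform and as a human-readable listing for GMP review. The SHA-256 hash chain is this example's own choice for the "protection of audit information" counterpart (SR 3.9) and is not something the page prescribes; the batch record events are constructed.

```python
"""Single audit trail, two consumers: JSON lines for monitoring, a readable
listing for FDA review, with a hash chain so after-the-fact edits are detectable
(added illustration; the hash chain and the sample events are assumptions).
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional


class AuditTrail:
    """Append-only audit trail. Each entry commits to the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, user_id: str, action: str, record_id: str,
               old_value, new_value, reason: str, when: datetime) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "ts": when.isoformat(), "user": user_id, "action": action,
            "record": record_id, "old": old_value, "new": new_value,
            "reason": reason, "prev": prev,
        }
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    @staticmethod
    def _digest(body: dict) -> str:
        canon = json.dumps({k: v for k, v in body.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(canon.encode()).hexdigest()

    def verify(self) -> Optional[int]:
        """Index of the first entry whose hash or chain link fails, or None if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def as_json_lines(self) -> str:
        """Machine-parseable form for the security monitoring platform."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    def as_human_readable(self) -> str:
        """Review form: who did what, to which record, when, and why."""
        lines = []
        for e in self.entries:
            change = f" {e['old']!r} -> {e['new']!r}" if e["action"] == "modify" else ""
            lines.append(f"{e['ts']}  {e['user']:<6} {e['action']:<8} {e['record']}{change} ({e['reason']})")
        return "\n".join(lines)


def sample_trail() -> AuditTrail:
    """Constructed events on one batch record; values are illustrative only."""
    t = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.record("op01", "create", "BR-0421", None, "draft", "batch started", t)
    trail.record("sup01", "modify", "BR-0421", "45", "50",
                 "hold time corrected per deviation DV-17", t + timedelta(minutes=12))
    trail.record("qa01", "approve", "BR-0421", None, "released",
                 "QA review complete", t + timedelta(hours=2))
    return trail


def tampered_trail(recompute_hash: bool) -> Optional[int]:
    """Alter entry 1 after the fact and report where verification first fails."""
    trail = sample_trail()
    trail.entries[1]["new"] = "40"          # silent edit of a stored value
    if recompute_hash:                       # an editor who also fixes up that entry's hash
        trail.entries[1]["hash"] = AuditTrail._digest(trail.entries[1])
    return trail.verify()


if __name__ == "__main__":
    print(sample_trail().as_human_readable())
    print(sample_trail().as_json_lines())
```

Editing a stored value breaks that entry's own hash; recomputing the hash to hide the edit breaks the next entry's `prev` link instead, so verification still reports the damage, one entry later. The hash of the newest entry is what an external system (the monitoring platform, or a periodic quality check) would retain to anchor the chain.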
2.3 Change Management and Configuration Control
Part 11 Section 11.10(k) requires distribution of copies of documentation to required personnel and procedures to ensure that only authorized individuals initiate changes in records. IEC 62443-2-1 requires a documented change management process for OT systems. GMP 21 CFR 211.68 requires that changes to computerized systems be validated before implementation.
A unified change management process that covers GMP validation impact assessment, cybersecurity impact assessment, change authorization, implementation documentation, and post-change verification satisfies all three requirements through a single workflow. The same change control record that documents GMP validation impact also documents the security review and approval.
2.4 System Integrity and Backup
Part 11 Section 11.10(c) requires protection of records for accurate retrieval throughout the retention period. IEC 62443-3-3 SR 7.3 requires backup and restore capability. Both are satisfied by: encrypted, offline backups of OT system configurations and Part 11 electronic records, documented backup verification procedures, and tested restoration procedures with defined recovery time objectives.
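A backup verification and restore test of the kind the paragraph describes, as an added illustration rather than the page's own procedure: a manifest of per-file SHA-256 digests is written with the backup, verification re-checks the copy against that manifest, and a timed restore into a fresh location is compared with the recovery time objective. Encryption of the backup at rest is assumed to be handled by the backup tooling and is outside this example; the file names, contents and the 15-minute RTO are constructed.

```python
"""Backup integrity verification and timed restore test for OT configurations
and Part 11 records (added illustration; file contents, names and the RTO are
constructed, and at-rest encryption is assumed to happen elsewhere).
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy the source tree to dest/data and write a manifest of per-file digests."""
    data = dest / "data"
    shutil.copytree(source, data)
    manifest = {str(p.relative_to(data)): sha256_of(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> List[str]:
    """Return the files whose digest no longer matches the manifest (or that are missing)."""
    manifest = json.loads((dest / "manifest.json").read_text())
    bad = []
    for rel, digest in manifest.items():
        p = dest / "data" / rel
        if not p.exists() or sha256_of(p) != digest:
            bad.append(rel)
    return bad


def restore_test(dest: Path, target: Path, rto_seconds: float) -> dict:
    """Restore into target, verify the restored files, and compare elapsed time with the RTO."""
    start = time.monotonic()
    shutil.copytree(dest / "data", target)
    elapsed = time.monotonic() - start
    manifest = json.loads((dest / "manifest.json").read_text())
    mismatches = [rel for rel, d in manifest.items() if sha256_of(target / rel) != d]
    return {"elapsed_s": elapsed, "within_rto": elapsed <= rto_seconds, "mismatches": mismatches}


def run_scenario() -> dict:
    """Constructed walk-through: clean verify, detect corruption, then a timed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "plc_config"
        src.mkdir()
        (src / "recipe_v7.cfg").write_text("mix_speed=120\nhold_time=45\n")   # constructed
        (src / "batch_0421.rec").write_text("batch=0421;status=released\n")   # constructed
        backup = root / "backup"
        backup.mkdir()
        create_backup(src, backup)
        clean = verify_backup(backup)
        # Simulate silent corruption of the backup copy and re-run verification.
        (backup / "data" / "recipe_v7.cfg").write_text("mix_speed=999\n")
        corrupted = verify_backup(backup)
        # Take a fresh backup and time a restore against a 15-minute RTO (assumed).
        shutil.rmtree(backup)
        backup.mkdir()
        create_backup(src, backup)
        result = restore_test(backup, root / "restored", rto_seconds=15 * 60)
        return {"clean": clean, "corrupted": corrupted, "restore": result}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The returned dictionary is the evidence a unified program wants from one exercise: the verification result stands in for the documented backup verification procedure, and the restore result records both that the restored files match the manifest and whether the restore met the RTO.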
3. Where Part 11 and IEC 62443 Diverge: What Each Requires Beyond the Overlap
3.1 What Part 11 Requires That IEC 62443 Does Not Fully Address
Part 11 requirements that go beyond IEC 62443's technical security controls:
- Electronic signature requirements (Part 11, Subpart C): Electronic signatures in Part 11 must meet specific requirements for uniqueness, identity verification, and non-repudiation that go beyond IEC 62443's authentication requirements. Pharmaceutical manufacturers using electronic signatures for batch release must implement signature mechanisms that satisfy Part 11 Subpart C requirements specifically.
- System validation documentation: Part 11 requires validated computer systems with documented validation evidence - User Requirements Specifications, Design Qualification, Installation Qualification, Operational Qualification. IEC 62443 does not require validation documentation in the FDA sense. This documentation must be maintained separately for Part 11 purposes.
- Predicate rule alignment: Part 11 records must satisfy the underlying GMP predicate rule requirements - the data content required by 21 CFR Parts 210, 211, and other applicable GMP regulations. IEC 62443 does not address data content requirements.
3.2 What IEC 62443 Requires That Part 11 Does Not Address
IEC 62443 requirements that go beyond Part 11's scope:
- Network segmentation and conduit controls: IEC 62443 zones and conduits require network-level segmentation and traffic controls between OT zones. Part 11 does not address network architecture - it focuses on the control system itself rather than the network in which it operates.
- Supply chain security: IEC 62443-2-4 and 62443-4-1 address the security practices of OT service providers and software developers. Part 11 requires validated systems but does not directly address the security practices of the vendors who provide those systems.
- OT threat detection and response: IEC 62443-3-3 SR 6.2 requires continuous security monitoring and anomaly detection. Part 11 requires audit trails for record changes but does not require active monitoring for cyber threats.
4. Building a Unified Part 11 / IEC 62443 Compliance Program
4.1 Map Your OT Systems Against Both Frameworks Simultaneously
The starting point is a combined inventory of all OT systems that are subject to Part 11 (because they create or maintain FDA-regulated records) and all OT systems that require IEC 62443 security controls (because they are part of the manufacturing OT environment). In most pharmaceutical facilities, these two populations overlap significantly. Mapping both simultaneously avoids the situation where the quality team maintains a Part 11 system inventory and the security team maintains a separate OT asset inventory with no reconciliation between them.
4.2 Use IEC 62443 Risk Assessment to Inform Part 11 System Classification
Part 11 requires that the controls applied to an electronic record system be based on a risk assessment that considers the criticality of the system to product quality and patient safety. IEC 62443-3-2 provides a structured risk assessment methodology that evaluates the consequence of system compromise and assigns Security Level targets accordingly. Using the IEC 62443 risk assessment methodology to determine Part 11 risk classification produces a single risk assessment that satisfies both frameworks and provides a defensible, documented basis for the control decisions made for each system.
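Sections 4.1 and 4.2 together, as an added illustration that is not code from the page: the quality team's Part 11 inventory and the security team's OT asset inventory are merged by system id, systems known to only one team are flagged, and a single consequence assessment per system yields both the Security Level target and the Part 11 risk class. The two inventories, the 1-4 consequence scale and the rule that maps consequence to SL-T and risk class are constructed for the example; IEC 62443-3-2 leaves the actual scale and targets to the site's own assessment.

```python
"""Combined Part 11 / IEC 62443 system inventory with one shared risk assessment
(added illustration; inventories, consequence scale and the SL-T rule are assumed).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Quality team's Part 11 inventory: system id -> predicate rule requiring its records (constructed).
PART11_INVENTORY = {
    "MES-01": "21 CFR 211.188 batch production records",
    "LIMS-01": "21 CFR 211.194 laboratory records",
    "CHROM-03": "21 CFR 211.194 laboratory records",
}
# Security team's OT asset inventory: system id -> zone (constructed).
OT_ASSET_INVENTORY = {
    "MES-01": "Level 3 site operations",
    "DCS-01": "Level 2 process control",
    "HMI-07": "Level 2 process control",
    "CHROM-03": "Level 2 laboratory",
}


@dataclass
class Consequence:
    """Consequence of compromise on an assumed 1 (negligible) to 4 (severe) scale."""
    product_quality: int
    patient_safety: int


@dataclass
class SystemRecord:
    system_id: str
    part11_predicate_rule: Optional[str]
    ot_zone: Optional[str]
    consequence: Optional[Consequence] = None
    sl_target: Optional[int] = None
    part11_risk_class: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def reconcile(part11: Dict[str, str], ot_assets: Dict[str, str]) -> Dict[str, SystemRecord]:
    """Merge both inventories and flag systems that only one team knows about."""
    merged: Dict[str, SystemRecord] = {}
    for sid in sorted(set(part11) | set(ot_assets)):
        rec = SystemRecord(sid, part11.get(sid), ot_assets.get(sid))
        if rec.part11_predicate_rule and not rec.ot_zone:
            rec.findings.append("Part 11 system missing from OT asset inventory")
        if rec.ot_zone and not rec.part11_predicate_rule:
            rec.findings.append("OT asset not yet assessed for Part 11 applicability")
        merged[sid] = rec
    return merged


def assess(rec: SystemRecord, c: Consequence) -> SystemRecord:
    """Derive SL-T and the Part 11 risk class from one consequence rating (assumed rule)."""
    worst = max(c.product_quality, c.patient_safety)
    rec.consequence = c
    rec.sl_target = worst   # assumed: SL-T tracks the worst-case consequence on the 1-4 scale
    if rec.part11_predicate_rule:   # Part 11 classification only applies to Part 11 systems
        rec.part11_risk_class = "high" if worst >= 3 else "medium" if worst == 2 else "low"
    return rec


def run_scenario() -> Dict[str, SystemRecord]:
    """Reconcile the constructed inventories and assess three systems."""
    merged = reconcile(PART11_INVENTORY, OT_ASSET_INVENTORY)
    assess(merged["MES-01"], Consequence(product_quality=3, patient_safety=2))
    assess(merged["CHROM-03"], Consequence(product_quality=2, patient_safety=1))
    assess(merged["HMI-07"], Consequence(product_quality=1, patient_safety=1))
    return merged


if __name__ == "__main__":
    for sid, rec in run_scenario().items():
        print(sid, rec.ot_zone, rec.part11_predicate_rule, rec.sl_target,
              rec.part11_risk_class, rec.findings)
```

The findings list is the reconciliation output the text asks for: LIMS-01 is a Part 11 system the security team has no record of, and DCS-01 and HMI-07 are OT assets nobody has yet checked against the predicate rules. Because the same consequence rating drives both outputs, the control decisions for each system trace back to one documented assessment.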
4.3 Structure Compliance Evidence to Satisfy Both Audiences
The same implemented control must produce evidence that satisfies the FDA inspector reviewing Part 11 compliance and the cybersecurity assessor reviewing IEC 62443 compliance. This requires that control documentation be structured to address both frameworks:
- Access control documentation: Documents both the Part 11 authority check implementation and the IEC 62443 SR 2.1 authorization enforcement evidence.
- Audit trail configuration: Documents both the Part 11 audit trail scope and format and the IEC 62443 SR 6.1 audit log accessibility configuration.
- Change control records: Include both the GMP validation impact assessment and the cybersecurity impact assessment for each change.
Bottom Line
21 CFR Part 11 and IEC 62443 are not competing frameworks in a pharmaceutical OT environment - they are complementary frameworks governing the same systems from different regulatory perspectives. The pharmaceutical manufacturers who have built the most efficient and defensible compliance programs are those who recognized this complementarity early and built a unified compliance architecture that serves both the FDA and the cybersecurity auditor through a single set of implemented controls and a single documentation structure. The investment required is in the upfront alignment work - which pays back through reduced compliance overhead, cleaner audit outcomes, and a more coherent security posture.
Frequently Asked Questions
Does 21 CFR Part 11 apply to all computer systems in a pharmaceutical facility?
No. Part 11 applies specifically to electronic records that are created, modified, maintained, archived, retrieved, or transmitted under GMP requirements - that is, records required by FDA regulations. Not every computer system in a pharmaceutical facility generates Part 11-regulated records. A corporate HR system, an IT service desk platform, or a building security system typically does not generate FDA-regulated records and is not subject to Part 11. The determination of which systems are Part 11-applicable requires a system inventory combined with a predicate rule analysis - identifying which FDA regulations require the records that each system produces. This analysis is also the input for the IEC 62443 risk assessment, making the two exercises natural complements.
How does GAMP 5 relate to Part 11 and IEC 62443?
GAMP 5 - the Good Automated Manufacturing Practice guideline published by ISPE - provides a risk-based approach to computer system validation for pharmaceutical manufacturers. It classifies software into categories based on complexity and provides validation guidance appropriate to each category. GAMP 5 is not an FDA regulation but is widely accepted by FDA as a defensible approach to Part 11 compliance. From an IEC 62443 perspective, GAMP 5 validation documentation - User Requirements Specifications, Design Qualification, Installation Qualification - provides the baseline configuration documentation that IEC 62443-3-3 SR 7.6 software and information integrity requires. Building GAMP 5 validation documentation to also capture IEC 62443 security requirements reduces the documentation burden for both frameworks.
What are the consequences of a Part 11 violation that also involves a cybersecurity incident?
A cybersecurity incident that affects Part 11-regulated records - for example, ransomware that corrupts batch records, or an insider who modifies analytical data - creates both a cybersecurity incident response obligation and a GMP investigation obligation. The FDA consequence depends on whether the incident affected data integrity in a way that impacts product quality or regulatory submissions. Corrupted batch records that cannot be reconstructed may require product quarantine and investigation. Modified analytical data may require review of all batches tested on the affected system. If the incident is detected during an FDA inspection or results in an FDA field alert report, the regulatory consequences escalate significantly. This is why OT security in pharmaceutical manufacturing is not only a cybersecurity matter - it is a product quality and regulatory compliance matter that requires involvement from the quality organization from the outset of any incident response.