This document is a checklist for assessing compliance with 21 CFR Part 11, which establishes criteria for electronic records and electronic signatures. It contains questions in 7 sections related to controls for closed systems, additional controls for open systems, requirements for signed electronic records, general requirements for electronic signatures, controls for non-biometric and biometric signatures, controls for identifications and passwords, and additional controls for devices bearing code or password information. The checklist is used to determine if a system passes or fails the assessment for 21 CFR Part 11 compliance.
Copyright:
Attribution Non-Commercial (BY-NC)
Checklist Approved for compliance with 21 CFR Part 11

| Name | Position | Signature | Date |
|---|---|---|---|
| | | | |

| | Review Performed by | Review Approved by |
|---|---|---|
| Name | | |
| Position | | |
| Signature | | |
| Date | | |
| Result | Pass / Fail * | Pass / Fail * |

* Circle as appropriate

21 CFR Part 11 Compliance Check List

1. Checks for Closed Systems

| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Is the system validated? | | | | 11.10 (a) |
| Is it possible to distinguish invalid or altered records? | | | | 11.10 (a) |
| Is the system capable of producing accurate and complete copies of electronic records on paper? | | | | 11.10 (b) |
| Is the system capable of producing accurate and complete copies of records in electronic form? | | | | 11.10 (b) |
| Are records retrievable throughout their retention period? | | | | 11.10 (c) |
| Is the system limited to authorised individuals? | | | | 11.10 (d) |
| Is there a secure, computer generated, time stamped audit trail that records the date and time of operator entries and actions that create, modify, or delete electronic records? | | | | 11.10 (e) |
| Upon making a change to an electronic record, is previously recorded information still available (i.e. not obscured by the change)? | | | | 11.10 (e) |
| Is an electronic records audit trail retrievable throughout the records retention period? | | | | 11.10 (e) |
| Is the audit trail available for review and copying? | | | | 11.10 (e) |
| If the sequence of system steps or events is important, is this enforced by the system (as would be the case in a process control system)? | | | | 11.10 (f) |

1. Checks for Closed Systems (continued)

| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Does the system ensure that only authorised individuals can use the system, electronically sign records, access the operation, or computer system input or output device, alter a record, or perform other operations? | | | | 11.10 (g) |
| If it is a requirement of the system that input data or instructions can only come from certain input devices (e.g. terminals), does the system check the validity of the source of any data or instructions received? (Note: This applies where data or instructions come from more than one device, and therefore the system must verify the integrity of its source, such as a network of scales or remote radio controlled terminals.) | | | | 11.10 (h) |
| Is there documented training, including on the job training for system users, developers, IT support staff? | | | | 11.10 (i) |
| Is there a written policy that makes individuals fully accountable and responsible for actions initiated under electronic signatures? | | | | 11.10 (j) |
| Is the distribution of, access to, and use of systems operation and maintenance documentation controlled? | | | | 11.10 (k) |
| Is there a formal change control procedure for system documentation that maintains a time sequenced audit trail of changes? | | | | 11.10 (k) |

2. Additional Checks for Open Systems

| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Is data encrypted? | | | | 11.30 |
| Are digital signatures used? | | | | 11.30 |

3. Signed Electronic Records

| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Do signed electronic records contain the following information: the printed name of the signer; the date and time of signing; the meaning of the signing (e.g. review, approval)? | | | | 11.50 |
| Is the above information shown on displayed or printed copies of the electronic record? | | | | 11.50 |
| Are signatures linked to their respective records to ensure that they cannot be cut, copied or otherwise transferred by ordinary means for the purpose of falsification? | | | | 11.70 |

4. Electronic Signatures (General)

| Question | Yes | No | Comments |
|---|---|---|---|
| Are electronic signatures unique to an individual? | | | |
| Are electronic signatures ever re-used by, or re-assigned to, anyone else? | | | |
| Is the identity of an individual verified before an electronic signature is allocated? | | | |

5. Electronic Signatures (Non Biometric)

| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Does the electronic signature require at least two identification components, such as an identification code and password? | | | | 11.200 (a) (1) |
| When an individual executes a series of electronic signings in a single continuous session, does the first signing require all elements of the electronic signature, and do subsequent signings require at least one element that is only executable by the signer? | | | | 11.200 (a) (1)(i) |
| When an individual executes electronic signings that are not performed in a single continuous session, does the signing require all elements of the electronic signature? | | | | 11.200 (a) (1)(ii) |
| Are non-biometric signatures only used by their genuine owners? | | | | 11.200 (a) (2) |
| Would an attempt to falsify an electronic signature require collaboration of at least two individuals? | | | | 11.200 (a) (3) |

6. Electronic Signatures (Biometric)

| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Has it been shown that biometric electronic signatures can only be used by their genuine owner? | | | | 11.200 (b) |

7. Controls for Identifications and Passwords

| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Are controls in place to maintain the uniqueness of combined identification code and password, such that no individual can have the same combination of identification code and password? | | | | 11.300 (a) |
| Are procedures in place to ensure that the validity of identification codes is periodically checked? | | | | 11.300 (b) |
| Do passwords expire and need to be revised? | | | | 11.300 (b) |
| Is there a procedure for electronically recalling identification codes and passwords if a person leaves or is transferred? | | | | 11.300 (b) |
| Is there a procedure for electronically disabling an identification code or password if it is potentially compromised or lost? | | | | 11.300 (c) |
| Is there a procedure for detecting attempts at unauthorised use and for informing security? | | | | 11.300 (d) |

7. Additional Checks required for Tokens, Cards and other Devices bearing or generating code or password information

| Question | Yes | No | Comments |
|---|---|---|---|
| Is there a procedure to follow if a device is lost or stolen? | | | |
| Is there a procedure for electronically disabling a device if it is lost, stolen or potentially compromised? | | | |
| Are there controls for the issuance of temporary and permanent device replacements? | | | |
| Is there initial and periodic testing of Tokens and Cards? | | | |
| Does the testing check that there have been no unauthorised alterations? | | | |