September 29th, 2023
21 CFR Part 11 Compliance Checklist to Follow
21 CFR Part 11 outlines the FDA’s requirements for the integrity, quality, and compliance of digital documents and signatures. The management of data and paperwork is an essential part of a life science quality management system. Use the checklist below to address each requirement of FDA 21 CFR Part 11 and embed full compliance.
Validation – For Security
Item Number | Requirement |
---|---|
1 | Is the system validated? |
2 | Is it possible to distinguish invalid or changed records? |
3 | Are the documents easily retrievable throughout their retention period? |
4 | Is system access restricted to licensed individuals? |
5 | If the sequence of system steps or events is crucial, is this implemented by the system procedure control system? |
6 | Does the system guarantee that only authorized people can use it, digitally sign documents, modify a document, or execute other processes? |
7 | If it is a requirement of the system that input data or guidelines can only originate from specific input devices (e.g., terminals), does the system check the validity of the source of any data or guidelines received? (Note: This applies where the information or guidelines can originate from more than one device, and for that reason the system must validate the integrity of its source, such as a network of weight scales or remote, radio-controlled terminals.) |
8 | Is there recorded training, including on-duty training, for system users, developers, and the IT support team? |
9 | Is there a written policy that makes people completely liable and in charge of actions initiated under their electronic signatures? |
10 | Is the distribution of, access to, and use of system processes and maintenance paperwork regulated? |
11 | Is data encrypted? |
12 | Are digital signatures used? |
Audit Trails – For Traceability
Item Number | Requirement |
---|---|
1 | Is there a secure, computer-generated, time-stamped audit trail that records the date and time of operator entries and actions that develop, customize, or remove digital records? |
2 | Upon making a modification to an electronic document, is previously recorded information still available (i.e., not obscured by the modification)? |
3 | Is an electronic records audit trail retrievable throughout the document’s retention period? |
4 | Is the audit trail available for evaluation and copying by the FDA? |
5 | Does the audit trail consist of the customer ID, series of events (particularly situations or circumstances), original and new values (backups of any changed or erased documents), a modification log, and revision and change controls? |
 | Do signed electronic records contain: |
6 | The printed name of the signer? |
7 | The date and time of signing? |
8 | The meaning of the signing (such as approval, review, etc.)? |
9 | Is the above information shown on displayed and printed copies of the electronic record? |
10 | Are signatures linked to their corresponding electronic records to make sure that they cannot be cut, duplicated, or otherwise transferred by common means for the purpose of falsification? |
11 | Is there an official change control procedure for system documentation that preserves a time-sequenced audit trail for those modifications made by the pharmaceutical company? |
12 | Are electronic signatures unique to an individual? |
13 | Are electronic signatures ever reused by or reassigned to anyone else? |
14 | Is the identity of an individual validated before an electronic signature is assigned? |
15 | Is the signature comprised of a minimum of two elements, such as an identification code and password, or an ID card and password? |
16 | Has it been shown that biometric electronic signatures can be used only by their authentic proprietor? |
17 | When multiple signings are made during a continuous session, is the password implemented at each signing? (Note: Both elements must be carried out at the first signing of a session.) |
18 | If signings are not made in a continuous session, are both elements of the electronic signature implemented with each signing? |
19 | Are non-biometric signatures only used by their genuine owners? |
20 | Would an attempt to falsify an electronic signature require the collaboration of at least two individuals? |
Electronic Signatures – For Valid Use
Item Number | Requirement |
---|---|
1 | Are electronic signatures unique for every user? |
2 | Is it feasible to reuse or reassign the electronic signature to anybody else? |
3 | Does each electronic signature link to its respective electronic record? |
4 | Is the identity of an individual inspected and thoroughly verified at the time of signing using an electronic signature? |
Copies of Records – For Reference
Item Number | Requirement |
---|---|
1 | Is the system efficient in generating precise and full copies of electronic records on paper? |
2 | Is the system efficient in generating precise and full copies of records in electronic form for inspection, review, and copying by the FDA? |
3 | Is the system using established automated conversion or export methods (PDF, XML, or SGML)? |
Record Retention – For Efficiency
Item Number | Requirement |
---|---|
1 | Are controls in place to preserve the individuality of each combined identification code and password, such that no individual can have the same combination of identification code and password? |
2 | Are procedures in place to guarantee that the credibility of identification codes is regularly checked? |
3 | Do passwords periodically expire and need to be revised? |
4 | Is there a procedure for recalling identification codes and passwords if a person leaves or is transferred? |
5 | Is there a procedure for electronically restricting an identification code or password if it is possibly compromised or lost? |
6 | Is there a procedure for identifying attempts at unapproved use and for notifying security? |
7 | Is there a procedure for reporting recurrent or serious attempts at unlawful use to management? |
8 | Is there a loss management procedure to be adhered to if a device is lost or stolen? |
9 | Is there a procedure for electronically inactivating a device if it is lost, stolen, or potentially compromised? |
10 | Are there controls over the issuance of temporary and permanent substitutes? |
11 | Is there preliminary and regular testing of tokens and cards? |
12 | Does this testing check that there have been no unlawful modifications? |