
21 CFR Part 11 Compliance Check List

System Assessment Report <System Name>


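Checklist approved for compliance with 21 CFR Part 11:

| Name | Position | Signature | Date |
|---|---|---|---|
| | | | |

| | Name | Position | Signature | Date | Result |
|---|---|---|---|---|---|
| Review Performed by | | | | | Pass / Fail * |
| Review Approved by | | | | | Pass / Fail * |

* Circle as appropriate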



1. Checks for Closed Systems
| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Is the system validated? | | | | 11.10 (a) |
| Is it possible to distinguish invalid or altered records? | | | | 11.10 (a) |
| Is the system capable of producing accurate and complete copies of electronic records on paper? | | | | 11.10 (b) |
| Is the system capable of producing accurate and complete copies of records in electronic form? | | | | 11.10 (b) |
| Are records retrievable throughout their retention period? | | | | 11.10 (c) |
| Is the system limited to authorised individuals? | | | | 11.10 (d) |
| Is there a secure, computer generated, time stamped audit trail that records the date and time of operator entries and actions that create, modify, or delete electronic records? | | | | 11.10 (e) |
| Upon making a change to an electronic record, is previously recorded information still available (i.e. not obscured by the change)? | | | | 11.10 (e) |
| Is an electronic records audit trail retrievable throughout the records retention period? | | | | 11.10 (e) |
| Is the audit trail available for review and copying? | | | | 11.10 (e) |
| If the sequence of system steps or events is important, is this enforced by the system (as would be the case in a process control system)? | | | | 11.10 (f) |



1. Checks for Closed Systems (continued)
| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Does the system ensure that only authorised individuals can use the system, electronically sign records, access the operation or computer system input or output device, alter a record, or perform other operations? | | | | 11.10 (g) |
| If it is a requirement of the system that input data or instructions can only come from certain input devices (e.g. terminals), does the system check the validity of the source of any data or instructions received? (Note: This applies where data or instructions come from more than one device, and therefore the system must verify the integrity of its source, such as a network of scales or remote radio controlled terminals.) | | | | 11.10 (h) |
| Is there documented training, including on-the-job training, for system users, developers and IT support staff? | | | | 11.10 (i) |
| Is there a written policy that makes individuals fully accountable and responsible for actions initiated under electronic signatures? | | | | 11.10 (j) |
| Is the distribution of, access to, and use of systems operation and maintenance documentation controlled? | | | | 11.10 (k) |
| Is there a formal change control procedure for system documentation that maintains a time sequenced audit trail of changes? | | | | 11.10 (k) |



2. Additional Checks for Open Systems
| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Is data encrypted? | | | | 11.30 |
| Are digital signatures used? | | | | 11.30 |

3. Signed Electronic Records

| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Do signed electronic records contain the following information: the printed name of the signer; the date and time of signing; the meaning of the signing (e.g. review, approval)? | | | | 11.50 |
| Is the above information shown on displayed or printed copies of the electronic record? | | | | 11.50 |
| Are signatures linked to their respective records to ensure that they cannot be cut, copied or otherwise transferred by ordinary means for the purpose of falsification? | | | | 11.70 |

4. Electronic Signatures (General)

| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Are electronic signatures unique to an individual? | | | | 11.100 (a) |
| Are electronic signatures ever re-used by, or re-assigned to, anyone else? | | | | 11.100 (a) |
| Is the identity of an individual verified before an electronic signature is allocated? | | | | 11.100 (b) |



5. Electronic Signatures (Non Biometric)
| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Does the electronic signature require at least two identification components, such as an identification code and password? | | | | 11.200 (a) (1) |
| When an individual executes a series of electronic signings in a single continuous session, does: the first signing require all elements of the electronic signature? and subsequent signings require at least one element that is only executable by the signer? | | | | 11.200 (a) (1)(i) |
| When an individual executes electronic signings that are not performed in a single continuous session, does: the signing require all elements of the electronic signature? | | | | 11.200 (a) (1)(ii) |
| Are non-biometric signatures only used by their genuine owners? | | | | 11.200 (a) (2) |
| Would an attempt to falsify an electronic signature require collaboration of at least two individuals? | | | | 11.200 (a) (3) |

6. Electronic Signatures (Biometric)

| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Has it been shown that biometric electronic signatures can only be used by their genuine owner? | | | | 11.200 (b) |



7. Controls for Identifications and Passwords
| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Are controls in place to maintain the uniqueness of combined identification code and password, such that no individual can have the same combination of identification code and password? | | | | 11.300 (a) |
| Are procedures in place to ensure that the validity of identification codes is periodically checked? | | | | 11.300 (b) |
| Do passwords expire and need to be revised? | | | | 11.300 (b) |
| Is there a procedure for electronically recalling identification codes and passwords if a person leaves or is transferred? | | | | 11.300 (b) |
| Is there a procedure for electronically disabling an identification code or password if it is potentially compromised or lost? | | | | 11.300 (c) |
| Is there a procedure for detecting attempts at unauthorised use and for informing security? | | | | 11.300 (d) |



7. Additional Checks Required for Tokens, Cards and Other Devices Bearing or Generating Code or Password Information

| Question | Yes | No | Comments | 21 CFR Part 11 Clause # |
|---|---|---|---|---|
| Is there a procedure to follow if a device is lost or stolen? | | | | 11.300 (c) |
| Is there a procedure for electronically disabling a device if it is lost, stolen or potentially compromised? | | | | 11.300 (c) |
| Are there controls for the issuance of temporary and permanent device replacements? | | | | 11.300 (c) |
| Is there initial and periodic testing of tokens and cards? | | | | 11.300 (e) |
| Does the testing check that there have been no unauthorised alterations? | | | | 11.300 (e) |
