This document summarizes an assessment of software/systems for compliance with 21 CFR Part 11 regulations. It includes a compliance summary section listing requirements and assessment results. It also includes sections for observations of issues, an assessment form with detailed questions, and documentation of controls for electronic records, signatures, and systems. The assessment is intended to validate that the software accurately records and maintains electronic records in compliance with FDA regulations.
Document Title: 21 CFR Part 11 Assessment Date: 01-Aug-08
Document Number: PDVS-007 Rev: 00 Page 1 of 7
Document Name 21 CFR Part 11 Assessment
Document Number PDVS-007 Application From A Tracker
SECTION A (COMPLIANCE SUMMARY)
1.0 COMPLIANCE REQUIREMENT
Columns: Result of the Assessment; Assessment result (Yes or No); If the result is “No” give a justification

Does the software/system create, modify, maintain, archive, retrieve or transmit a record in electronic format, which is regulated to demonstrate compliance with EU or FDA regulations
Yes – Assessment required using Section A, B & C
No – justify in next column. No further action necessary. Attach section A only.
2.0 CLASSIFICATION OF SOFTWARE/SYSTEM
Columns: Result of the Assessment; If the result is “No” give a justification

Classification 1 (Electronic records only)
Classification 2 (Handwritten signatures applied to electronic records)
Classification 3 (Electronic signatures based upon Identification (ID) code and password)
3.0 ASSESSMENT DETAILS & RESULTS
Summarise areas of non-compliance that apply to this software/system as detailed in section B and C
Columns: Part 11 Reference; Requirement/Question; Response (Yes / No / N/A); Comment / IQ/OQ Reference number

Validation
820.70(i) – When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented for:

11.10 CONTROLS FOR CLOSED SYSTEM
11.10(a) Does the software/system record data accurately, is deemed reliable and have consistent intended conformance
11.10(a) Does the system have the ability to detect the alteration of any record, even if the alteration was done directly to the database

Inspectability – Procedures and controls shall be designed and implemented to:
11.10(b) Generate accurate and complete copies of records in both human and electronic form for inspection, review, and copying by the FDA.
11.10(c) Protect records to enable their accurate and ready retrieval throughout the records retention period.

Security – Security procedures and controls shall be designed and implemented to include:
11.10(d) Does the software/system limit who may access the system.
11.10(f) Does the software/system have the capability to detect when an entry occurs outside of the normal sequence (e.g. data must be entered before it can be approved)

Authority Checks – ensures that authorized individuals can:
11.10(g) Electronically sign a document
11.10(g) Alter a record
11.10(g) Specifically restrict the individual to specific records.
11.10(h) Does the system record the location of the workstation where each entry was made?

Audit Trails – SOP’s and controls shall be implemented to ensure audit trails are:
11.10(e) Secure
11.10(e) Computer generated
11.10(e) Date and time stamped
Audit Trails – Record Operator entries and actions for:
11.10 (e) Creating electronic records
11.10 (e) Modifying electronic records
11.10 (e) Maintaining electronic records
11.10 (e) Deleting electronic records
11.10 (e) Ensure changes to electronic records shall not obscure previously recorded information
11.10 (e) Ensure that the audit trails can be maintained for at least as long as the underlying records
11.10 (e) Ensure that audit trails are available for review and copying by a regulatory body if required.

Qualifications of Personnel using the System/Software – Evidence that the following persons have the education, training and experience to perform their assigned tasks.
11.10 (i) Developers of the software/system
11.10 (i) Administrators of the software/system
11.10 (i) Users of the software/system
11.10 (j) Responsibility and Accountability of actions – Are there written SOP’s or policies in place that hold individuals responsible for their actions once they apply their electronic signature to an action in the system.

System/Software Documentation Controls – Establishment and use of appropriate controls over system documentation.
11.10 (k) Access to documentation
11.10 (k) Use of the documentation
11.10 (k) Revision and change control procedures to maintain an audit trail of all documents associated with the system/software

11.10 CONTROLS FOR OPEN SYSTEM
Controls for Open Systems – Open systems used to create, modify, maintain, or transmit electronic systems shall employ procedures and controls designed to ensure the following attributes for those electronic records from the point of their creation to the point of their receipt:
11.30 Authenticity
11.30 Integrity
11.30 Confidentiality
11.30 Document encryption as appropriate

Signature Manifestations – Signed electronic records shall contain information associated with the signing that clearly indicates all of the following e.g. when using a hybrid system.
11.50(a)(1) The printed name of the person who signs
11.50(a)(2) The date and time when the signature was executed
11.50(a)(3) The meaning of the signature (Approval, Review, Author)

All items defined above shall be
11.50(b) Subject to the same controls as for electronic records.
11.50(b) Included as part of any human readable form of the electronic record (such as electronic display and/or printout or report).
11.70 Signature/Record Linking – Electronic signatures, and handwritten signatures executed to electronic records, shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

11.10 ELECTRONIC SIGNATURES
11.100 General Requirements for Electronic Signatures
11.100 (a) Each electronic signature assigned to an individual shall be unique and cannot be re-issued or re-assigned to anyone else.
11.100 (b) The identity of the individual shall be verified prior to the organization establishing, assigning, certifying, or otherwise sanctioning that individual’s electronic signature.
11.100 (c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the FDA or equivalent regulatory authority that the electronic signatures used in the computerized system on or after August 20, 1997 are intended to be the legally binding equivalent of traditional handwritten signatures.
11.100 (c)(1) A certificate shall be kept in paper form and signed with a traditional handwritten signature to acknowledge the authority of the electronic signature.

11.200 Electronic Signatures Components & Controls
Electronic signatures that are not based on electronic signatures shall
11.200 (a)(1) Use at least 2 distinct identification components such as an identification code and password.
11.100 (a)(1)(i) When an individual executes a series of signings during a single continuous period of controlled system access, the first signing shall be executed using all electronic signature components. Subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by the individual.
11.200 (a)(1)(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
11.200 (a)(2) Be used only by their genuine owners.

11.300 Controls for Identification Codes/Passwords
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity, including:
11.300 (a) The combination of identification code and password shall be unique.
11.300 (b) Identification code and password issuance shall be periodically checked, recalled, or revised

Transaction safeguards shall be implemented to:
11.300 (d) Prevent unauthorized use of identification codes and passwords.
11.300 (d) Detect any attempt at unauthorized use for identification codes and/or passwords.
11.300 (d) Report in an immediate and urgent manner any attempt at unauthorized use of identification codes and passwords to the system security unit, and, as appropriate, organizational management.
11.300 (e) Initial and periodic testing of devices that bear or generate identification code or password information.