21 CFR Part 11

Document Title: 21 CFR Part 11 Assessment Date: 01-Aug-08

Document Number: PDVS-007 Rev: 00 Page 1 of 7

Document Name 21 CFR Part 11 Assessment

Document Number PDVS-007
Application From A Tracker
 21 CFR Part 11
Document Title: 21 CFR Part 11 Assessment Date: 01-Aug-08
Document Number: PDVS-007 Rev: 00 Page 2 of 7

SECTION A (COMPLIANCE SUMMARY)

1.0 COMPLIANCE REQUIREMENT

Result of the Assessment Assessment result (Yes or If the result is “No” give a
No) justification

Does the software/system create, Yes – Assessment

modify, maintain, archive, retrieve required using Section
or transmit a record in electronic A, B & C
format, which is regulated to No – justify in next
demonstrate compliance with EU or column. No further
FDA regulations action necessary. Attach
section A only.

2.0 CLASSIFICATION OF SOFTWARE/SYSTEM

Result of the Assessment If the result is “No” give a justification
Classification 1 (Electronic records only)
Classification 2 (Handwritten signatures
applied to electronic records)
Classification 3 (Electronic signatures based
upon Identification (ID) code and password

3.0 ASSESSMENT DETAILS & RESULTS

Summarise areas of non-compliance that apply to this software/system as detailed in section B and C
 21 CFR Part 11
Document Title: 21 CFR Part 11 Assessment Date: 01-Aug-08
Document Number: PDVS-007 Rev: 00 Page 3 of 7

4.0 ASSESSMENT AGREEMENT

POSITION PRINT NAME SIGNATURE DATE

SECTION B (OBSERVATIONS)

ISSUE PART 11 REFERENCE COMMENTS & OBSERVATIONS

NUMBER
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
 21 CFR Part 11
Document Title: 21 CFR Part 11 Assessment Date: 01-Aug-08
Document Number: PDVS-007 Rev: 00 Page 4 of 7

SECTION C (ASSESSMENT FORM)

Part 11 Requirement/Question Response Comment / IQ/OQ

Reference Yes No N/A Reference number
Validation 820.70(i) – When computers or automated data processing systems are used as part of
production or the quality system, the manufacturer shall validate computer software for its intended use
according to an established protocol. All software changes shall be validated before approval and
issuance. These validation activities and results shall be documented for:
11.10 CONTROLS FOR CLOSED SYSTEM
11.10(a) Does the software/system record data
accurately, is deemed reliable and have
consistent intended conformance
11.10(a) Does the system have the ability to detect
the alteration of any record, even if the
alteration was done directly to the
database
Inspectability – Procedures and controls shall be designed and implemented to:
11.10(b) Generate accurate and complete copies of
records in both human and electronic
form for inspection, review, and copying
by the FDA.
11.10(c) Protect records to enable their accurate
and ready retrieval throughout the records
retention period.
Security – Security procedures and controls shall be designed and implemented to include:
11.10(d) Does the software/system limit who may
access the system.
11.10(f) Does the software/system have the
capability to detect when an entry occurs
outside of the normal sequence ( eg data
must be entered before it can be
approved)
Authority Checks – ensures that authorized individuals can:
11.10(g) Electronically sign a document
11.10(g) Alter a record
11.10(g) Specifically restrict the individual to
specific records.
11.10(h) Does the system record the location of the
workstation where each entry was made?
Audit Trails – SOP’s and controls shall be implemented to ensure audit trails are:
11.10(e) Secure

11.10(e) Computer generated

11.10(e) Date and time stamped

Audit Trails – Record Operator entries and actions for:

11.10 (e) Creating electronic records
 21 CFR Part 11
Document Title: 21 CFR Part 11 Assessment Date: 01-Aug-08
Document Number: PDVS-007 Rev: 00 Page 5 of 7

11.10 (e) Modifying electronic records

11.10 (e) Maintaining electronic records
11.10 (e) Deleting electronic records
11.10 (e) Ensure changes to electronic records shall
not obscure previously recorded
information
11.10 (e) Ensure that the audit trails can be
maintained for at least as long as that
underlying records
11.10 (e) Ensure that audit trails are available for
review and copying by a regulatory body
if required.
Qualifications of Personnel using the System/Software – Evidence that the following persons have the
education, training and experience to perform their assigned tasks.
11.10 (i) Developers of the software/system
11.10 (i) Administrators of the software/system
11.10 (i) Users of the software/system
11.10 (j) Responsibility and Accountability of
actions – Are there written SOP’s or
policies in place that hold individuals
responsible for their actions once they
apply their electronic signature to an
action in the system.
System/Software Documentation Controls – Establishment and use of appropriate controls over system
documentation.
11.10 (k) Access to documentation
11.10 (k) Use of the documentation
11.10 (k) Revision and change control procedures
to maintain an audit trail of all documents
associated with the system/software
11.10 CONTROLS FOR OPEN SYSTEM
Controls for Open Systems – Open systems used to create, modify, maintain, or transmit electronic
systems shall employ procedures and controls designed to ensure the following attributes for those
electronic records from the point of their creation to the point of their receipt:
11.30 Authenticity
11.30 Integrity
11.30 Confidentiality
11.30 Document encryption as appropriate
Signature Manifestations – Signed electronic records shall contain information associated with the
signing that clearly indicates all of the following e.g. when using a hybrid system.
11.50(a)(1) The printed name of the person who signs
11.50(a)(2) The data and time when the signature was
executed
11.50(a)(3) The meaning of the signature (Approval,
Review, Author)
All items defined above shall be
11.50(b) Subject to the same controls as for
electronic records.
 21 CFR Part 11
Document Title: 21 CFR Part 11 Assessment Date: 01-Aug-08
Document Number: PDVS-007 Rev: 00 Page 6 of 7

11.50(b) Included as part of any human readable

form of the electronic record (such as
electronic display and/or printout or
report).
11.70 Signature/Record Linking – Electronic
signatures, and handwritten signatures
executed to electronic records, shall be
linked to their respective electronic
records to ensure that the signatures
cannot be excised, copied, or otherwise
transferred to falsify an electronic record
by ordinary means.
11.10 ELECTRONIC SIGNATURES
11.100 General Requirements for Electronic Signatures
11.100 (a) Each electronic signature assigned to an
individual shall be unique and cannot be
re-issued or re-assigned to anyone else.
11.100 (b) The identity of the individual shall be
verified prior to the organization
establishing, assigning, certifying, or
otherwise sanctioning that individual’s
electronic signature.
11.100 (c) Persons using electronic signatures shall,
prior to or at the time of such use, certify
to the FDA or equivalent regulatory
authority that the electronic signatures
used in the computerized system on or
after August 20, 1997 are intended to be
the legally binding equivalent of
traditional handwritten signatures.
11.100 (c) A certificate shall be kept in paper form
(1) and signed with a traditional handwritten
signature to acknowledge the authority of
the electronic signature.
11.200 Electronic Signatures Components & Controls
Electronic signatures that are not based on electronic signatures shall
11.200 (a) Use at least 2 distinct identification
(1) components such as an identification code
and password.
11.100 (a) When an individual executes a series of
(1)(i) signings during a single continuous period
of controlled system access, the first
signing shall be executed using all
electronic signature components.
Subsequent signings shall be executed
using at least one electronic signature
component that is only executable by, and
designed to be used only by the
individual.
11.200 (a) When an individual executes one or more
(1)(ii) signings not performed during a single,
 21 CFR Part 11
Document Title: 21 CFR Part 11 Assessment Date: 01-Aug-08
Document Number: PDVS-007 Rev: 00 Page 7 of 7

continuous period of controlled system

access, each signing shall be executed
using all of the electronic signature
components.
11.200 (a) Be used only by their genuine owners.
(2)
11.300 Controls for Identification Codes/Passwords
Persons who use electronic signatures based upon use of identification codes in combination with
passwords shall employ controls to ensure their security and integrity, including:
11.300 (a) The combination of identification code
and password shall be unique.
11.300 (b) Identification code and password issuance
shall be periodically checked, recalled, or
revised
Transaction safeguards shall be implemented to:
11.300 (d) Prevent unauthorized use of identification
codes and passwords.
11.300 (d) Detect any attempt at unauthorized use for
identification codes and/or passwords.
11.300 (d) Report in an immediate and urgent
manner any attempt at unauthorized use
of identification codes and passwords to
the system security unit, and, as
appropriate, organizational management.
11.300 (e) Initial and periodic testing of devices that
bear or generate identification code or
password information.