Compliance Documents >>>

CAP: CFR 21 Part 11 Compliance

Ref. Electronic Records Systems Yes / No Comments
11.1(b) Does the system contain records (that are saved to durable media) that are created, modified, maintained, archived, retrieved, or transmitted, under any agency records requirements set forth in agency regulations?

If no, the regulation does not apply.
Yes
11.3(b)(4) Is the system a Closed system i.e., an environment in which system access is controlled by persons who are responsible for the content of the electronic records on the system?

If Yes, part 11.10 applies.
Yes
11.3(b)(9) Is the system an Open system i.e., an environment in which system access is not controlled by persons who are responsible for the content of the electronic records on the system?

If Yes, parts 11.10 and 11.30 apply.
No

Subpart B – Electronic Records

Ref. Electronic Records Systems;
Closed Systems
Yes / No Comments
11.10(a) Is the system validated to ensure accuracy, reliability, and consistent intended performance?
  • Does validation documentation exist?
Yes
11.10(a) Is the system validated to ensure the ability to discern invalid or altered records?
  • Does the system trap invalid records?
  • Does the audit trail track altered records?
Yes to all
11.10(b) Is the system capable of producing accurate and complete copies of electronic records in human readable form for inspection, review and copying by the FDA?
  • Can all required records be printed?
  • Can only selected records be printed?
Yes to all
11.10(b) Is the system capable of producing accurate and complete copies of records in electronic form for inspection, review and copying by the FDA?
  • Can records be extracted in a format that can be read by FDA?
  • Are annotations (e.g., “sticky notes”) excluded?
Yes to all
11.10(c) Are the records protected to enable their accurate and ready retrieval throughout their retention period?
  • Are records protected from deletion and modification?
  • Is there a backup and restore SOP?
  • Is there an archive and dearchive SOP?
  • Are records in the archive protected?
  • Is there a records retention SOP?
  • Does the system retirement SOP address data migration?
Yes to all
11.10(d) Is system access limited to authorized individuals?
  • Does the system provide adequate security?
  • Is there a security feature? Does it include physical and logical security?
  • How are users authorized to get access?
  • How is access modification and deletion managed?
  • Is access periodically checked?
  • Does the system time-out?
Yes to all
  • Users must be defined through system owner. Access authorization is performed by program when starting.
  • Authorized users can be deleted and/or modified through system owner only.
11.10(e) Is there a secure, computer generated, time stamped audit trail that independently records the date and time of operator entries and actions that create, modify, or delete electronic records?
  • Is the audit trail protected from intentional or accidental modification or deletion?
  • Is the audit trail always on?
  • Is the audit trail computer generated?
  • Is the date and time recorded? Is the time local to the activity? Is the time checked periodically? Is it protected from unauthorized change? Is time recorded to the second?
  • Is the operator username captured?
  • Does the audit trail track operator entries and actions that create, modify, or delete records? Can the type of action be determined from the audit trail?
  • If required by GxP, does the audit trail prompt for reason for change?
Yes to all
  • Audit Trail is always on but can be turned of by system owner. In this case, warning message is shown when starting and, if defined in Audit Trail Settings, data is being set to Read-Only disabling all Create, Edit and Delete functions.
11.10(e) Upon making a change to an electronic record, is previously recorded information still available (i.e. not obscured by the change)?

Yes
11.10(e) Is an electronic record’s audit trail retrievable throughout the record’s retention period?
  • Are audit trails addressed in records retention procedures?
  • Are audit trails addressed in system retirement procedures?
Yes to all
11.10(e) Is the audit trail available for review and copying by the FDA?
  • Can the audit trail be printed?
Yes to all
11.10(f) If the sequence of system steps or events is important, is this enforced by the system (e.g., data must be entered before it can be approved)?

Yes
11.10(g) Are there checks in place to ensure that only authorized individuals can use the system, (electronically sign records), access the operation or computer system input or output device, alter a record, or perform other operations?
  • Do different authority levels exist? Are they documented? Are they enforced by the system?
  • Does the security SOP address assigning, modifying, deleting different levels of access? Does it address authorization by the system owner?
  • Is the user list periodically reviewed to verify the authority levels?
  • Does the system check authority levels before allowing a record to be signed electronically?
Yes to all