While the FDA’s rules for life science companies and how they handle electronic records and electronic signatures have been out for some time, many companies find compliance elusive. At eLeaP, we understand how challenging it can be to comply with government mandates, particularly when the information you need is written in legalese and so difficult to understand. We created this 21 CFR Part 11 checklist PDF to help simplify matters and ensure that you’re able to move forward. You can download a PDF version of the CFR Part 11 checklist here.
21 CFR Part 11 Checklist PDF Part 1
- Is the system a closed system?
- Is the system an open system?
- Does the system already use a username/ID and password combination for access?
- Does the system utilize session tokens?
- Does your system make use of biometrics like fingerprints or iris scanning?
- Is the system validated?
- Does the system have validation documentation?
- Does that validation documentation list compliance areas?
Systems Record Control
- Does the system highlight altered records or invalid records?
- Does the system allow access to the entirety of an electronic record?
- Does the system create accurate copies of electronic records digitally and in hardcopy?
- Does the system support sharing record copies with FDA inspectors?
- Does the system maintain and make records available throughout their required period of retention?
System Access Control
- Does the system support limited access and ensure that only authorized users can access sensitive data?
- Does each audit trail contain a timestamp, date, and all actions taken by a user?
- Does the system maintain older information when changes take place?
- Does the system make audit trails available for all records throughout their required retention period?
- Does the system make all audit trails available for review by the FDA?
- Can inspectors view, print, or save specific portions of the audit trail?
System Enforcement and Assurance
- Does the system enforce a specific set or sequence of steps or events where necessary?
- Does the system ensure that only authorized individuals can log in?
- Does the system ensure that only authorized individuals can sign records?
- Does the system ensure that only authorized individuals can access operations?
- Does the system ensure that only authorized individuals can alter a record?
- Does the system ensure that only authorized individuals can perform actions?
- Does the system ensure that only authorized devices and IP addresses have access?
- Does the system check for the validity of any input devices or data sources?
System Training and Documentation
- Is there documented training available detailing how the system is used?
- Is that training available to users, IT teams, and others?
- Is on the job training available?
- Do you have a written policy that makes all employees/system users accountable and responsible for their actions?
- Is there a policy for distributing, accessing, and using system operations and maintenance documentation?
System Information and More
- Is access to sensitive system information limited to specific users/electronic signatures?
- Does the system have a formal change control procedure that maintains an audit trail complete with date, time, and electronic signatures for all changes?
- Does the system have controls to ensure the confidentiality, authenticity, and integrity of all records?
- Is the system’s data encrypted?
- Do signed records contain the meaning of a signing, the printed name of the signer, and the date/time of the signing?
- Does the information in the previous step show on printed and digital copies of all records?
- Does the system automatically record time and date stamps?
- Are time and date stamps consistently presented in the same format to ensure accuracy and understanding?
- Are time and date subject to the same controls as all other information in the system?
- Are all changes to electronic signatures part of the audit trail?
Linking Signatures to Records
- Are all signatures linked to their respective electronic records?
- Are all signatures protected against falsification and/or duplication?
- Are handwritten signatures linked to electronic records where applicable?
- Is the signer prompted to re-sign if an electronic record is changed?
- Are all electronic signatures linked to their electronic records for security?
- Are all electronic signatures unique to individual users?
- Do you have a policy preventing the re-issuance or re-use of signatures?
- Does the system verify a user’s identity before creating/assigning an electronic signature?
- Do you have a procedure in place to deal with forgotten/lost credentials?
Signatures and Controls
- Does the system automatically time out and require users to sign back in periodically?
- Does the system require re-authentication of signatures during continuous sessions?
- Does the system require full re-authentication of signatures between sessions?
- Do you have a policy regarding users “sharing” their non-biometric signatures with other people?
- Are there controls in place to ensure that all signatures and their components are authentic?
- Is there a procedure in place that requires users to periodically change their username and password?
- Do passwords automatically expire after a specific period?
- Is there a means to disable a signature/set of credentials if the information is compromised or lost?
Beyond the 21 CFR Part 11 Checklist PDF
As you can see, there’s a lot that goes into ensuring compliance with 21 CFR Part 11. What’s more, these steps apply to all electronic systems your life science company uses, from payroll to learning and development. Each system must be validated to ensure that it meets the requirements we’ve discussed above. That can be challenging and time-consuming. You can also download the whitepaper, “How to Prepare for a 21 CFR Part 11 FDA Inspection“.
At eLeaP, we’ve done your due diligence for you. Our LMS is fully validated and compliant with 21 CFR Part 11, allowing you to save time and hassle, while still taking advantage of the modern technology today’s businesses and learners need. Contact us today to schedule your custom consultation and to learn more about our cloud-based learning management system.