21 CFR Part 11 / Annex 11 Checklist

Summary of the FDA 21 CFR Part 11 Assessment Checklist for Pharmaceutical Software
CFR 21 Part Regulation	Summary
11.10 (Controls for Closed Systems)	Ensure authenticity, integrity, and when appropriate confidentiality of electronic systems) records. Minimize possibility of repudiation by signer
11.10 (a)	Validate the system; ensure ability to detect invalid or altered records.
11.10 (b)	Provide ability to generate accurate and complete records in both human readable and electronic form.
11.10 (c)	Protect records to enable accurate and ready retrieval.
11.10 (d)	Limits system access to authorized individuals.
11.10 (e)	Creates secure, computer-generated, time stamped audit trails.
11.10 (f)	Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
11.10 (g)	Perform authority checks of users. Check use of the system, signing of records or altering of a record.
11.10 (h)	Use of device checks to determine validity of the source of data input.
11.10 (i)	Determination that persons using the electronic system have been properly trained to perform their assigned tasks.
11.10 (j)	Determination that persons using the electronic system have been properly trained to perform their assigned tasks.
11.10 (k)	Appropriate controls over system documentation including access to documentation for system operation and revision and change control procedures that documents time based system modification.
11.30 (Controls for Open Systems)	Implement document encryption for record confidentiality. Use digital signatures for a record authenticity and integrity.
11.50(a) (Signature Manifestations)	Signed electronic records must contain: name, date/time of signing, and meaning of signature.
11.50(b)	Items in 11.50 (a) must appear on every human readable form of the electronic record
11.70 (Signature/Record Linking)	Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records.
11.100 (a) (General Requirements)	Electronic signatures shall be unique and shall not be re-used or re-assigned
11.100 (b)	Biometric e-signatures must be usable only by the genuine owner.
11.200 (a) (Electronic signature components and controls)	(1) Non-biometric e-signatures must have at least two components. (1)(i) Continuous session: first signing must use all components; subsequent signings can use one component. (2) Non biometric electronic signatures must be used only by genuine owner. (3) Attempted use of non biometric e-signatures requires collaboration of two or more people.
11.200 (b) (Controls for Identification codes or passwords)	Biometric e-signatures must be usable only by the genuine owner.
11.300 (a)	Maintain uniqueness of “ID code & password” combination.
11.300 (b)	Periodically check ID code and password. Password aging.
11.300 (c)	Manage lost or stolen tokens, cards or other devices and manage replacement issues.
11.300 (d)	Prevent unauthorized use of passwords and the codes; detect and immediately report any such attempts.
11.300 (e)	Test devices tokens, cards initially and periodically for proper function.