Introduction to the 21 CFR part 11 compliance checklist
Anybody in a controlled GMP/GLP environment will be familiar with the
FDA 21 CFR part 11 regulations. Ensuring your systems are validated and
proving that they follow the regulations is a challenge. That’s why we
have created this 21 CFR part 11 compliance checklist to ensure you have
the right checks in place to comply with the regulations.
Before reading the document please take note of our standard disclaimer
that the advice and checklists that we provide represent our advice with
regard to the regulations. We do not represent any government or FDA
agency and nothing in this guide should be taken as fact. The
regulations we provide are true to the publishing date of this article.
For further details of the most recent regulations you should visit the
Controls for Closed Systems
Have you validated the system to ensure that it performs for its
intended use and in your environment?
Is it possible to validate the accuracy of the records produced?
Are the records complete and accurate in both human and electronic
Are the records generated suitable for an agency or auditor to review
Are the records protected and readily retrievable throughout the
record retention period?
- Is a system in place for periodic password changes?
Is there appropriate control over the distribution and access to
system operation and maintenance documentation?
Does your system generate secure, generated, time-stamped audit trails
that record actions including creating, modifying and deleting
Are electronic records made available for review or copy by an agency,
and do they remain available throughout the period that they are required?
Do electronic records contain:
- The printed name of the signer
- The date and time of signature execution
- The meaning of the signature, such as approval or authorship
Article: How to Configure Electronic Signatures for GxP Compliance
Are electronic records identified in the bullet points above made
available in human readable form?
Are all electronic signatures associated with the full name of their
- Are reasons for approval/disapproval validated under an SOP?
Are electronic records and electronic signatures linked so that they cannot be
removed, copied or transferred to falsify a record in the system?
Are electronic signatures unique to one person only, and not
reassigned to anyone else periodically?
Does your organisation keep a record of historical user IDs to prevent
reissue or reuse of historical user IDs?
Before an electronic signature is used is that user’s identity
Has the FDA been notified that electronic signatures issued in your
company are intended to be legally binding equivalents of traditional
Article: Tips for setting up your electronic signature for the FDA
Do your electronic signatures that are not biometric contain at
least two distinct identification components?
When a series of signings occurs, are there systems in place that allow
only one component to be required after the first two-component
signing has happened?
Is an electronic signature required after a period of inactivity has
Article: How to Configure System Security in Windows for GxP
Are there restrictions in place that disallow electronic signature
Are procedures in place for configuring lost or stolen user accounts
Have electronic signatures been periodically tested to make sure they
are functioning correctly?
- Does the system record when an emergency login has occurred?
Are all login attempts recorded in the audit trail for further
Do the emergency collaborators have the same user privileges as the
third user they are logging in as?
Is there an emergency login system available that allows two or more
individuals to collaborate to log in as a third user?
Are there time-outs or system lock-outs for a period of inactivity?
- Does the system restrict unauthorized individuals?
Does the system ensure that authorised individuals can use the system,
sign records, and perform other operations as intended?
Have you created secure usernames and passwords for authorised users?
Are checks in place that enforce certain necessary workflows or steps
More than 21 CFR compliance
Our collaboration and tracking software Version Control takes into
account all of the above points for 1D analysis and 2D HCP coverage
analysis regarding electronic signatures, electronic records and system
access. In addition to the tools to collaborate on analyses all with no