21 CFR Part 11 Compliance Checklist

Introduction to the 21 CFR part 11 compliance checklist

Anybody in a controlled GMP/GLP environment will be familiar with the FDA 21 CFR part 11 regulations. Ensuring your systems are validated and proving that they follow the regulations is a challenge. That’s why we have created this 21 CFR part 11 compliance checklist to ensure you have the right checks in place to comply with the regulations.

Before reading the document, please take note of our standard disclaimer that the advice and checklists that we provide represent our advice with regard to the regulations.

We do not represent any government or FDA agency and nothing in this guide should be taken as fact. The regulations we provide are accurate as of the publishing date of this article. For further details of the most recent regulations you should visit the FDA website.

Controls for Closed Systems

Have you validated the system to ensure that it performs for its intended use and in your environment?
Is it possible to validate the accuracy of the records produced?
Are the records complete and accurate in both human and electronic form?
Are the records generated suitable for an agency or auditor to review and copy?
Are the records protected and readily retrievable throughout the record retention period?
Is a system in place for periodic password changes?
Is there appropriate control over the distribution and access to system operation and maintenance documentation?

Electronic Records

Does your system generate secure, computer-generated, time-stamped audit trails that record actions including creating, modifying and deleting records?
Are electronic records made available for review or copying by an agency, and do they remain available throughout the period for which they are required?

Do electronic records contain:

  • The printed name of the signer?
  • The date and time of signature execution?
  • The meaning of the signature, such as approval or authorship?

Article: How to Configure Electronic Signatures for GxP Compliance

Are electronic records identified in the bullet points above made available in human-readable form?
Are all electronic signatures associated with the full name of their signers?
Are reasons for approval/disapproval validated under an SOP?
Are electronic records and electronic signatures linked so that signatures cannot be removed, copied or transferred to falsify a record in the system?
Are electronic signatures unique to one person only, and not reassigned to anyone else periodically?
Does your organisation keep a record of historical user IDs to prevent reissue or reuse of historical user IDs?
Before an electronic signature is used, is that user’s identity verified?
Has the FDA been notified that electronic signatures issued in your company are intended to be legally binding equivalents of traditional handwritten signatures?
Article: Tips for setting up your electronic signature for the FDA

Do your electronic signatures that are not biometric contain at least two distinct identification components?
When a series of signings occurs, are there systems in place that allow only one component to be required after the first two-component signing has happened?
Is an electronic signature required after a period of inactivity has occurred?
Article: How to Configure System Security in Windows for GxP Compliance

Are there restrictions in place that disallow electronic signature duplication?
Are procedures in place for configuring lost or stolen user accounts and passwords?
Have electronic signatures been periodically tested to make sure they are functioning correctly?

System Access

Does the system record when an emergency login has occurred?
Are all login attempts recorded in the audit trail for further investigation?
Do the emergency collaborators have the same user privileges as the third user they are logging in as?
Is there an emergency login system available that allows two or more individuals to collaborate to log in as a third user?
Are there time-outs or system lock-outs for a period of inactivity? Does the system restrict unauthorized individuals?
Does the system ensure that authorised individuals can use the system, sign records, and perform other operations as intended?
Have you created secure usernames and passwords for authorised users?
Are checks in place that enforce certain necessary workflows or steps as appropriate?

More than 21 CFR compliance

Our collaboration and tracking software GxP Module takes into account all of the above points for 1D analysis and 2D HCP coverage analysis regarding electronic signatures, electronic records and system access, in addition to providing the tools to collaborate on analyses, all with no project overwriting.