Department | Validation/Technical Services | Document no | VAL-150 | ||
Prepared by: | Date: | Supersedes: | |||
Checked by: | Date: | Date Issued: | |||
Approved by: | Date: | Review Date: |
1.0 DOCUMENT OWNER
Validation / Technical Services Manager
2.0 PURPOSE
The purpose of this Standard Operating Procedure is to provide instruction and practical guidelines for conducting an Electronic Record and Electronic Signature Assessment.
The purpose of the Assessment Worksheet is to:
– Specify the criteria under which computer systems are to be evaluated against 21 CFR Part 11
– Document the evaluation of computerized systems
3.0 SCOPE
The assessment worksheet must be completed for:
– Records and signatures that are required by the FDA that are created, modified, maintained, archived, retrieved, or transmitted in electronic form
– Records and signatures which may be submitted to the FDA in electronic form, whether required by FDA regulation or not
– Signatures applied electronically to FDA required records or records that may be submitted to FDA, even if the signatures are not required by FDA regulation.
4.0 RESPONSIBILITY \ BUSINESS RULES
It is the responsibility of the Validation Representative to conduct the assessment.
5.0 PROCEDURE
The Electronic Records and Electronic Signatures Compliance Assessment Worksheet (Appendix 1) is detailed in two parts: Part I is System Information, and Part II is System Assessment and Electronic Records, Electronic Signatures – ERES Compliance assessment.
Assemble a cross functional team to conduct the assessment. Recommended members include the system owner or a very knowledgeable user, a Technical or Support lead from IT, Quality Assurance and a Validation representative. Record the information about the assessment meeting in Section A (Participant Information).
Gather information about the computerized system. Complete Section B (General Information for All Systems) for all systems. Complete Section C (Record and Report Information for All Systems) for all systems. Complete Section D (Software System) for a Software System. Complete Section E (Equipment/Instrument Information) for Equipment or Instruments. Complete Section F (Built-in PLC or Firmware) for Devices integral to the system. Complete Section G (External PLC) for external devices connected to the system. Complete Section H (Device Information) for all Devices.
Complete Section I (Part 11 Applicability Questions) (Questions Q1 through Q4). Continue with the following steps based on the results obtained in this section.
Complete Section J (Assessment). Guidance for completing this section follows. Assess the ability of the system to fulfill the specified 21 CFR Part 11 Requirement. Record “Not Applicable”, “Yes” or “No” in the Assessment Results column. Use the Remarks section to provide references for the Assessment Result.
Use Section K (Assessment Action Items) to track any action items that are identified during the assessment.
Documentation related to the assessment should be properly maintained.
6.0 DEFINITIONS / ACRONYMS
CFR | Code of Federal Regulations |
7.0 REFERENCES
None.
8.0 SUMMARY OF CHANGES
Version # | Revision History |
VAL 150 | New |
APPENDIX 1
Part I (System Information)
Section A (Participant Information)
Field Name | Description |
Participant Name | Please PRINT the full name |
Role | Some example roles include Project Manager, System Owner, Validation Lead, Technical Lead, Support Lead and Quality Assurance. One person may have multiple roles. |
Section B (General Information for All Systems)
Field Name | Description |
Business Unit | Identify the name of the Business Unit(s) using the system. |
System Description | Describe the definition of the “system” in terms of its logical and physical boundaries and interfaces with other systems. Be sure to identify which systems are interfaced to this system. Identify the data going in and the data (reports) going out. Describe the automated aspects of the system and the paper aspects of the system. |
Local or Global System (if global, list the site names) | Specify LOCAL or GLOBAL. If Global, list all the site names. |
Does a System Diagram Exist? | Include an architectural diagram if available. |
System Location | Use as appropriate, however, it is recommended that the building and room location be specified. |
Number of Users | Specify the total number of authorized users, not the number of users who may be on-line at any one time. |
Date of Implementation (if known) | Use the format DD-MMM-YYYY |
Plans to replace and when | If there are plans to replace the system, please describe. Use the format DD-MMM-YYYY for when the system might be replaced. |
Other Information | Attach additional pages as appropriate. |
Section C (Record and Report Information for All Systems)
Field Name | Description |
Purpose of Data | Describe how the data/results are used. If asked to produce information for an inspector, will any information be obtained from the computerized system? |
Source(s) of Data | Reference the data input to a system, as by data entry or from an instrument, a barcode scanner, or another system |
Predicate FDA (21 CFR) Rule and/or Business Practice that Applies | Reference the predicate rule that applies (GLP, GMP, GCP). Please identify the section number of the predicate rule that applies. In some cases, business practices exist that are used to demonstrate compliance to a predicate rule, such as data trending, signatures on training records etc. |
Record and Report Information (1, 2, 3……n) | |
Field Name | Description |
Record or Report (n) | Specify the type of record that is generated or stored in the system. Either all records may be specified or only critical ones. Repeat row as needed. |
Data Retention Period (n) | According to the local record retention policy, specify the category of records and their respective retention period. Repeat row as needed. |
Are the records printed and then signed? | Yes or No. Indicate one of these choices. |
Is the record signed using a non-biometric electronic signature? | Yes or No. Indicate one of these choices. |
Is the record signed using a biometric electronic signature? | Yes or No. Indicate one of these choices. |
Section D (Software Information)
General Information | |
Field Name | Description |
Common System Name | Enter the name of the system by which it is commonly known. |
Custom or Commercial-Off-The-Shelf | Indicate any that apply – can be one or both |
Core Application Information | |
Application Software Name and Version | List the name of the application software and its version |
Application Software Vendor Name | Specify the name of the vendor who provides the application software. Include their address, phone or other related information if it is available. |
Operating System name and Version | Indicate the operating system (NT, Unix, etc) and its version. |
Hardware Information for Application Software | Indicate what hardware was implemented to run the application software. Please include the make and model number. |
Additional Software (1) (Optional) | |
Additional Software Name and Version (1) | Indicate other software components that make up the system and its version. |
Additional Software Vendor Name (1) | Specify the name of the vendor who provides the additional software. Include their address, phone or other related information if it is available. |
Operating System Name and Version (1) | Indicate the operating system (NT, Unix, etc) and its version |
Hardware Information for Additional Software (1) | Indicate what hardware was implemented to run the additional software. Please include the make and model number. |
Additional Software (2) (Optional) | |
Additional Software Name and Version (2) | Indicate other software components that make up the system and its version. |
Additional Software Vendor Name (2) | Specify the name of the vendor who provides the additional software. Include their address, phone or other related information if it is available. |
Operating System Name and Version (2) | Indicate the operating system (NT, Unix, etc) and its version |
Hardware Information for Additional Software (2) | Indicate what hardware was implemented to run the additional software. Please include the make and model number. |
Database Information | |
Database Software Name/Version | Specify the name of the database software and its version. |
Database Software Vendor Name | Specify the name of the vendor who provides the database software. Include their address, phone or other related information if it is available. |
Operating System Name and Version | Indicate the operating system (NT, Unix, etc) and its version. |
Hardware Information for Database Software | Indicate what hardware was implemented to run the database software. Please include the make and model number. |
Section E (Equipment/Instrument Information)
Field Name | Description |
Product/Equipment Name | Indicate the product/system name |
Product/Equipment Vendor | Specify the name of the vendor who provides the product/equipment. Include their address, phone or other related information if it is available. |
Model Number | Specify the model number |
Section F (Built-in PLC or Firmware)
Field Name | Description |
Controller Make and Model | Specify the controller make and model. |
Software or Ladder Logic Version or Date | Specify the software name and version number or specify the ladder logic version (or date) |
Ladder Logic or Software is … | Indicate whether the ladder logic is Unmodified from Vendor or Modified/Custom. |
Section G (External PLC)
Field Name | Description |
Controller Make and Model | Specify the controller make and model. |
Software or Ladder Logic Version or Date | Specify the software name and version number or specify the ladder logic version (or date) |
Ladder Logic or Software is … | Indicate whether the ladder logic is Unmodified from Vendor or Modified/Custom. |
Section H (Device Information)
Device Information (1, 2, 3, …n) | |
Field Name | Description |
Device Name (n) | Indicate the device name. |
Model Number (n) | Specify the model number. |
Device Vendor (n) | Specify the name of the vendor who provides the device. Include their address, phone, or other related information if available. |
Part II: System Assessment
Section I (Part 11 Applicability Questions)
Field Name | Description |
Q1 | This includes systems that have data that will go directly into a regulatory document and also systems that may provide supporting data in case of a query or inspection. Indicate the predicate rule (and section) which applies. |
Q2 | Some regulations specify paper records or documents (GLP and GMPs do not). For these cases, electronic records are prohibited. One example is that physical copies of master labels and package inserts must be retained. |
Q3 | A closed system is when data and system access is solely controlled by the site (including the Agents) who are responsible for the content of the electronic records on the system. An open system is when data and system access is not solely controlled by the site (including Agents) who are responsible for the content of the electronic records on the system. A system may initially be considered to be open but then controls are applied to make it a closed system. |
Q4 | Be sure to differentiate between “signature” and “identification”. If the intent is to use the applied identification to authenticate the electronic record, then the identification is an electronic signature. If the intent is to merely identify who did something, then the identification is not an electronic signature. A question to help determine if it’s a “signature” or “identification” is “If I sign ‘Jack Handy’, does that mean I have attested that I did or saw something, or that I’m authorizing some action?” If you have to sign the paper copy, you have to sign the electronic copy. Whether or not to use electronic signatures is not the system owner’s choice. The choice is whether to use electronic records or not. That choice (plus the predicate rules) dictates whether electronic signatures are required or not. A question to help determine if signatures are required is “If these were printed out, would you need to sign them?” – Does the predicate rule require signatures on the record? – Does a company policy require signatures on the record? – Identify every display screen and report generated by the computerized system where an electronic signature is represented. Each occurrence should be separately assessed for compliance. |
Applicability Sections of 21 CFR Part 11 Open System/Closed System
Open System | ||||||||||
Closed System | ||||||||||
Scenarios | Attributes | 11.10 | 11.50 | 11.70 | 11.100 | 11.200(a) | 11.200(b) | 11.300(a), (b), (d) | 11.300 (c), (e) | 11.30 |
1 | Electronic Record Only (Closed System) | X | X | X | X | |||||
2 | Handwritten Signature Executed to Electronic Record (Hybrid) | X | X | X | X | |||||
3 | Electronic Signature Based upon Biometrics | X | X | X | X | X | X | |||
4 | Electronic Signature Based upon ID Code/Password | X | X | X | X | X | X | X | ||
5 | Electronic Signature Based upon ID Code/Password and Token | X | X | X | X | X | X | X | X |
Section J (Assessment)
Section | Preamble Reference | Additional Questions to Consider |
Electronic Records Questions | ||
11.10(a) | 64, 65, 66, 67, 68 | When was it last validated or revalidated? Does an organization-specific validation standard exist? Is there documentation to support the validation (list and review at end of the interview if time permits)? Was an established software development life cycle used? Does a requirements document exist? Does a design document exist? Have code reviews been conducted? If developed in-house, has developer testing been conducted? If vendor supplied, has an audit of the vendor been conducted? Has System Testing been conducted? Has User Acceptance Testing been conducted? Has Installation Qualification Testing been conducted? Has Operational Qualification Testing been conducted? Has Performance Qualification Testing been conducted? Has formal training been performed? Is there a support plan? If this is a legacy system, has a Part 11 assessment been conducted? Does a Change Control procedure exist? Does evidence exist that it was followed? Does it cover changes to all system components? Are these documents kept in electronic format? If so, is the document management system Part 11 compliant? Did validation include testing that the system discerns invalid records (i.e. invalid field entries, fields left blank that should contain data, values outside of limits, ASCII characters in numeric-only fields, etc)? |
11.10(b) | 69, 70 | Can a copy of a single record (in electronic format) be supplied to an inspector? In paper format? Can a copy of the entire database (in electronic format) be supplied to an inspector? Are procedures in place to describe HOW to accomplish these inspection tasks? Are procedures in place to define what format the electronic records will be provided? Is there test evidence that the process works? |
11.10(c) | 71 | Are records protected on the system to prevent unauthorized modification or deletion? Are data files written to a protected directory or database table such that only personnel with high-level access privileges can access the data files? Do system users have access to the data files or database records, such that they could inadvertently or intentionally modify or delete data files? Has any capacity planning been performed? ————————————————————————————— Is there a written records retention policy? Does it include electronic records? Does it include audit trails? Does a procedure exist for the backup and restore process? Does a procedure for data archiving exist? If not, is all data kept on-line? Does the SOP and actual practice ensure the archived data is controlled and maintained for the required retention period? Are any backups and/or archives duplicated (e.g., to create off-site backups/archives for disaster recovery)? How is this media protected? Is the metadata stored with the archived data? Is anti-virus software loaded and regularly updated to prevent viruses corrupting data? |
11.10(d) | 83 | This requirement refers to both logical and physical access. Is a username/password (or other logical security) required to access the system? Is there a security SOP that covers physical and logical security, access authorization, modification, disabling/deleting, periodic checking of access, and approval by System Owner? Does an Account Management procedure exist? Does the system have the ability to generate historical access lists? Is there test evidence that the access is restricted? ————————————————————————————— What controls limit physical access to the system? Is there firewall protection to prevent unauthorized access from the Internet? |
11.10(e) | 72, 73, 74, 75, 76, 77, 78, 93 | For each type of record in the system, please address the following questions: Does the system generate automatic, electronic audit trail information (who, what, when)? Does the audit trail include the reason for change (if required by the predicate rule)? Is the audit trail function always ON, or is it turned OFF and ON manually? If manual, who and what triggers audit trail recording? Does it get turned on early enough in the process? Is it reliable (i.e., can they forget to turn it on)? Does the audit trail capture every user action that creates, modifies, or deletes records, without exceptions? When information is changed, does the audit trail record/save the previous value? Are audit trail entries made at the time the action/operation was conducted electronically? Is the audit trail ever monitored or reviewed to detect possible misuse or unauthorized activity? Is it possible to reconstruct events (delete, modify, etc) to any point in time by only using the audit trail information and the original record? Are electronic audit trails (all or any part) readily available for FDA review and copying? In paper format? Does the audit trail contain date and time stamps? Can time local to the activity be derived? Are meaningful units of time chosen in terms of documenting human actions? (For example, seconds might be used in a data collection system while minutes might be appropriate for a document management system.) ————————————————————————————— Is the audit trail completely transparent to, and outside the control and access of, the user? How is audit trail data protected from accidental or intentional modification or deletion? System Administrators and DBAs typically make changes. Do those changes have audit trails? If not, do procedural controls exist over use of such administrator tools? Does the records retention program cover audit trails? Are electronic audit trails kept for at least as long as their respective electronic records? What ensures that the system time and date are correct? How frequently are the time and date synchronized with a reliable source? Can users readily change the system time/date? Are time/date stamps applied by the local workstation or by a server (or equivalent)? Is there test evidence for the audit trail functionality? |
11.10(f) | 59, 79, 80, 81 | Are there sequences of operations, or sequential events, or sequential data entry, that are important to this system? If so, what are they? If so, how does the system ensure that steps are followed in the correct sequence? Does test evidence exist to demonstrate the operational checks? |
11.10(g) | 82, 83, 84 | This requirement refers to functional access once a user logs into the system. Are there different levels of access based on user responsibilities? If so, what are they? Is there an SOP describing how these are assigned, documented and controlled? What process is followed to grant a new user access to the system, or to change privileges for an existing user? Is it documented? Are levels of access periodically reviewed? Are authority checks used to ensure that only authorized individuals can use the system? Are authority checks used to ensure that only authorized individuals can electronically sign a record? Are authority checks used to ensure that only authorized individuals can access the operation or computer system input or output devices? Are authority checks used to ensure that only authorized individuals can alter a record? Are authority checks used to ensure that only authorized individuals can perform the operation at hand? Does test evidence exist to demonstrate the use of the authority checks? |
11.10(h) | 59, 85 | Is it necessary to ensure that the data source is identified? If so, what are they? If so, how are they identified? Example – console commands for a server are limited to the console station. Example – modem access may be verified to ensure the identity of the caller. |
11.10(i) | 86, 87 | Are there SOPs, company requirements, job descriptions, etc., that describe minimum education requirements and/or work experience for system developers? Support staff? For internal persons, is there evidence that they are qualified for their job? (This requirement may be met with CVs, job descriptions, training records, and a training procedure that is followed.) For external persons, is there evidence that they are qualified to perform the work for which they were hired? (This requirement may be met by having their resume on file.) For CROs, is there evidence that they are qualified to perform the work for which they were hired? Is there an SOP covering user training? Is there evidence of user training? ————————————————————————————— Were the vendor’s qualifications reviewed during a vendor audit? If so, was the result successful and is it documented? |
11.10(k) | 78, 92, 93 | Is there a list of system documentation related to the development of the system that exists (e.g., requirements, design specifications, training materials, etc.)? Is the system documentation maintained by Site revision control so changes can be determined and the history of the documents is obvious? Is access to the Design documentation restricted? Are these documents kept in electronic format? If so, is the document management system Part 11 compliant? |
Open System Questions | ||
11.30 | 94, 95, 96, 97 | Is document encryption (or an alternate technology) used to protect the confidentiality of the electronic records on the system? Are digital signatures (or an alternative technology) used to protect the authenticity and integrity of the electronic records on the system? |
Signature Questions | ||
11.10(j) | 6, 88, 89, 90, 91 | Is there a written procedure that describes user responsibilities for the use of computerized systems? Does it include not sharing passwords, periodically changing passwords, not using easy to guess passwords? Does it include not installing unapproved software and running virus protection software? Does user acceptance/approval in writing that acknowledges their understanding that their electronic signature is the legally binding equivalent of the handwritten signature exist? |
11.50 | 98, 99, 100, 101, 102, 103, 104, 105, 106 | Is the full name (first and last) displayed? The printed name cannot be the User ID. Is the meaning of the signature included? Is the Date and Time included? Precision of time is based on risk. For example, the time might be reported in seconds for a data collection system. The time might be reported in minutes for a document management system. Is the manifestation information under the same controls as for electronic records? Can the local time be derived if the system runs across time zones? Where is the time taken from? Is it protected from change by the user? Are the 4 components in the screen displays and reports? Does test evidence exist? |
11.70 | 107, 108, 109, 110, 111, 112, 113 | Is the electronic signature linked to the electronic record? Is the transfer of the signature to another record prevented? Is the record protected to prevent changes after signing or to force re-signing? Are signature changes recorded in the audit trail? Does test evidence exist? |
11.100(a) | 16, 114, 115, 116 | Is there a policy or procedure explicitly stating that each assigned electronic signature is unique to one person? Does the system enforce unique username/id? Is there a policy or procedure that explicitly states that electronic signatures shall not be reused by or reassigned to anyone else? Does test evidence exist? |
11.100(b) | 117, 118 | Has the contractor or temporary employee been cleared by Security or Human Resources to enter the workplace? Are controls in place to ensure that fake identities can be discerned with high reliability? Are controls in place to verify that requestors are authorized to make requests for an e-signature (i.e., on behalf of themselves or another user)? Are individuals required to show ID when they are given their electronic signatures? Are individuals requested to verify their identity if they forget their password? |
11.100(c) | 119, 120, 121 | The certification letter has been sent. Is there documentation to support that individuals understand that electronic signatures are legally binding? What format is the additional testimony (training, signing of “evidence of understanding”)? Is there documented training for persons using electronic signatures? Is there a procedure that states that the electronic signature is the legal binding equivalent of the handwritten signature? |
Non-Biometric Signature Questions | ||
11.200(a) | 16, 115, 122, 123, 124, 125, 126, 127, 128 | Initial log on to the system requires the execution of the identification code and password. This is not a signature. The combination of these two components must be unique. The first signing requires both components. Is there a definition for a continuous session? Subsequent signings in the same session, requires only the password (which is When executing more than one signing not performed during a single continuous period, both the user id and password are required? If, when resetting the account on some systems, a “default” password is assigned, is the user forced to change the password immediately upon log on? When an identification code and password are used as the electronic signature, is the password unknown to everyone, including the System Administrator? Are system tools used that might allow a System Administrator to falsify electronic records and/or electronic signatures? If so, are there procedures in place to ensure adequate controls over these activities? Does the system/workstation log-out after a period of inactivity? Do procedures and training reinforce that non-biometric electronic signatures must not be shared or loaned? Are safeguards in place that prevent one person from forging another person’s electronic signature? Is the non-biometric electronic signature only used by the genuine owner? Are the controls in place to require the collaboration of two or more individuals when someone other than the genuine owner attempts to use it? |
ID Code and Password Only Questions | ||
11.300(a) | 130 | Does a corporate policy exist? Is uniqueness maintained historically? Does the system check for duplicate IDs? |
11.300(b) | 131 | Does a written procedure exist? Does the computerized system include functionality that requires users to periodically change their passwords (password aging)? Is there a manual procedure that requires users to periodically change their passwords? Are the controls built into the system? |
11.300(d) | 133, 134, 135, 136, 137 | Is there a procedure or system function that revokes sign-on privileges when an incorrect combination of identification and password is repeatedly entered? Has testing been conducted to ensure that “inactive” user accounts cannot be activated by unauthorized persons? Are there procedures and appropriate training to assure that users understand that passwords are not to be shared? Does the system create alert messages for unauthorized access attempts (e.g., access violations)? Is access frozen after a number of unsuccessful attempts to log in? Are “attempts at unauthorized use” defined? Are potential break-in attempts monitored in real-time? Is access violation reporting, monitoring and escalation addressed in an SOP? Is “immediate and urgent” defined? Is the procedure and timing for notifying management defined? Does the procedure describe the security group’s responsibility and required activities when notified of possible security breaches? Does test evidence exist? |
ID Code/Password and Token Questions | ||
11.300(c) | 132 | Does a written procedure for loss management exist? Is there a procedure to describe how temporary replacements are handled? |
11.300(e) | 138 | Is there a procedure that requires both initial and periodic testing of these devices? Is initial testing of the devices conducted to ensure that they are tamper-proof and reliable? Is periodic re-testing of devices conducted prior to putting new stock and/or models into service? Are there testing steps to ensure that devices operate within the manufacturer’s operating parameters and functional tolerances? Does test evidence exist? |
Biometric Signature Questions | ||
11.200(b) | 6, 128 | A properly designed and implemented biometric-based electronic signature system makes it unlikely that any electronic signature could be falsified. Does testing evidence exist? If image files are used, are they stored in a manner in which they could not be copied and applied elsewhere? |
Section K (Assessment Action Items)
Field Name | Description |
System Name | Indicate the system name or identifier. |
Action Item No. | 1, 2, 3, etc. |
Section No. | Reference the section number of the checklist (A, B, C etc.) where the action item was identified. |
Part 11 Requirement No. | Reference the section number of 21 CFR Part 11 where the action item was identified |
Description of Action Item | Describe the proposed action item. |
Assignee | Indicate who is assigned to complete the action item |
Open/Closed | Indicate whether the action item has been Closed (C) or remains Open (O). |
Remarks | Annotate the result if appropriate. |
Example Systems
Scenario Description | Result |
The data center is managed by an outside vendor. However, the company buys the server and controls access. | Initially, the system was considered to be OPEN. However, the controls in place were documented and the system was considered to be CLOSED. |