Gap Analysis - ChecklistPage 1 of 11
Document Number: E-168 Version 1.xxEffective date: April 1, 2012
Title: 21 CFR Part 11 – Electronic Records & Signatures
Gap Analysis - Checklist
21 CFR Part 11
Electronic Records & Signatures
This document is a proposal and starting point only. The type and extent of documentation depends on the process environment. The proposed documentation should be adapted accordingly and should be based on individual risk assessments. There is no guarantee that this document will pass a regulatory inspection.
Publication from
Global on-line resource for validation and compliance
Copyright by Labcompliance. This document may only be saved and viewed or printed for personal use. Users may not transmit or duplicate this document in whole or in part, in any medium. Additional copies and licenses for department, site or corporate use can be ordered from
While every effort has been made to ensure the accuracy of information contained in this document, Labcompliance accepts no responsibility for errors or omissions. No liability can be accepted in any way.
Labcompliance offers books, master plans, complete Quality Packages with validation procedures, scripts and examples, SOPs, publications, training and presentation material, user club membership with more than 500 downloads and audio/web seminars. For more information and ordering, visit
1.PURPOSE OF GAP ANALYSIS / CHECKLIST
Whenever records have been identified to be Part 11 records, they should follow the US regulation: 21 CFR Part 11 - Electronic records/Electron signature. This form should help to identify requirements for the records and computer systems associated with the record. Because each system is different going through checklists does not mean that everything is covered for each system nor does it mean that all checklist items are applicable for each system.
2.SCOPE OF GAP ANALYSIS / CHECKLIST
Whenever Electronic Records generated in FDA regulated environments have been identified as Part 11 records. (The SOP ’21 CFR Part 11 – Scope and Controls’ can be used to identify Part 11 records. For ordering from Labcompliance visit
select S-137).
3.SYSTEM
System IDLocation
System Owner
4. SIGNATURES/APPROVALS
Prepared by / Reviewed by / Approved byName
Signature
Date
4.GAP ANALYSIS / CHECKLIST
A= Administrative P=Procedural T=Technical controls
Paragraph / Topic / Type / Yes/NoStarting Question / Are you working in a GxP environment?
If not, stop here, otherwise proceed to next row.
General Documents
Policy / Is there a company policy for Part 11? / AP
Master Plan / Is there a Part 11compliance master plan with interpretations, company guidelines and examples for interpretations? / AP
Risk plan / Are there risk assessment plans for computer systems to justify and document risk levels? / AP
SOP / Is there an SOP to define Part 11 requirements for individual projects
Part 11 Paragraphs
11.10(a) / Is the system validated?
Is there a validation master plan that shows the organization's approach towards computer system validation? / AP
Are all systems validated, e.g., systems for instrument control? / T
Database software applications? / T
Networked systems and applications? / T
Macros? / T
Spreadsheet calculations? / T
Are there validation project plans for individual projects with tasks, owners and time lines? / T
Are there User Requirement Specifications for each software/computer system? / AP,T
Are there Functional Specifications for each software/computer system? / AP,T
Are there procedures and documented evidence for vendor assessment? / AP,T
Are there procedures and documentation for 'proper' installation of hardware and software? / AP,T
Are there procedures and documentation for operational qualification and/or factory acceptance testing? / AP,T
Do test procedures include limit testing, high load testing, life testing, and stress testing? / AP, T
Is there a change control procedure? / AP
Is the network infrastructure qualified? / AP, T
Is accurate and complete file transfer through networks verified? / T
11.10(a) / Does the system discern invalid or altered records? / T
11.10(b) / Does the system generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the FDA? / T
Do records include storage of instrument control, sequence, data acquisition and data evaluation parameters together with audit trail and raw data? / T
Versioning of data and all associated Meta Data (including automatic versioning of re-integrated results)? / T
Is accurate and complete file transfer through networks verified? / T
11.10(c) / Does the system protect records to enable their accurate and ready retrieval throughout the records retention period? / AP,T
Is there a procedure that explains for how long data should be archived? / AP
Is there a data archiving process and routine available for long-term data storage? / AP,T
Are data files written to a protected directory, such that only personnel with access privileges can access the data files? / T
Can data be reprocessed, not only displayed, through the retention period as defined in the procedure for data archiving and retrieval? / T
11.10(d) / Is system access limited to authorized persons? / AP
Has the operating system been selected with security in mind, e.g., MS NT, Windows 2000, XP? / T
Are there procedures to limit access to data and systems? / AP
Is there a policy to generate, distribute and use passwords? / AP
Has the limited access function been validated? / T
Are there lists with authorized users to systems and tasks? / AP
Are there different levels of access based on user responsibilities? / T
11.10(e) / Is there a secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records? / T
Does audit trail track "who, what, when and why" (optional) for activities within the application (integration, calibration and method changes) as well as data transfers and storage? / T
Does audit trail include information on instrument ID? / T
Is the audit-trail user independent? / T
Is the audit trail function always ON (or can it turned OFF and ON by the operator) / T
Is audit trail data protected from accidental or intentional modification or deletion? / T
Is there a procedure for periodic review of the audit trail? / AP
11.10(e) / Is previously recorded information protected when records are changed? / T
Is there versioning of data and all associated meta-data (including automatic versioning of re-integrated results)? / T
11.10(e) / Is audit trail documentation be retained for a period at least as long as that required by the predicate rule? / AP
Is audit trail part of data migration procedure to new systems? / T
11.10(e) / Is audit trail available for review and copying by the FDA? / T
11.10(f) / Are there operational system checks to enforce permitted sequencing of steps and events, if required? / T
Is the sequential operation of the system enforced? / T
11.10(g) / Does the system ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter records, or perform other operations? / T
Is there application specific user ID and Password (not only NT user log-on)? / T
Is there limited access for individual persons or groups to selected tasks, e.g., start/stop an analysis, create and edit methods, review, reprocess or delete data etc? / T
11.10(h) / Does the system allow to use device checks to determine, as appropriate, the validity of the source of data input or operational instruction? / AP
Does the system automatically identify input devices such as system serial numbers of equipment? / T
11.10(i) / Is there documented evidence that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks? / AP
Is there a procedure to train staff on computers and electronic records/signatures?
Are there job descriptions, training plan, documented training on computerized systems with success based certificates? / AP
Is there any system training for developers and/or support staff? / AP
Is all staff working in GxP environment trained on GxP regulations? / AP
11.10(j) / Is there a written policy that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to determine record and signature falsification? / AP
Have employees been trained on this procedure? / AP
11.10(k) / Is the distribution of, access to, and use of system operation and maintenance documentation controlled? / AP
11.10(i) / Is there a formal change control procedure for system documentation that maintains a time sequence audit trail of changes? / AP
11.50 / Do signed electronic records contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer?
(2) The date and time when the signature was executed? and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature? / T
11.50 / Is the above information (1) to (3) shown on display and/or printed on paper copies of the electronic record? / T
11.70 / Are electronic signatures and handwritten signatures linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means? / T
Is there a user specific log on in case more than one person work on a system? / T
Are there clearly specified sanctions for violations of the signature uniqueness (e.g., for casual sharing of passwords, or fraudulent use of electronic signatures)? / AP
Is there a user specific automated inactivity time out in case more than one person work on a single system? / T
11.100(a) / Are electronic records unique to an individual? / T
Does only the individual, not anybody else, e.g., the system administrator know the User ID and PW? / AP,T
Is there a long-term archiving strategy for user ID and password combinations? / AP
Are there procedures and controls to make sure that electronic signatures are never reassigned to anyone else? / AP
11.100(b) / Is the identity of an individual verified before an electronic signature is allocated? / AP
11.100 (c) / In case you use electronic signatures, has your organization sent a document to the FDA to certify that you employees understand the legally binding equivalency of electronic signatures to handwritten signatures? / AP
11.200(a)
(1)(i) / Does the electronic signature employ at least two distinct identification components such as an identification code and password? / T
11.200(a)
(1) (I) / Is the first signing executed using all electronic signature components when an individual executes a series of signings during a single, continuous period of controlled system access? / T
11.200(a)
(1) (i) / Are subsequent signings executed using at least one electronic signature component that is only executable by, and designed to be used only by the individual? / T
Is there a procedure describing a 'continuous' session for your organization / AP
11.200(a)
(1) (iii) / If signings are not in a continuous session, are both components of the electronic signature executed with each signing? / T
11.200(a)
(2) / Can electronic signatures that are not based upon biometrics used only by their genuine owners? / T
11.200(a)
(3) / Would an attempt to falsify an electronic signature require the collaboration of at least two individuals? / T
11.200(b) / Can biometric signatures only be used by their genuine owner? / T
Have biometric devices been validated?
11.300(a) / Are procedures and controls in place to maintain the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password? / AP
11.300(b) / Are controls in place to ensure that identification code and password issuance are periodically checked, recalled, or revised (e.g., to cover such events as password aging). / AP, T
Are there password policies for periodic changing of passwords, password length and characters? / AP
Are there procedures for lost passwords?
11.300(c) / Are there procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromise tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls? / A
11.300(d) / Are there procedures to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management? / T
Are there procedures to respond to attempts to access the system by non-authorized individuals? / AP
Are unauthorized attempts to enter a system detected automatically? / T
Is the security unit notified immediately of unauthorized attempts? / T
11.300(e) / Is there a procedure for initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password? / AP
Individual Projects
Has the project owner been defined?
Are responsibilities for all other project contributors defined?
Are GxP record requirements defined? (do records need to be retained, explicit, implicit)
Is the criticality of each record defined?
Are business practices defined?
Do business practices describe who has access to electronic records?
Do business practices describe who can change electronic records?
Do business practices describe where records are signed?
Do business practices describe how records a re retained?
Is electronic audit trail required? (justified and documented)
Is the format for record retention defined? (paper vs. electronic, electronic format, justified and documented)
Is the extent of validation defined?
(replace with Your Company’s Name) FOR INTERNAL USE