21 CFR Part 11 Compliance Checklist

21 CFR Part 11 is an FDA guidance that sets out how organizations operating in the United States can use electronic records and digital signatures in their quality management systems to replace paper-based documents and physical signatures.

This checklist will take you through the 4 major stages of 21 CFR Part 11 compliance – with individual checklists for each.

1. Validation

  • Is your system validated?
  • Can you identify inaccurate or altered records?
  • Are your records readily retrievable across their retention period?
  • Can the system limit access to authorized individuals?
  • Are user-based permissions possible for electronically signing records, altering a record, or performing other operations?
  • Does the system make a provision for checking or restricting instructions and/or data from specific devices (such as scales or thermometers)?
  • Is your training documented?
  • Are there written policies that make individuals fully accountable and responsible for actions determined by their electronic signatures?
  • Are all distribution, access, and use of systems operation and maintenance documentation controlled?
  • Is system data encrypted?
  • Are digital signatures used?

2. Audit Trails

  • Do you have a secure audit trail that records the date and time of operator entries and actions that interact with electronic records?
  • Does your system have version control?
  • Is the audit trail for an electronic record retrievable throughout the record’s retention period?
  • Is the audit trail comprehensive, including the user, all actions, links to edits and versions, a change log, and revision and change controls?
  • Are audit trails available for FDA review?
  • Do your electronic records contain the name of the signee, the date and time of signing, and the type of signing (approval, review, etc.)?
  • Is the above information displayed on all copies of the electronic record (digital and printed)?
  • Are electronic signatures unique to a specific user or individual?
  • What additional authentication is performed to verify the identity of an individual before an electronic signature is used?
  • When multiple signings are performed during a single session, what level of authentication is executed for each signing?
  • Are signatures explicitly associated with their respective electronic records?
  • Does your change control procedure maintain its own audit trail?
  • Is it possible to falsify an electronic signature? If so, how?

3. Record Retention

  • Is the system able to force automatic password expiration and renewal?
  • Is there a procedure for recalling authentication methods and passwords if a person leaves or is transferred?
  • What is the procedure for electronically disabling an identification code or password if it is lost or compromised?
  • What is the procedure for detecting unauthorized access attempts to the system?
  • What is the procedure for informing security of unauthorized access attempts?
  • What is the procedure for informing management of unauthorized access attempts?
  • What is the procedure for reporting and managing a lost or stolen device?
  • What is the procedure for electronically disabling a device if it is lost, stolen, or potentially compromised?
  • What controls exist for issuing temporary or permanent replacement devices?

4. Copies of Records 

  • Is the system capable of producing accurate and complete copies of electronic records on paper?
  • Is the system capable of producing accurate, complete, and un-editable copies of records in electronic form?
  • Can these copies be provided to the FDA for inspection and review?
  • Which established export methods does the system use?

Learn how DocXellent’s Document Management software, ENSUR, can help you easily meet FDA 21 CFR Part 11 requirements and improve your quality processes.