21CFR11
Table columns: Reference, Subpart, Requirement Text, Requirement Description, Comment. Rows that share a reference are grouped under it, with the Requirement Text given once per group.

Reference: § 11.10 (b)
Subpart: Subpart B – ER, 11.10 Controls for Closed Systems
Requirement Text: The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

  Requirement Description: The system must generate accurate and complete records including metadata.
  Comment: Event logs displayed on the screen are with all necessary units and metadata.

  Requirement Description: The Computer System must either support the viewing of e-records or the generation of valid paper copies. The Computer System should provide viewing & printing capabilities for all relevant e-records. (In certain cases, controlled database queries or accurately performed screen dumps may satisfy this requirement.)
  Comment: All e-records can be viewed either from EBO or from external tools into the PostgreSQL. Paper copies can be generated.

  Requirement Description: The Computer System should allow for the export of e-records to portable file formats, preferably automatically.
  Comment: All reports can be generated in pdf format with signed digital certificate to ensure data integrity.

Reference: § 11.10 (c)
Subpart: Subpart B – ER, 11.10 Controls for Closed Systems
Requirement Text: Protection of records to enable their accurate and ready retrieval throughout the records retention period.

  Requirement Description: If the retention strategy does not include keeping the e-records in the originating system, the Computer System should have implemented a mechanism to archive e-records in a standard file format.
  Comment: Clients can perform own archive strategy based on scalable database.

Reference: § 11.10 (d)
Subpart: Subpart B – ER, 11.10 Controls for Closed Systems

  Requirement Description: Ensure that the Computer System has a security mechanism that uses at least two distinct identification components (e.g. User ID/ password, PKI mechanisms) or biometri[...] Computer System.
  Comment: User ID and password required for system access.

  Requirement Description: The Computer System must allow for the use of individual accounts, shared accounts for access levels other than read are not acceptable.
  Comment: User ID and password required for system access.

  Requirement Description: When password entry fields are shown on the screen, password entries must be obscured (e.g. "*********").
  Comment: Password entries are obscured.

  Requirement Description: The system should allow for quality passwords (configurable number of alphanumeric characters, special characters) and enforce their use.
  Comment: Passwords are configurable.

  Requirement Description: The System shall include a log off mechanism after a pre-defined period of user inactivity, or a mechanism where user ID entry is required after inactivity period.
  Comment: System has configurable lock out mechanism.

Reference: § 11.10 (e)
Subpart: Subpart B – ER, 11.10 Controls for Closed Systems
Requirement Text: Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

  Requirement Description: Audit trails cannot be turned off.
  Comment: Audit trails are automatic.

  Requirement Description: Audit trails must be available for review and be copied during the entire retention period
  Comment: The audit trail is available for review and copying

  Requirement Description: Audit trails must be part of any back up
  Comment: The audit trails are backed up.

  Requirement Description: Computer generated audit trails should at least record the hour and minute and must be as precise as required by the business process (e.g. to verify correct sequencing of events).
  Comment: Audit trails recorded to at least the minute

  Requirement Description: The server time should be used for the generation of time stamps.
  Comment: Server time is used for the audit trail.

  Requirement Description: Time & date settings should be subject to rigorous control to ensure the accuracy of time stamps, the Computer System should provide the ability to restrict access to time settings. Users should not be able to change time & date settings.
  Comment: Time settings controlled by System Administrator.

  Requirement Description: Time clock can be synchronized to central system.
  Comment: Time clock can be synchronized to a central time system.

  Requirement Description: Computer System spanning multiple time zones should be able to display & print the time zone used with the time stamp.
  Comment: Ability to print in time zone

  Requirement Description: Audit trails can be reviewed.
  Comment: All audit trails can be reviewed.

  Requirement Description: If possible, Computer System has search tools, data filter and/ or report functions for the audit trail to support its review.
  Comment: The system has effective filter functionality

Reference: § 11.10 (g)
Subpart: Subpart B – ER, 11.10 Controls for Closed Systems

  Requirement Description: - create, modify, inactivate/ logically delete, delete records
  Comment: System has security for all functions.

Reference: § 11.50 (a)
Subpart: Subpart B – ER, 11.50 Signature Manifestations
Requirement Text: The meaning (such as review, approval, responsibility, or authorship) associated with the signature

  Requirement Description: Ensure that all users are uniquely identifiable in the Computer System. Where the User ID is not the user’s full name, ensure it is traceable to the user’s full name. This does not impact the requirement that signed records used for GxP purposes must display the full name (at least name & surname) of the signer.
  Comment: Full name shown.

Reference: § 11.300 (b)
Subpart: Subpart C – ES, 11.300 Controls for identification codes/passwords
Requirement Text: Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

  Requirement Description: The Computer System should support password-aging processes (prompts for password renewal after xx calendar days).
  Comment: System supports password ageing

  Requirement Description: The Computer System should allow for configuration of the password aging parameter.
  Comment: On the system is the ability to configure password ageing.

  Requirement Description: The setting of the password aging parameter should be limited to duly authorized personnel only.
  Comment: Password ageing parameters secured to Administrator.

  Requirement Description: The System shall ensure that an identification code and password are periodically checked, recalled or revised.
  Comment: The system forces passwords to be changed.

  Requirement Description: Check that the system is able to lock a user account after a specified number of failed access attempts.
  Comment: Can configure how many failed attempts prior to locking of the system.