Professional Documents
Culture Documents
Page of
Date: Signature:
Author:
Approval:
Table of Contents
1 INTRODUCTION....................................................................................................................................... 3
2 OVERALL DESCRIPTION......................................................................................................................... 3
2.1 BUSINESS PROCESS <NAME>............................................................................................................... 3
2.1.1 Business Process Model............................................................................................................. 3
3 BUSINESS REQUIREMENTS................................................................................................................... 4
4 REGULATORY REQUIREMENTS............................................................................................................ 5
4.1 REGULATORY REQUIREMENTS FOR E-RECORD SYSTEMS.....................................................................5
4.2 REGULATORY REQUIREMENTS FOR E-SIGNATURE SYSTEMS..............................................................10
4.3 OVERVIEW OF REGULATED RECORDS.................................................ERROR! BOOKMARK NOT DEFINED.
5 DATA REQUIREMENTS..............................................................ERROR! BOOKMARK NOT DEFINED.
6 INTERFACE REQUIREMENTS....................................................ERROR! BOOKMARK NOT DEFINED.
7 USER ACCOUNT ROLE REQUIREMENTS.................................ERROR! BOOKMARK NOT DEFINED.
8 INFRASTRUCTURE REQUIREMENTS.......................................ERROR! BOOKMARK NOT DEFINED.
9 SERVICE LEVEL REQUIREMENTS............................................ERROR! BOOKMARK NOT DEFINED.
10 REFERENCES / GLOSSARY.......................................................ERROR! BOOKMARK NOT DEFINED.
11 APPENDIX....................................................................................ERROR! BOOKMARK NOT DEFINED.
PT Hal 3 dari 13
Page of
1 Introduction
The User Requirements Specification (URS) describes in lay terms what the system should do. It also
describes the data, interface, security, performance and hardware requirements, which provide a complete
and comprehensive description of the requirements for the system. This set of requirements will be used for
the vendor selection process. This set of requirements will be used as a foundation for the Functional and
Design Specifications.
2 Overall Description
This section of the User Requirements Specification describes the general factors that affect the system and
its requirements. This section does not state specific requirements. Instead, it provides a background for
those requirements, which are defined in detail in Section 3, and makes them easier to understand. Business
(sub) processes which are analyzed in more detail in the subsections bellow are identified in this section.
Example:
PT Hal 4 dari 13
Page of
3 Business Requirements
This section of the User Requirements Specification contains all of the business requirements of the system.
These requirements are written at a level of detail sufficient to enable designers to design a system that will
satisfy those requirements and testers to test that the system satisfies those requirements. When writing
requirements, remember to use clear and complete language and avoid ambiguity and jargon. Determine the
criticality of the requirements. Indicate which requirements have regulatory impact (e.g. GxP, SOX, Data
Privacy etc.). Optionally CTQ “Critical to Quality” could also be added as reference.
* E – Essential
I – Important
D – Desired
PT Hal 5 dari 13
Page of
4 Regulatory Requirements
Regulatory Requirements are to be identified and added. The requirements identified under these sections
must be comprehensive to address both system and regulatory needs. It is acceptable for requirements
identified in this section to be incorporated into other sections of User and Functional Requirements.
URS-ER- § 11.10 (d) The CS must allow for the use of individual Note:
09 accounts, shared accounts for access levels Password
other than read are not acceptable. used in
conjunction
with individual
User IDs shall
not be shared.
URS-ER- § 11.10 (d) The CS should provide a mechanism to lock out/
10 interrupt access of any user after a configurable
period of non-attendance/ non-interaction with
the system (recommendation: 15 minutes at a
maximum). Password protected screensavers
are acceptable means to fulfil this requirement
provided that the security mechanisms of the
application are not compromised.
URS-ER- § 11.10 (d) The implementation of the lock out process Recommendati
11 should be well investigated in regard to safety on: Purchase
needs. Access to safety relevant functions & CS with safety
operations must always be possible and should relevant
be given priority. functions and
operations
detached from
general system
security
mechanisms.
URS-ER- § 11.10 (d) If technically possible passwords must be stored
12 in the CS in encrypted form. In case were
encryption of passwords is not possible, the
file(s) containing passwords and user-Ids must
be secured by technical means and their access
strictly controlled (no read option for any user,
SOP/strict instruction for administrators about
password file handling, password file not
accessible for users).
URS-ER- § 11.10 (d) When password entry fields are shown on the
13 screen, password entries must be obscured (e.g.
"*********").
URS-ER- § 11.10 (d) The system should allow for quality passwords Refer to ISEC
14 (at least 8 alphanumeric characters) and enforce Key Directive
their use. 02
URS-ER- § 11.10 (d) Transaction safeguards as specified in URS-ES-
15 17, URS-ES-18 and URS-ES-19 should be
implemented.
URS-ER- § 11.10 (e) If the CS provides for secured, computer-
16 generated audit trails for e-records, they must be
enabled.
PT Hal 7 dari 13
Page of
URS-ER- § 11.10 (e) The server time should be used for the
22 generation of time stamps.
URS-ER- § 11.10 (e) Time & date settings should be subject to
23 rigorous control to ensure the accuracy of time
stamps, the CS should provide the ability to
restrict access to time settings. Users should not
be able to change time & date settings.
URS-ER- § 11.10 (e) CS spanning multiple time zones should be able
24 to display & print the time zone used with the
time stamp.
URS-ER- § 11.10 (e) The CS should have a mechanism to prevent
25 that changes to e-records obscure or destroy the
original recorded information. Secured
references/ pointers from computer generated
audit trails to the original recorded information
are acceptable.
URS-ER- § 11.10 (e) If audit trail information are not part of the record
26 itself, the CS must implement mechanisms to
establish a secured link between audit trail & the
respective record.
URS-ER- § 11.10 (e) The ability to change computer generated audit Note: There
27 trails must be restricted to a minimum number of might be
individuals and to duly authorized personal. exceptional
cases, where the
Audit trails should only be changeable by the
alteration of
following role: _____ computer
generated audit
trails is
unavoidable
(e.g. due to
technical issues
PT Hal 8 dari 13
Page of
URS-ER- § 11.10 (g) Records may be linked to an authorization code See remark to
31 that identifies the title or organizational unit of URS-E-29
those individuals who are allowed to modify and/
or sign records. Based on this authorization
code, the CS should provide or reject access to
records/ e-signature functions.
URS-ER- § 11.10 (g) The CS should enforce record specific access See remark to
32 rights (e.g. only the originator of a record is URS-E-29
allowed to modify it) whenever the business
process asks for such controls.
This can be achieved by maintaining a list of
those records, an individual is allowed to modify/
sign. Before access to a record is provided for an
individual, the CS should check if this record is
part of the individual’s list.
5 Data Requirements
This section captures data requirements such as source/target databases, transformational rules, extent of
conversion/migration, data integrity, and archive requirements. Determine the criticality of the requirements.
Indicate which requirements have regulatory impact (e.g. GxP, SOX, Data Privacy etc.). Optionally CTQ
“Critical to Quality” could also be added as reference..
6 Interface Requirements
This section captures interface requirements such as user interfaces, application interfaces, database
interfaces, and equipment interfaces. Determine the criticality of the requirements. Indicate which
requirements have regulatory impact (e.g. GxP, SOX, Data Privacy etc.). Optionally CTQ “Critical to Quality”
could also be added as reference.
8 Infrastructure Requirements
This section captures infrastructure requirements such as memory storage, performance requirements,
backup requirements, installation requirements etc. Determine the criticality of the requirements. Optionally
CTQ “Critical to Quality” could also be added as reference.
9 References / Glossary
Define references and terms used in the document.
10 Appendix.