21 CFR PART 11 GAP ANALYSIS CHECKLIST

SECTION 11.1 SCOPE
21 CFR 11.1(a) The system should use electronic records.
21 CFR 11.1(a) The system should use electronic signatures.
21 CFR 11.1(a) The system can use handwritten signatures executed to electronic records.

SECTION 11.10 CONTROLS FOR CLOSED SYSTEMS
21 CFR 11.10(a) The company can use a closed system.
21 CFR 11.10(a) The system should be validated.
21 CFR 11.10(a) The company must measure system performance.
21 CFR 11.10(a) The system should identify invalid or altered records.
21 CFR 11.10(b) The system should produce accurate and complete copies of electronic records.
21 CFR 11.10(b) Electronic records must be provided to the FDA for inspection and review.
21 CFR 11.10(c) Electronic records must be retrievable during their retention period.
21 CFR 11.10(d) The system should ensure that only authorized individuals can access it.
21 CFR 11.10(e) The system should have a secure and computer-generated audit trail to record operator entries and actions that create, modify, or delete electronic records.
21 CFR 11.10(e) The system should record the date and time of these operator entries and actions on the audit trail.
21 CFR 11.10(e) Changes to records must not modify previously recorded information.
21 CFR 11.10(e) Audit trail documentation must be retained for the required period.
21 CFR 11.10(e) Audit trail documentation must be retrievable and available for FDA review and copying.
21 CFR 11.10(f) If applicable, the system should use operational checks to enforce actions to be executed in a predetermined sequence.
21 CFR 11.10(g) The system should ensure that only authorized individuals can access it and perform actions.
21 CFR 11.10(g) Electronic signatures must be restricted to authorized users only.
21 CFR 11.10(g) The system should have controls to prevent unauthorized access to the operation or computer system input/output devices.
21 CFR 11.10(g) Records in the system must be protected from unauthorized changes by having authorization checks in place.
21 CFR 11.10(h) The company must conduct device checks to ensure the data input source or operational instruction is valid.
21 CFR 11.10(i) The company must provide evidence of training for individuals who work with an electronic record and signature system.
21 CFR 11.10(j) The company must have written policies outlining users' accountability and responsibility for actions under their electronic signatures.
21 CFR 11.10(j) Users should follow the policies related to electronic signatures to prevent record and signature falsification.
21 CFR 11.10(k)(1) The system should have controls for the distribution of system documentation.
21 CFR 11.10(k)(1) The system should ensure that only authorized users can access system operation and maintenance documentation.
21 CFR 11.10(k)(1) The company must properly use system documentation for operation and maintenance.
21 CFR 11.10(k)(2) The system should have revision and change control procedures to maintain an audit trail.

SECTION 11.30 CONTROLS FOR OPEN SYSTEMS
21 CFR 11.30 The company can use an open system.
21 CFR 11.30 The open system should comply with the appropriate procedures and controls identified in section 11.10.
21 CFR 11.30 The open system should employ additional controls, such as document encryption and digital signature standards, to ensure record authenticity, integrity, and confidentiality.

SECTION 11.50 SIGNATURE MANIFESTATIONS
21 CFR 11.50(a)(1) The signed electronic record must contain information that clearly indicates the signer's printed name.
21 CFR 11.50(a)(2) The signed electronic record must contain information that clearly indicates the date and time when the signature was executed.
21 CFR 11.50(a)(3) The signed electronic record must contain information that clearly indicates the meaning associated with the signature.
21 CFR 11.50(b) The system should ensure the same level of control for signature information and electronic records.

SECTION 11.70 SIGNATURE AND RECORD LINKING
21 CFR 11.70 The system should link electronic signatures to their respective electronic records, preventing the removal, copying, or transfer of signatures.

SECTION 11.100 GENERAL REQUIREMENTS
21 CFR 11.100(a) Each user must have their own unique electronic signature.
21 CFR 11.100(a) The system should prevent signatures from being reassigned or reused.
21 CFR 11.100(b) The company must have a documented process for verifying the identity of users before their electronic signature is established, assigned, or certified.
21 CFR 11.100(c)(1) The company must ensure users provide a traditional handwritten signature to acknowledge that their electronic signature is equivalent to a handwritten signature.
21 CFR 11.100(c)(1) The company must ensure that everyone using electronic signatures in their system on or after August 20, 1997, has their certification submitted to the FDA.
21 CFR 11.100(c)(1) The company must follow the submission guidelines on the FDA's web page on the Letters of Non-Repudiation Agreement to certify electronic signatures.
21 CFR 11.100(c)(2) Users should know that the FDA may require additional certification or testimony of the equivalence of an electronic signature to its handwritten signature.

SECTION 11.200 ELECTRONIC SIGNATURE COMPONENTS AND CONTROLS
21 CFR 11.200(a)(1) The system should ensure electronic signatures use at least two different identification components, such as an identification code and password.
21 CFR 11.200(a)(1)(i) The system should require all electronic signature components for the first signature within a series of signatures in a single system access.
21 CFR 11.200(a)(1)(i) The system should require at least one electronic signature component for subsequent signatures.
21 CFR 11.200(a)(1)(ii) The system should require all electronic signature components when a user signs during several system accesses.
21 CFR 11.200(a)(2) Electronic signatures must only be used by their genuine owners.
21 CFR 11.200(a)(3) The system should be designed so that using an electronic signature that does not belong to a user would require the collaboration of two or more individuals.
21 CFR 11.200(b) The company can use electronic signatures based on biometrics.
21 CFR 11.200(b) The system should prevent electronic signatures based on biometrics from being used by anyone other than their genuine owners.

SECTION 11.300 CONTROLS FOR IDENTIFICATION CODES AND PASSWORDS
21 CFR 11.300(a) The system should ensure each individual has a unique identification code and password combination.
21 CFR 11.300(a) The system should prevent the creation of duplicate identification code and password combinations.
21 CFR 11.300(b) The system should ensure passwords expire and are updated periodically.
21 CFR 11.300(b) If necessary, the company must have procedures to recall or revise identification codes and passwords.
21 CFR 11.300(b) The company must have procedures to periodically check the validity of the identification code and password combinations recorded in the system.
21 CFR 11.300(c) The system should revoke identification code and password combinations that may have been compromised.
21 CFR 11.300(c) The system should recall identification codes and passwords if someone leaves the company.
21 CFR 11.300(c) The system should disable lost, stolen, or missing electronic devices to protect system access and sensitive data.
21 CFR 11.300(c) The system should issue temporary or permanent password replacements using appropriate and rigorous controls.
21 CFR 11.300(d) The system should detect attempts of unauthorized use of passwords and identification codes.
21 CFR 11.300(d) The system should immediately inform the security unit of any unauthorized use attempts of passwords and identification codes.
21 CFR 11.300(d) The system should notify the organizational management of any unauthorized use of passwords and identification codes, if appropriate.
21 CFR 11.300(e) The company must perform initial testing on devices that generate or hold identification codes or password information to ensure they function properly.
21 CFR 11.300(e) The company must perform periodic device testing to ensure they still function properly.
21 CFR 11.300(e) The system should test for unauthorized alterations to devices that generate or hold identification codes or password information.
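An added illustration (not part of the checklist and not any vendor's implementation) of how a system can satisfy the audit-trail, signature-manifestation and signature-record-linking items above (11.10(a) and (e), 11.50, 11.70): every trail entry keeps the prior value and is hash-chained to its predecessor, and every signature carries printed name, date/time and meaning and is keyed to the record's content, so an altered trail, a signature moved to another record, or a record changed after signing is reported by verify(). The key, record fields and user names are constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

LINK_KEY = b"demo-link-key-not-for-production"  # constructed; a real key lives in a KMS/HSM

def digest(obj):  # canonical SHA-256 over a JSON-serialisable object
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()
def link_mac(sig_body):  # keyed binding of a signature manifestation to its record
    return hmac.new(LINK_KEY, digest(sig_body).encode(), "sha256").hexdigest()

class AuditedRecord:  # record with an append-only, hash-chained trail and linked signatures
    def __init__(self, record_id, fields, operator):
        self.record_id, self.fields = record_id, dict(fields)
        self.audit_trail, self.signatures = [], []
        self._log(operator, "create", None, dict(fields))

    def _log(self, operator, action, old, new):
        prev = self.audit_trail[-1]["entry_hash"] if self.audit_trail else ""
        entry = {"operator": operator, "action": action, "old": old, "new": new,
                 "timestamp": datetime.now(timezone.utc).isoformat(), "prev_hash": prev}
        entry["entry_hash"] = digest(entry)  # chains this entry to its predecessor
        self.audit_trail.append(entry)       # entries are only ever appended

    def modify(self, operator, field, value):
        self._log(operator, "modify", {field: self.fields.get(field)}, {field: value})
        self.fields[field] = value           # the previous value survives in the trail

    def sign(self, printed_name, meaning):  # manifestation bound to the record's content hash
        sig = {"record_id": self.record_id, "printed_name": printed_name, "meaning": meaning,
               "timestamp": datetime.now(timezone.utc).isoformat(), "record_hash": digest(self.fields)}
        sig["link"] = link_mac(sig)
        self.signatures.append(sig)
        self._log(printed_name, "sign", None, {"meaning": meaning})

    def verify(self):  # returns a list of problems; empty means nothing altered, removed or moved
        problems, prev = [], ""
        for i, e in enumerate(self.audit_trail):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or digest(body) != e["entry_hash"]:
                problems.append(f"audit entry {i} altered or out of order")
            prev = e["entry_hash"]
        for s in self.signatures:
            body = {k: v for k, v in s.items() if k != "link"}
            if not hmac.compare_digest(link_mac(body), s["link"]):
                problems.append(f"signature by {s['printed_name']} tampered")
            elif (s["record_id"], s["record_hash"]) != (self.record_id, digest(self.fields)):
                problems.append(f"signature by {s['printed_name']} not linked to this record")
        return problems
```

Note that a change to the record after signing is reported as a broken link on purpose: the signed content no longer exists, so the record must be re-signed.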