Table 12-10  21 CFR Part 11 Procedural and Technological Controls

| Clause | Type of Control | Responsibility | Description of Clause |
|---|---|---|---|
| 11.10 | Procedural | P | This clause specifies a number of specific controls. The pharmaceutical organization will need to demonstrate a system of self-inspection audits to demonstrate compliance with the procedures and controls listed below. |
| 11.10(a) | Procedural | P | ER/ES systems need to be validated. An industry-recognized approach is given in GAMP. This validation should include documented verification that the system provides the required controls for 21 CFR Part 11 compliance, for example the ability to discern invalid records, the ability to generate copies of records, provision of an adequate audit trail, etc. |
| 11.10(a) | Technological | S | The ER/ES system should be able to identify changes to electronic records in order to detect invalid or altered records. In practice, this means having an adequate audit trail that can be searched for information, for example to determine whether any changes have been made without the appropriate authorizations. |
| 11.10(b) | Technological | S | ER/ES systems should allow applicable electronic data to be accessed in human-readable form. |
| 11.10(b) | Technological | S | ER/ES systems must be able to electronically export applicable data and any associated data (e.g., audit trails, configuration information relating to identification, and status of users and equipment). |
| 11.10(c) | Procedural | P | The pharmaceutical organization should have a clear position on provision of data to external parties and pre-planned processes for managing it. |
| 11.10(c) | Procedural | P | The pharmaceutical organization should specify retention periods (in accordance with predicate rules) and responsibilities for ensuring data are retained securely for those periods. |
| 11.10(c) | Procedural | P | The pharmaceutical organization should have defined, proven, and secure backup and recovery, and archival and retrieval, processes for electronic data. |
| 11.10(c) | Technological | P, S | ER/ES systems should be able to maintain applicable electronic data (including any associated data, e.g., audit trails, configuration information relating to identification and status of users and equipment) over periods of many years regardless of upgrades to the software and operating environment, and should be able to export such data electronically and in human-readable form. |
| 11.10(d) | Procedural | P | The pharmaceutical organization should have procedures defining how access is limited to authorized individuals. See the GAMP Guide. Managing super-user accounts should be given special consideration. |
| 11.10(d) | Technological | S | ER/ES systems should restrict access in accordance with pre-configured rules that can be maintained. Any changes to the rules should be recorded. |
| 11.10(e) | Procedural | P | The pharmaceutical organization should have a procedure to maintain the audit trail (see 11.10(c) above). |
| 11.10(e) | Technological | S | ER/ES systems should be capable of recording all electronic record create, update, and delete operations. Updates should not obscure previous values. Data to be recorded must include as a minimum: time and date, an unambiguous description of the event, and the identity of the operator. This record should be secure from subsequent unauthorized alteration. Audit trails must be available in human-readable form and able to be exported in both hard copy and electronic copy. |
| 11.10(f) | Technological | P, S | Where operations are required in a pre-defined order, for example in batch manufacture, the ER/ES system should enforce that ordering through the system’s design. |
| 11.10(g) | Procedural | P | The pharmaceutical organization should have procedures defining how the authorization processes are carried out, and should ensure that staff have been trained in their use. |
| 11.10(g) | Technological | S | ER/ES systems should restrict use of system functions and features in accordance with configurable rules that can be maintained. Any changes to the rules should be recorded. |
| 11.10(h) | Technological | P, S | Where pharmaceutical organizations require that certain devices act as sources of data or commands, the ER/ES system should enforce the requirement. |
| 11.10(i) | Procedural | P | Pharmaceutical organization staff who develop, maintain, or use ER/ES systems must have the education, training, and experience to perform their assigned tasks. |
| 11.10(i) | Procedural | S | Suppliers are required to have a procedure to demonstrate that persons who develop and maintain ER/ES systems have the education, training, and experience to perform their assigned tasks. |
| 11.10(j) | Procedural | P | The pharmaceutical organization should have a policy that describes the significance of electronic signatures, in terms of individual responsibility, and the consequences of falsification both for the pharmaceutical organization and for the individual. |
| 11.10(k) | Procedural | P | The pharmaceutical organization should have procedures covering distribution of, access to, and use of operational and maintenance documentation once the system is in operational use. |
| 11.10(k) | Procedural | P | The pharmaceutical organization must ensure adequate change control procedures for operational and maintenance documentation. |
| 11.10(k) | Technological | S | Where systems documentation is in electronic form and can be changed by the pharmaceutical organization, an electronic audit trail should be maintained, in accordance with 11.10(e) above. |
| 11.30 | | | Open Systems – not covered by this table. |
| 11.50 | Technological | S | ER/ES systems must ensure that signed electronic records contain information associated with the signing that clearly indicates all of the following: the printed name of the signer; the date and time when the signature was executed; and the meaning (such as review, approval, responsibility, or authorship) associated with the signature. These items are subject to the same controls as other electronic records. The information can be stored within the electronic record or in logically associated records, but must always be shown whenever the record is displayed or printed. |
| 11.70 | Technological | S | ER/ES systems must provide a method for linking electronic signatures and handwritten signatures, where used, to their respective electronic records, in a way that prevents the signature from being removed, copied, or changed to falsify that or any other record. |
| 11.100(a) | Procedural | P | The pharmaceutical organization must ensure the uniqueness of electronic signatures, and that they are not re-used or re-allocated. The key point is that the use of an electronic signature is directly attributable to one individual. Therefore, it must be unambiguous within the context of its use. |
| 11.100(a) | Technological | S | The ER/ES system should enforce uniqueness, prevent reallocation of an electronic signature, and prevent deletion of information relating to the electronic signature once it has been used. |
| 11.100(a) | Procedural | P | The pharmaceutical organization should have procedures for managing delegation of ES responsibilities (e.g., holidays, periods of absence). |
| 11.100(b) | Procedural | P | The pharmaceutical organization should have a procedure for verifying the identity of individuals being granted access to the ER/ES system. |
| 11.100(c) | N/A | | See annotated rule (Appendix 1). |
| 11.200(a)(1) | Technological | S | ER/ES systems providing non-biometric electronic signatures need at least two distinct components. |
| 11.200(a)(1) | Procedural/Technological | P, S | The pharmaceutical organization should establish how it will ensure that both components of the electronic signature are entered if the session has not been continuous. |
| 11.200(a)(1) | Technological | S | The ER/ES system should enforce that both components are entered at least at the first signing, and again following a break in the session. |
| 11.200(a)(2) | Procedural | P | The pharmaceutical organization must ensure that staff use only their own electronic signature and not anyone else’s, even on their behalf, as that would be falsification (see also 11.10(j)). |
| 11.200(a)(3) | Procedural | P | The pharmaceutical organization should have a procedure requiring that users do not divulge their electronic signature (e.g., passwords). |
| 11.200(a)(3) | Technological | S | The ER/ES system should not provide any ordinary means of accessing electronic signature information. |
| 11.200(b) | | | Biometrics – not included in this document. |
| 11.300(a) | | | Already covered in 11.100(a) above. |
| 11.300(b) | Procedural | P | The pharmaceutical organization should have procedures to cover: removal of system access from obsolete users; changing of profiles as user roles change; periodic checking of identification codes for inconsistencies with current users; periodic changing of passwords. |
| 11.300(b) | Technological | S | The ER/ES system should force passwords to be periodically changed and also enable ID/password combinations to be rendered inactive without losing the record of their historical use. It is recognized that this may not be possible, for example for certain embedded or PLC systems, in which case procedural controls should be used. |
| 11.300(c) | Procedural | P | The pharmaceutical organization should have a procedure for management of lost passwords. |
| 11.300(d) | Procedural | P | The pharmaceutical organization should have a procedure describing how the response to attempted or actual unauthorized access is managed. |
| 11.300(d) | Technological | S | The ER/ES system should provide notification of attempted unauthorized access and should take preventative measures (e.g., lock a terminal after a specified number of failed attempts, retain card). |
| 11.300(e) | Procedural | P | The pharmaceutical organization should define how any devices or tokens that carry user ID or password information are periodically tested and renewed. |
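The following is an added example, not the Audit Viewer's own code or storage format, showing in Python how the 11.10(e) minimum audit-trail fields (date and time, event, operator, with previous values retained), the 11.10(a) check for altered records, and the 11.50/11.70 signature manifestation linked to its record can be realised as an append-only, hash-chained log. Record ids, operator names, values and timestamps are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first entry


def entry_digest(body: dict) -> str:
    """SHA-256 over a canonical JSON serialisation of an entry (without its hash)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Hypothetical append-only, hash-chained audit trail (not the product's format)."""

    def __init__(self):
        self.entries = []  # only ever appended to; verify() detects in-place edits

    def _append(self, fields: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries),
                "time": fields.pop("time", None) or datetime.now(timezone.utc).isoformat(),
                "prev_hash": prev, **fields}
        body["hash"] = entry_digest(body)  # chains this entry to every earlier one
        self.entries.append(body)
        return body["hash"]

    def record(self, operator, event, record_id, old_value, new_value, time=None):
        """11.10(e): who, when, what; old_value is kept so updates never obscure it."""
        return self._append({"operator": operator, "event": event, "record_id": record_id,
                             "old_value": old_value, "new_value": new_value, "time": time})

    def sign(self, operator, printed_name, meaning, record_id, time=None):
        """11.50/11.70: printed name, time and meaning, chained to the record's history."""
        return self._append({"operator": operator, "event": "signature", "record_id": record_id,
                             "printed_name": printed_name, "meaning": meaning, "time": time})

    def verify(self) -> int:
        """11.10(a): recompute the chain; -1 if intact, else index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or entry_digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def manifest(self, record_id) -> list:
        """11.10(b)/11.50: human-readable history and signatures for one record."""
        lines = []
        for e in (x for x in self.entries if x["record_id"] == record_id):
            if e["event"] == "signature":
                lines.append(f'{e["time"]} SIGNED by {e["printed_name"]} ({e["meaning"]})')
            else:
                lines.append(f'{e["time"]} {e["event"]} by {e["operator"]}: '
                             f'{e["old_value"]!r} -> {e["new_value"]!r}')
        return lines
```

Editing any stored field, or re-hashing one entry after editing it, makes `verify()` report the first entry that no longer matches, which is the check an auditor would run before trusting an exported trail.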