
21 CFR Part 11 compliance features software security

1. Software Security: Security controls are in place to prevent unauthorised access to the software and to protect data integrity.

2. Electronic records are tamper evident through the use of checksums and are tamper proof from ordinary means.

3. Audit trails: The systems will generate automatic audit trails for all data records, consistent with 21CFR Part 11 specifications.

4. Controls: Configuration options prevent users or user groups from accessing restricted data or performing controlled activities.

5. Electronic Signatures: Electronic signatures can be applied to records to document data review and/or approval, as well as record change.

Clause No.   21 CFR 11 – Requirements   Does Open Lab CDS Software comply?   Comment
11.10a Has the system been validated in order to ensure Ok Not Ok NR
accuracy, reliability, consistent intended
performance, and the ability to discern invalid or
altered records?
Is the system validated? Ok Not Ok NR
(The system must be capable of being validated)
Is it possible to discern invalid or altered records? Ok Not Ok NR
11.10b Is the system capable of generating accurate and Ok Not Ok NR
complete copies of all required records in both
human readable and electronic form suitable for
inspection, review and copying by the FDA?
Interpretation
The system must be capable of producing
accurate and complete copies of electronic
records on paper.
The system must be capable of producing
accurate and complete copies of records in
electronic form for inspection, review and
copying by the FDA.
11.10c Are the records protected to enable the accurate Ok Not Ok NR
and ready retrieval throughout the record retention
period?
Interpretation
Records must be readily retrievable throughout
their retention period.
11.10d Is system access limited to authorized individuals? Ok Not Ok NR
Interpretation
System access must be limited to authorized
individuals.
11.10e Is there a secure, computer-generated, time-stamped Ok Not Ok NR
audit trail that independently records the
date and time of operator entries and actions that
create, modify, or delete electronic records?
Interpretation
The system must be capable of producing a
secure, computer-generated, time-stamped
audit trail that records the date and time
of operator entries and actions that create,
modify or delete electronic records.
Upon making a change to an electronic
record, original information is still available.
11.10e Are electronic audit trails kept for a period at least Ok Not Ok NR
as long as their subject electronic records and
available for agency review and copying?
Interpretation
Electronic records audit trails are retrievable
throughout the record’s retention period.
The audit trail is available for review and
reproduction by the FDA.
Use of secure, computer-generated, time-stamped
audit trails to independently record the date and
time of operator entries and actions that create,
modify, or delete electronic records. Record
changes shall not obscure previously recorded
information.
Such audit trail documentation shall be retained
for a period at least as long as that required for the
subject electronic records and shall be
available for agency review and copying.
11.10(f) Are operational system checks used to enforce Ok Not Ok NR
permitted sequencing of steps and events?
Interpretation
Use of operational system checks to enforce
permitted sequencing of steps and events, as
appropriate.
If the sequence of system steps or
events is important, is this enforced by
the system (e.g., as would be the case in process
control)? When any sequence of system steps is
important, that sequence must be enforced
by the system.
11.10(g) Are authority checks in place to ensure that only Ok Not Ok NR
authorized individuals can use the system,
electronically sign a record, access the operation
or computer system input or output device, alter a
record, or perform the operation at hand?
Interpretation
Use of authority checks to ensure that only
authorized individuals can use the system,
electronically sign a record, access the operation
or computer input or output device, alter a record,
or perform the operation at hand.
Does the system ensure that only authorized
individuals can use the system, electronically sign
records, access the operation or computer system
input or output device, alter a record, or perform
other operations?
The system should ensure that only authorized
individuals can use it, electronically sign
records, access the operation or computer system
input or output device, alter a record, or perform
other operations.
11.10(h) Are device checks used to determine, as Ok Not Ok NR
appropriate, the validity of the source of data or
operational instruction?

Interpretation
Use of device (e.g., terminal) checks to
determine, as appropriate, the validity of the
source of data input or operational instruction. If it
is a requirement of the system that input data or
instructions can only come from certain input
devices (e.g., terminal), does the system check the
validity of the source of any data or instructions
received?
(Note: This applies where data or instructions can
come from more than one device, and therefore
the system must verify the integrity of its source,
such as a network of weigh scales, or remote,
radio controlled terminals.)
The system should be able to check the
validity of the source of any data or instructions
if it is a requirement of the system that input data
or instructions can only come from certain input
devices.

11.10(i) Do the persons, who develop, maintain, or use Ok Not Ok NR
electronic records/signature systems have the
education, training, and experience to perform
their assigned tasks?

Interpretation
Determination that persons who develop,
maintain, or use electronic record/electronic
signature systems have the education, training,
and experience to perform their assigned tasks.
Is there documented training, including on-the-job
training, for system users, developers, IT support
staff?
Documented training, including on-the-job
training, for system users, developers, IT
support staff should be available.
11.10(j) Have written policies been established, and Ok Not Ok NR
adhered to, that hold individuals accountable and
responsible for actions initiated under their e-
signatures in order to deter record and signature
falsification?

Interpretation
The establishment of, and adherence to, written
policies that hold individuals accountable and
responsible for actions initiated under their
electronic signatures, in order to deter record
and signature falsification.
Is there a written policy that makes individuals
fully accountable and responsible for actions
initiated under their electronic signatures?
A written policy that makes individuals fully
responsible for actions initiated under their
electronic signatures should be in place.

11.10(k)(1) Are there adequate controls over the distribution Ok Not Ok NR
of, access to, and use of documentation for system
operation and maintenance?
Interpretation
The distribution of, access to, and use of system
operation and maintenance documentation should
be controlled.
11.10(k)(2) Are there formal revisions and change control Ok Not Ok NR
procedures to maintain an audit trail that
documents time-sequenced development and
modification of systems documentation?

Interpretation
A formal change control procedure for
system documentation that maintains
a time-sequenced audit trail of changes
should be in place.
Controls for Open Systems
11.30 Are there procedures and controls used to protect Ok Not Ok NR
the authenticity, integrity and confidentiality of
the electronic records from their creation point to
the point of their receipt?
Interpretation
Persons who use open systems to create, modify,
maintain, or transmit electronic records shall
employ procedures and controls designed to
ensure the authenticity, integrity and, as
appropriate, the confidentiality of electronic records
from the point of their creation to their receipt.
Such procedures and controls shall include those
identified in §11.10, as appropriate, and additional
measures such as document encryption and use of
appropriate digital signature standards to ensure,
as necessary under the circumstances, record
authenticity, integrity and confidentiality.
Is data encrypted?
Are digital signatures used?
11.30 Are additional measures used to ensure the Ok Not Ok NR
confidentiality of the electronic records from the
point of their creation to the point of their receipt?
Signature Manifestations
11.50 (a) Do the signed electronic records contain Ok Not Ok NR
information associated with the signing that
clearly indicates the following:
1. Printed name of signer,
2. Date and time that the signature was executed,
3. The meaning associated with the signature?

Interpretation
(a) Signed electronic records shall
contain information associated with the signing
that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was
executed; and
(3) The meaning (such as review,
approval, responsibility, or authorship) associated
with the signature.
(b) The items identified in paragraphs
(a)(1), (a)(2), and (a)(3) of this section shall be
subject to the same controls as for electronic
records and shall be included as part of the
electronic record (such as electronic display or
printout).
Do signed electronic records contain the following
information?
- The printed name of the signer
- The date and time of signing
- The meaning of the signing (such as
approval, review, responsibility)
The above information should be shown
on displayed and printed copies of the
electronic record.
11.50 (b) Are these items part of any human readable form Ok Not Ok NR
of the electronic record?
Signature / Record Linking
11.70 Is the electronic signature linked to its respective Ok Not Ok NR
electronic record to ensure that the signature
cannot be excised, copied or otherwise transferred
to falsify an electronic record by ordinary means?
Interpretation
Signatures should be linked to their respective
electronic records to ensure that they cannot be
cut, copied, or otherwise transferred by ordinary
means for the purpose of falsification.
Electronic signatures and handwritten signatures
executed to electronic records shall be linked to
their respective electronic records to ensure that
the signatures cannot be excised, copied, or
otherwise transferred to falsify an electronic
record by ordinary means.
Are signatures linked to their respective
electronic records to ensure that they cannot be
cut, copied, or otherwise transferred by ordinary
means for the purpose of falsification?
General Requirements
11.100 (a) Is each electronic signature unique to one Ok Not Ok NR
individual and not reused by, or reassigned to,
anyone else?

Interpretation
(a) Each electronic signature shall be unique to
one individual and shall not be reused by, or
reassigned to, anyone else.
(b) Before an organization establishes, assigns,
certifies, or otherwise sanctions an individual’s
electronic signature, or any element of such
electronic signature, the organization shall verify
the identity of the individual.
Are electronic signatures unique to an individual?
Are electronic signatures ever reused by, or
reassigned to anyone else? Is the identity of an
individual verified before an electronic signature
is allocated?
Electronic signatures must be unique to each
authorized individual.
The reuse or reassignment of electronic
signatures should be discouraged.
The identity of the individual should be
verified before an electronic signature is
allocated.
11.100 (b) Are the identities of the individual verified prior to Ok Not Ok NR
the establishment, assignment, and certification or
otherwise sanctioning an individual's electronic
signature or any element of an electronic
signature?
11.100 (c) Has the Company delivered its corporate electronic Ok Not Ok NR
signature certification letter to the FDA?
11.100 (c)(1) Is it in paper form with a traditional handwritten Ok Not Ok NR
signature?
11.100 (c)(2) Can additional certification or testimony be Ok Not Ok NR
provided that a specific electronic signature is the
legally binding equivalent of the signer's
handwritten signature?
Electronic Signature Components and Controls
11.200 (a)(1) Does the e-signature employ at least two distinct Ok Not Ok NR
identification components such as User ID and
password?
Signatures must be made up of at least two
components such as an identification code
and password, or an identification card and
password.

11.200 (a)(1)(i) When an individual executes a series of signings Ok Not Ok NR
during a single, continuous period of controlled
system access, is the first signing executed using
all the electronic signature components?

Interpretation
The user's password must be executed at
each signing when several signings are
made during a continuous session.
11.200 (a)(1)(ii) When an individual executes a series of signings Ok Not Ok NR
not performed during a single, continuous period
of controlled system access; does each signing
executed require all signature components?
Interpretation
If signings are not done in a continuous session,
both components of the electronic signature
should be executed with each signing.
11.200 (a)(2) Are controls in place to ensure that only their Ok Not Ok NR
genuine owners can use the electronic signature?
Interpretation
Non-biometric signatures should only be used
by their genuine owners.
11.200 (a)(3) Are the electronic signatures to be administered Ok Not Ok NR
and executed to ensure that the attempted use of
an individual’s electronic signature by anyone
other than its genuine owner requires the
collaboration of two or more individuals?
Interpretation
Attempts to falsify an electronic signature
must require the collaboration of at least
two individuals.
11.200(a) Electronic signatures that are not
based upon biometrics shall:
(1) Employ at least two distinct identification
components such as an identification code and
password.
(1)(i) When an individual executes a series of
signings during a single, continuous period of
controlled system access, the first signing shall be
executed using at least one electronic signature
component that is only executable by and
designed to be used only by the individual.
(1)(ii) When an individual executes one or more
signings not performed during a single,
continuous period of controlled system access,
each signing shall be executed using all of the
electronic signature components.
(2) Be used only by their genuine owners,
and
(3) Be administered and executed to ensure
that attempted use of an individual’s
electronic signature by anyone other than its
genuine owner requires collaboration of two or
more individuals.
(b) Electronic signatures based upon
biometrics shall be designed to ensure that
they cannot be used by anyone other than
their genuine owners.
During a continuous session,
is the password executed at each signing? (Note:
both components must be executed at the
first signing of a session)
If signings are not done in a continuous
session, are both components of the
electronic signature executed with each signing?
Are non-biometric signatures only used by
their genuine owners?
Would an attempt to falsify an electronic
signature require the collaboration of at
least two individuals?
Has it been shown that biometric electronic
signatures can be used only by their
genuine owner?
Controls for Identification Codes/Passwords
11.300(a) Are controls in place to ensure the uniqueness of Ok Not Ok NR
each combined identification code and password
maintained, such that no two individuals have the
same combination of identification code and
password?
Interpretation
Controls to maintain the uniqueness of each
combined identification code and password,
such that no individual can have the same
combination of identification code and
password, are in place.
11.300 (b) Are controls in place to ensure that the Ok Not Ok NR
identification code and password issuance is
periodically checked, recalled, and revised?

Interpretation
Procedures must be in place to ensure the validity
of identification codes and that they are
periodically checked.
Passwords should periodically expire and
need to be revised.
11.300 (c) Are there loss management procedures in place to Ok Not Ok NR
electronically disable lost, stolen, missing, or
otherwise potentially compromised tokens, cards,
and other devices that bear or generate
identification code or password information?
Interpretation
Procedure for recalling identification codes
and passwords if a person leaves or is transferred
should be developed.
11.300 (d) Are transaction safeguards in use to prevent Ok Not Ok NR
unauthorized use of passwords and/or
identification codes?

Interpretation
A procedure for electronically disabling an
identification code or password if it is potentially
compromised or lost should be in place.
11.300 Controls for Identification Codes and
Passwords shall include:
(a) Maintaining the uniqueness of each
combined identification code and password, such
that no two individuals have the same
combination of identification code and
password.
(b) Ensuring that identification code and password
issuances are periodically checked, recalled, or
revised (e.g., to cover such events as password
aging).
(c) Following loss management procedures to
electronically deauthorize lost, stolen, missing,
or otherwise potentially compromised tokens,
cards, and other devices that bear or generate
identification, and to issue temporary or
permanent replacements using suitable, rigorous
controls.
(d) Use of transaction safeguards to prevent
unauthorized use of passwords and/or
identification codes, and to detect and
report in an immediate and urgent manner
any attempts at their unauthorized use to
the system security unit, and, as appropriate, to
organizational management.
Following loss management procedures to
electronically deauthorize lost, stolen, missing,
or otherwise potentially compromised tokens,
cards, and other devices that bear or generate
identification code and password information,
and to issue temporary or permanent replacements
using suitable, rigorous controls.
(e) Initial and periodic testing of devices,
such as tokens or cards, that bear or
generate identification code or password
information to ensure that they function
properly and have not been altered in an
unauthorized manner.
Are controls in place
to maintain the uniqueness of each
combined identification code and password,
such that no individual can have the same
combination of identification code and
password?
Are procedures in place to
ensure that the validity of identification
codes is periodically checked?
Do passwords periodically expire and need
to be revised?
Is there a procedure for
recalling identification codes and passwords?
Is there a procedure for electronically
disabling an identification code or password
if it is potentially compromised or lost?
Is there a procedure for detecting attempts at
unauthorized use and for informing security?
Is there a procedure for reporting repeated or
serious attempts at unauthorized use to
management?
Is there a loss management procedure to be
followed if a device is lost or stolen?
Is there a procedure for electronically
disabling a device if it is lost, stolen, or
potentially compromised?
Are there controls over the issuance of temporary
and permanent replacements?
Is there initial and periodic testing of tokens and
cards?
Does this testing check that there have been no
unauthorized alterations?
A procedure for detecting attempts at
unauthorized use and for informing security
should be in place.
A procedure for reporting repeated or serious
attempts at unauthorized use to management
should be in place.

OK = fulfils requirement
NOK = does not fulfil the requirement
NR = not relevant.

Important notes:

1. Data Security: System activity log, selection of authentication provider, management of users, groups, roles, and privileges,
security policy.

2. Data integrity risk: Those subject to regulation by the USFDA or similar organisations are cautioned that FTP services are enabled by
default.
3. Shared Services and secure storage
FTP server protocol setting (IT)
Database statistics (IT)
Resource monitoring (IT)
Disaster recovery planning (IT)
Backup procedures (IT)
Restore procedures (IT)

4. Project creation and enabling of the audit trail.
5. Screen print of chromatographic software roles and privileges.
6. Training of the QA Mgr. in audit trail monitoring and the backup monitoring view; take a printout with comments as "reviewed by",
with user ID and password.
7. Everything (QA Mgr.) with accessibility of Level 1 & 2.
8. In Level 2, Head/QC/QA: not relevant.
9. In Level 2, the Clarity Manager QC reviews the integration in the software and takes a print (the Level 1 person integrates the chromatogram
and saves it). Final printout only after Level 2 review.
10. In Level 3: everything, including the System, Instrument, and Project Administrative roles, by the Manager QA.
11. In Level 2, manual integration can be performed with prior permission of the Head QA.
12. No single injections by any level of user. Injections should follow the STP sequence and protocol; if the RT is not achieved, raise an incident
and perform CAPA, then prepare a new sequence accordingly and attach the previous data and the new data.
