The 21 CFR Part 11 compliance checklist is a tool that can be used to evaluate the level of compliance with the requirements outlined in 21 CFR Part 11.
It provides a comprehensive list of questions to consider when assessing the compliance of electronic records and electronic signature systems.
We offer a downloadable compliance checklist in PDF and Excel formats that contains questions as per 21 CFR Part 11 requirements organized into 7 categories:
- Validation
- Audit trail
- System
- Copies of records
- Record retention
- Electronic signatures
- Access security
Many Life Science companies are implementing 21 CFR Part 11 compliant Document Management Systems or eQMS solutions to make compliance easier. Throughout the article, we will give examples of how such solutions help ensure compliance.
SimplerQMS offers 21 CFR Part 11 compliant eQMS solutions tailored to the needs of Life Science companies. Book a personalized demo and talk to our experts to see how SimplerQMS can help you stay compliant and work more efficiently.
Downloadable 21 CFR Part 11 Compliance Checklists to Follow
A checklist helps with compliance assessment by making sure requirements are met.
First, it is important to understand whether your current system has any gaps between real-world situations and the requirements outlined in the FDA 21 CFR Part 11 (section-by-section).
The gap analysis can help identify the areas that need improvement to ensure compliance.
Here is the 21 CFR Part 11 checklist you can use for Gap Analysis purposes – you can download it in either PDF or Excel format.
Download the checklist for Gap Analysis in PDF format.
Download the checklist for Gap Analysis in Excel (XLS) format.
To assess the implementation of the FDA 21 CFR Part 11, you can use a compliance checklist.
Our downloadable 21 CFR Part 11 compliance checklist is available in PDF and Excel formats.
You can download the checklist by clicking the link below (depending on the preferred format).
Download the 21 CFR Part 11 compliance checklist in PDF format.
Download the 21 CFR Part 11 compliance checklist in Excel (XLS) format.
Below, we will go through the questions included in the checklist to help better understand each category and its purpose. We will also give examples of how modern eQMS solutions like SimplerQMS can help ensure compliance with some of these requirements.
NOTE
The information presented in this article is intended for educational purposes. It should not be relied upon as official regulatory guidance. Companies that aim to comply with 21 CFR Part 11 should consult the regulation for official guidance.
Validation
The validation of computerized systems is an essential part of complying with 21 CFR Part 11, as stated in section 21 CFR 11.10(a).
Validation should be based on a justified and documented risk assessment, determining the system’s potential impact on record integrity. This could be done using a 21 CFR Part 11 Applicability Assessment to define whether a system performs functions regulated by 21 CFR Part 11.
Here are the questions related to system validation you would want to ask:
- Is the system validated?
- Is the system performance accurate, reliable, and consistent?
- Is the system able to identify invalid or altered records?
- Are there written policies in place that outline the accountability and responsibility of users for actions initiated under their electronic signatures?
- Are users informed and trained on the policies related to electronic signatures to prevent record and signature falsification?
- Can you provide training documentation demonstrating that individuals who develop, maintain, or use electronic record and signature systems have the required experience for their assigned tasks?
- Is there a documented process for verifying the identity of users before their electronic signature is established, assigned, or certified?
- Is the system designed to require the collaboration of two or more individuals to use an electronic signature that does not belong to them?
SimplerQMS offers a fully validated system following ISPE GAMP5, a risk-based approach to compliant systems, to ensure that it is fit for its intended use.
Our software undergoes revalidation processes whenever a new version is released or when standard updates are applied.
This eliminates the need for our customers to conduct any system validation activities regarding SimplerQMS.
Audit Trails
Sections 21 CFR 11.10(e) and 11.10(k)(2) specify the requirements for the generation and maintenance of accurate and complete audit trails that record all actions related to electronic records.
Companies should ensure the audit trail’s completeness, protect it from unauthorized access or modifications, and ensure it can be retrieved and reviewed as needed.
For more detailed information on the audit trail as per FDA 21 CFR Part 11, read our article on audit trail requirements.
Check off the following steps to ensure audit trail compliance:
- Are document management and change control procedures in place to maintain an audit trail?
- Does the system have a secure and computer-generated audit trail to record operator entries and actions that create, modify, or delete electronic records?
- Does the system record the date and time of these operator entries and actions on the audit trail?
- Do changes to records modify previously recorded information? Note that all previous information should still be accessible and not erased or hidden by changes.
- Is the audit trail documentation retrievable and available for FDA review and copying?
The SimplerQMS solution automatically records all audit trail data entries in compliance with 21 CFR Part 11. The system creates an independent record of the date, time, username, and actions performed on electronic records.
All documents and related audit trails are stored in a cloud-based system for as long as required. Inspectors can easily view documents in the SimplerQMS system during audits.
Systems
The compliance requirements for electronic recordkeeping systems are outlined in Sections 21 CFR 11.10 and 11.30.
The system must be supported by documented evidence and justification that it is suitable for its intended use, which includes:
- Using electronic records and signatures
- Implementing access controls
- Performing system checks
- Managing distribution of system documentation.
You will need to check off the following steps:
- Does the company use electronic records?
- Does the company use electronic signatures?
- Does the company use handwritten signatures executed to electronic records?
- Does the company use electronic signatures based on biometrics?
- Does the system prevent electronic signatures based on biometrics from being used by anyone other than their genuine owners?
- Is the system designed to ensure that only authorized individuals can access it and perform actions?
- Does the system have controls to prevent unauthorized access to the operation or computer system input/output devices?
- Does an open system comply with the appropriate procedures and controls identified in section 11.10?
- Does an open system employ additional controls, such as document encryption and digital signature standards, to ensure record authenticity, integrity, and confidentiality?
- Is there a procedure to conduct device checks to ensure the data input source or operational instruction is valid?
- Does the system use operational checks to enforce actions to be executed in a predetermined sequence, if applicable?
- Are there controls in place for the distribution of system documentation?
- Is an access control procedure in place to ensure only authorized users can access system operation and maintenance documentation?
- Is there a procedure to ensure the proper use of system documentation for operation and maintenance?
Companies using the SimplerQMS solution, for instance, benefit from its closed-system architecture and security controls. This helps ensure that only authorized individuals can access and modify electronic records.
SimplerQMS connects with Microsoft Entra ID (previously known as Microsoft Azure Active Directory) for secure identity and access management. Each person has only one user account for a clear one-to-one relationship between the authorized person and their login account.
Copies of Records
Generating copies of records is an essential part of complying with 21 CFR Part 11, as stated in section 21 CFR 11.10(b).
The FDA recommends that copies of records accurately reflect the content and meaning of the original record. During an audit, you should give the investigator reasonable and useful access to electronic records.
Go through the following questions to ensure your system can provide the required record copies for compliance:
- Is the system capable of producing accurate and complete copies of electronic records?
- Are electronic signatures linked to their respective electronic records in a way that prevents the removal, copying, or transfer of signatures?
- Can all electronic records be provided to the FDA for inspection and review?
- Are records in the system protected from unauthorized changes by having authorization checks in place?
SimplerQMS is a 21 CFR Part 11 compliant software that automatically links electronic signatures to records, preventing them from being falsified.
Additionally, the software offers a controlled printing feature, which allows users to print or download copies of records while easily keeping track of all printouts.
Record Retention
Section 21 CFR Part 11.10(c) addresses record retention requirements for electronic records under FDA regulations.
Electronic records must be retained to ensure the records are accurate, complete, and secure during the entire retention period.
Check off the following elements to ensure the proper retention of your records:
- Do the signed electronic records contain information that indicates the signer’s printed name?
- Do the signed electronic records contain information indicating the date and time when the signature was executed?
- Do the signed electronic records contain information that indicates the meaning associated with the signature, such as review, approval, responsibility, or authorship?
- Is the level of control for signature information equivalent to that of electronic records?
- Are electronic records readily retrievable throughout their retention period?
- Is the audit trail documentation retained for the required period?
For instance, a 21 CFR Part 11-compliant software solution like SimplerQMS ensures that all essential signature information is automatically captured and included in the electronic record.
The system has strict controls in place to manage both signatures and records, ensuring that all necessary information is displayed on the document.
SimplerQMS also offers a search feature to facilitate document retrieval.
It is possible to search keywords in titles and content of records to locate the precise document during daily activities or audit situations.
Electronic Signatures
Requirements for electronic signature use and controls are outlined in sections 11.100 and 11.200 of 21 CFR Part 11. These requirements also include validation and authentication to ensure the signer’s identity.
This checklist section provides a structured and comprehensive approach to electronic signature validation and ensures that all critical aspects of the system are evaluated.
For more detailed information on electronic signatures, please read our 21 CFR Part 11 compliant electronic signatures article.
To ensure compliance with electronic signature requirements, verify the following steps:
- Are electronic signatures in the system restricted to authorized users only?
- Does each user have their own unique electronic signature?
- Are electronic signatures only being used by their genuine owners?
- Do electronic signatures use at least two different identification components, such as an identification code and password?
- Does the system require all electronic signature components for the first signature within a series of signatures in a single system access?
- Does the system require at least one electronic signature component for subsequent signatures?
- Does the system require all electronic signature components when a user signs during several system accesses?
- Is there a procedure to prevent signatures from being reassigned or reused?
- Did users provide a traditional handwritten signature on the Electronic Signature Agreement to acknowledge that their electronic signature is equivalent to a handwritten signature?
- Has the company ensured that everyone using electronic signatures in their system, used on or after August 20, 1997, has their certification submitted to the FDA?
- Has the company followed the submission guidelines on the FDA’s web page on the Letters of Non-Repudiation Agreement to certify electronic signatures?
- Are the users aware that the FDA may require them to provide additional certification or testimony of the equivalence of an electronic signature to their handwritten signature?
SimplerQMS requires at least two different identification components, such as an identification code and password, for electronic signatures. This ensures that only genuine owners can use their signatures.
The system also follows procedures to prevent electronic signatures from being reassigned or reused, ensuring that signatures are unique and cannot be used by anyone else.
Access Security
Proper identification code and password controls are essential to maintain access security per section 21 CFR Part 11.300.
One way to ensure compliance with these controls is to implement best practices for password creation and management, which you can learn more about in our article on 21 CFR Part 11 password requirements.
Additionally, specific procedures and checks ensure unique, valid, and secure identification codes and passwords. It is also important to manage lost or compromised credentials and devices.
Ensure access security by checking off the following:
- Are controls in place to ensure each individual has a unique identification code and password combination?
- Is the system capable of preventing the creation of duplicate identification code and password combinations?
- Are passwords required to expire and be updated periodically?
- Are there any procedures in place to recall or revise identification codes and passwords if necessary?
- Is there a procedure to periodically check the validity of the identification code and password combinations recorded in the system?
- Are there procedures to revoke identification code and password combinations that may have been compromised?
- Is there a procedure for recalling identification codes and passwords if someone leaves the company?
- Is there a procedure to disable lost, stolen, or missing electronic devices to protect system access and sensitive data?
- Are temporary or permanent password replacements issued using appropriate and rigorous controls?
- Does the system detect attempts at unauthorized use of passwords and identification codes?
- Is the system security unit immediately informed of any attempts at unauthorized use of passwords and identification codes?
- Is organizational management notified of any unauthorized use of passwords and identification codes, if appropriate?
- Does the company perform initial testing on devices that generate or hold identification codes or password information to ensure they function properly?
- Does the company perform periodic device testing to ensure the devices still function properly?
- Is there a procedure to test devices that generate or hold identification codes or password information for unauthorized alterations?
For example, SimplerQMS employs Microsoft Entra ID (previously known as Microsoft Azure Active Directory) for managing access control and electronic signature components.
Each signing credential has a unique signature assigned to it, along with a specific user identification code and password.
Our software enforces strict password security by requiring passwords to have a minimum length of eight characters, including at least one uppercase letter, one lowercase letter, and one digit.
Furthermore, passwords in SimplerQMS expire and are required to be updated every three months.
Going Beyond 21 CFR Part 11 Compliance With SimplerQMS
SimplerQMS not only meets but exceeds the 21 CFR Part 11 compliance requirements.
We offer a complete QMS software solution designed specifically for the Life Science industries and fully compliant with 21 CFR Part 11.
Here are some of the key SimplerQMS features that help ensure compliance with 21 CFR Part 11:
- Document Management: Our software enables easy creation, storage, organization, and retrieval of electronic records. SimplerQMS provides 21 CFR Part 11 compliant document management capabilities that include version control, automated numbering, change control management, and more.
- Electronic Signatures: With SimplerQMS, it is possible to work with electronic signatures easily, providing security and eliminating the need for physical signatures. Our software links electronic signatures to electronic records, ensuring document authenticity, integrity, and confidentiality.
- User Access Control: SimplerQMS uses Microsoft Entra ID to manage system access. The software also allows companies to assign roles and responsibilities to employees and control who can access the system by setting access levels based on user groups.
- Time-stamped Audit Trails: SimplerQMS keeps track of every change in records and provides an audit trail that includes the date and time of each change. This helps to identify who performed what, when, and the reason why.
- Training and Support: We offer training to ensure users are familiar with the system and can use electronic records and signatures for assigned tasks. The integrated training module allows for easy employee training management and tracking, including 21 CFR Part 11 process-specific training.
SimplerQMS is a complete eQMS solution for Life Science companies.
We provide integrated QMS modules such as document management, employee training, change control, non-conformance, customer complaint, CAPA, supplier management, and more.
The software streamlines processes and ensures compliance with regulations, such as 21 CFR Part 11, and many other Life Science regulations and standards, while saving time and resources.
This allows companies to focus on more value-adding activities, such as product research and development. In other words, they can allocate more time and resources toward innovation, improving products and services, and staying ahead of the competition.
To evaluate the benefits of eQMS, we suggest downloading our eQMS Business Case template. It helps you identify potential ROI (Return on Investment) and present findings to management.
Final Thoughts
Use our free 21 CFR Part 11 checklists for Gap Analysis and compliance assessment to identify areas for improvement, and reduce the risk of non-compliance.
Furthermore, Life Science companies must go beyond just 21 CFR Part 11 compliance and embrace modern digital solutions to manage quality processes more effectively. Implementing QMS software helps streamline processes and move towards a culture of continuous improvement.
SimplerQMS provides a comprehensive solution, including all QMS modules such as document control, change control, training, non-conformance, CAPA, supplier, audit management, and more. The system also fully complies with 21 CFR Part 11 requirements for electronic records and signatures.
If you are interested in learning more about SimplerQMS and how we can help your company ensure 21 CFR Part 11 compliance and streamline quality management processes, book a free demo today.