Transcription
21 CFR PART 11Requirement ChecklistDoes MadgeTechSecureSoftware Comply?No AdditionalAction RequiredTo Comply?The system must be capable of beingvalidated.YesYesThe customer must execute the IQ/OQ/PQ to validate that thesoftware is installed correctly and that it operates properlyIt must be possible to discern invalid oraltered records.YesNoThe file format used in the Secure software is proprietary to MadgeTechand cannot be opened in any other piece of software. Only .MTFFS filesare able to be saved and/or opened by the MadgeTech Secure.The system must be capable of producingaccurate and complete copies of electronicrecords on paper.YesNoThe MadgeTech Secure software allows the graph and all data recordsto be printed on paper. In addition, device status, data file statistics,audit trails and other pertinent information may be printed.The system must be capable of producingaccurate and complete copies of records inelectronic form for inspection, review andcopying by the FDA.YesNoAll data files may be transferred by e-mail or other means to other users of MadgeTech Secure software, or printed to a secure document inanother format such as PDF.NoAll data downloaded from a device are automatically saved to aninternal secure database, these data cannot be altered, but is alwaysavailable for the user to generate a visual representation of the datain grid, graph, and statistic format.21 CFR Part 11RequirementRecords must be readily retrievablethroughout their retention period.YesCommentsSystem access must be limited to authorized individuals.YesYesThe MadgeTech Secure software ensures that only users with a validUser ID and password can gain access to the software. End-user SOPsshould be developed and maintained to ensure that users do notshare their unique user ID and or passwordThe system must be capable of producing asecure, computer-generated, time-stampedaudit trail that records the date and timeof operator entries and actions that create,modify or delete electronic records.YesNoThe MadgeTech Secure software maintains an audit trail file on anysalient operation performed on the system. The audit trail is secureand encrypted and contains all operations performed by date, timeand operator.Upon making a change to an electronicrecord, original information is still available.YesNoChanges cannot be made to raw data datasets; however, reportsgenerated by the user may be changed as desired.Electronic records audit trails are retrievablethroughout the record’s retention period.YesNoAll audit trails are saved as a part of the record and cannot be deletedor modified in any way.
Does MadgeTechSecureSoftware comply?No AdditionalAction RequiredTo Comply?CommentsThe audit trail is available for review andreproduction by the FDAYesNoThe MadgeTech Secure software allows the Audit Trail to be printed ortransferred electronically for review and reproduction by the FDA.When any sequence of system steps isimportant, that sequence must be enforcedby the system.NoYesThe MadgeTech Secure software does not require any specific sequence of steps or order of operation. The customer is responsible fordefining, writing and enforcing any SOPs that require a sequence ofsteps.YesMadgeTech Secure software requires unique User IDs and passwordsto login to the system. Different features are available to differentusers depending on their level of access. These levels may be definedand created by the user. Defined SOPs should be implemented so thePC requires an authorized login and directs that users cannot sharetheir unique user IDs and or passwords.NoMadgeTech Secure software will only accept input and communicate with data loggers specifically designed and manufactured byMadgeTech using MadgeTech’s proprietary communication protocol.Each MadgeTech data logger is uniquely identified by an electronicserial number.21 CFR Part 11RequirementThe system should ensure that only authorized individuals can use the it, electronicallysign records, access the operation or computer system input or output device, alter arecord, or perform other operations.The system should be able to check thevalidity of the source of any data or instructions If it is a requirement of the systemthat input data or instructions can onlycome from certain input devices.YesYes(Note: This applies where data or instructions can come from more than one device, and therefore the system must verify the integrity of its source, such as anetwork of weigh scales, or remote, radio controlled terminals.)A documented training, including on thejob training for system users, developers, ITsupport staff should be available.YesYesUsers may arrange to purchase on site system training fromMadgeTech or provide their own training through testing and the support of MadgeTech's Secure software documentation package.A written policy that makes individuals fullyresponsible for actions initiated under theirelectronic signatures should be in place.NoYesIt is the responsibility of the customer to provide a written policy thatinforms individual users that they are responsible for all actions takenwhile under their login.The distribution of, access to, and use ofsystems operation and maintenance documentation should be controlled.YesYesThe customer is responsible for obeying the licensing terms anddistribution of the software and documentation that supportsMadgeTech Secure softwareA formal change control procedure forsystem documentation that maintainsa time sequenced audit trail of changesshould be in place.YesNoThe MadgeTech Secure software operations document is revisioncontrolled
Signed Electronic Records21 CFR Part 11RequirementDoes MadgeTechSecureSoftware comply?No AdditionalAction RequiredTo Comply?CommentsSigned electronic records should contain thefollowing related information: Printed name of the signer Date and time of signing Meaning of the signingYesYesThis name of the signer, the date and time of signing and the meaningof the signing are contained in all electronically signed records and allprinted material. The customer is required to define the meaning ofsigning the document.The above information should be shownon displayed and printed copies of theelectronic record.YesNoAll the above information is displayed and printed on all copies ofrecords.Signatures should be linked to their respective electronic records to ensure that theycannot be cut, copied, or otherwise transferred by ordinary means for the purpose offalsification.YesNoSignatures are linked to the original record and cannot be cut, copied,or transferred.Electronic Signatures (General)21 CFR Part 11RequirementDoes MadgeTechSecureSoftware comply?No AdditionalAction RequiredTo Comply?CommentsElectronic signatures must unique to eachauthorized individual.YesNoThe MadgeTech Secure software will not allow the user to duplicateelectronic signatures. MadgeTech recommends that SOPs include astatement clearly defining that only one person is linked to each userID. The administrator must define the unique user IDs, the user mustdefine their own unique password.The reuse or reassignment of electronicsignatures should be discouraged.YesYesThe end user SOPs should state that user IDs are not to be re-used orreassigned to anyone else. User IDs should be inactivated and a newID created.YesThe end user SOP should state that the identity of the individual isverified before an ID is assigned. Once a new user is created, an emailwill be sent to the administrator and user verifying his/her ownunique login password. Once verified the MadgeTech Secure softwarewill identify the individual in the future via the user ID and password.The user will be required to enter their username and password.The identity of the individual should beverified before an electronic signature isallocated.Yes
Electronic Signatures (Non-biometrics)21 CFR Part 11RequirementDoes MadgeTechSecureSoftware comply?No AdditionalAction RequiredTo Comply?CommentsSignatures must be made up of at least twocomponents such as an identification codeand password, or an identification card andpassword.YesNoTo electronically sign a record, the username and password need to beentered.The user's password must be executed ateach signing when several signings aremade during a continuous session.YesNoMadgeTech's Secure software requires the password to be executed ateach signing.If signings are not done in a continuoussession, both components of the electronicsignature should be executed with eachsigning.YesNoTo electronically sign a record, the username and password need toentered at each signing.Non-biometric signatures should only usedby their genuine owners.YesYesUsers should put in place SOPs requiring that combination of user IDsand password only be made known to the genuine owner.Attempts to falsify an electronic signaturemust require the collaboration of at leasttwo individuals.YesYesUsers should put in place SOPs that forbid users from disclosing theirunique User ID and password.
Controls for IdentificationCodes & Passwords21 CFR Part 11RequirementDoes MadgeTechSecureSoftware comply?No AdditionalAction RequiredTo Comply?Controls to maintain the uniqueness of eachcombined identification code and password,such that no individual can have the samecombination of identification code andpassword, are in place.YesNoMadgeTech Secure software will not allow duplicate User IDs.YesThe end user's SOP should state that the System Administrator is toperiodically maintain active accounts and disable inactive accounts.MadgeTech's Secure software allows the administrator to set accounts to expire automatically.Procedures must be in place to ensure thevalidity of identification codes and that theyare periodically checked.YesCommentsPasswords should periodically expire andneed to be revised.YesYesMadgeTech Secure software allows the administrator to give the useroptions to make user passwords expire as well as set warnings tonotify the user in advance as to when the password is scheduled tobe reset. The customer SOP should determine how often and/or whenpasswords expire.Procedure for recalling identification codesand passwords if a person leaves or istransferred should be developed.YesYesPasswords cannot be recalled; the administrator can reset the password.The SOP should state that the administrator can only reset a password ifthe password is lost or stolen, or the user leaves or is transferred.A procedure for electronically disablinga identification code or password if itpotentially compromised or lost should bein place.YesYesThe MadgeTech secure software will allow user accounts to be temporarily or permanently disabled. The customer's SOPs will designatean administrator to have this responsibility. Only administrators canchange user account settings.YesThe MadgeTech Secure software will detect attempts at unauthorizeduse. All attempts are recorded and marked clearly in the audit trail.SOPs should be implemented so that a designated user is responsiblefor reviewing the audit trail for any suspicious activity.YesThe MadgeTech Secure software will detect attempts at unauthorizeduse. All serious or repeated attempts are emailed to the designatedadministrator(s). SOPs should be implemented so that a designated useris responsible for reviewing the audit trail for any suspicious activity.A procedure for detecting attempts atunauthorized use and for informing securityshould be in place.A procedure for reporting repeated orserious attempts at unauthorized use tomanagement should be in place.YesYes
21 CFR PART 11 Requirement Checklist 21 CFR Part 11 Requirement Does MadgeTech Secure Software Comply? No Additional Action Required To Comply? Comments The system must be capable of being validated. Yes Yes The customer must execute the IQ/OQ/PQ to validate that the software is installed correctly and that it operates properly
