Computer System Validation CFR 21 Part 11 (Sub Part Guideline)

CFR 21 Part 11 (Sub Part Guideline)

Section	Description
11.1(a)	Validation should include application specific functions as well as functions related to Part 11, electronic audit trail and electronic signatures. Recommended test procedures include: ·         Limited and authorized system access.:-  It  can be Described by entering correct and incorrect password combinations and verifying. ·         Limited access to selected tasks and permissions. This can be achieved by trying to get access to tasks as permitted by the administrator and verifying ·         Audit trail :- Perform actions that should go into the e-audit trail according to specifications. Audit Trail should be Computer Generated. ·         Accurate and complete copies. :- Calculate results from raw data using a defined set of evaluation parameters (e.g., chromatographic integrator events, calibration tables etc.). Save   raw data, final results and evaluation parameters on a storage device. Switch off the computer. Switch it on again and perform the same tasks as before using data stored on the storage device. Results should be the same as for the original evaluation.. ·         Signatures with records: - Sign a data file electronically.Check the system design and verify that there is a clear link between the electronic signature and the data file. For example, the link should include the printed name or a clear reference to the person who signed, the date and time and the meaning of the Signature
11.10(b)	Accurate :- "Procedures should be in place to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records"
11.10(c)	Retrieval :- "Records must be protected to enable their accurate and Ready retrieval throughout the records retention period".
11.10(d)	Limited Access :- Describe the following Thing ·         Limited access can be ensured through physical and/or logical security mechanisms. ·         Most companies already have procedures in place. For logical security users typically log on to a system with a user I.D. and password. Physical security through key locks or pass cards in addition to logical security is recommended for high-risk areas, for example, for data centres with network severs and back-data. These procedures should be very well documented and validated.
11.10(e)	User-Independent Computer Generated Time-Stamped Audit Trails - "Procedures should be available to use secure, computer- generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject Electronic records and shall be available for agency review and copying.” ·         Most important is the word “independently”, which means independently from the operator. The main purpose is to ensure and prove data integrity. ·   If the data has been changed the computer should record what has been changed and who made the change. The audit trail functionality should be built into the software and is especially important for critical computer related processes with manual operator interaction.
11.10(f)	Operational System Checks :- "Procedures should be available to use operational system checks to enforce permitted sequencing of steps and events, as appropriate.”
11.10(g)	Authority Checks :- "Procedures should be available to use authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand". ·         Authority checks must be in place to ensure “authenticity, integrity and confidentiality” of electronic records, and to ensure that the signer cannot “readily repudiate the signed record as not genuine.” ·      This requires procedural and technical controls. Procedures should be in place to assign access to systems and permitted tasks to individuals and the system should be able to verify that an individual is permitted or authorized to perform the requested function. Authority checks should be used when an individual attempts to: ·         Access a system. ·         Perform selected permitted tasks. ·         Change a record. ·         Electronically sign a record.
11.10(h)	Device Checks :- "Procedures should be available to use device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction". ·         This requirement refers to automatically determining the identification and location of a piece of equipment hardware or another computer system. An example would be that a computer system controlling an instrument should automatically recognize the equipment as a valid input device through its serial number. If the serial number is not set up in the computer’s database the instrument cannot be used as an input device.
11.10 (i)	Training :- "Procedures should be available to determine that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks". ·         People qualification is a GxP requirement and not specific to Part11. Procedures should be in place to document tasks and qualifications, to develop a gap analysis and to develop an Implementation plan on the gaps that can be filled. This paragraph applies to users as well as developers of systems and also to people supporting all kinds of computer systems Including network infrastructure.
11.10 (j)	Accountability:- "Procedures should be available to establish, and adhere to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification". ·         Procedures should make employees aware that electronic signatures have the same meaning as handwritten signatures. The content of the procedures should be communicated in trainings and enforced.
11.10(k)	System Documentation :- "Procedures should be in place for appropriate controls oversystems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2)Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation". ·         System documentation includes all lifecycle documents from validation planning, vendor assessment, development documentation and specifications, to installation records, operation and test procedures and protocols, change control and procedures to ensure system security and the operator’s authenticity. All documentation should followapproved change control processes and should be under revision control. Controls should be in place to ensure that the most recent version of the document is always used.

Note :- This is Only Knowledge Purpose and Blog Contain is my View  + Internet Search and Guideline.