This is the memo we created to self-certify to Part 11:

| Guidance Ref. No. | Requirement | Answer | Compliant? |
| --- | --- | --- | --- |
| 11.10 | Controls for closed systems | XXX is designed to be a closed system and uses username and password credentials to authenticate each user. | Yes |
| 11.10a | Validation of Systems | Validation reporting within QMS | Yes |
| 11.10b | FDA Copies | All quality relevant data is available electronically as well as in a human readable format. | Yes |
| 11.10c. | Protection and recoverability | XXX is running on at least two distributed servers in parallel. This ensures high availability and duplication of the data (fail-over). Furthermore, we regularly back up the data for added protection. | Yes |
| 11.10.d | Limiting system to authorized individuals | Access to the data is given only to authorized persons with individual usernames and passwords. | Yes |
| 11.10e | Audit Trails | Modifications to database so that the reported temperature data is stored with a calculated hash value that can be used to verify the data authenticity. Also, access permissions have been updated to prevent any updates through the application and out-of-application access to GCP is audited. | Yes |
| 11.10f | Operation Sequences | Whenever actions must be performed in a specific sequence the system enforces this sequence and therefore prevents accidental changes to data. | Yes |
| 11.10g | Authority checks | XXX has a role-based authority concept which meets the requirements of 21 CFR Part 11. | Yes |
| 11.10h | Device Checks | The system has validated input and output interfaces. The webservice based interfaces accept and provide data securely in the so-called JSON format. | Yes |
| 11.10i | Training | All experts who are involved in the creation and maintenance of XXX are trained in computer system validation and 21 CFR Part 11 compliance. | Yes – Upon hire and annually thereafter. |
| 11.10j | Establishment and adherence to written policies | XXX has established, and adheres to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | Yes |
| 11.10k | Control over Documentation | Our software documentation is validated through a strict review and versioning process. | Yes |
| 11.30 | Controls for Open Systems | This point does not apply since XXX is designed to be a closed system. | N/A |
| 11.50 a/b | Signature Manifestations | This point does not apply since XXX does not make use of electronic/digital signatures. | N/A |
| 11.70 | Signature/record linking | This point does not apply since XXX does not make use of electronic/digital signatures. | N/A |
| 11.1001 a,b, c | Electronic Signatures | This point does not apply since XXX does not make use of electronic/digital signatures. | N/A |
| 11.200 a, b | Electronic signature components | This point does not apply since XXX does not make use of electronic/digital signatures. | N/A |
| 11.300a | Uniqueness of each combined identification code and password | The system ensures that the login credentials are always unique. | Yes |
| 11.300b | Changing and aging of credentials | The system enforces passwords to be changed after a certain period. Furthermore, authorized personnel can lock and unlock certain users if necessary. | Yes |
| 11.300c | Loss Management Procedures | This point does not apply since XXX does not make use of any hardware to identify individuals. The username/password credentials are the only way to get access to the system. | N/A |
| 11.300d | Safeguards to prevent unauthorized access | Two-factor authentication is in place. | Yes |
| 11.300e | Initial and periodic testing of authentication devices | This point does not apply since XXX does not make use of any hardware to identify individuals. The username/password credentials are the only way to get access to the system. | N/A |