Section 21CFR11.10



[Code of Federal Regulations]
[Title 21, Volume 1]
[Revised as of April 1, 2002]
From the U.S. Government Printing Office via GPO Access
[CITE: 21CFR11.10]

[Page 123-124]
 
                        TITLE 21--FOOD AND DRUGS
 
CHAPTER I--FOOD AND DRUG ADMINISTRATION, DEPARTMENT OF HEALTH AND HUMAN 
                                SERVICES
 
PART 11--ELECTRONIC RECORDS; ELECTRONIC SIGNATURES--Table of Contents
 
                      Subpart B--Electronic Records
 
Sec. 11.10  Controls for closed systems.


    Persons who use closed systems to create, modify, maintain, or 
transmit electronic records shall employ procedures and controls 
designed to ensure the authenticity, integrity, and, when appropriate, 
the confidentiality of electronic records, and to ensure that the signer 
cannot readily repudiate the signed record as not genuine. Such 
procedures and controls shall include the following:
    (a) Validation of systems to ensure accuracy, reliability, 
consistent intended performance, and the ability to discern invalid or 
altered records.
    (b) The ability to generate accurate and complete copies of records 
in both human readable and electronic form suitable for inspection, 
review, and copying by the agency. Persons should contact the agency if 
there are any questions regarding the ability of the agency to perform 
such review and copying of the electronic records.
    (c) Protection of records to enable their accurate and ready 
retrieval throughout the records retention period.
    (d) Limiting system access to authorized individuals.
    (e) Use of secure, computer-generated, time-stamped audit trails to 
independently record the date and time of operator entries and actions 
that create, modify, or delete electronic records. Record changes shall 
not obscure previously recorded information. Such audit trail 
documentation shall be retained for a period at least as long as that 
required for the subject electronic records and shall be available for 
agency review and copying.
    (f) Use of operational system checks to enforce permitted sequencing 
of steps and events, as appropriate.
    (g) Use of authority checks to ensure that only authorized 
individuals can use the system, electronically sign a record, access the 
operation or computer system input or output device, alter a record, or 
perform the operation at hand.
    (h) Use of device (e.g., terminal) checks to determine, as 
appropriate, the validity of the source of data input or operational 
instruction.
    (i) Determination that persons who develop, maintain, or use 
electronic record/electronic signature systems have the education, 
training, and experience to perform their assigned tasks.
    (j) The establishment of, and adherence to, written policies that 
hold individuals accountable and responsible for actions initiated under 
their electronic signatures, in order to deter record and signature 
falsification.
    (k) Use of appropriate controls over systems documentation 
including:
    (1) Adequate controls over the distribution of, access to, and use 
of documentation for system operation and maintenance.

[[Page 124]]

    (2) Revision and change control procedures to maintain an audit 
trail that documents time-sequenced development and modification of 
systems documentation.