21 CFR PART 11

Requirement Checklist
Does MadgeTech No Additional
21 CFR Part 11
Secure Action Required Comments
Requirement
Software Comply? To Comply?

The system must be capable of being The customer must execute the IQ/OQ/PQ to validate that the
Yes Yes
validated. software is installed correctly and that it operates properly

The file format used in the Secure software is proprietary to MadgeTech

It must be possible to discern invalid or
Yes No and cannot be opened in any other piece of software. Only .MTFFS files
altered records.
are able to be saved and/or opened by the MadgeTech Secure.

The system must be capable of producing The MadgeTech Secure software allows the graph and all data records
accurate and complete copies of electronic Yes No to be printed on paper. In addition, device status, data file statistics,
records on paper. audit trails and other pertinent information may be printed.

The system must be capable of producing

All data files may be transferred by e-mail or other means to other us-
accurate and complete copies of records in
Yes No ers of MadgeTech Secure software, or printed to a secure document in
electronic form for inspection, review and
another format such as PDF.
copying by the FDA.

All data downloaded from a device are automatically saved to an

Records must be readily retrievable internal secure database, these data cannot be altered, but is always
Yes No
throughout their retention period. available for the user to generate a visual representation of the data
in grid, graph, and statistic format.

The MadgeTech Secure software ensures that only users with a valid
System access must be limited to autho- User ID and password can gain access to the software. End-user SOPs
Yes Yes
rized individuals. should be developed and maintained to ensure that users do not
share their unique user ID and or password

The system must be capable of producing a

The MadgeTech Secure software maintains an audit trail file on any
secure, computer-generated, time-stamped
salient operation performed on the system. The audit trail is secure
audit trail that records the date and time Yes No
and encrypted and contains all operations performed by date, time
of operator entries and actions that create,
and operator.
modify or delete electronic records.

Upon making a change to an electronic Changes cannot be made to raw data datasets; however, reports
Yes No
record, original information is still available. generated by the user may be changed as desired.

Electronic records audit trails are retrievable All audit trails are saved as a part of the record and cannot be deleted
Yes No
throughout the record’s retention period. or modified in any way.
 Does MadgeTech No Additional
21 CFR Part 11
Secure Action Required Comments
Requirement
Software comply? To Comply?

The audit trail is available for review and The MadgeTech Secure software allows the Audit Trail to be printed or
Yes No
reproduction by the FDA transferred electronically for review and reproduction by the FDA.

The MadgeTech Secure software does not require any specific se-
When any sequence of system steps is
quence of steps or order of operation. The customer is responsible for
important, that sequence must be enforced No Yes
defining, writing and enforcing any SOPs that require a sequence of
by the system.
steps.

MadgeTech Secure software requires unique User IDs and passwords

The system should ensure that only autho-
to login to the system. Different features are available to different
rized individuals can use the it, electronically
users depending on their level of access. These levels may be defined
sign records, access the operation or com- Yes Yes
and created by the user. Defined SOPs should be implemented so the
puter system input or output device, alter a
PC requires an authorized login and directs that users cannot share
record, or perform other operations.
their unique user IDs and or passwords.

The system should be able to check the MadgeTech Secure software will only accept input and communi-
validity of the source of any data or instruc- cate with data loggers specifically designed and manufactured by
tions If it is a requirement of the system Yes No MadgeTech using MadgeTech’s proprietary communication protocol.
that input data or instructions can only Each MadgeTech data logger is uniquely identified by an electronic
come from certain input devices. serial number.

(Note: This applies where data or instructions can come from more than one device, and therefore the system must verify the integrity of its source, such as a
network of weigh scales, or remote, radio controlled terminals.)

A documented training, including on the Users may arrange to purchase on site system training from
job training for system users, developers, IT Yes Yes MadgeTech or provide their own training through testing and the sup-
support staff should be available. port of MadgeTech's Secure software documentation package.

A written policy that makes individuals fully It is the responsibility of the customer to provide a written policy that
responsible for actions initiated under their No Yes informs individual users that they are responsible for all actions taken
electronic signatures should be in place. while under their login.

The distribution of, access to, and use of The customer is responsible for obeying the licensing terms and
systems operation and maintenance docu- Yes Yes distribution of the software and documentation that supports
mentation should be controlled. MadgeTech Secure software

A formal change control procedure for

system documentation that maintains The MadgeTech Secure software operations document is revision
Yes No
a time sequenced audit trail of changes controlled
should be in place.
 Signed Electronic Records
Does MadgeTech No Additional
21 CFR Part 11
Secure Action Required Comments
Requirement
Software comply? To Comply?

Signed electronic records should contain the

This name of the signer, the date and time of signing and the meaning
following related information:
of the signing are contained in all electronically signed records and all
• Printed name of the signer Yes Yes
printed material. The customer is required to define the meaning of
• Date and time of signing
signing the document.
• Meaning of the signing

The above information should be shown

All the above information is displayed and printed on all copies of
on displayed and printed copies of the Yes No
records.
electronic record.

Signatures should be linked to their respec-

tive electronic records to ensure that they
Signatures are linked to the original record and cannot be cut, copied,
cannot be cut, copied, or otherwise trans- Yes No
or transferred.
ferred by ordinary means for the purpose of
falsification.

Electronic Signatures (General)

Does MadgeTech No Additional
21 CFR Part 11
Secure Action Required Comments
Requirement
Software comply? To Comply?

The MadgeTech Secure software will not allow the user to duplicate
electronic signatures. MadgeTech recommends that SOPs include a
Electronic signatures must unique to each
Yes No statement clearly defining that only one person is linked to each user
authorized individual.
ID. The administrator must define the unique user IDs, the user must
define their own unique password.

The end user SOPs should state that user IDs are not to be re-used or
The reuse or reassignment of electronic
Yes Yes reassigned to anyone else. User IDs should be inactivated and a new
signatures should be discouraged.
ID created.

The end user SOP should state that the identity of the individual is
verified before an ID is assigned. Once a new user is created, an email
The identity of the individual should be
will be sent to the administrator and user verifying his/her own
verified before an electronic signature is Yes Yes
unique login password. Once verified the MadgeTech Secure software
allocated.
will identify the individual in the future via the user ID and password.
The user will be required to enter their username and password.
 Electronic Signatures (Non-biometrics)
Does MadgeTech No Additional
21 CFR Part 11
Secure Action Required Comments
Requirement
Software comply? To Comply?

Signatures must be made up of at least two

components such as an identification code To electronically sign a record, the username and password need to be
Yes No
and password, or an identification card and entered.
password.

The user's password must be executed at

MadgeTech's Secure software requires the password to be executed at
each signing when several signings are Yes No
each signing.
made during a continuous session.

If signings are not done in a continuous

session, both components of the electronic To electronically sign a record, the username and password need to
Yes No
signature should be executed with each entered at each signing.
signing.

Non-biometric signatures should only used Users should put in place SOPs requiring that combination of user IDs
Yes Yes
by their genuine owners. and password only be made known to the genuine owner.

Attempts to falsify an electronic signature

Users should put in place SOPs that forbid users from disclosing their
must require the collaboration of at least Yes Yes
unique User ID and password.
two individuals.
 Controls for Identification
Codes & Passwords
Does MadgeTech No Additional
21 CFR Part 11
Secure Action Required Comments
Requirement
Software comply? To Comply?

Controls to maintain the uniqueness of each

combined identification code and password,
such that no individual can have the same Yes No MadgeTech Secure software will not allow duplicate User IDs.
combination of identification code and
password, are in place.

The end user's SOP should state that the System Administrator is to
Procedures must be in place to ensure the
periodically maintain active accounts and disable inactive accounts.
validity of identification codes and that they Yes Yes
MadgeTech's Secure software allows the administrator to set ac-
are periodically checked.
counts to expire automatically.

MadgeTech Secure software allows the administrator to give the user

options to make user passwords expire as well as set warnings to
Passwords should periodically expire and
Yes Yes notify the user in advance as to when the password is scheduled to
need to be revised.
be reset. The customer SOP should determine how often and/or when
passwords expire.

Procedure for recalling identification codes Passwords cannot be recalled; the administrator can reset the password.
and passwords if a person leaves or is Yes Yes The SOP should state that the administrator can only reset a password if
transferred should be developed. the password is lost or stolen, or the user leaves or is transferred.

A procedure for electronically disabling The MadgeTech secure software will allow user accounts to be tem-
a identification code or password if it porarily or permanently disabled. The customer's SOPs will designate
Yes Yes
potentially compromised or lost should be an administrator to have this responsibility. Only administrators can
in place. change user account settings.

The MadgeTech Secure software will detect attempts at unauthorized

A procedure for detecting attempts at
use. All attempts are recorded and marked clearly in the audit trail.
unauthorized use and for informing security Yes Yes
SOPs should be implemented so that a designated user is responsible
should be in place.
for reviewing the audit trail for any suspicious activity.

The MadgeTech Secure software will detect attempts at unauthorized

A procedure for reporting repeated or
use. All serious or repeated attempts are emailed to the designated
serious attempts at unauthorized use to Yes Yes
administrator(s). SOPs should be implemented so that a designated user
management should be in place.
is responsible for reviewing the audit trail for any suspicious activity.

MadgeTech, Inc. . 6 Warner Road . Warner, NH 03278

Tel: (603) 456-2011 . Fax: (603) 456-2012 . [email protected] . www.madgetech.com