Stage One Computing
Date: <Date>
Author: <Bahman Kolahi>
Audited part: Stage One Computing A/S, Laurentsvej 27, DK-2880 Bagsværd
Subject: Audit checklist for Computerized systems at Company Stage One Computing A/S
File name: SOC_21CFRPart11_GAP_analyse.doc
Version: 00h Unreleased document – Ready for customer review 1

Document approvals
Company | Date | Init | Name | Signature
Stage One Computing | yyyy.mm.dd | BaKo | Technical Expert, Author, Bahman Kolahi |
Stage One Computing | yyyy.mm.dd | DEF | Technical Expert, Ditlev Erwin Frandsen |
Stage One Computing | yyyy.mm.dd | GHI | QA, Gert Henriette Invarsen |
System Audit Protocol
726922226
Page 1 of 18
Distribution list
Company | Person
Stage One Computing | Bahman Kolahi (BaKo@stageone.dk)
Stage One Computing | Ditlev Erwin Frandsen (DEF@stageone.dk)
Stage One Computing | Gert Henriette Invarsen (GHI@stageone.dk)
1.1 Purpose
The purpose of this document is to define how an audit of GxP critical computer systems at Stage One Computing will be performed. The audit will assess whether the systems fulfil the requirements specified in 21 CFR Part 11.
1.2 Scope
The audit will concentrate on Unomedical sites in Europe, covering the following sites:
Site name | Site address | System types
BA | Laurentsvej 27, DK-2880 Bagsværd, Denmark | Production and administration
JO | Bygaden 2, Jørlunde, DK-350 Slangerup, Denmark | Production
An audit will be made of each GxP critical computer system as defined in the Audit Protocol (this document). The method used is an Audit checklist, which is part of chapter 4 of this document.
The method of progress is to execute this Audit Protocol and use the data and information found to evaluate the level of GxP criticality. All systems are later evaluated via risk assessment. All system evaluations will result in a Validation Master Plan that defines further system validation activity.
Figure 2.1 Document workflow
When the audit of all GxP critical computer systems is finalized, an Audit Report that summarizes the activities during the audit will be written. This report will list all systems evaluated during the system selection audit. The report will focus on listing the GxP level of the GxP critical computer systems identified during system selection.
Copies of the checklist will be made for each GxP critical computer system, and the copies will be attached to the audit report as appendixes.
Example of listing contents in the Audit Report:
System ID: [Number according to company’s internal procedures – also used as reference to the previously executed System Selection Checklist and later the Risk Assessment]
GxP level: [Direct Impact DI, Indirect Impact II, No Impact NI]
Note/comments: [Free text notes]
Appendix ref.: [Reference number to the filled-in checklist]
This list will be the basis of an additional audit to evaluate if these selected GxP critical computer systems fulfil the requirements specified in 21 CFR Part 11.
The following audit checklist will be copied for each GxP critical computer system. The checklist has 4 columns:
1. ID: Unique identification of audit checkpoint.
2. 21 CFR Part 11: Reference to the paragraph in 21 CFR Part 11.
3. Question / Requirement: The 21 CFR Part 11 requirement is phrased as a question or a statement.
4. Answer / Comment: The result of the audit checkpoint with regard to the 21 CFR Part 11 requirement. The result may be an answer to the Audit Question [3], covering “Yes”, “No” or “N/A”, plus an optional explanation if deemed necessary.
4.1 System Information
Please specify the name of the computer system that is about to be audited and the area or section in which it is used.
System Name | Area of Use | System ID [e.g. TAGname]
System contact | E-mail | Phone no.
4.2 Validation / System documentation
Columns: Audit checkpoint ID | 21 CFR Part 11 | Question / Requirement | Answer / Comment
Answer / Comment: Additional comments can be made on a separate paper marked with the audit checkpoint ID and attached to the page. N/A indicates that no comments are made. [Comment or N/A]

AUP1.1 § 11.10 (a)
Question: Is the system validated?
Method: Verify if system validation documentation exists.

AUP1.2 § 11.10 (a)
Question: Does the system have any design specifications?
Method: Verify if System Design Specifications exist.

AUP1.3 § 11.10 (a)
Question: Does the system have a User requirement specification?
Method: Verify if User Requirements Specifications exist.
System ID __________ Appendix no. ______________ Date ____________ Initials ___________
Appendix to System Selection Report SOC_21CFRPart11_GAP_analyse_001
Appendix page ______ of _______
AUP1.4 § 11.10 (a)
Question: Does the system have a user manual?
Method: Verify if a user manual exists.

AUP1.5 § 11.10 (a)
Question: Does the system have documented source code?
Method: Verify if source code exists. Verify if source code is accessible (via supplier), or formal agreement regarding source code availability exists.

AUP1.6 § 11.10 (a)
Question: Does the system have any other documentation? (Please specify)
Method: Verify if other documentation than the ones (AUP1.1 - AUP1.5) mentioned above exists (i.e. mail, letters, fax documents etc.).
4.3 Security
Columns: Audit checkpoint ID | 21 CFR Part 11 | Question / Requirement | Answer / Comment
Answer / Comment: Additional comments can be made on a separate paper marked with the audit checkpoint ID and attached to the page.

AUP2.1 § 11.300 (b)
Question: Do passwords periodically expire and need to be revised?
Method: Verify at system administrator level if passwords expire.

AUP2.2 § 11.200 (a) (1) (i)
Question: Is the signature made up of at least two components, such as an identification and password?
Method: Verify at system administrator level if multi-level authentication is implemented.

AUP2.3 § 11.100 (b)
Question: Is the identity of an individual verified before an electronic signature is allocated?
Method: Verify if users are identified at an administrative level.

AUP2.4 § 11.70
Question: Are signatures linked to their respective electronic records to ensure that they cannot be cut, copied, or otherwise transferred by ordinary means for the purpose of falsification?
Method: Verify if system records and audit trails are encrypted or protected by other means (i.e. file security).
AUP2.5 § 11.100 (a)
Question: Are electronic signatures unique to an individual?
Method: Verify at an administrative level that password policies are in control.

AUP2.6 § 11.3
Question: Are data encrypted?
Method: Verify at a system administrative level that data are encrypted.

AUP2.7 § 11.10 (k)
Question: Is the distribution of, access to, and use of systems operation and maintenance documentation controlled?
Method: Verify if SOPs are in place.

AUP2.8 § 11.10 (g)
Question: Does the system ensure that only authorized individuals can use the system, electronically sign records, access the operation, or computer system input or output devices, alter a record, or perform other operations?
Method: Verify that administrative SOPs are in place.
AUP2.9 § 11.10 (d)
Question: Is system access limited to authorized individuals?
Method: Verify that administrative SOPs are in place and that system security is implemented in configuration.
4.4 Electronic Records / Electronic signature
Columns: Audit checkpoint ID | 21 CFR Part 11 | Question / Requirement | Answer / Comment
Answer / Comment: Additional comments can be made on a separate paper marked with the audit checkpoint ID and attached to the page.

AUP3.1 § 11.10 (e)
Question: Is there a secure, computer generated, time stamped audit trail that records the date and time of operator entries and actions that create, modify, or delete electronic records?
Method: Verify if an audit trail is implemented.

AUP3.2 § 11.10 (e)
Question: Upon making a change to an electronic record, is previously recorded information still available?
Method: Verify that audit trail data cannot be overwritten or deleted in the audit trail.

AUP3.3 § 11.10 (e)
Question: Is the reason for a change or an operation recorded?
Method: Verify at an administrative level that the reason is recorded.

AUP3.4 § 11.10 (e)
Question: Is the audit trail of a given electronic record retrievable during the retention period?
Method: Verify that backup and end-of-life procedures are in place.
AUP3.5 § 11.10 (e)
Question: Is the audit trail available for review and copying by authorities?
Method: Verify that human readable documentation can be presented.

AUP3.6 § 11.10 (e)
Question: Do time records of audit trail refer to a given standard time?
Method: Verify if full time format is implemented.

AUP3.7 § 11.3
Question: Are digital signatures used?
Method: Verify if signatures consist of 3 elements.

AUP3.8 § 11.100 (a)
Question: Are electronic signatures ever reused by, or reassigned to, anyone else?
Method: Verify if procedures allow reassignment of signatures.

AUP3.9 § 11.100 (c)
Question: Confirmation with regulatory authorities that electronic signatures are used as equivalent to handwritten signatures.
Method: Verify if information of use of electronic signatures has been submitted to FDA.
AUP3.10 § 11.200 (a) (1) (ii)
Question: When several signings are made during a continuous session, is the password executed at each signing? (Note: both components must be executed at the first signing of a session.)
Method: Verify that both ID and password are presented at every signature.

AUP3.11 § 11.200 (a) (1) (ii)
Question: If signings are not done in a continuous session, are both components of the electronic signature executed with each signing?
Method: Verify that both ID and password are presented at every signature.

AUP3.12 § 11.200 (a) (2)
Question: Are non-biometric signatures only used by their genuine owners?
Method: ???

AUP3.13 § 11.300 (a), § 11.200
Question: Would an attempt to falsify an electronic signature require the collaboration of at least two individuals?
Method: Verify at an administrative level that procedures secure password and ID integrity (note that system administrators have special access to the system, and users must be alert to password inconsistencies).
AUP3.14 § 11.300 (a)
Question: Are controls in place to maintain the uniqueness of each identification, such that no individual can have the same identification?
Method: Verify that users are unique (note that IDs cannot be deleted or reused).

AUP3.15 § 11.50 (a)
Question: Do signed electronic records contain the following related information?
The printed name of the signer
The date and time of signing
The meaning of the signing (such as approval, review, responsibility)
Method: Verify if signatures are complete according to full name, complete time and the meaning of the signing.

AUP3.16 § 11.50 (b)
Question: Is the above information (3.13) shown in human readable copies of the electronic records?
Method: Verify if human readable documentation contains complete signatures according to full name, complete time and the purpose of the signing.
AUP3.17 § 11.10 (a)
Question: Is it possible to discern invalid or altered records?
Method: Verify by scrutinizing system documentation that system integrity is implemented.

AUP3.18 § 11.10 (b)
Question: Is the system capable of producing accurate and complete copies of records in electronic form for inspection, review, and copying by the FDA?
Method: Verify that human readable documentation can be presented.

AUP3.19 § 11.10 (c)
Question: Are the records readily retrievable throughout their retention period?
Method: Verify that backup and end-of-life procedures are in place.

AUP3.20 § 11.10 (c)
Question: Can data retention be set to a given time?
Method: Verify if a minimum data retention time is defined by procedures.

AUP3.21 § 11.10 (c)
Question: Are there any tools / utilities that enable the use of records that have been created with expired software that is now unavailable and ensure readability of such records in the future?
Method: Verify if end-of-life procedures are available.
4.5 Procedure and Routines
Columns: Audit checkpoint ID | 21 CFR Part 11 | Question / Requirement | Answer / Comment
Answer / Comment: Additional comments can be made on a separate paper marked with the audit checkpoint ID and attached to the page.

AUP4.1 § 11.10 (i)
Question: Is there documented training, including on the job training for system users, developers, IT support staff?
Method: Verify that the documentation mentioned is available.

AUP4.2 § 11.10 (i)
Question: Documented evidence of education, training and experience of persons that develop, service and use the system is required.
Method: Verify that the documentation mentioned is available.

AUP4.3 § 11.10 (j)
Question: Is there a written policy that makes individuals fully accountable and responsible for actions initiated under their electronic signatures?
Method: Verify that the documentation mentioned is available.

AUP4.4 § 11.10 (k)
Question: Is there a formal change control procedure for system documentation that maintains a time sequenced audit trail for those changes made by the pharmaceutical organization?
Method: Verify that the documentation mentioned is available.
AUP4.5 § 11.300 (b)
Question: Is there a procedure for recalling identification codes and passwords if a person leaves or is transferred?
Method: Verify that the documentation mentioned is available.

AUP4.6 § 11.300 (b)
Question: Is there a procedure for electronically disabling an identification code or password if it is potentially compromised or lost?
Method: Verify that the documentation mentioned is available.

AUP4.7 § 11.300 (d)
Question: Is there a procedure for detecting attempts at unauthorized use and for informing security?
Method: Verify that the documentation mentioned is available.

AUP4.8 § 11.10
Question: Is there a procedure for reporting repeated or serious attempts at unauthorized use to management?
Method: Verify that the documentation mentioned is available.

AUP4.9 § 11.10
Question: Is there a procedure for electronically disabling a device if it is lost, stolen, or potentially compromised?
Method: Verify that the documentation mentioned is available.
AUP4.10 § 11.10 (c)
Question: Is there a given procedure for archival storage and data maintenance during retention time?
Method: Verify that the documentation mentioned is available.
5. Abbreviations and word explanations
Word/abbreviation | Meaning
FDA | US Food and Drug Administration
SOC | Stage One Computing

6. References
Reference | Document
SOC_Protokol_for_systembestemmelse Version 001 | System Selection Checklist

7. Appendixes
Reference | Document
N/A | N/A

8. Change log
Date
2004.09.16
2004.09.22
Person
Bahman Kolahi
Bahman Kolahi
2004.09.28
2004.09.30
2004.10.02
Bahman Kolahi
Bahman Kolahi
Christian Stage
2004.10.05
2004.10.05
2004.11.05
Bahman Kolahi
Christian Stage
Christian Hemmingsen
Christian Hemmingsen
Bahman Kolahi
Document purpose
Used for defining systems, and establish which ones can be defined as critical.
Version
00a
00b
00c
00d
00e
00f
Changes
Document created
Document updated to reflect Stage One Computing document standards
Minor modifications to document
Example of audit report added
Information added to checklists
Reference table added
Audit execution and report divided into 2 separate sections
Corrections caused by workshop
00g
00h
Corrections of styles and formatting
Document released for review 1