ESR CFR 21 FDA

Device Validation Forum.
John E. Lincoln
Issues with Medical Device

Part 11 Electronic Records;
Electronic Signatures
John E. Lincoln
Device Validation Forum discusses regulatory

requirements, scientific principles, strategies, and
approaches associated with medical device validation that are useful to practitioners. We intend this
column to be a valuable resource for daily work
applications. The key objective for this column is
useful information.
Reader comments, questions, and suggestions
are needed to help us fulfill our objective for this
column. Suggestions for future discussion topics or questions to be addressed are requested.
Case studies illustrating principles associated with
medical devices submitted by readers are also most
welcome. We need your help to make Device
Validation Forum a useful resource. Please send
your comments and suggestions to column coordinator John E. Lincoln at jel@jelincoln.com or to
journal managing editor Cale Rubenstein at crubenstein@advanstar.com.
INTRODUCTION
As the medical device industry moves toward electronic records (ER) and signatures by in-house systems and/or cloud/web-based systems, and away from
paper documentation, 21 Code of Federal Regulations
(CFR) Part 11, Electronic Records; Electronic Signatures
(ES) verification and validation (V&V) activities and
documentation become mandatory. These issues are
not only a regulatory/Part 11 concern but also a user/
customer concern.
These requirements should not be viewed as unnecessary bureaucratic red tape. All industries, not just
For more Author
gxpandjvt.com/bios
gxpandjv t.com
magenta
cyan
yellow
black
What are these Issues?

There are several issues pertinent issues that need to
be described. They discuss how a company can verify
or validate compliance to those portions of Part 11
that are applicable to their operations.
Large software applications having a current good
manufacturing practice (cGMP) impact include enterprise resource planning (ERP) systems. ERP validations typically involve both cGMP activities/records
and purely business/non-cGMP activities/records.
These typically impact all areas of a company. They
often present the most complex challenge for a Part 11
V&V project. Since that is the case, a Part 11 validation
will typically only use test cases/scripts that address
specifically the cGMP functions that the software
performs, when they can be separated. Each test case
is developed from the software requirements specification (SRS) or its equivalent, which should only list
those requirements that are cGMP-specific (for the
purpose of the cGMP/Part 11 software V&V).
The companys 21 CFR Part 11 ER/ES requirements
would be included in the SRS. However, the author
recommends that the purely Part 11 requirements be
addressed by test cases in the operational qualification
information,
go to
US Food and Drug Administration-regulated ones,

are increasingly faced with these issues. The requirements of Part 11 are very similar to those that banking, finance, legal, and other business entities face.
All must strive to ensure the integrity of electronic
records/signatures as these increasingly replace paperbased records and documentation systems.
ABOUT THE AUTHOR

John E. Lincoln is a principal consultant for J.E. Lincoln and Associates LLC, which assists companies in the
design and implementation of complete 21 CFR 111, 210, 211, 820 and ISO 13485 quality management systems
that are fully cGMP-compliant and will have pass FDA audits. He may be reached by e-mail at jel@jelincoln.com.
Journal
of
Validation t echnology [Autumn 2012]
ES156867_IVTJVT1112_015.pgs 11.21.2012 00:44
15
ADV
(OQ), including those addressed by non-software/

offline systems and references to relevant standard
operating procedures (SOPs), manual logs, or similar
documentation. The rationale is that the V&V of Part
11 requirements generally focuses on the existence/
initialization (installation qualification [IQ] or operational qualification [OQ]) of each applicable element
of Part 11 rather than its repeatability performance
qualification (PQ). Where proof of repeatability is
a concern, test cases could be added to the PQ runs
as well.
As with any validation, a line in the sand must be
drawn prior to start. This means that once the decision
is made to validate, the software must be frozen
in time, with any future changes performed under
revision/release number/change control. Any changes
must include consideration of the degree of effect the
change may have on any previous verification/validation activities. Where such change control is relatively
easy with hardware, it is increasingly difficult with
software, especially cloud or web-based software
(e.g., applications or data warehousing/storage that
can almost automatically be upgraded, patched,
or have a service pack added by the vendor over the
Internet without notification or input from the using
company).
Whenever this author undertakes such a validation
with a client, a meeting is arranged with the companys information technology (IT) department and
quality assurance (QA) team to initiate systems and
capture and hold all such incoming changes for joint
IT/QA review against existing V&Vs. The appropriate
decision and method of implementation, regression
testing required, and/or similar actions can be decided, documented with supporting rationale, signed,
dated, and implemented under change control. Without such a system in place, any validations are merely
a waste of time and valuable resources.
ELECTRONIC RECORDS/SIGNATURES
AREAS REQUIRING V&V
The following are the type of electronic records and/or
e-signatures that require validation under 21 CFR Part
11. These may be exclusive cGMP records or records
used for cGMP decision-making (regardless of the
company written policy):
Any cGMP document that an SOP states is documented by a controlled hard/paper copy with
manually entered signatures (this includes personnel actually not using these hard copies but
referring to their computers in order to make
quality control [QC]/cGMP decisions [i.e., it is
16
magenta
cyan
yellow
black
Journal
of
not what a company says, but what it is actually

being done])
Management reviews of quality policies, systems,
organization/staffing, audits, etc.
Internal quality audits
Training: conduct, subject matter, and records
Proof of design control activities (an electronic
design history file [e-DHF])
Any cGMP document approval using e-documents
and/or e-signatures
Change control
Documentation of suppliers, evaluation/audits
rankings, and purchasing/quality data
Inventory identification, traceability, and status
Electronic SOPS (e-SOPs)
Monitoring/control of production processes electronically with e-reports
Environmental controls (heating, ventilation,
and air conditioning [HVAC], vector/pest, et al)
Post monitoring (PM) and/or calibration
scheduling
Record of equipment inspections
Control of manufacturing materials (e.g., lubricating oils, cleaners)
Test equipment control, including the above
Validation records
Incoming, in-process, and finished goods inspections: data, acceptance status, quarantine
Non-conformance reports, controls, reviews, dispositions, and approvals
Corrective and preventative action (CAPA) system documentation, including complaint and
MDR files, failure investigations, and root cause
analysis
Labeling design, control/storage, and issuance/
counts
Packaging documentation
Distribution records
All cGMP e-records (if primary records, as defined
by usage)
Device master record (DMR)
Device history (batch/lot) record (DHR)
Any electronic/computer statistical analysis tools
related to making cGMP decisions (e.g., product
release, which may require additional software
V&V)
As per above, all software systems, independent
of cGMP records/signatures used in manufacturing or part of medical devices, require their
own V&V per other guidance documents (820.30
design controls [product validation] and 820.70
[i] automated processes)
iv tnetwork.com
ES156871_IVTJVT1112_016.pgs 11.21.2012 00:44
ADV
John E. Lincoln.
Table I: Subpart 11.10: Verify Records Input and Retention.

Action Initiated
Expected Outcome
Meet Outcome
Can invalid or altered records be

determined?
Invalid/altered records can be

determined.
Yes/No
Attachment #
Is system capable of producing

accurate/complete hard/paper
copies of electronic records?
System produces accurate/

complete hard copies of ER.
Yes/No
Attachment #
Are records readily retrievable

throughout their retention period
(user to define records/data bases
involved and retention periodone
year from shipment, minimum)?
ERs are readily retrievable

throughout their retention period.
Yes/No
Attachment #
Is system access limited to

authorized personnel (by
password, SOP, and user-provided
and physical security)?
System access is limited to

authorized personnel (state
method).
Yes/No
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Table II: Verify Audit Trail.

Action Initiated
Expected Outcome
Meet Outcome
Does system create/maintain a

secure, time-stamped audit trail?
System creates/maintains a
secure, time stamped audit trail.
Yes/No
Attachment #
Does it record date/time, entries/

actions for any activity that
creates, modifies, or deletes
electronic records (documents
to be controlled by user, and 21
CFR Part 820 Quality System [QS]
Regulation/medical device cGMPs).
System records date/time, entries/

actions for any ER creation,
modification, or deletion of cGMP
records.
Yes/No
Attachment #
Are changed or deleted records

archived and retrievable (records to
be defined by user)?
Changed or deleted records are

archived and retrievable.
Yes/No
Attachment #
Is the audit trail retrievable throughout

that records retention period?
Audit trails are retrievable

throughout the ERs retention
period.
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
ERP software used to control movement and storage of inventory, as per above
Any other cGMP/QA/QC approval action and/
or status record.
gxpandjv t.com
magenta
cyan
yellow
black
RISK-BASED BLACK BOX V&V

Since most projects usually involve commercial offthe-shelf (COTS) software, the scripts/test cases are run
black box and also involve hardware functionality.
Journal
of
ES156875_IVTJVT1112_017.pgs 11.21.2012 00:44
17
ADV
Table III: System features/checks.

Verify data installation is completed, correct, and readily retrievable.
Action Initiated
Expected Outcome
Meet Outcome
Can it be reviewed/copied by FDA?
ERs can be reviewed/copied by

FDA.
Yes/No
Attachment #
Does the system enforce sequence

of steps/events if required (e.g., no
release to inverse of non-approved
components/specific steps)?
The system enforces the sequence

of ERP events per referenced flow
charts.
Yes/No
Attachment #
Are only authorized individuals

allowed access to the system,
permitted to sign records, access
the operation/input/output device,
alter records, and perform other
operations (e.g., defined by password
and level of authority/access)?
Only authorized individuals are

allowed access, sign records,
installation/operation access,
records altering, and similar
operations that affect ER accuracy/
retention/retrieve ability.
Yes/No
Attachment #
Does the system check the validity

of the data source if multiple
sources for such data exist?
The system checks one source

therefore there are no checks
between sources.
Yes/No
Verified By
Initial & Date
Comments: __________________________________________________________________________________
Table IV: Training.

Verify data installation completed per SOP.
Action Initiated
Expected Outcome
Meet Outcome
Is training of all involved personnel

conducted and documented
(user issue/vendor assist)?
Training is conducted periodically

and documented.
Yes/No
Attachment #
Do written policies address the

accountability and responsibility of
individuals actions initiated under
their electronic signature (user
issue)?
Written policies/SOPs address ES

accountabilities/responsibilities.
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
Of course, all software V&V is product risk-based. It

is recommended that an International Organization
for Standardization (ISO) 14971 product risk management file/report (and use the same format for non-device
industries) be developed prior to developing the V&V
documentation. The degree of risk tied to the user of the
companys products can be used to determine the amount
of test case/script elements necessary to prove compli18
magenta
cyan
yellow
black
Journal
of
ance. Tie test cases to specific risk document references

by a traceability matrix or commonality of numbering
between hazard/risk entry and test case/script to justify
the degree of verification elements addressed in each test
case. It is crucial to draw that line in the sand on the
software with the support of the company IT department
to prevent non-approved updates, patches, etc. to the
relevant software that could impact the V&V downstream.
iv tnetwork.com
ES156880_IVTJVT1112_018.pgs 11.21.2012 00:44
ADV
John E. Lincoln.
Table V: Systems documentation control.

Verify data installation completed per SOP.
Action Initiated
Expected Outcome
Meet Outcome
Is systems operation/maintenance
documentation controlled
(user and password limits)?
Systems operation/maintenance
documentation is controlled
(reference method[s]).
Yes/No
Attachment #
Is system documentation under

formal change control with a
time-sequenced audit trail for
changes (Also see other audit
trail questions/comments)?
System documentation is under

formal change control with an audit
trail.
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
Table VI: Subpart 11.30.

Verify data installation is completed, correct, and readily retrievable.
Action Initiated
Expected Outcome
Meet Outcome
Is open system data
Open system data is encrypted.
N/A
Are open system signatures

digitized?
Open system signatures are

digitized (or reference any alternate
method(s).
N/A
Verified By
Initial & Date
Comments: __________________________________________________________________________________
The following test case elements are extracted

directly from 21 CFR Part 11.
ELECTRONIC RECORDS AND ELECTRONIC SIGNATURES

Subpart A--General Provisions 11.1 - Scope. 11.2 Implementation. 11.3 - Definitions.
Subpart B--Electronic Records 11.10 - Controls for closed
systems. 11.30 - Controls for open systems. 11.50 - Signature manifestations. 11.70 - Signature/record linking.
Subpart C--Electronic Signatures 11.100 - General requirements. 11.200 - Electronic signature components and controls. 11.300 - Controls for identification codes/passwords.
DEVELOPING THE TEST CASES/TEST

SCRIPT
Each element of the subparts of Part 11 are reframed
into questions or statements for which an answer in
the companys Part 11 software or offline systems
will have to be found. Subparts 11.1, 11.2, and 11.3
gxpandjv t.com
magenta
cyan
yellow
black
provide background information and requirements

of the CFR, and consideration is for reference only.
Beginning with subpart 11.10, the suggested
approach described below can be implemented. In
some instances, assumptions have been made regarding the element to verify. When using this example,
the user will have to adjust actual test cases/scripts to
match the systems/applications elements that apply
to their application. Higher risk applications would
require expansion of the number of test case/test script
entries to resolve or verify function of each element.
SOFTWARE VERIFICATION/VALIDATION
PROTOCOL FORMAT EXAMPLES
The following should be considered as very basic templates. Applicable test cases or test case elements should
be expanded depending upon the applications being
verified/validated. These present one possible method
among many that could be acceptable in validating electronic records and electronic signatures to 21 CFR Part 11.
Journal
of
ES156872_IVTJVT1112_019.pgs 11.21.2012 00:44
19
ADV
VERIFICATION SCRIPT: ELECTRONIC

SIGNATURES
Table VII: Subpart 11.50: Electronic Signatures Features.

Verify data installation is completed, correct, and retrievable.
Action Initiated
Expected Outcome
Meet Outcome
Do electronic signature
manifestations include the printed
name, date/time of signing, and
meaning of signing (approval,
review, responsibility, and feature
is available generally by level of
password-protected /defined level
of access)?
ESs include stated requirements.
Yes/No
Attachment #
Is the signature supporting

information mentioned above
displayed and printed on hard
copies of the electronic record?
ESs are displayed, printed, or

obviously linked on hard copies
printed of the ER.
Yes/No
Attachment #
Are signatures linked to the

respective electronic record
to prevent cut/copy/transfer/
falsification (are signatures
imbedded in the actual record/
document or stored in another file
and flagged)?
ESs are either linked to, or

embedded in, the respective ER.
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
Table VIII: Subpart 11.100: Unique Electronic Signature.

Action Initiated
Expected Outcome
Meet Outcome
Are electronic signatures unique to

an individual (through specific login
and password)?
Unique ESs exist.
Yes/No
Attachment #
ID verified before issue?
Verification performed by system to

prevent duplicate IDs.
Yes/No
Attachment #
Are electronic signatures reused or

reassigned to others (controlled user
SOP number/user setup)?
ESs are not reused
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
20
magenta
cyan
yellow
black
Journal
of
iv tnetwork.com
ES156869_IVTJVT1112_020.pgs 11.21.2012 00:44
ADV
John E. Lincoln.
Table IX: Subpart 11.200: Secure Electronic Signature.

Action Initiated
Expected Outcome
Meet Outcome
Is the signature made up of at least

two components (e.g., code, card,
password combinations, ID and
password, and use physical ID
components [e.g., cards])?
ES has minimum of two

components (describe).
Yes/No
Attachment #
Must the password be executed at

each signing and during a multiple
signing (continuous) session?
Password must be entered for

each signing in multiple signings.
Yes/No
Attachment #
Does the capability exist to be

defined by user?
Capability is defined by user

(describe).
Yes/No
Attachment #
Recommend reentry of password

wherever a new physical signature
would be required rather than a
multiple/continuous-signing feature.
Password reentry is required for

any new signature.
Yes/No
Attachment #
If not continuous, must both

components of the signature be
executed (to be user-defined)?
Describe number of components

required for a signature to be
entered (user ID/user password).
Yes/No
Are non-biometric signatures only

used by their genuine owners (user
SOP defined/a user security issue)?
Describe method used for control

of non-biometric ES: issue of single
user ID/user defined password.
Yes/No
Has it been shown that biometric

signatures can only be used by
their genuine owner (are biometric
signatures [retina or fingerprint
scans, etc.] utilized)?
Biometric signatures are not

currently used in this ERP.
Yes/No
Verified By
Initial & Date
Comments: __________________________________________________________________________________
Table X: Planned security breach.

Action Initiated
Expected Outcome
Meet Outcome
Would an attempt to falsify an

electronic signature require the
collaboration of at least two
individuals (only in the sense that
one of the two just have been
careless in allowing another to
steal and use his/her password)?
Purposeful falsification of an
ES requires two or more willing
individuals
Yes/No
Is the software configured

to require a minimum of two
passwords to accomplish a defined
action (e.g., document changes)?
A minimum of two ESs are required

for the approval of a cGMP ER.
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
gxpandjv t.com
magenta
cyan
yellow
black
Journal
of
ES156868_IVTJVT1112_021.pgs 11.21.2012 00:44
21
ADV
Table XI: Subpart 11.300: User ID/Passwords.

Action Initiated
Expected Outcome
Meet Outcome
Are controls in place to assure

the uniqueness of each code/
password combination?
User IDs/passwords are controlled;

system prevents user ID to be reissued/re-used
Yes/No
Attachment #
Do procedures require the periodic

checking of the validity of ID codes
(user SOP issue: does software do
this automatically)?
This is controlled in Windows OS;

passwords expire per defined
intervals.
Yes/No
Attachment #
Do passwords periodically expire

and require revision (see above)?
Passwords are controlled by

Windows OS with periodic
expiration/revision.
Yes/No
Attachment #
Is there a procedure to recall ID

codes/passwords when someone
leaves/is transferred?
User IDs/passwords are recalled/

retired when the owner leaves/is
transferred per SOP XXX.
Yes/No
Attachment #
Is there a procedure to
electronically disable any ID code/
password that has been potentially
compromised/lost?
User IDs/passwords can be

disabled if they are suspected of
having been compromised/lost per
SOP XXX.
Yes/No
Verified By
Initial & Date
Comments: __________________________________________________________________________________
Table XII: Outside systems breech/hacking.

Action Initiated
Expected Outcome
Meet Outcome
Is there a procedure to detect

attempts at hacking and inform
security (primarily by the audit trail
feature after the fact)?
Hacking can be detected and is

acted upon by reviewing IT or
advanced security logs daily.
Yes/No
Attachment #
Is there a procedure for reporting

repeated or serious attempts at
unauthorized use to management
(could be by means of audit trail
review or user SOP)?
Attempts at unauthorized use

(see above) are documented and
reported to management (describe
method).
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
22
magenta
cyan
yellow
black
Journal
of
iv tnetwork.com
ES156870_IVTJVT1112_022.pgs 11.21.2012 00:44
ADV
John E. Lincoln.
Table XIII: Loss management.

Action Initiated
Expected Outcome
Meet Outcome
Is loss management defined/

practiced for lost or stolen devices
(only by user SOP)?
Loss management of any

applications-accessible devices is
practiced (describe).
Yes/No
Attachment #
Is there a procedure to
electronically disable a device if
its lost/stolen/compromised (by
password access/user alternative)?
Describe any method to disable a

compromised device.
Yes/No
Attachment #
Are there controls for issuance

of temporary and permanent
replacements?
Describe any controls in the

issuance of temporary or
permanent replacement devices.
Yes/No
Attachment #
Is there initial and periodic testing

of tokens/cards?
Describe or N/A
N/A
Does this check for unauthorized

alterations?
Describe or N/A
N/A
Verified By
Initial & Date
Comments: __________________________________________________________________________________
AN IMPORTANT CAVEAT
CONCLUSION
A company may believe and proclaim that it is not

using electronic records and/or electronic signatures.
It may base this on the fact that its SOPs define that
controlled records are paper documents with manual
signatures, and those hard copies are routed for
approval and used for cGMP actions and retains/files.
However, the real test is how records are actually being
used to make cGMP decisions in the company. FDA
consumer safety officers (CSOs)/auditors have been
seen observing company personnel using their computer screen to pull up records and SOPs and then
make cGMP decisions from that image. If this is the
companys practice, even if they are controlling hard
copies and state that in their SOPs, the auditor will
rightly conclude that an e-record is being used and
expect to see 21 CFR Part 11 validation performed.
The use of electronic records and electronic signatures is increasingnot just in regulated industries.
These types of issues will be seen in all industries that
require legally binding documentation. Most professionals already deal with encrypted transactions on
the Internet and hope that companies have similar
systems in place to ensure integrity versus the growing danger of identity theft. The type of information
and verification/validation required in 21 CFR Part
11 will be replicated and expanded upon worldwide,
not only in medical products, but in finance, legal,
and all business entities desiring a viable global business model. JVT
gxpandjv t.com
magenta
cyan
yellow
black
Journal
of
ES156882_IVTJVT1112_023.pgs 11.21.2012 00:44
23
ADV
GLOSSARY
Black box
CDRH
cGMPs
CFR
COTS
CSO
ERP
FDA
24
magenta
cyan
yellow
black
Journal
of
Review/verification of software algorithm/coding by observing the softwares operation of the hardware, without access to the actual software code,
as opposed to white box or glass
box testing (see white box below)
Center for Devices and Radiological
Health
Current good manufacturing practices
(for devices it is 21 CFR Part 820)
Code of Federal Regulation
Commercial off-the-shelf software
Consumer safety officer (i.e., the FDA
compliance auditor)
Enterprise resource planning
The United States Food and Drug
Administration
ISO
IT
IQ
OS
OQ
PQ
International Standards Organization

Information technology
Installation qualification
Operating system
Operation qualification
Performance qualification (generally
three or more as needed by inherent
system inputs, et al, variability)
QA
Quality assurance
RA
Regulatory affairs
R&D
Research and development
SOP
Standard operating procedure
SRS
Software requirements specification
V&V/V[T]&V Verification [Testing] and Validation
White box
Code review for logic and adherence to
conventions with no observable problems (same as glass box review).
iv tnetwork.com
ES156878_IVTJVT1112_024.pgs 11.21.2012 00:44
ADV
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

ESR CFR 21 FDA

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

ESR CFR 21 FDA

Загружено:

Авторское право:

Доступные форматы

Device Validation Forum.

Issues with Medical Device

Device Validation Forum discusses regulatory

For more Author

What are these Issues?

US Food and Drug Administration-regulated ones,

ABOUT THE AUTHOR

Validation t echnology [Autumn 2012]

ES156867_IVTJVT1112_015.pgs 11.21.2012 00:44

Device Validation Forum.

(OQ), including those addressed by non-software/

Validation t echnology [Autumn 2012]

not what a company says, but what it is actually

ES156871_IVTJVT1112_016.pgs 11.21.2012 00:44

Table I: Subpart 11.10: Verify Records Input and Retention.

Can invalid or altered records be

Invalid/altered records can be

Is system capable of producing

System produces accurate/

Are records readily retrievable

ERs are readily retrievable

Is system access limited to

System access is limited to

Table II: Verify Audit Trail.

Does system create/maintain a

Does it record date/time, entries/

System records date/time, entries/

Are changed or deleted records

Changed or deleted records are

Is the audit trail retrievable throughout

Audit trails are retrievable

RISK-BASED BLACK BOX V&V

Validation t echnology [Autumn 2012]

ES156875_IVTJVT1112_017.pgs 11.21.2012 00:44

Device Validation Forum.

Table III: System features/checks.

Can it be reviewed/copied by FDA?

ERs can be reviewed/copied by

Does the system enforce sequence

The system enforces the sequence

Are only authorized individuals

Only authorized individuals are

Does the system check the validity

The system checks one source

Table IV: Training.

Is training of all involved personnel

Training is conducted periodically

Do written policies address the

Written policies/SOPs address ES

Of course, all software V&V is product risk-based. It

Validation t echnology [Autumn 2012]

ance. Tie test cases to specific risk document references

ES156880_IVTJVT1112_018.pgs 11.21.2012 00:44

Table V: Systems documentation control.

Is system documentation under

System documentation is under

Table VI: Subpart 11.30.

Is open system data

Open system data is encrypted.

Are open system signatures

Open system signatures are

The following test case elements are extracted

ELECTRONIC RECORDS AND ELECTRONIC SIGNATURES