To recap, attributable means the record shows who acquired the data or performed the action or modification, and when it happened.

Design Considerations

Computer systems must be procured and configured to meet the applicable regulatory requirements.

The initial user requirements specification (URS) must define the intended use of the systems and how Annex 11 (Europe) or 21 CFR Part 11 (US) applies to them.

A product demo should be performed to show the design and configuration needs coupled with any potential compliance risks.

Vendor documentation should include the specific post-installation attributes of the system that must exist to meet the requirements.

Verification Considerations

A list of defined user roles should exist based on record involvement, for example:

  • User ability to create
  • User ability to modify
  • User ability to delete

Each user must have a unique User ID to access the system.

A Part 11/Annex 11 assessment must be performed to verify that all regulatory expectations are met, including eSignature and record attributes.

Security settings, such as the following, must be in place to prevent administrators from tampering with compliance settings:

  • Audit trail
  • User management
  • Signatures

Best Practices

You should only have one user per role.

If possible, the admin of the system should be independent from the department responsible for the electronic records.

System admins should not review or generate data.

The use of shared or generic log-ons must be avoided to ensure that electronic records and signatures can be attributed to a unique individual.

Implement SOPs to identify the importance of data integrity and define procedural controls to prevent the overwriting or deleting of data.