
21 CFR Part 11 – System Access to Authorized Individuals

We all know the importance of 21 CFR Part 11, and in particular of how people access the systems it covers on a regular basis. For those of you who are not familiar with this regulation, it is referenced in 11.10 “Controls for closed systems” and 11.30 “Controls for open systems”:

(ii) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

(iii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
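The two signing rules quoted above can be enforced as a small state machine. The following is an added example, not code from the article or from the FDA; it assumes the signature components are a user ID and a password, that the password is the component usable only by the individual, and that `presented` holds components an authentication backend has already verified. The class and method names are hypothetical.

```python
ALL_COMPONENTS = {"user_id", "password"}  # assumed two-component signature
PRIVATE_COMPONENTS = {"password"}         # assumed "only executable by" the signer


class SigningSession:
    """One user's continuous period of controlled system access."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.active = True
        self.first_signing_done = False
        self.audit = []  # (record_id, accepted, rule applied)

    def interrupt(self):
        # Logout, lock or timeout ends the continuous period, so rule (iii)
        # applies to whatever is signed next.
        self.active = False
        self.first_signing_done = False

    def resume(self):
        # Re-authentication opens a new period; its first signing is "first" again.
        self.active = True

    def sign(self, record_id, presented):
        presented = set(presented)
        if not self.active:
            accepted, rule = False, "no active session"
        elif not self.first_signing_done:
            accepted = ALL_COMPONENTS <= presented
            rule = "first signing: all components required"
        else:
            accepted = bool(presented & PRIVATE_COMPONENTS)
            rule = "subsequent signing: one private component required"
        if accepted:
            self.first_signing_done = True
        self.audit.append((record_id, accepted, rule))
        return accepted
```
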

Access must be limited to authorized individuals. The FDA recommends that:

  • Each user of the system have an individual account;
  • Users should log into their accounts at the beginning of a data entry session, input information (including changes) on the electronic record, and log out at the completion of the data entry session;
  • The system be designed to limit the number of log-in attempts and to record unauthorized access log-in attempts;
  • Users should work only under their own user profiles encompassing unique user IDs and individual passwords or other access keys and not share these with others;
  • The system not allow an individual to log into the system to provide another person access to the system;
  • Passwords or other access keys be changed at established intervals commensurate with a documented risk assessment;
  • When leaving a workstation, users should log off the system. Alternatively, an automatic log off may be appropriate for long idle periods;
  • For short periods of inactivity, an automatic protection (for example, an automatic screen saver) be installed against unauthorized data entry.
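Three of the recommendations above (individual accounts, a limit on log-in attempts with failed attempts recorded, and automatic log off after a long idle period) are shown together in the following added example, which is not code from the article or from the FDA. The attempt limit, the idle period, the event names and the `AccessController` class are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 3        # assumed limit; set it from your risk assessment
IDLE_LOGOFF_SECONDS = 15 * 60  # assumed idle period before automatic log off


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessController:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts = {}  # user_id -> (salt, derived key): one account per user
        self.failures = {}  # user_id -> consecutive failed log-ins
        self.sessions = {}  # user_id -> time of last activity
        self.audit = []     # (time, user_id, event), append-only in this sketch

    def _record(self, user_id, event):
        self.audit.append((self.clock(), user_id, event))

    def add_user(self, user_id, password):
        salt = os.urandom(16)
        self.accounts[user_id] = (salt, derive(password, salt))

    def login(self, user_id, password):
        if self.failures.get(user_id, 0) >= MAX_FAILED_ATTEMPTS:
            self._record(user_id, "login_rejected_locked")
            return False
        salt, key = self.accounts.get(user_id, (b"\0" * 16, b""))  # unknown ID never matches
        if hmac.compare_digest(derive(password, salt), key):
            self.failures[user_id] = 0
            self.sessions[user_id] = self.clock()
            self._record(user_id, "login_ok")
            return True
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        self._record(user_id, "login_failed")
        return False

    def touch(self, user_id):  # call on each data-entry action; False means log in again
        last = self.sessions.get(user_id)
        if last is None or self.clock() - last > IDLE_LOGOFF_SECONDS:
            if self.sessions.pop(user_id, None) is not None:
                self._record(user_id, "auto_logoff_idle")
            return False
        self.sessions[user_id] = self.clock()
        return True
```

A locked account stays locked until an administrator resets its failure counter, which this sketch leaves out.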

Sample Regulatory Action

An inspection for compliance with 21 CFR 211 in November 1997 resulted in a warning letter for a company because there were insufficient controls in place to ensure the integrity of data calculated by software in its quality control laboratory. Specifically:

  • There was no audit trail to track the number of templates accessed to generate data calculations;
  • Password protection could be bypassed in the system;
  • Data files were automatically deleted after a hardcopy was generated and there wasn’t a requirement to identify the analyst or time/date stamp spreadsheet hardcopies.


4 thoughts on “21 CFR Part 11 – System Access to Authorized Individuals”

  1. I am very disappointed with this article. You have quoted section 11.200 of Part 11, “Electronic signature components and controls”, but the rest of your article discusses system access and data protection. While many companies do use the same components to control user access as they use for electronic signatures, the user id/password combination and electronic signature components serve very different purposes. They should never be thought of as the same thing; this can lead to confusion about the use, meaning, and application of electronic signatures, and improper implementation of controls required by Part 11.
    The recommended access controls discussed in this article, and the regulatory action cited do not appear to be related to electronic signatures. The applicable sections of part 11 are 11.10 “Controls for closed systems” and 11.30 “Controls for open systems.”
    Access controls serve the purpose of helping to protect data integrity. Electronic signatures are intended to take the place of handwritten signatures on paper.
    There is enough misinterpretation and misunderstanding of the regulations out there without having it perpetuated in this forum.

  2. Hello kaysee12, thank you for pointing out this error; we have now updated the article.
