Part 11 compliant systems must be designed so that unauthorized attempts to use e-signatures are detected and reported to security management.
Access must be limited to authorized individuals.
The FDA recommends the following.
1. Individual Account
Each user of the system has an individual account.
2. Data Entry Session
Users should log into their accounts at the beginning of a data entry session, input information (including changes) on the electronic record, and log out at the completion of the data entry session.
3. Limit Number of Logins
The system should be designed to limit the number of log-in attempts and to record unauthorized log-in attempts.
4. Unique User ID
Users should work only under their own user profiles encompassing unique user IDs and individual passwords or other access keys and not share these with others.
5. Admin Functionality
The system will not allow an individual to log into the system to provide another person access to the system.
6. Passwords
Passwords or other access keys can be changed at established intervals commensurate with a documented risk assessment.
7. Log Off System
When leaving a workstation, users should log off the system. Alternatively, an automatic log off may be appropriate for long idle periods.
8. Automatic Screen Saver
For short periods of inactivity, an automatic protection (for example, an automatic screen saver) should be installed against unauthorized data entry.
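The sketch below is an added example, not FDA text or any vendor's code. It shows one way items 3, 7 and 8 can fit together: a per-account attempt limit, a record of every log-in attempt, an alert for security management, and idle-time handling. The class name, method names and all three thresholds are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

MAX_ATTEMPTS = 3       # assumed values; set them from the documented risk assessment
SCREEN_LOCK_S = 300    # short inactivity -> screen lock (item 8)
AUTO_LOGOFF_S = 1800   # long idle period -> automatic log off (item 7)

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessControl:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}      # user_id -> (salt, derived key); one account per person
        self.failures, self.sessions = {}, {}  # failed-attempt counts; last activity
        self.audit = []      # every log-in attempt, successful or not
        self.alerts = []     # events reported to security management

    def add_user(self, user_id, password):
        salt = os.urandom(16)
        self.users[user_id] = (salt, derive(password, salt))

    def _record(self, user_id, event):
        self.audit.append((self.clock(), user_id, event))

    def login(self, user_id, password):
        if self.failures.get(user_id, 0) >= MAX_ATTEMPTS:
            self._record(user_id, "rejected_locked")
            return False
        salt, key = self.users.get(user_id, (b"\0" * 16, b""))
        # Always run the derivation so unknown IDs take as long as known ones.
        if hmac.compare_digest(derive(password, salt), key) and user_id in self.users:
            self.failures[user_id] = 0
            self.sessions[user_id] = self.clock()
            self._record(user_id, "login_ok")
            return True
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        self._record(user_id, "login_failed")
        if self.failures[user_id] == MAX_ATTEMPTS:
            self.alerts.append((user_id, "locked after repeated failed log-ins"))
        return False

    def session_state(self, user_id):
        last = self.sessions.get(user_id)
        if last is None:
            return "logged_off"
        idle = self.clock() - last
        if idle >= AUTO_LOGOFF_S:
            del self.sessions[user_id]
            self._record(user_id, "auto_logoff")
            return "logged_off"
        return "screen_locked" if idle >= SCREEN_LOCK_S else "active"
```

Unlocking a locked account is deliberately left out; in practice that is an administrator action that should itself be written to the audit record.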