We all know the importance of 21 CFR Part 11 and in particular how people access these systems on a regular basis. For those of you who are not familiar with this regulation it is referenced in 11.10 “Controls for closed systems” and 11.30 “Controls for open systems:

(ii) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

(iii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

Access must be limited to authorized individuals. The FDA recommends that:

  • Each user of the system have an individual account;
  • User should log into their accounts at the beginning of a data entry session, input information (including changes) on the electronic record, and log out at the completion of the data entry session;
  • The system be designed to limit the number of log-in attempts and to record unauthorized access log-in attempts;
  • Users should work only under their own user profiles encompassing unique user IDs and individual passwords or other access keys and not share these with others;
  • The system not allow an individual to log into the system to provide another person access to the system;
  • Passwords or other access keys be changed at established intervals commensurate with a documented risk assessment;
  • When leaving a workstation, users should log off the system. Alternatively, an automatic log off may be appropriate for long idle periods;
  • For short periods of inactivity, an automatic protection (for example, an automatic screen saver) be installed against
    unauthorized data entry.

Sample Regulatory Action

An inspection for compliance with 21 CFR 211 in November 1997 resulted in a warning letter for a company because there were insufficient controls in place to ensure the integrity of data calculated by software in its quality control laboratory. Specifically:

  • There was no audit trail to track the number of templates accessed to generate data calculations;
  • Password protection could be bypassed in the system;
  • Data files were automatically deleted after a hardcopy was generated and there wasn’t a requirement to identify the analyst or time/date stamp spreadsheet hardcopies.