Part 11 compliant systems must be designed so that unauthorized attempts to use e-signatures are detected and reported to security management.

Access must be limited to authorized individuals.

The FDA recommends the following.

1. Individual Account

Each user of the system has an individual account.

2. Data Entry Session

Users should log into their accounts at the beginning of a data entry session, input information (including changes) on the electronic record, and log out at the completion of the data entry session.

3. Limit Number of Logins

The system be designed to limit the number of log-in attempts and to record unauthorized access log-in attempts.

4. Unique User ID

Users should work only under their own user profiles encompassing unique user IDs and individual passwords or other access keys and not share these with others.

5. Admin Functionality

The system will not allow an individual to log into the system to provide another person access to the system.

6. Passwords

Passwords or other access keys can be changed at established intervals commensurate with a documented risk assessment.

7. Log Off System

When leaving a workstation, users should log off the system. Alternatively, an automatic log off may be appropriate for long idle periods.

8. Automatic Screen Saver

For short periods of inactivity, an automatic protection (for example, an automatic screen saver) be installed against unauthorized data entry.