I’m exploring the “SharePoint Configuration Guidance for 21 CFR Part 11 Compliance” whitepaper and noticed the following statement regarding regulations for signatures:
“21 CFR Part 11 is the only one with a concept of a signing password, where the user re-authenticates in order to validate the signing event.”
I can’t see this requirement explicitly stated in the 21 CFR Part 11 regulation and would therefore argue that the above statement could be challenged.
Try 11.200(1)(a): i When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
[/i]
The intent is to ensure that the person signing is really the person signing. Say you logged in (or initiated a signing session) and then walked away from your computer. Some devious person might take the opportunity to sign something for you. If the system requires you to re-authenticate (typically a password entry), they wouldn’t be able to complete the signing. (Of course if they were really devious, they’d look under your keyboard to see the hand-written copy of your password then complete the signing. )
Thanks very much for your reply and I had a feeling you might say that! Whilst I agree with the intent, I think the wording is open to interpretation and leaves room for manouevre - humour me if you will with the following hypothetical example:
Let’s say we have a system whereby ‘controlled system access’ is granted via username and password i.e. using all electronic signature components and that this statement is clearly defined in the system’s validation package. As such I would argue that every signing in a ‘controlled system access’ session, be it the first, second or fiftieth would therefore be ‘executed’ using all electronic signature components because by definition, having ‘controlled system access’ was entirely dependent upon all electronic signature compenents. It says nothing about time frames or leaving a desk and so whilst I understand the intent, I don’t think the regulation is clear enough in mandating this - if they mean that then they need to say that!
To defend this position further lets say I work for a company with certification to the ISO 27001 Information Security standard, as such we have an approved and regularly audited clear desk policy mandating that workstations cannot be left unlocked when the operator is not present, thus delivering the same intent but via a different highly governed mechanism. I think a combination of these measures could potentially defend the absence of a password prompt at the point of signature.
Do you think the above challenge would hold water? I guess in summary what I am saying is that the word ‘executed’ was poorly chosen by the regulators (leaving the options above as viable in my eyes) and that the term re-authenticated, as stated in the SharePoint whitepaper would have been more appropriate in achieving the intent. I know I’m being a pedant but just interested to hear other peoples opinions on this and fancied a debate!
Whether or not something holds water is in the eyes of the inspector. I expect you know the history of the regulation (“enforcement discretion” and all that). If you feel you are in a defensible position for being reasonably certain that the person electronically signing that document is the actual person signing, then put it forth! It’s always best to document that kind of rationale / decision. If you have something of a validation master plan, you can document it there. Outside or in addition to that, you might search around the internet for a Part 11 checklist and go through the exercise, documenting this rationale.
By now, the inspectors (if they actually check!) are getting pretty used to seeing the controls as I described. Deviations from that will be questioned, likely, but if you have your rationale documented, you’re at least in a better position.
Thanks again, yes I 100% agree with you. I just thought I’d put this scenario out there in anticipation of proceeding down a similar route to see what you experts here had to say, rather hear it from you first than in an audit situation.
