Two passwords is this a required?

Hi

I work for a small (<20 employee) software development company in
Beverly, Massachusetts. We are currently developing an FDA-compliant
software solution that utilizes Electronic Signatures. We have a
question regarding the interpretation of Electronic Signatures as
releated to the 21 CFR Part 11 standard.

Background: In order to collect Electronic Signatures in our software,
we are requiring users to re-enter their password when committing a
change to a file (as well as provide a reason and additional notes, if
necessary).

Question: Does the password used for the Electronic Signature have to
be different than the users log in password for the system? In other
words, does each user need to have TWO passwords for a single system;
one for initial log-in, and one for Electronic Signatures?

A client brought up the issue of a second password, and we are unaware
of any regulation that states this as a requirement for FDA compliance.
We have reviewed the 21 CFR Part 11 ruling and have not found any
verbiage to support this two-password paradigm. (The only reference to
two passwords we could find relates to a supervisory user appending the
first signature with their own.)

Any information you can provide would be extremely helpful.

Regards

Patom

Firstly, I would not market it as FDA compliant software. This is a
misnomer, you are creating a tool to become FDA compliant. 21CFRPart 11
depends on a total integration including procedures as well as systems.
Market it as a 21 CFR part 11 “tool” and your clients (as well as the
FDA) will be more trusting that you know what you are doing. Just
because I buy a million dollar reactor does not mean I know how to use
it properly.

Electronic signatures are meant to take the place of hard signatures.
You only have one hard signature right? Same concept with the
electronic signature. There is absolutely no requirement for multiple
electronic signatures related to multiple logins. Perhaps they were
referring to multiple signature meanings as in “approved” “reviewed”
“accepted”, etc.

You would never want different logins with different passwords. That
just makes security less robust and harder to control.

One login, One person, one password that only the person it belongs to
knows.

Regards

There seems to be some confusion in their terminology here. The requirement is as follows for one person:

  • One login to the system for ‘network access’ [User id: Joe Bloggs]
  • One password entry to the system for ‘network access’ [Password: *******]

The above gives the User ‘network access’ to the desktop PC applications installed.

However when the User is requested to electronically sign-off something within a GxP application e.g. a batch release document. He/she would be expected to ‘re-enter’ THE SAME User id and password again as authorization that they are actually the same person using the same desktop PC/station i.e. they haven’t walked away for a beer and somebody else has sat down at the same station! NOTE: This shouldn’t happen anyway as it is a requirement that the PC/station should “time-out” after a period of time!

So yes…one login, one person, one password for ‘system network access’, BUT re-entry of these same details is required at the actual electronic signature sign-off point of the GxP batch release document.

[quote=DaveH]
He/she would be expected to ‘re-enter’ THE SAME User id and password again as authorization that they are actually the same person using the same desktop PC/station i.e. they haven’t walked away for a beer and somebody else has sat down at the same station![/quote]

On this point I have worked with applications where there is an inital login with user_id and password but on subsequent sign-offs off critcal data the application was configured so that only a password was required, assuming that the person was still logged in with their intial username and password and not locked out.

This is still in compliance with part 11.

Regards

[quote=gokeeffe]On this point I have worked with applications where there is an inital login with user_id and password but on subsequent sign-offs off critcal data the application was configured so that only a password was required, assuming that the person was still logged in with their intial username and password and not locked out.

This is still in compliance with part 11.

Regards[/quote]

Agreed. Yes, this common practice is my understanding and experience too.

I’ve always tried to simplify the whole login, user name / password thing. Generally, we have a network password and an application password. Sometimes those two synch up :), other times they don’t :mad: . We are in the process of putting in a new EDMS and this software requires a different username and password for electronic signatures. :confused: Apparently, whoever wrote this software subscribes to the same misinterpretation of Part 11.

Thats a pity, the only way to avoid this I suppose is have someone do the
vendor assessment that understands the regulations. Too many times people who buy applications and devices that are deemed part 11 compliant take for granted that everything is covered.