21 CFR 11 Timeframe of Inactivity after which all Signature Components are Required?


ryno fan

#1
Hi,

The FDA regulation on CFR 11-Electronic Records; Electronic Signatures (specifically 11.200 Electronic signature components and controls) requires that:


(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

In the scenario where the authorized user has control over the system but is simply not using it (has it open, but is performing other tasks at his desk) - Does anyone know of a standard amount of time (from FDA or other guidance) after which an electronic system is expected to prompt the user for "all of the electronic signature components" after such a period of inactivity? (are there rules on "system timeouts"?) :cfingers:

Thanks
 

yodon

Leader
Super Moderator
#2

Haven't heard of / seen any hard-and-fast rules. The decision (time) should be risk-based.

I've seen 30 minutes as a reasonable time for not-high risks. I think you would have a hard time defending something like 24 hours. Whatever you decide, you may have to defend it so documenting the decision is a good idea.
 

Gert Sorensen

#3

All the systems that I have worked with, or evaluated, have been using 15 minutes of inactivity as the set period before signing the user out. :bigwave:
 

phloQS

#4

Hi,
I have another question related to this topic: Do we need an automatic timeout? We have an instruction in one of our procedures, that nobody is allowed to leave his desk without logging the computer, so unauthorized access is not possible. Where is the benefit on security, when a person has to use both components again, after let's say 15 minutes? Accidentally given signature is not possible, because everybody needs one component to sign something. I think typing in the password "accidentally" is not possible. It is different to just clicking ok or setting a checkbox. Any thoughts on this?

regards


phloQS
 

Gert Sorensen

#5

Part 11 is pretty clear on this subject:

Part 11 § 11.200 Electronic signature components and controls.
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.


Your procedure regarding logging off is common sense, but employees do not always demonstrate that :) therefore the requirement for controls to be in place for electronic systems.
:bigwave:
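Added example, not part of the original thread or any poster's code: a minimal Python sketch of the 11.200(a)(1)(i)/(ii) logic quoted above, where an inactivity limit ends the "continuous period" and forces all components again. The class name, the injected clock and the 15-minute default are assumptions for illustration; the limit itself is a risk-based choice, as discussed in the thread.

```python
import hashlib, hmac, os

IDLE_LIMIT_S = 15 * 60  # assumption: risk-based value; the thread mentions 15 and 30 min


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SigningSession:
    """Tracks one 'continuous period of controlled system access' for one user."""

    def __init__(self, user_id, password, clock, idle_limit_s=IDLE_LIMIT_S):
        self._user_id = user_id
        self._salt = os.urandom(16)
        self._pw_hash = _hash(password, self._salt)
        self._clock = clock                # injected so the timeout is testable
        self._idle_limit_s = idle_limit_s
        self._last_activity = None         # None: no full signing yet in this period
        self.audit = []                    # (time, record, result) for every attempt

    def _continuous(self):
        return (self._last_activity is not None
                and self._clock() - self._last_activity <= self._idle_limit_s)

    def touch(self):
        """Record user input; it cannot revive a period that has already lapsed."""
        if self._continuous():
            self._last_activity = self._clock()

    def sign(self, record_id, password, user_id=None):
        """Return 'signed' or a rejection reason; every attempt is audited."""
        pw_ok = hmac.compare_digest(_hash(password, self._salt), self._pw_hash)
        if not self._continuous():
            # First signing, or 11.200(a)(1)(ii): all components are required.
            if user_id is None:
                result = "rejected: all components required"
            elif user_id != self._user_id or not pw_ok:
                result = "rejected: bad credentials"
            else:
                result = "signed"
        else:
            # 11.200(a)(1)(i): subsequent signing, one private component suffices.
            result = "signed" if pw_ok else "rejected: bad credentials"
        if result == "signed":
            self._last_activity = self._clock()
        self.audit.append((self._clock(), record_id, result))
        return result
```

Which input events call `touch()` (key presses, clicks, bare mouse movement) is left to the caller and should be part of the documented, validated decision.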
 

phloQS

#6

We always interpreted the point 3 in the way that there must be at least two other persons to supply username/ password. I thought this number says that it is prohibited that another person knows combination of password/username and that it is prohibited that there is kind of a list where these combinations are readable.

regards

phloQS
 

Gert Sorensen

#7

Sure there is to be no list, and no-one is to know your user password etc. But in the real world people use Post-its on their screen, or in their drawer where they list their passwords, and IT always has access to more than we like. So, to prevent misuse the time-out has been invented. It is not an ideal solution, but it does increase security.
 

phloQS

#8

So the question is: Is it mandatory to have a timeout with a defined time or not? I am sorry that I hang on this point but our company is just establishing electronic signature and we are able to change something now. But such a tool must be integrated in the software we use and this has to be done by developers. We are not selling to US-Market at the moment, so I am not very familiar with that topic. We use what a consultant told us.

regards

phloQS
 

Gert Sorensen

#9

My take on that is: Yes, it is mandatory to have controls that ensure the need to use a two-component signature. You will have a hard time explaining that your procedure always ensures that. You will not have a hard time demonstrating that you have validated the security measures and controls.
 

phloQS

#10

Thanks for your advice. Just for my understanding: We are just talking about a timeout when user is inactive (No input over standard IO-Hardware like mouse, keyboard, etc) over a defined timeframe (15min.).
A general session timeout, even when user is active (Typing clicking etc.) is NOT necessary. Did I get it? What about just moving mouse (without clicking)?

regards

phlo QS
 