21 CFR 11 Timeframe of Inactivity after which all Signature Components are Required?


ryno fan

Hi,

The FDA regulation 21 CFR Part 11 (Electronic Records; Electronic Signatures), specifically 11.200 Electronic signature components and controls, requires that:


(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

In the scenario where the authorized user has control over the system but is simply not using it (has it open, but is performing other tasks at his desk): does anyone know of a standard amount of time (from FDA or other guidance) after which an electronic system is expected to prompt the user for "all of the electronic signature components" after such a period of inactivity? (Are there rules on "system timeouts"?)

Thanks
 

yodon

Leader
Super Moderator
Re: 21 CFR 11 Timeframe of Inactivity after which all Signature Components are Required?

Haven't heard of / seen any hard-and-fast rules. The decision (time) should be risk-based.

I've seen 30 minutes as a reasonable time for not-high risks. I think you would have a hard time defending something like 24 hours. Whatever you decide, you may have to defend it so documenting the decision is a good idea.
 

Gert Sorensen


All the systems that I have worked with, or evaluated, have been using 15 minutes of inactivity as the set period before signing the user out.
 

phloQS


Hi,
I have another question related to this topic: do we need an automatic timeout? We have an instruction in one of our procedures that nobody is allowed to leave his desk without logging off the computer, so unauthorized access is not possible. Where is the benefit to security when a person has to use both components again after, let's say, 15 minutes? An accidentally given signature is not possible, because everybody needs one component to sign something. I think typing in the password "accidentally" is not possible. It is different from just clicking OK or setting a checkbox. Any thoughts on this?

regards


phloQS
 

Gert Sorensen


Part 11 is pretty clear on this subject:

Part 11 § 11.200 Electronic signature components and controls.
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.


Your procedure regarding logging off is common sense, but employees do not always demonstrate that :) hence the requirement for controls to be in place for electronic systems.
 

phloQS


We always interpreted point 3 in the way that there must be at least two other persons to supply username/password. I thought this number says that it is prohibited for another person to know the combination of password/username, and that it is prohibited to have any kind of list where these combinations are readable.

regards

phloQS
 

Gert Sorensen


Sure, there is to be no list, and no one is to know your user password, etc. But in the real world people use post-its on their screen, or in their drawer, where they list their passwords, and IT always has access to more than we like. So, to prevent misuse, the time-out has been invented. It is not an ideal solution, but it does increase security.
 

phloQS


So the question is: is it mandatory to have a timeout with a defined time or not? I am sorry that I hang on this point, but our company is just establishing electronic signatures and we are able to change something now. But such a tool must be integrated in the software we use, and this has to be done by developers. We are not selling to the US market at the moment, so I am not very familiar with that topic. We use what a consultant told us.

regards

phloQS
 

Gert Sorensen


My take on that is: yes, it is mandatory to have controls that ensure the need to use a two-component signature. You will have a hard time explaining that your procedure always ensures that. You will not have a hard time demonstrating that you have validated the security measures and controls.
 

phloQS


Thanks for your advice. Just for my understanding: we are just talking about a timeout when the user is inactive (no input over standard I/O hardware like mouse, keyboard, etc.) over a defined timeframe (15 min.).
A general session timeout, even when the user is active (typing, clicking, etc.), is NOT necessary. Did I get it? What about just moving the mouse (without clicking)?

regards

phloQS
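The signing-component rules Gert quoted above (11.200(a)(1)(i) and (ii)) and the inactivity question in phloQS's last post, as an added example that is not code from any poster in this thread or from any vendor's system: a Python session model that demands both components on the first signing of a continuous period and again after an idle break, and accepts the password alone for later signings within the same period. The 15-minute idle window is the figure reported in this thread and is an assumption here, not a regulatory constant; the credential store, the user name jdoe and the batch record names are constructed for the example. What counts as "activity" (keystroke, click, bare mouse move) is left to the integrator: whatever the host application feeds into touch() is what resets the idle clock.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed credential store for this example only. The identification code
# is the user ID; the password is the component only the individual can execute.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_credential(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _derive(password, salt)

USERS = {"jdoe": make_credential("correct horse battery")}  # constructed sample user

def verify_password(user_id: str, password: str) -> bool:
    cred = USERS.get(user_id)
    if cred is None:
        return False
    salt, digest = cred
    return hmac.compare_digest(digest, _derive(password, salt))

class SignatureError(Exception):
    """A signing attempt that does not satisfy the component rules."""

@dataclass
class Signature:
    signer: str
    record: str
    meaning: str
    signed_at: datetime
    components: tuple[str, ...]

@dataclass
class SigningSession:
    """One 'single, continuous period of controlled system access' for a user.
    idle_timeout (15 min here, an assumption taken from this thread) is the
    inactivity window after which that period is treated as ended."""
    user_id: str
    last_activity: datetime
    idle_timeout: timedelta = timedelta(minutes=15)
    signed_this_period: bool = False
    audit: list[Signature] = field(default_factory=list)

    def _expire_if_idle(self, now: datetime) -> bool:
        expired = now - self.last_activity > self.idle_timeout
        if expired:
            # Period ended while idle: the next signing needs all components again.
            self.signed_this_period = False
        return expired

    def touch(self, now: datetime) -> None:
        """Record user activity. Which events count (keystroke, click, bare
        mouse move) is the integrator's decision made at the call site."""
        self._expire_if_idle(now)
        self.last_activity = now

    def sign(self, record: str, meaning: str, now: datetime,
             password: str, user_id: str | None = None) -> Signature:
        needs_all = self._expire_if_idle(now) or not self.signed_this_period
        if needs_all:
            # 11.200(a)(1)(i) first signing, or (ii) after a break in access:
            # both the identification code and the password are required.
            if user_id is None:
                raise SignatureError("identification code required (first signing or session idle)")
            if user_id != self.user_id:
                raise SignatureError("identification code does not match session owner")
            components = ("user_id", "password")
        else:
            # Later signing in the same continuous period: the password alone,
            # the component only executable by the individual.
            components = ("password",)
        if not verify_password(self.user_id, password):
            raise SignatureError("password verification failed")  # a real system also logs this
        sig = Signature(self.user_id, record, meaning, now, components)
        self.audit.append(sig)
        self.signed_this_period = True
        self.last_activity = now
        return sig

def demo() -> list[tuple[str, ...]]:
    """First signing, a quick second signing, a 20-minute gap, then the
    re-prompt for both components. Returns the components used at each step."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    s = SigningSession("jdoe", last_activity=t0)
    pw = "correct horse battery"
    used = [s.sign("batch-001", "reviewed", t0, pw, user_id="jdoe").components]
    used.append(s.sign("batch-002", "reviewed", t0 + timedelta(minutes=5), pw).components)
    try:  # 20 minutes idle: the password alone is refused
        s.sign("batch-003", "reviewed", t0 + timedelta(minutes=25), pw)
        used.append(("unexpected",))
    except SignatureError:
        used.append(("refused",))
    used.append(s.sign("batch-003", "reviewed", t0 + timedelta(minutes=25), pw, user_id="jdoe").components)
    return used

if __name__ == "__main__":
    print(demo())
```

This models the minimum the quoted rule asks for: the idle break only forces the next signing back to both components. The systems Gert describes go further and sign the user out entirely after the idle period, which is stricter and simpler to defend, since a locked screen also blocks everything that is not a signing. Whichever window you pick, the idle check runs inside sign() rather than on a timer, so a signature can never slip through on a stale session between timer ticks.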
 