21 CFR Part 11 Password Requirement for a Web Service

QACat

Our company has a validated 21 CFR Part 11 compliant software system. We are developing a web service to interact with another company's software system. The user on the other company's system will input data that will (via the web service) change data in our system. The user will log into the other company's software. The web service will be hard coded with a username and password not unique to the individual but rather the company. This non-unique username and password is what will allow access to our software.

Is the login to the other company's software sufficient to comply with the electronic signatures requirement?

What if the other company's software is not validated?
 

sagai

Quite Involved in Discussions
It is a bit vague to me what the intent of this software is, so I cannot reply properly.
Part 11 is applicable in a specific context only, not in general.
Cheers
 

BradM

Leader
Admin
Our company has a validated 21 CFR Part 11 compliant software system. We are developing a web service to interact with another company's software system. The user on the other company's system will input data that will (via the web service) change data in our system. The user will log into the other company's software. The web service will be hard coded with a username and password not unique to the individual but rather the company. This non-unique username and password is what will allow access to our software.

Is the login to the other company's software sufficient to comply with the electronic signatures requirement?

What if the other company's software is not validated?


I don't know if I am well versed enough in the CFR to state that it does not meet the intent, but it does not sound like it. Anyone could log on to the website that had the standard password and such and add, change, edit data in the system, and there would be no record of who performed it.

I think you would want a system that uniquely tracks the individual who enters data and such where there is accountability.
 
QACat

Thank you for your response. We ended up requiring a unique username and password for the system.
 
Deep Krothapalli

FYI -

21 CFR Sec. 11.300 has specific requirements for "identification codes/passwords"
 

v9991

Trusted Information Resource
Our company has a validated 21 CFR Part 11 compliant software system. We are developing a web service to interact with another company's software system. The user on the other company's system will input data that will (via the web service) change data in our system. The user will log into the other company's software. The web service will be hard coded with a username and password not unique to the individual but rather the company. This non-unique username and password is what will allow access to our software.

Is the login to the other company's software sufficient to comply with the electronic signatures requirement?

What if the other company's software is not validated?

The answer could potentially be 'yes', depending on the following queries...
The above approach could be simulating/simplifying the processes, but in order to maintain the state of compliance (at your end at least) we need to see the approach in the following steps:
1) How does the data/info changed through the web service affect the CFR-related activities at your site? (GxP relevance?)
2) What kind of traceability is maintained for all such web service transactions?
3) How do you authenticate the changes made through web services before implementing them (making them effective)? If you do not, then your system's activities are not controlled, i.e., you are relying on the third-party system(s) and processes (from the other company, which may or may not be Part 11 compliant).
4) How do you maintain the audit trail?
*) What kind of web services (technical authentication/challenges/protocols) are in place to ensure the validity of the interface?

Hope this helps...
But if you describe a brief outline (scenario) of your web services interface, then the response could be more specific.
 