Our company has a validated 21 CFR Part 11 compliant software system. We are developing a web service to interact with another company's software system. The user on the other company's system will input data that will (via the web service) change data in our system. The user will log into the other company's software. The web service will be hard-coded with a username and password not unique to the individual but rather the company. This non-unique username and password is what will allow access to our software.
Is the login to the other company's software sufficient to comply with the electronic signatures requirement?
What if the other company's software is not validated?
The answer could potentially be 'yes', depending on the following queries...
The above approach could be simulating/simplifying the processes, but in order to maintain the state of compliance (at your end at least), we need to see the approach in the following steps...
1) How does the data/info changed through the web service affect the CFR-related activities at your site? (GxP relevance?)
2) What kind of traceability is maintained for all such transactions of the web services?
3) How do you authenticate the changes made through web services before implementing them (making them effective)? If not, then your system's activities are not controlled, i.e., you are relying on the third-party system(s) and processes (from the other company, which may or may not be Part 11 compliant).
4) How do you maintain the audit trail?
*) What kind of web services (technical authentication/challenges/protocols) are in place to ensure the validity of the interface?
Hope this helps...
But if you describe a brief outline (scenario) of your web-services interface, then the response could be more specific.
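An added example, not part of the thread: one way the receiving system could keep individual attribution and a tamper-evident audit trail when the web service authenticates with a shared company credential, touching points 2 to 4 and the starred point above. The field `originating_user`, the account name `partner-co-svc`, the HMAC request signing and the hash-chained log are all assumptions made for illustration.

```python
import hashlib, hmac, json

# Constructed values for illustration only (assumptions, not from the thread).
SERVICE_ACCOUNT = "partner-co-svc"
SHARED_KEY = b"constructed-demo-key"  # in practice loaded from a secrets store

def sign_request(body: dict, key: bytes = SHARED_KEY) -> str:
    """Partner side: HMAC-SHA256 over the canonical JSON body."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class AuditTrail:
    """Append-only log; each entry's hash commits to the previous entry."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record: dict, prev: str) -> str:
        return hashlib.sha256((json.dumps(record, sort_keys=True) + prev).encode()).hexdigest()

    def append(self, record: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append(dict(record, prev=prev, hash=self._digest(record, prev)))

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            record = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != self._digest(record, prev):
                return False  # an entry was altered, removed or reordered
            prev = e["hash"]
        return True

def apply_change(store: dict, trail: AuditTrail, body: dict, signature: str, received_at: str) -> bool:
    """Our side: authenticate the interface, require a named user, log, then apply."""
    if not hmac.compare_digest(sign_request(body), signature):
        return False  # not signed by the holder of the shared key
    user = body.get("originating_user")
    if not user:
        return False  # the shared account alone gives no individual attribution
    trail.append({
        "service_account": SERVICE_ACCOUNT, "originating_user": user,
        "field": body["field"], "old": store.get(body["field"]),
        "new": body["value"], "received_at": received_at,
    })
    store[body["field"]] = body["value"]
    return True
```

The user name in the request is still asserted by the other company's software, so it is only as trustworthy as that system's login controls.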