Has anyone had their electronic system scrutinized in an FDA inspection?

[Mark Meer]

Hoping people can share how they handle electronic signatures, and more generally electronic systems access.

Is there one system administrator with complete control? ...or are administration rights compartmentalized somehow to ensure security?

Presently, for our (simplistic) system, we have a single administrator, which seems to work fine for us...

But now I'm re-reading the US FDA's 21 CFR Part 11 regulations and notice the following (11.200):
"(a) Electronic signatures that are not based upon biometrics shall:
...
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals...."
(emphasis added)

I'm curious how others handle this? Because the system administrator has ultimate control over system access, they could technically forge an electronic signature without the "collaboration of two or more individuals".

 

[Mark Meer]

Re: Electronic signatures and systems security

Replying to my own post here to hopefully encourage input and discussion...

Personally, I feel that the level of security measures employed should be commensurate with the sensitivity of the information, and be appropriate to the scale of the company activities and resources.

In an electronic world, system administrators a given a tremendous amount of power and responsibility, and have to be trusted implicitly.

So the question is: who controls the controllers? What kinds of controls are appropriate and effective?

Look forward to replies...
MM

 

[Mark Meer]

Re: Electronic signatures and systems security

Rather than start another thread, I've got another related inquiries.

Has anyone had their electronic system scrutinized in an FDA inspection?
...if so, how did it go?

Does anyone use software (e.g. such as Adobe Acrobat) to implement electronic signatures?
...if so, what is the burden of validation you implement? Do you have additional controls (e.g. how do you enforce requirements of 21 CFR 11.300)?

 

[Marc]

Good question and discussion topic. I wish a few people in the medical devices industry who visit here have something to say.

 

[lfrost]

Re: Electronic signatures and systems security

Rather than start another thread, I've got another related inquiries.

Has anyone had their electronic system scrutinized in an FDA inspection?
...if so, how did it go?

Does anyone use software (e.g. such as Adobe Acrobat) to implement electronic signatures?
...if so, what is the burden of validation you implement? Do you have additional controls (e.g. how do you enforce requirements of 21 CFR 11.300)?

Mark Meer,

We just had our FDA Inspection and we are a medical device company. We have an electronic system, our CAPA is electronic with the reports being online. The Inspector wasn't very hard on having the signatures digital because we designate it as being such in our procedures.

Although he did find some observations, as they always do, our electronic signatures were not one of them. In fact, because the digital signatures do not move in a MS Word document, we have the person just type their names in the signature block as directed in our procedures.

So I think that you might be overthinking the electronic signature requirement in the CFR. Of course, I am only basing this on the experience that we just had.

 

[Mark Meer]

Re: Electronic signatures and systems security

I think that you might be overthinking the electronic signature requirement in the CFR

It's easy to overthink these CFR requirements, as interpretations seem to vary widely. I'm simply trying to account for strict interpretations, to preempt any future investigator interpretations.

Requirements such as 11.200(a)(3): "...use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals...", if strictly interpreted, can make it very difficult to develop a compliant system.

Thanks for your input all the same... it helps to have some idea of others' experiences...

My other inquiries related to general system security and integrity when there is only one system administrator is more philosophical, and just because I like to discuss things!

 

[Ronen E]

Re: Electronic signatures and systems security

In fact, because the digital signatures do not move in a MS Word document, we have the person just type their names in the signature block as directed in our procedures.

I don't understand "digital signatures do not move in a MS Word document" or how the above arrangement prevents anyone from typing in another's name.

 

[yodon]

Because the system administrator has ultimate control over system access, they could technically forge an electronic signature without the "collaboration of two or more individuals".

I'll jump in on this part...

Indeed, while you couldn't completely prevent forgery (since someone will have the skeleton key), I think the idea is that the user controls his password. It requires 2 forms of authentication; generally username and password. Probably everyone knows the username but only the user should know his / her password. (The admin could reset the password and forge the approval but I think the intent was to prevent someone with a direct interest; e.g., management, from forging the signature).

As far as prevalence in inspections, I've been in a couple and they tiptoed rather lightly through electronic records (no e-sigs were used). I don't think it's that well understood by the average inspector. Both operations were small companies so it would have been next to impossible to even need to forge someone's signature. I expect that a large organization heavily using e-records and e-signatures would get more scrutiny.

 

[lfrost]

Re: Electronic signatures and systems security

I don't understand "digital signatures do not move in a MS Word document" or how the above arrangement prevents anyone from typing in another's name.

Ronen E,

when you use a "digital signature" MS Word interprets it as a picture, or an image. It "anchors" the image to the document. if some one comes along later and edits the document by adding additional notes, then the information is obscured by the digital signature.

 

[MIREGMGR]

Focus on Part 11 has varied over time, particularly in regard to small-company systems, I think in consideration of political heat at FDA by such small companies' complaints to Congress.

When Part 11 was first published, username-and-password wasn't going to be considered a sufficient means of identifying an individual user, both because so many people write their password on a sticky note on their monitor or use "password" as their password; and because when the user of such a system leaves their desk for some reason, the time between most recent user input and screensaver imposition (i.e. security turn-on) probably will be the relatively long default time, and during this time anyone could sit down at the desk and take actions in the absent-but-logged-in user's place.

Thus the original Part 11 called for a biometric user ID system or some similarly secure approach, with user ID required immediately before signing a document,