Has anyone had their electronic system scrutinized in an FDA inspection?

Mark Meer

Trusted Information Resource
#1
Hoping people can share how they handle electronic signatures, and more generally electronic systems access.

Is there one system administrator with complete control? ...or are administration rights compartmentalized somehow to ensure security?

Presently, for our (simplistic) system, we have a single administrator, which seems to work fine for us...

But now I'm re-reading the US FDA's 21 CFR Part 11 regulations and notice the following (11.200):
"(a) Electronic signatures that are not based upon biometrics shall:
...
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals...."

(emphasis added)

I'm curious how others handle this? Because the system administrator has ultimate control over system access, they could technically forge an electronic signature without the "collaboration of two or more individuals".
 
Last edited:
Elsmar Forum Sponsor

Mark Meer

Trusted Information Resource
#2
Re: Electronic signatures and systems security

Replying to my own post here to hopefully encourage input and discussion...

Personally, I feel that the level of security measures employed should be commensurate with the sensitivity of the information, and be appropriate to the scale of the company activities and resources.

In an electronic world, system administrators a given a tremendous amount of power and responsibility, and have to be trusted implicitly.

So the question is: who controls the controllers? What kinds of controls are appropriate and effective?

Look forward to replies...
MM
 

Mark Meer

Trusted Information Resource
#3
Re: Electronic signatures and systems security

Rather than start another thread, I've got another related inquiries. :eek:

Has anyone had their electronic system scrutinized in an FDA inspection?
...if so, how did it go?

Does anyone use software (e.g. such as Adobe Acrobat) to implement electronic signatures?
...if so, what is the burden of validation you implement? Do you have additional controls (e.g. how do you enforce requirements of 21 CFR 11.300)?
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#4
Good question and discussion topic. I wish a few people in the medical devices industry who visit here have something to say.
 
L

lfrost

#5
Re: Electronic signatures and systems security

Rather than start another thread, I've got another related inquiries. :eek:

Has anyone had their electronic system scrutinized in an FDA inspection?
...if so, how did it go?

Does anyone use software (e.g. such as Adobe Acrobat) to implement electronic signatures?
...if so, what is the burden of validation you implement? Do you have additional controls (e.g. how do you enforce requirements of 21 CFR 11.300)?
Mark Meer,

We just had our FDA Inspection and we are a medical device company. We have an electronic system, our CAPA is electronic with the reports being online. The Inspector wasn't very hard on having the signatures digital because we designate it as being such in our procedures.

Although he did find some observations, as they always do, our electronic signatures were not one of them. In fact, because the digital signatures do not move in a MS Word document, we have the person just type their names in the signature block as directed in our procedures.

So I think that you might be overthinking the electronic signature requirement in the CFR. Of course, I am only basing this on the experience that we just had.
 

Mark Meer

Trusted Information Resource
#6
Re: Electronic signatures and systems security

I think that you might be overthinking the electronic signature requirement in the CFR
It's easy to overthink these CFR requirements, as interpretations seem to vary widely. I'm simply trying to account for strict interpretations, to preempt any future investigator interpretations.

Requirements such as 11.200(a)(3): "...use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals...", if strictly interpreted, can make it very difficult to develop a compliant system.

Thanks for your input all the same... it helps to have some idea of others' experiences...

My other inquiries related to general system security and integrity when there is only one system administrator is more philosophical, and just because I like to discuss things! :argue: :agree1:
 

Ronen E

Problem Solver
Staff member
Moderator
#7
Re: Electronic signatures and systems security

In fact, because the digital signatures do not move in a MS Word document, we have the person just type their names in the signature block as directed in our procedures.
I don't understand "digital signatures do not move in a MS Word document" or how the above arrangement prevents anyone from typing in another's name.

:confused:
 

yodon

Staff member
Super Moderator
#8
Because the system administrator has ultimate control over system access, they could technically forge an electronic signature without the "collaboration of two or more individuals".
I'll jump in on this part...

Indeed, while you couldn't completely prevent forgery (since someone will have the skeleton key), I think the idea is that the user controls his password. It requires 2 forms of authentication; generally username and password. Probably everyone knows the username but only the user should know his / her password. (The admin could reset the password and forge the approval but I think the intent was to prevent someone with a direct interest; e.g., management, from forging the signature).

As far as prevalence in inspections, I've been in a couple and they tiptoed rather lightly through electronic records (no e-sigs were used). I don't think it's that well understood by the average inspector. Both operations were small companies so it would have been next to impossible to even need to forge someone's signature. I expect that a large organization heavily using e-records and e-signatures would get more scrutiny.
 
L

lfrost

#9
Re: Electronic signatures and systems security

I don't understand "digital signatures do not move in a MS Word document" or how the above arrangement prevents anyone from typing in another's name.

:confused:
Ronen E,

when you use a "digital signature" MS Word interprets it as a picture, or an image. It "anchors" the image to the document. if some one comes along later and edits the document by adding additional notes, then the information is obscured by the digital signature.
 
M

MIREGMGR

#10
Focus on Part 11 has varied over time, particularly in regard to small-company systems, I think in consideration of political heat at FDA by such small companies' complaints to Congress.

When Part 11 was first published, username-and-password wasn't going to be considered a sufficient means of identifying an individual user, both because so many people write their password on a sticky note on their monitor or use "password" as their password; and because when the user of such a system leaves their desk for some reason, the time between most recent user input and screensaver imposition (i.e. security turn-on) probably will be the relatively long default time, and during this time anyone could sit down at the desk and take actions in the absent-but-logged-in user's place.

Thus the original Part 11 called for a biometric user ID system or some similarly secure approach, with user ID required immediately before signing a document,
 
Thread starter Similar threads Forum Replies Date
M Has anyone has been through an MDR audit? (3/2020) EU Medical Device Regulations 1
M Has anyone heard of Run at Risk? Manufacturing and Related Processes 14
B ASA Aviation Supply Association - Has anyone heard of ASA? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 1
B Has anyone done an IEC 60601-1 gap analysis to IEC 60335? Medical Device and FDA Regulations and Standards News 4
D Has anyone had sudden challenges from Korea-MFDS? Other Medical Device Regulations World-Wide 1
D FDA Biomarker Qualification Program - Has anyone prepared an application? Medical Device and FDA Regulations and Standards News 0
L Has anyone heard of the 2 pan system? Manufacturing and Related Processes 6
M Has anyone here assessed the latest Abbreviated 510(K) guidance document? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
M Does anyone has a good verification and validation plan template? ISO 13485:2016 - Medical Device Quality Management Systems 3
D Has anyone undergone a BARDA (HHS) audit as part of their grant process? Other Medical Device Regulations World-Wide 0
Sidney Vianna LinkedIn bug - Anyone has any idea of how to fix this? Posts not showing for me in a Group feed. Coffee Break and Water Cooler Discussions 2
K Has anyone used QAI for training? Training - Internal, External, Online and Distance Learning 7
D Has anyone here had any experience with PQ-FMEA software? FMEA and Control Plans 1
S Has anyone completed IATF 16949 Certification - Share your Audit Experience? IATF 16949 - Automotive Quality Systems Standard 2
S Has anyone created a Turtle Diagram reflecting the new ISO 9001:2015 Structure? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
M Has anyone done a Gage R&R for Spectrophotometer? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 10
T Has anyone completed the AS9100D Quality Manual transition? Quality Management System (QMS) Manuals 1
D Has anyone taken the AS9100 Delta course / exam? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 37
D Medica show in Dusseldorf - Has anyone else gone? Other Medical Device and Orthopedic Related Topics 3
A AS9100C to D - Has anyone done a gap analysis? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 5
T Has anyone been through the ISO 14001:2015 process? ISO 14001:2015 Specific Discussions 12
Marc Has anyone here gotten Gigabyte Fiberoptics (Internet) to home? Coffee Break and Water Cooler Discussions 3
P Has anyone ever heard of the Eastern Weighing and Inspection Bureau? Calibration and Metrology Software and Hardware 1
M Has anyone successfully challenged the new IATF site extension change? IATF 16949 - Automotive Quality Systems Standard 36
R Does anyone know why the TC 176 website has been hijacked by CSA? ASQ, ANAB, UKAS, IAF, IRCA, Exemplar Global and Related Organizations 1
GStough Rx-360 - Has Anyone Used This and What Was Your Experience? Supplier Quality Assurance and other Supplier Issues 3
A Has anyone made an ISO9001:2015 vs. ISO9001:2008 Matrix ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 32
I Has anyone read BIP 0115:2014? ISO 13485:2016 - Medical Device Quality Management Systems 5
D ?Pa? Capability Index - Has anyone ever heard of this? Capability, Accuracy and Stability - Processes, Machines, etc. 5
optomist1 Has anyone recently taken the GD&T ASME Y14.5M Certification Exam Inspection, Prints (Drawings), Testing, Sampling and Related Topics 4
T Has anyone considered what logic is? Coffee Break and Water Cooler Discussions 23
Jim Wynne Has Anyone Had Trouble with IMDS 8.0? RoHS, REACH, ELV, IMDS and Restricted Substances 17
G Has anyone used shlomo Aviv-lean consultant? Lean in Manufacturing and Service Industries 1
M Has anyone purchased their powerball tickets? 17 May 2013 Coffee Break and Water Cooler Discussions 8
T Has anyone done both Quality and Facility Security Officer (FSO) roles ? Career and Occupation Discussions 8
M Has anyone used SGS as a CB (Certification Body)? Registrars and Notified Bodies 4
R Mix Multi-Site/Individual Certification - Has this ever happened to anyone? Miscellaneous Environmental Standards and EMS Related Discussions 14
B Has anyone used Arena Software Simulation? Process Maps, Process Mapping and Turtle Diagrams 10
C Has anyone used GageWare Software? Quality Assurance and Compliance Software Tools and Solutions 4
M Has anyone used "Paradigm 3" software to Control their Quality or Management System? Quality Tools, Improvement and Analysis 2
Q Has Anyone Heard of Quality University (Online Courses) Training - Internal, External, Online and Distance Learning 2
P Has anyone ever heard of "Quality Gates" (Volkswagen term?) - APQP and PPAP APQP and PPAP 11
A Has anyone tried a DAC (Digital to Analog Converter)? After Work and Weekend Discussion Topics 5
I Has anyone ever heard of Registrar QSRD-International? Registrars and Notified Bodies 36
M Has anyone of you have experience with the World Class Manufacturing system? Lean in Manufacturing and Service Industries 6
K Does anyone has experience with determining if Lubricants and Greases are Food Grade? Food Safety - ISO 22000, HACCP (21 CFR 120) 6
R SOPs in Manufacturing - Has anyone got a management process that works? Document Control Systems, Procedures, Forms and Templates 4
K Has anyone had experience dealing with SEDEX (Supplier Ethical Data Exchange)? Customer and Company Specific Requirements 4
B Has anyone developed an OHSAS 18001 Safety Management System Balanced Scorecard? Occupational Health & Safety Management Standards 13
D Has anyone used Mango as their Quality Software? Quality Assurance and Compliance Software Tools and Solutions 9
Similar threads


















































Top Bottom