
How to make Single Sign On (SSO) comply with e-sig requirements?

SGquality

Quite Involved in Discussions
#1
We have a training software that is part of multiple but independent software systems operating on Single Sign-On (SSO) access controls. In the training software, the trainee "reads and understands" the procedure. With the SSO in place, the trainee need not use his user name and password to acknowledge the training - is this acceptable per e-sig requirement of 21 CFR Part 11? If not, what controls need to be put in place to make it compliant?
 

yodon

Staff member
Super Moderator
#2
Regulations don't mandate signatures on training records. If your procedures do, though, you might be a bit stuck. The single sign-on would constitute the initial set of credentials in a 'continuous period of controlled access.' Subsequent signature applications would require one component each time (which would be the password to ensure it's the component only usable by that individual).
 

SGquality

Quite Involved in Discussions
#3
Thank you.

Could you clarify what is "Subsequent signature applications"? Being SSO, the software would not ask for password - is this something that has to be built in the software?
 

yodon

Staff member
Super Moderator
#4
The regulation defines 2 scenarios: a 'continuous period of controlled access' and individual signings. During a period of continuous controlled access, the user signs on once with full credentials (typically username and password) and then for each signature, supplies the component only usable by the individual (i.e., the password). So in your case, to be fully compliant with e-signature requirements, you would need to prompt for the password for each item signed. And yes, this is built into the software (don't see how that could be done otherwise).

Note that there are considerations for the continuous controlled access; e.g., timeouts after some period of inactivity.

I believe the FDA is still using enforcement discretion. Given that training records aren't required by regulation to be signed and the relative low risk, it *may* never come up in an inspection. I wouldn't just ignore it, though. I'd at least document an assessment of the impact of non-compliance and have that available should it ever come up. That would at least show you considered it and made a rational decision.
 

MC Eistee

Starting to get Involved
#5
I took this from the preamble of 21 CFR Part 11:

"The agency acknowledges that there are some situations involving repetitive signings in which it may not be necessary for an individual to execute each component of a nonbiometric electronic signature for every signing. The agency is persuaded by the comments that such situations generally involve certain conditions. For example, an individual performs an initial system access or 'log on,' which is effectively the first signing, by executing all components of the electronic signature (typically both an identification code and a password). The individual then performs subsequent signings by executing at least one component of the electronic signature, under controlled conditions that prevent another person from impersonating the legitimate signer. The agency’s concern here is the possibility that, if the person leaves the workstation, someone else could access the workstation (or other computer device used to execute the signing) and impersonate the legitimate signer by entering an identification code or password."

I am really unsure if this actually works with SSO. By "system" the FDA usually means the software itself, like your Training System, Document Management System, PLM System...
By using SSO you would make Windows part of that System.

So from my understanding it is either one of these options:

1. You have SSO in place but then the first signing of a training record will require you to have to enter both username and password. Further signings can use only the password.
2. You don't have SSO and have to enter both username and password when accessing the training system. Then for the signing itself only the password needs to be reentered.


@yodon : what are your thoughts on this?
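
Added example, not from any poster or from the training software discussed: a sketch of the signing flow described in post #4 combined with option 1 of post #5, where the first signing needs both components, later signings need only the password, and an inactivity timeout ends the period. `CredentialStore`, `SigningSession`, the 900-second limit and the record IDs used with it are assumptions made for illustration.

```python
import hashlib
import hmac
import os

INACTIVITY_LIMIT_S = 900  # assumed; the thread only says "some period of inactivity"

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CredentialStore:
    """Constructed stand-in for the identity provider's password check."""
    def __init__(self):
        self._users = {}

    def add(self, user_id, password):
        salt = os.urandom(16)
        self._users[user_id] = (salt, _digest(password, salt))

    def verify(self, user_id, password):
        # Unknown users get a dummy salt and an empty digest, so they never match.
        salt, stored = self._users.get(user_id, (b"\0" * 16, b""))
        return hmac.compare_digest(_digest(password, salt), stored)

class SigningSession:
    """Signing state for one SSO-authenticated user inside the training application."""
    def __init__(self, sso_user, store):
        self.sso_user, self.store = sso_user, store
        self.last_signed_at = None  # None until a signing with both components succeeds
        self.audit = []             # (user, record_id, time, components executed)

    def sign(self, record_id, password, now, user_id=None):
        in_period = (self.last_signed_at is not None
                     and now - self.last_signed_at <= INACTIVITY_LIMIT_S)
        # First signing, or period lapsed (option 1 in post #5): the SSO login
        # alone is not counted, so the user must type the ID and the password.
        if not in_period and user_id != self.sso_user:
            return "need_user_id_and_password"
        if not self.store.verify(self.sso_user, password):
            return "rejected"
        self.last_signed_at = now
        components = "password" if in_period else "user_id+password"
        self.audit.append((self.sso_user, record_id, now, components))
        return "signed"
```

The audit tuple records which components were executed for each signing, which is the evidence an assessment of the e-signature controls would draw on.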
 