Q: I have a question about FDA’s expectations for an electronic signature. Access to our computer system is controlled via two distinct components: username and password. After a user first accesses the system, subsequent electronic signatures ask for a reason for the signing and require a password.
In your opinion, does the initial system log-in — using the two distinct components — satisfy the requirements of Part 11 for an electronic signature? Or do the Part 11 requirements need to be met with the first actual signing, after the user is logged into the system?
I have a user questioning our compliance because the first electronic signature presented to him — after authentication — does not request his username. Instead it shows the signatory group he belongs to. So my question might be more simply worded as: does computer system authentication count as your first electronic signature?
A: We get this question frequently. No, the initial log-in or authentication is NOT the initial signature. Both the username and password need to be entered the first time an electronic signature is executed.
With most software, there is a configuration setting that will request the username on the first signature. By default, most software packages have a default setting that only requires the password the first time.
If the only reason for logging into the system is to execute an electronic signature, then you could argue that the log-in is the first signature because that was the intent of the log-in. However, software can’t determine intent; it doesn’t know the reason the user logged into the system. So the best course is to have the first signature require both the username and the password.
Here’s a real-world example: When I log into a training system that requires my signature after I have completed the training, my initial log-in is meant to access the training, then I’ll sign upon completion. Let’s say that, for some reason, I forget to sign after completing the training and proceed to log out. Later, I log back into the system to execute my signature for the completed training. The system doesn’t know why I logged in again; it doesn’t know that I just want to sign my completed training. It might think I want to take some additional training. So it’s best to require the username and password once again.
Answered by Janis Olson, Vice President of Regulatory & Quality Services at EduQuest (22 years as an expert FDA investigator and as the FDA regional director of information management resources). Jan also is an instructor for EduQuest’s FDA Auditing of Computerized Systems and Part 11/Annex 11 training class, and the lead instructor and developer of EduQuest’s Quality Risk Management for FDA/ISO/ICH Compliance training class.
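The signing behavior the answer recommends, sketched as an added example (not code from EduQuest or from any particular software package): log-in authenticates the user but is never counted as a signature, the first signing after each log-in requires both username and password, and later signings in the same session require a reason and the password. The class and function names are hypothetical, the user record is constructed, and requiring the signer to be the logged-in user is an assumption of this sketch.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_store(entries):
    """Build a constructed user table: username -> (salt, password hash)."""
    store = {}
    for name, pw in entries.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(pw, salt))
    return store

class SigningSession:
    """Hypothetical session object; login authenticates but signs nothing."""

    def __init__(self, users):
        self._users = users
        self.user = None
        self.signed_once = False   # reset on every log-in and log-out
        self.audit = []            # (username, reason) per executed signature

    def _check(self, username, password):
        rec = self._users.get(username)
        return rec is not None and hmac.compare_digest(rec[1], _hash(password, rec[0]))

    def login(self, username, password):
        ok = self._check(username, password)
        self.user = username if ok else None
        self.signed_once = False   # the log-in itself is not a signature
        return ok

    def logout(self):
        self.user = None
        self.signed_once = False

    def sign(self, reason, password, username=None):
        if self.user is None or not reason:
            return False
        # First signing of the session: both components must be entered.
        # Assumption: the signer must be the logged-in user.
        if not self.signed_once and username != self.user:
            return False
        if not self._check(self.user, password):
            return False
        self.signed_once = True
        self.audit.append((self.user, reason))
        return True
```

Because `signed_once` is cleared on log-out, the forgotten-signature case in the training example is handled: logging back in later and signing again requires both the username and the password.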