Q: I have a question about generic logins.
We’re getting computers on our production floor. Some colleagues have suggested we allow one generic login for all production personnel to view and print SOPs (with a watermark) and also to print the forms they need to use.
I don’t feel comfortable with using generic logins in this situation. Am I correct in saying it’s not compliant with 21 CFR Part 11?
A: Like most FDA regulations, Part 11 is focused on USE — in this case how the computers on the production floor are going to be used.
Part 11 is first and foremost a recordkeeping regulation. In your description, “…print SOPs (with a watermark) and also print the forms they need to use”, there’s no explicit recordkeeping indicated. It sounds like the forms will be printed and filled-in by hand, with no entry into the computer.
However, your reference to watermarked SOPs also implies that a system or network will be responsible for maintaining the correct, up-to-date SOPs. Likewise, I assume the system or network will be responsible for assuring that only current and approved versions of SOPs can be displayed/printed for use. Validation of this assurance will be required.
It’s important that only the users responsible for updating your SOPs and forms have access to them for modification and approval purposes.
This particular use (SOP and proper form retention and control) is certainly covered by Part 11, because SOPs and forms are considered records and documents under Part 11.
It’s important that only the users responsible for updating your SOPs and forms have access to them for modification and approval purposes. In that case, there may be no need for your production personnel to have generic logins at all — that is, if your use on the production floor remains consistent with your description and if you exercise control over the printed SOPs and forms (meaning only current and approved ones are available for use).
As for the forms themselves, they should continue to be accessible only to personnel who currently have access to the physical forms — those forms you’re using prior to the computer installations on the production floor. In other words, if you currently control access to the physical forms, be sure to continue controlling their access on the new computer system.
A word of caution: My answer is restricted to the very specific computer uses and the application of generic logins you’ve described. If your uses of the computers on the production floor expand, the impact of Part 11 may increase dramatically.
Answered by Martin Browning, President and Co-Founder of EduQuest, who co-wrote FDA’s rules on electronic records and signatures (21 CFR Part 11) during his 22-year career at FDA. Martin also is the chairman of EduQuest’s FDA Auditing of Computerized Systems and Part 11/Annex 11 Compliance training class.This class was originally developed to train FDA’s own investigators how to audit computerized systems, then was modified for industry. During the past 20 years, it has trained thousands of auditors, quality managers, and IT specialists in FDA-regulated companies.