Single Sign-On Systems Increase Risks of Part 11 Non-Compliance

Q: You discussed the pros and cons of Single Sign-On Systems (SSOs) in an earlier issue of EduQuest-ions & Answers. Could you expand on your answer about the risks single sign-on systems represent in creating effective audit trails in a Part 11 compliant system?

A: Certainly. Let’s start by remembering that the computer is using SSO to 1) authenticate the user, 2) identify what authorities the user has in the system, and 3) identify the user in the system.

In comparison, the audit trail created by the computer must be a history of all changes to a specific document or record.

That history must include:

1. The identity of the person making the change:
–   On paper, the initials of the person making the change;
–   In a computerized system, showing the system ID of the person making the change.

2. Identification of what’s been changed, without obscuring the original data:
–   On paper, a single line crossing out the old data but leaving it readable;
–   In a computerized system, a recording of the original data as well as the changes made. The record must be both readable and obvious – clearly showing that a change has been made and what was changed.

3. A recording of when the change was made:
–   On paper, usually just the date is acceptable, but on time-sensitive entries – such as during manufacturing steps – it may be important to show process interruptions in more detailed hours/minutes/seconds;
–   In a computerized system, the system provides a time stamp with both the date and the specific time.

4. And to complete the “history”: the reason for the change:
–   On paper, documenting the specific reason for the change in some sort of log, batch record, maintenance log, change history, etc. The easiest and best way is to show the reason on the changed document/record itself (which is specifically required under the GLP regulations);
–   In a computerized system, the reason must be recorded either in the computerized audit trail or as required by whatever procedure controls that part of the documentation process. Again, under the GLP regulations, the reason must be recorded in the computerized audit trail maintained as part of the electronic document itself.

In summary: the audit trail must be a complete history of change documenting the WHO, WHAT, WHERE and WHEN (according to an established procedure – the HOW). Otherwise the audit trail and the record changed are incomplete and non-compliant.

With all that in mind, let’s look closer at using electronic signatures with a Single Sign-On System. For the first electronic signing, you should re-enter the user name and password as your electronic signature. FDA allows you to have the same user name and password for log-in and for your electronic signature.

The Preamble (Background) to the Part 11 Final Rule says that if you have sufficient controls, the log-in can be the first part of the signature. But a separate act of entering an electronic signature is needed for each signing act unless the sole purpose of initially signing into a system is to apply electronic signatures and you’re signing more than one “document/record” as a continuous act (for example, one continuous review and signature after another without other work being done).

But what if two or more users – each with different user names – have the same password? The combination may be unique, but the password is not. So you’d need to develop and enforce additional controls for “no duplicate passwords within a company” or use tokens that change numbers that can’t be shared.

As a result – because users rarely log into their computers just to sign records – it’s my observation that Single Sign-On Systems (SSOs) don’t work well for electronic signatures and are rarely compliant with the intent of Part 11.

Answered by Janis Olson, EduQuest VP of Regulatory and Quality Services (22 years as an FDA investigator and office director). Jan also is the co-developer and instructor for EduQuest’s FDA Auditing of Computerized Systems and Part 11/Annex 11 Compliance training class.
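The following is an added example, not code from the original Q&A or from EduQuest: a minimal audit trail that captures the WHO, WHAT (original and new value), WHEN and WHY of every change, keeps entries append-only and tamper-evident with a hash chain, and a signing helper that demands the user name and password be re-entered for each signing act unless the session was opened solely for a continuous series of signings. The user names, passwords, record and reasons are constructed sample data, and the salted SHA-256 directory is a stand-in for whatever credential store a real system uses.

```python
"""Added example: Part 11-style audit trail plus per-signing re-authentication.
Sample users, passwords and records below are constructed for illustration."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


def _pw_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user directory: user_id -> (salt, salted password hash).
USERS = {
    "jolson": ("salt1", _pw_hash("correct horse", "salt1")),
    "qa_rev": ("salt2", _pw_hash("battery staple", "salt2")),
}


def authenticate(user_id, password) -> bool:
    entry = USERS.get(user_id)
    if entry is None or password is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_pw_hash(password, salt), expected)


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    record_id: str
    user_id: str       # WHO: the individual's own system ID, never a shared account
    field: str         # WHAT: which field of the record changed
    old_value: object  # original data kept readable, never overwritten
    new_value: object
    timestamp: str     # WHEN: system-generated UTC date and time
    reason: str        # WHY: recorded in the trail itself
    prev_hash: str
    entry_hash: str


class AuditTrail:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict, prev_hash: str) -> str:
        payload = json.dumps(body, sort_keys=True, default=str) + prev_hash
        return hashlib.sha256(payload.encode()).hexdigest()

    def record_change(self, record, record_id, field, new_value, user_id, reason):
        """Append an entry for one change; the change is applied only afterwards."""
        if user_id not in USERS:
            raise ValueError("change must be attributed to an individual user ID")
        if not reason or not reason.strip():
            raise ValueError("a reason for the change is required")
        prev_hash = self.entries[-1].entry_hash if self.entries else "0" * 64
        body = {
            "seq": len(self.entries) + 1, "record_id": record_id,
            "user_id": user_id, "field": field,
            "old_value": record.get(field), "new_value": new_value,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "reason": reason,
        }
        entry = AuditEntry(**body, prev_hash=prev_hash,
                           entry_hash=self._digest(body, prev_hash))
        self.entries.append(entry)
        record[field] = new_value
        return entry

    def verify(self) -> bool:
        """Recompute the chain; an edited, reordered or deleted entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in asdict(e).items()
                    if k not in ("prev_hash", "entry_hash")}
            if e.prev_hash != prev or self._digest(body, prev) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


class SigningSession:
    """Each signing act needs a fresh credential entry, unless the session was
    opened solely to sign and the signings form one uninterrupted series."""

    def __init__(self, user_id: str, signing_only: bool = False):
        self.user_id = user_id
        self.signing_only = signing_only
        self.last_act_was_signing = False
        self.signatures = []  # (user_id, record_id, meaning, timestamp)

    def do_other_work(self):
        self.last_act_was_signing = False  # any other work breaks the series

    def sign(self, record_id, meaning, user_id=None, password=None) -> bool:
        continuous = self.signing_only and self.last_act_was_signing
        if not continuous and (user_id != self.user_id
                               or not authenticate(user_id, password)):
            self.last_act_was_signing = False
            return False
        self.signatures.append((self.user_id, record_id, meaning,
                                datetime.now(timezone.utc).isoformat()))
        self.last_act_was_signing = True
        return True
```

The trail writes the entry before the record is updated and never mutates an existing entry; `verify()` is what an auditor (or a nightly job) runs to show the history is complete. `SigningSession` models the Preamble rule the answer describes: a session opened for ordinary work cannot sign without re-entering credentials, while a signing-only session can sign consecutive records until other work intervenes.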

