FDA citing poor 'log off' SOPs under Part 11.

PHILADELPHIA - Citations on 483s for violations of FDA's electronic signature/records rule (21 CFR Part 11) are rare, and warning letters are even more rare. However, FDA lately has been citing firms for poor log-off procedures, meaning firms should be careful about password access to computer systems, an executive with a computer validation firm told a Center for Business Intelligence (CBI) meeting here Jan. 29.

Dr. J. Scott Hodges, Ph.D., a project manager for Stelex, Bensalem, PA, advised: Special focus on computer and software validation, and electronic records...

"If a paper document requires a signature, then so does the electronic document," he said. "If a verbal approval is acceptable for a paper document, then no electronic signature is needed for an electronic document."

He said one FDA-regulated establishment, which he did not identify, received a 483 because it had no written procedures to hold individuals accountable for actions taken under their electronic signatures. "If there are no such written policies, employees may make them with traditional handwritten signatures," Hodges said.

Hodges presented his list of Five Things to Remember about Part 11:

1. Part 11 does not apply to all electronic records, just those required by FDA.
2. Part 11 does not apply to some systems, such as typewriters, chart recorders and simple word processors.
3. A printout of an electronic record cannot be kept as a paper record.
4. FDA does not endorse any commercially available applications.
5. Off-the-shelf systems cannot be completely compliant without procedures and controls.

Primarily, he added, FDA is citing firms for not having procedures to prevent another person from using a computer if the original user steps away without logging off. "If a computer is not used for a few minutes it should lock up and show a screen saver until you log on again," Hodges advised. Part 11 does not delve into such specifics, just that firms must have password protection for "open systems" such as these.

However, Hodges said some companies also are being cited for not having documentation showing whether the system can generate accurate and complete copies of records in electronic form. A key purpose of Part 11 is so FDA can review electronic copies of electronic records. "You should be able to call up your electronic records on command in, say, five minutes," Hodges said. "If your developer sits around for a couple of hours trying to figure out where the data is and how to access it, you will find a 483 in your mailbox."

Internal controls must be in place to show FDA that the electronic signatures are safe, Hodges added.

Passwords should expire

He explained that such controls should include an aging period during which a password expires at a regular interval of 30 or 60 days to prevent ex-employees from gaining access. "Your user ID need not be secret, but the combination of user ID and password must be confidential and unique," Hodges advised. "Avoid alternating your passwords upon expiration, such as using your son's name then your daughter's then back to your son's."

Common passwords should be avoided, such as the default "AdminAdmin," which Hodges said some users never replace.