I work for a small (<20 employee) software development company in
Beverly, Massachusetts. We are currently developing an FDA-compliant
software solution that utilizes Electronic Signatures. We have a
question regarding the interpretation of Electronic Signatures as
related to the 21 CFR Part 11 standard.
Background: In order to collect Electronic Signatures in our software,
we are requiring users to re-enter their password when committing a
change to a file (as well as provide a reason and additional notes, if
Question: Does the password used for the Electronic Signature have to
be different than the user's log in password for the system? In other
words, does each user need to have TWO passwords for a single system;
one for initial log-in, and one for Electronic Signatures?
A client brought up the issue of a second password, and we are unaware
of any regulation that states this as a requirement for FDA compliance.
We have reviewed the 21 CFR Part 11 ruling and have not found any
verbiage to support this two-password paradigm. (The only reference to
two passwords we could find relates to a supervisory user appending the
first signature with their own.)
Any information you can provide would be extremely helpful.