In January 2025, the Task Force “Data Integrity” of the Quality Group of APIC (CEFIC), has published the version 2.0 of the document “Data Integrity Frequently Asked Questions (FAQ)“.
This document contains a collection of frequently asked questions that have been submitted by the industry to the Data Integrity taskforce. Since this is a living document, it is updated as new questions are posed to the group.
Updated questions are written in red: the new questions and answers can be found in the “Password management” and “Access management” sections.
- Password management
Q1: When I logged into a system, do I need to re-authenticate myself for every data entry?
A: No, it depends upon the criticality of the data/action. This criticality should be based upon process mapping and a risk assessment as explained in the guide. Criticality of the data and/or responsibility associated with the action should be taken into account when evaluating electronic signature requirements.
Q2: What are the requirements for e-signature components? (This question in version 1 of the FAQ was worded differently whereas it has now been revised as above)
A: This practice is described in 21CFR11, chapter 11.200 “e-signature and components”:
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components (= user ID and password or biometrics); subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components
- Access management
Q2: Can we extend the time of a user session before this is automatically locked for inactivity because of a HSE (health-safety-environment) concern?
A: The inactive time of a user session should be managed by the user locking their computer station when they move away for an extend period of time to prevent unauthorised actions been taken by other persons. The automatic lock is a security measure. A reasonable amount of time should be supported by a risk assessment. This type of HSE concern should be managed independently of the GXP system with an emergency stop button as an example. If this is approach is not feasible, the computerized system should be designed as such that a fast intervention is possible. It is best practice for a system like a DCS to be configured in such a way that the screen does not completely goes into operating system lock and actions can be taken by clicking on the valve or object and entering a password to confirm the action.
SOURCES:
https://apic.cefic.org/wp-content/uploads/2025/01/FAQ-DI-APIC-TF-Version-2-Jan-25-1.pdf
