Components and Controls – 11.200
- Last Updated Feb 12, 2025
Non-Biometric Signatures - 11.200 (a)
21 CFR Part 11:
“(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password."
Each security type (Standard, OS or ArchestrA) that can be associated with AVEVA Batch Management supports the two distinct identification components. The OS security is recommended as it additionally allows specifying password complexity requirements.
Procedures should be put in place in Active Directory for all user accounts (except the service ones) to:
- Require a minimum number of characters in passwords
- Deactivate user accounts after a number of consecutive password failures
- Force users to change their passwords on a regular basis
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
The AVEVA Batch Management “User Id timeout” system parameter shall be set as depicted in Figure 35 to specify the number of seconds that the current User ID is retained before it must be re-entered. The default value of 0 retains the User ID indefinitely.
A very small number such as 1 (second) will force users to re-enter their User ID every time. The customer should determine the proper timeout carefully: this is a system-wide parameter and, depending on the duration of each phase, it may require a lot of entries from the AVEVA Batch Management users. Regardless of the specified timeout, users are required to enter their password every time.

Figure 35 - User id timeout
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
If the time between two signatures exceeds the AVEVA Batch Management system parameter “User ID timeout”, then both components of the signature popup are set to blank and the user is required to re-enter their User ID in addition to the password, which is always required.
(2) Be used only by their genuine owners;
There is no technological control to prevent unauthorized use of IDs or passwords if those ID and password combinations are compromised or known to more than the individual assigned a specific ID and password combination.
(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.”
The customer needs to evaluate the risk of the following two situations and put appropriate procedures in place to address the identified level of risk:
- An IT administrator with the ability to reset a password resets the password of a user who accesses AVEVA Batch Management or the SQL Server database and then uses it to manipulate the Batch system.
The customer should put procedures in place on all Active Directory user accounts (except the service ones) to force the user to change the password after it is initially assigned. Active Directory should be set so that a notification (such as an email) is sent to an administrator and to the user who changed his password when a password change occurs, so that a fraudulent password change can be detected and reported by the user.
- An IT administrator with the ability to assign roles assigns the AVEVA Batch Management roles to himself and then uses his own user name to enter AVEVA Batch Management.
Procedures should be put in place in Active Directory to control the addition of users to an OS group and to generate the necessary notifications or audit trail, so that new assignments to an OS group used by AVEVA Batch Management are reviewed by the proper authorities in a timely manner.
If no mechanism is available to detect such an event in the operating system, then OS user based security provides better control than OS role based security: OS users are created by an IT administrator, but their AVEVA Batch Management roles are configured by the AVEVA Batch Management system administrators, who are defined in the AVEVA Batch Management Security editor. With this configuration, at least two persons are required to use the system in a fraudulent way: an IT administrator and an AVEVA Batch Management administrator. Access to the AVEVA Batch Management security editor can also be set to require a different user from the Environment Display access, so that even an AVEVA Batch Management administrator cannot change access without the collaboration of a second user.
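The two situations above can be reviewed from the Windows Security audit log. The following is an added example, not AVEVA code: it assumes the events have been exported as dictionaries keyed by their EventData field names, and the group names, account names and SIDs are hypothetical.

```python
# Windows Security audit event IDs used by this review
PASSWORD_RESET = 4724               # an attempt was made to reset an account's password
MEMBER_ADDED = {4728, 4732, 4756}   # member added to a global / local / universal group

# Assumptions for illustration: OS groups mapped to Batch Management roles,
# and the accounts that sign in Batch Management.
BATCH_GROUPS = {"batch_admins", "batch_operators"}
BATCH_USERS = {"jdoe", "asmith"}

def review_events(events, groups=BATCH_GROUPS, users=BATCH_USERS):
    """Return one finding per event that a second person must review."""
    findings = []
    for ev in events:
        data = ev["EventData"]
        actor = data["SubjectUserName"].lower()
        target = data["TargetUserName"].lower()   # account (4724) or group (4728/4732/4756)
        if ev["EventID"] == PASSWORD_RESET and target in users and actor != target:
            # Notify the account owner too, so a reset they did not ask for is reported.
            findings.append({"kind": "password_reset", "actor": actor,
                             "target": target, "notify": [target, "administrator"]})
        elif ev["EventID"] in MEMBER_ADDED and target in groups:
            # Same SID on both sides: the administrator granted the role to himself.
            self_assigned = data["MemberSid"] == data["SubjectUserSid"]
            findings.append({"kind": "group_member_added", "actor": actor,
                             "target": target, "self_assigned": self_assigned,
                             "notify": ["administrator"]})
    return findings

def _ev(event_id, actor, actor_sid, target, member_sid=None):
    """Build a constructed event record with only the fields the review reads."""
    data = {"SubjectUserName": actor, "SubjectUserSid": actor_sid, "TargetUserName": target}
    if member_sid:
        data["MemberSid"] = member_sid
    return {"EventID": event_id, "EventData": data}

# Constructed sample records (not real log data); the SIDs are made up.
ADMIN_SID, USER_SID = "S-1-5-21-1-2-3-1104", "S-1-5-21-1-2-3-1150"
SAMPLE_EVENTS = [
    _ev(4724, "itadmin1", ADMIN_SID, "jdoe"),                        # reset of a Batch user
    _ev(4724, "itadmin1", ADMIN_SID, "printsvc"),                    # unrelated account
    _ev(4728, "itadmin1", ADMIN_SID, "Batch_Admins", ADMIN_SID),     # self-assignment
    _ev(4728, "itadmin1", ADMIN_SID, "Batch_Operators", USER_SID),   # assignment to another user
    _ev(4732, "itadmin1", ADMIN_SID, "Backup Operators", USER_SID),  # unrelated group
]

if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS):
        print(finding)
```

Findings with `self_assigned` set are the ones where the IT administrator and the new group member are the same account, which is the second situation described above.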
In addition to the previous security features, a report can be printed from the AVEVA Batch Management security editor showing the AVEVA Batch Management roles vs OS groups or users. A manual customer procedure can require verifying and archiving this report after any security change. Access to this report from the security editor is depicted in Figure 36.

Figure 36 - Security report
Part of the output of this report is depicted in Figure 37. We can see here that the role ADM is associated with a few Active Directory users. The applications and functions on the right are available to a user with engineering role for the specified “Done By” and/or “Check By” signature.

Figure 37 - Security report - partial output example