On Thursday, April 23, 2015, we delivered a webinar on 21 CFR Part 11, based on a recent blog series. During the Q&A session at the end, someone asked the following question:
Regarding user accounts: During the User Acceptance Testing (UAT) of a system, are these accounts regulated the same way or can ‘generic’ user accounts be used?
Our interpretation of the regulations is that they do not govern user accounts in non-production environments, such as development (DEV) or even validation (VAL). Given that, during the initial validation or as part of a change control, if the UAT is performed in a non-production environment, ‘test’ user accounts can be used that do not adhere to the regulations about being unique for each individual, having a unique combination of user ID and password, etc.
As a best practice, dummy or test user accounts should not be created in production environments. However, in cases where production is the only environment that exists, test user accounts can be created, but should adhere to 21 CFR Part 11 and then disabled after testing.
If you have any comments or follow-up questions on this topic, we’d love to hear from you. To see what other questions were asked during the webinar, click here.
