Transcript of 21 CFR Part 11

Page 1: 21 cfr part 11

Overview of 21 CFR Part 11: The Final Rule

PERI ELECTRONIC RECORDS AND SIGNATURES

Page 2: 21 cfr part 11

21 CFR Part 11 Electronic Records; Electronic Signature

• Milestones

• 11/91 Project Launched

• 7/92 Advanced Notice

• 8/94 Proposed Rule

• 3/97 Final Rule

• 8/97 In Effect

Page 3: 21 cfr part 11

21 CFR Part 11 Electronic Records: Electronic Signature

AGENDA

• Summary of 21 CFR, Part 11
  • Subpart A: General Provisions
  • Subpart B: Electronic Records
  • Subpart C: Electronic Signatures
• Potential Issues
• Advantages and Challenges
• Critical Success Factors
• Security and Control

Page 4: 21 cfr part 11

Cont...

Subpart A - General Provisions

Section 11.1 Scope

• Regulations establish the criteria the FDA considers for electronic records and electronic signatures to be trustworthy, reliable, and generally equivalent to paper.
• Applies to all records in electronic form under any records requirement within any FDA regulation.
• Electronic records are considered equivalent to full handwritten signatures, initials, and other general signings.
• Electronic records may be used in accordance with Part 11 unless paper records are specifically required.
• Computer system (hardware and software), controls, and relevant documentation must be available for review during FDA inspections.

Page 5: 21 cfr part 11

Cont...

Electronic Record

“Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”

Page 6: 21 cfr part 11

Cont...

Electronic Signature

• “A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.”

Page 7: 21 cfr part 11

Cont...

Handwritten Signature

“The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form.”

“The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.”

Page 8: 21 cfr part 11

Digital Signature

• “An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”

Biometrics

• “A method of verifying an individual’s identity based on measurement of the individual’s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.”

Page 9: 21 cfr part 11

Cont...

Closed System

• “An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.”

Open System

• “An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.”

Page 10: 21 cfr part 11

Cont...

Subpart B - Electronic Records

Section 11.10 - Controls for Closed Systems

• Must develop procedures and controls to ensure authenticity, integrity and confidentiality, and that the signer cannot repudiate the signed record. The controls must:
  • Be validated
  • Maintain accurate and complete records
  • Limit the system to authorized persons
  • Protect records through the retention period
  • Contain audit trails that are secure, operator independent, computer-generated, time-stamped, cover the creation, modification and deletion of records, and do not obscure previous information

Page 11: 21 cfr part 11

Cont...

Section 11.10 - Controls for Closed Systems (cont.)

• Allow for the performance of operational system checks, authority checks, and device checks to ensure system, record, and data integrity
• Ensure appropriate personnel qualifications
• Policies written and followed to hold personnel accountable for actions and to deter records falsification
• Control over system documentation including distribution, access, use, revision and change control
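The audit-trail properties listed under 11.10 (secure, operator independent, computer-generated, time-stamped, covering create/modify/delete without obscuring previous information) can be demonstrated in code. The following is an added illustration written for this transcript, not code from the presentation or from any FDA guidance: a hash-chained, append-only trail in which every entry is produced by the system, carries a timestamp from an injected clock, and keeps the prior value on modification and deletion. The chain lets a reviewer detect an edited entry or one removed from the middle of the trail.

```python
import hashlib
import json
from datetime import datetime, timezone

class AuditTrail:
    """Append-only, hash-chained audit trail (constructed illustration)."""

    def __init__(self, clock=None):
        self.entries = []
        self.records = {}            # current value of each record
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _append(self, action, record_id, operator, old, new):
        # System-generated, time-stamped entry that keeps the prior value so
        # earlier information is never obscured by a change or deletion.
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries) + 1, "timestamp": self._clock(),
                 "action": action, "record_id": record_id, "operator": operator,
                 "old_value": old, "new_value": new, "prev_hash": prev_hash}
        # Chain to the predecessor: editing an entry, or removing one from
        # inside the chain, invalidates every entry that follows it.
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def create(self, record_id, value, operator):
        self.records[record_id] = value
        return self._append("create", record_id, operator, None, value)

    def modify(self, record_id, value, operator):
        old = self.records[record_id]
        self.records[record_id] = value
        return self._append("modify", record_id, operator, old, value)

    def delete(self, record_id, operator):
        old = self.records.pop(record_id)        # record gone, trail entry stays
        return self._append("delete", record_id, operator, old, None)

    def verify(self):
        # True if every entry matches its hash and links to its predecessor.
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev_hash"] != prev or entry["hash"] != self._digest(entry):
                return False
            prev = entry["hash"]
        return True
```

Removal of the most recent entry is not caught by the chain alone; in practice the trail is also written to storage the operator cannot modify, which is what "secure" and "operator independent" demand.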

Page 12: 21 cfr part 11

Cont...

Section 11.30 - Controls for Open Systems

• Must develop procedures and controls that ensure authenticity, integrity, and confidentiality of electronic records and comply with all other parts of Section 11.10
• Must use additional measures (e.g. document encryption, digital signature standards) to ensure authenticity, integrity, and confidentiality.

Page 13: 21 cfr part 11

Cont...

Section 11.50 - Signature Manifestation

• Signed electronic records must include the printed name of the signer, the date and time of signature, and the purpose of the signature (e.g. review, approval, etc.). Each of these must be readable by display or printout.

Section 11.70 - Signature/Record Linking

• Electronic signatures and handwritten signatures must be linked to ensure signatures cannot be excised, copied, transferred or falsified.
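The manifestation elements of 11.50 and the linking requirement of 11.70 fit together naturally: the printed name, date/time and meaning are stored with the record, and a keyed tag computed over those elements plus a digest of the record content makes the signature fail verification if it is copied to another record, if the record is edited after signing, or if the meaning is changed. The code below is an added example for this transcript, not from the presentation; the signer keys, printed names and record are constructed, and an HMAC stands in for whatever signature mechanism a real system uses.

```python
import hashlib
import hmac
import json

# Constructed per-signer keys. In a real system these would live in a key
# store or HSM; the point here is that the tag depends on who signed.
SIGNER_KEYS = {"jdoe": b"constructed-key-jdoe", "qa.lead": b"constructed-key-qa"}
PRINTED_NAMES = {"jdoe": "Jane Doe", "qa.lead": "Sam Lee"}

def _record_digest(record):
    """Digest of the record content alone; the signature binds to this."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def _tag(user_id, manifestation):
    payload = json.dumps(manifestation, sort_keys=True).encode()
    return hmac.new(SIGNER_KEYS[user_id], payload, "sha256").hexdigest()

def sign_record(record, user_id, meaning, signed_at):
    """Attach the 11.50 manifestation (printed name, date/time, meaning)
    plus a keyed tag over it and the record digest, the 11.70 link."""
    manifestation = {"printed_name": PRINTED_NAMES[user_id], "user_id": user_id,
                     "signed_at": signed_at, "meaning": meaning,
                     "record_digest": _record_digest(record)}
    manifestation["tag"] = _tag(user_id, manifestation)
    return manifestation

def verify_signature(record, sig):
    """True only for this signer, this record content and this meaning."""
    if sig.get("user_id") not in SIGNER_KEYS:
        return False
    if sig.get("record_digest") != _record_digest(record):
        return False   # signature copied to another record, or record edited
    body = {k: v for k, v in sig.items() if k != "tag"}
    return hmac.compare_digest(_tag(sig["user_id"], body), sig.get("tag", ""))

def manifest_line(sig):
    """Human-readable form required on any display or printout."""
    return f"Signed by {sig['printed_name']} on {sig['signed_at']} ({sig['meaning']})"
```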

Page 14: 21 cfr part 11

Cont...

Subpart C - Electronic Signatures

Section 11.100 - General Requirements

• Must be unique to an individual and not reassigned
• Identity of individual must be verified by organization
• Must certify electronic signature system to the agency prior to or at the time of use of the system
• Certification must be submitted in paper form and, upon agency request, provide certification that signature is legally binding

Page 15: 21 cfr part 11

Cont...

Section 11.200 - Electronic Signature Components and Controls

• Non-biometric signatures must:
  • Contain at least two different identification components (e.g. user ID and password)
  • Single sign-on with multiple tasks: use all identification components at first, with partial identification for each task thereafter
  • Multiple sign-on without continuous access requires all identification components to be used each time
  • Be used only by the owner
  • Ensure use by other individuals is precluded and does not occur without collaboration by at least two other individuals
• Biometric signatures must ensure use by the owner

Page 16: 21 cfr part 11

Cont...

Section 11.300 - Controls for Identification Codes/Passwords

• Persons using electronic signatures must use controls to ensure security and integrity, which should include:
  • Assuring that no two individuals have the same combination of identification code and password
  • Periodic check, recall, or revision of identification code and password
  • Loss management and replacement procedures
  • Testing of devices (i.e. tokens or cards) that produce or maintain identification codes or passwords to ensure proper function and unaltered state.

Page 17: 21 cfr part 11

Cont...

Section 11.300 Controls for ID codes/passwords

• Unauthorized use safeguards
  • Report attempts in an urgent and immediate manner to:
    • Security unit
    • Management, as appropriate

Page 18: 21 cfr part 11

Cont...

FDA’s View of What Industry Needs to Do

• Learn Part 11
• File 11.100(c) Certification
• E-records maintained in formats FDA can audit/copy
• Check with FDA auditors
• Watch for guidance documents

Page 19: 21 cfr part 11

Cont...

Part 11 Internet Web Site:

http://www.fda.gov/cder/esig/part11.htm

Page 20: 21 cfr part 11

THE FOUNDATION

“The Agency believes that if it is important enough that a record be signed, human readable displays of such records must include the printed name of the signer, the date and time of signing, and the meaning of the signature.”

Example: a message from a firm’s management to employees instructing them on a particular course of action

Page 21: 21 cfr part 11

Potential Issues:

• The final rule does not establish numerical standards for levels of security or validation (persons have the option of determining the frequency).
• Widespread implementation of time/date stamped audit trails executed objectively and automatically, and controls for limiting access to the database search software, may change a company’s current practices.

• The word “ensure” is used in the regulations. It is defined as “to make certain”. How will this be interpreted by a field inspector?

• “Unique nature of passwords”. How is uniqueness determined and what are “good password practices”?

• Part 11 does not apply to paper records that are or have been transmitted by electronic means but it does apply to records in electronic form that are created, modified, maintained, archived, retrieved under any record requirement regulated by FDA.

• Record retention requirements for software and hardware used to create records that are retained in electronic form are subject to part 11.

Page 22: 21 cfr part 11

Cont...

• “As the agency’s experience with part 11 increases certain records may need to be limited to paper if there are problems with the electronic versions of such records.”
• “It may be necessary to inspect hardware and software used to generate and maintain electronic records to determine if the provisions of part 11 are being met.”
• The assessment of adequacy of systems validation will include inspection of hardware to “determine if it matches the system documentation description of the hardware.”
• For geographically dispersed systems, inspections would extend to operations, procedures and controls at one location and the agency would inspect other locations of the network in a separate but coordinated manner.

• Is the implementation of an electronic system significant enough in manufacturing to require an NDA supplement prior to going live?

• Dial-in access over public phone lines can be a closed system if access to the system is under the control of the persons responsible for the content of the record.

Page 23: 21 cfr part 11

Cont...

• When an organization’s electronic records are stored on systems operated by third parties the agency would consider this to be an open system.

• Electronic record is defined as “any combination of text, graphics, data, audio, pictorial or other information representation in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system.”

• “The Agency believes that if it is important enough that a record be signed, human readable displays of such records must include the printed name of the signer, the date and time of signing, and the meaning of the signature.” Example: a message from a firm’s management to employees instructing them on a particular course of action may be critical in litigation.

• “A single certification may be stated in broad terms that encompass electronic signatures of all current and future employees”.

Page 24: 21 cfr part 11

Certification Statement

Pursuant to section 11.100 of Title 21 of the Code of Federal Regulations, this is to certify that __________________ (name of organization) intends that all electronic signatures executed by our employees, agents, or representatives, located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures.

Page 25: 21 cfr part 11

Stringent Controls

“The agency believes that…it is vital to have stringent controls in place to prevent impersonation. Such controls include: (1) requiring an individual to remain in close proximity to the workstation throughout the signing session; (2) use of automatic inactivity disconnect measures that would “de-log” the first individual if no entries or actions were taken within a fixed short timeframe; and (3) requiring that the single component needed for subsequent signings be known to, and usable only by, the authorized individual.”
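The session rules of 11.200 (all components for the first signing of a continuous session, a single owner-only component thereafter, all components again once access is no longer continuous) and the stringent controls quoted above (automatic inactivity disconnect, single component usable only by the owner) describe one small state machine. The following is an added example for this transcript, not code from the presentation: the credential store, user IDs and the 300-second limit are constructed values, and the clock is injected so the timeout can be exercised deterministically.

```python
import hmac

# Constructed credential store (user ID -> password). A real system stores
# only salted password hashes; plaintext is used here to keep the focus on
# the session rules rather than on credential storage.
CREDENTIALS = {"jdoe": "Corr3ct-Horse", "qa.lead": "Batt3ry-Staple"}
INACTIVITY_LIMIT = 300   # seconds; constructed value for the "fixed short timeframe"

def _password_ok(user_id, password):
    stored = CREDENTIALS.get(user_id, "")
    return bool(stored) and hmac.compare_digest(stored, password)

class SigningSession:
    """One individual's continuous signing session at a workstation."""

    def __init__(self, now):
        self._now = now          # injected clock returning seconds
        self.user = None
        self.last_activity = None

    def _expire_if_idle(self):
        # Automatic inactivity disconnect: "de-log" the first individual so a
        # second person cannot sign under the open session.
        if self.user and self._now() - self.last_activity > INACTIVITY_LIMIT:
            self.user = None

    def is_active(self):
        self._expire_if_idle()
        return self.user is not None

    def sign(self, meaning, password, user_id=None):
        """Return (user_id, meaning, time) or raise PermissionError."""
        self._expire_if_idle()
        if self.user is None:
            # First signing of the session: all components (ID and password).
            if user_id is None or not _password_ok(user_id, password):
                raise PermissionError("user ID and password required to start a session")
            self.user = user_id
        else:
            # Subsequent signing: only the component known solely to the owner,
            # and never under someone else's ID.
            if user_id not in (None, self.user) or not _password_ok(self.user, password):
                raise PermissionError("session owner's password required")
        self.last_activity = self._now()
        return (self.user, meaning, self.last_activity)

    def logout(self):
        self.user = None
```

Each successful call also yields the signer, meaning and time that a signature manifestation needs, so the session layer and the record-signing layer share the same facts.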

Page 26: 21 cfr part 11

Security and Control

• Procedural

• Physical

• Logical

Page 27: 21 cfr part 11

Procedural - Verification

• Obtain and review corporate security policy, security standards and procedures
• Evaluate the effectiveness of the security organization
• Evaluate the effectiveness of the process for requesting, granting and removing access.

Page 28: 21 cfr part 11

Physical Security

• Review physical access policy
• Identify sensitive areas (computer room, data rooms, wiring closets).
• Determine process for granting, reviewing, monitoring and removing access
• Verify that process is operating effectively

Page 29: 21 cfr part 11

Logical Security

• Obtain and review data access policy
• Identify access “paths” to cGMP data
  – Dial-in
  – Internet
  – Local Area Network
  – Operating System
  – Database Security
  – Application Security

Page 30: 21 cfr part 11

For each access path, evaluate the following:

– user security parameters
  • unique user ID/password combinations
  • password change intervals (90 days)
  • password composition (e.g., combination of numbers and letters required)
  • password length (minimum length of 6 characters)
– access controls that enforce segregation of duties (read, write, delete)
– monitoring functionality and audit trail
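The user security parameters above, together with the 11.300 requirement that no two individuals share the same identification code/password combination, can be checked mechanically during a review. The code below is an added example for this transcript, not from the presentation; the account export format and the sample data are constructed. It treats the combination-uniqueness requirement the way a reviewer usually must: by confirming identification codes are unique, since passwords should exist only as salted hashes and therefore cannot be compared across users.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # change interval from the slide
MIN_PASSWORD_LENGTH = 6      # minimum length from the slide

def check_password_composition(password):
    """Findings for a candidate password against the slide's parameters."""
    findings = []
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        findings.append("must combine letters and numbers")
    return findings

def check_accounts(accounts, today):
    """Review a constructed account export: list of {"user_id", "password_set"}
    with ISO dates. Returns {user_id: [findings]} for accounts with issues.

    Uniqueness of the ID/password combination is enforced by keeping the
    identification code itself unique; passwords are never compared across
    users, because they should only exist as salted hashes."""
    today = date.fromisoformat(today)
    findings, seen = {}, set()
    for acct in accounts:
        uid = acct["user_id"]
        issues = findings.setdefault(uid, [])
        if uid in seen:
            issues.append("duplicate identification code")
        seen.add(uid)
        age = (today - date.fromisoformat(acct["password_set"])).days
        if age > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password age {age} days exceeds {MAX_PASSWORD_AGE_DAYS}")
    return {uid: issues for uid, issues in findings.items() if issues}
```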