1 MD&M East 98 Conference New York June 1998 Presentation by Daniel E. Worden PRACTICAL APPROACHES TO ELECTRONIC SIGNATURES.

2 AGENDA
- Summary of 21 CFR, Part 11
  - Subpart A: General Provisions
  - Subpart B: Electronic Records
  - Subpart C: Electronic Signatures
- Potential Issues
- Advantages and Challenges
- Critical Success Factors
- Security and Control

3 SUBPART A - GENERAL PROVISIONS
Section 11.1 Scope
- The regulations establish the criteria under which the FDA considers electronic records and electronic signatures to be trustworthy, reliable, and generally equivalent to paper.
- Applies to all records in electronic form under any records requirement within any FDA regulation.
- Electronic signatures are considered equivalent to full handwritten signatures, initials, and other general signings.
- Electronic records may be used in accordance with Part 11 unless paper records are specifically required.
- The computer system (hardware and software), controls, and relevant documentation must be available for review during FDA inspections.

4 DEFINITIONS
Electronic Record: “Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”
Electronic Signature: “A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.”

5 DEFINITIONS (cont.)
Handwritten Signature: “The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form.” “The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.”
Digital Signature: “An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”

6 DEFINITIONS (cont.)
Closed System: “An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.”
Open System: “An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.”
Biometrics: “A method of verifying an individual’s identity based on measurement of the individual’s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.”

7 SUBPART B - ELECTRONIC RECORDS
Section Controls for Closed Systems
Procedures and controls must be developed to ensure authenticity, integrity and confidentiality, and to ensure that the signer cannot repudiate the signed record. The controls must:
- Be validated
- Maintain accurate and complete records
- Limit the system to authorized persons
- Protect records throughout the retention period
- Contain audit trails that are secure, operator independent, computer-generated and time-stamped; that cover the creation, modification and deletion of records; and that do not obscure previously recorded information

8 SUBPART B - ELECTRONIC RECORDS
Section Controls for Closed Systems (cont.)
- Allow for the performance of operational system checks, authority checks, and device checks to ensure system, record, and data integrity
- Ensure appropriate personnel qualifications
- Written and followed policies that hold personnel accountable for their actions and deter record falsification
- Control over system documentation, including distribution, access, use, revision and change control

10 SUBPART B - ELECTRONIC RECORDS
Section Signature Manifestation
- Signed electronic records must include the printed name of the signer, the date and time of signature, and the purpose of the signature (e.g. review, approval, etc.).
- Each of these must be readable by display or printout.
Section Signature/Record Linking
- Electronic signatures and handwritten signatures must be linked to their records to ensure that signatures cannot be excised, copied, transferred or falsified.
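The audit-trail requirements of slide 7 (computer-generated, time-stamped, never obscuring earlier values) and the manifestation and linking requirements above, shown in one small Python model. This is an added example, not code from the presentation; the class name, the hash-chained audit design and the demo signing key are assumptions, and a real system would hold a separate, protected key or credential per signer.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

SIGNING_KEY = b"demo-only-key"   # constructed; a real system protects per-signer keys

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def _mac(manifest):
    return hmac.new(SIGNING_KEY, json.dumps(manifest, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()

class Part11Record:
    def __init__(self, record_id, content, operator):
        self.record_id, self.content = record_id, content
        self.audit, self.signatures = [], []   # audit is append-only; old values are kept
        self._log("create", operator, None, content)

    def _log(self, action, operator, old, new):
        # System-generated timestamp; each entry commits to the previous entry's hash,
        # so editing or deleting an earlier entry breaks the chain.
        prev = self.audit[-1]["entry_hash"] if self.audit else "0" * 64
        entry = {"action": action, "operator": operator, "old": old, "new": new,
                 "timestamp": datetime.now(timezone.utc).isoformat(), "prev_hash": prev}
        entry["entry_hash"] = _digest(entry)
        self.audit.append(entry)

    def modify(self, new_content, operator):
        self._log("modify", operator, self.content, new_content)
        self.content = new_content

    def sign(self, printed_name, meaning):
        """Manifestation (printed name, date/time, meaning) bound to the record content."""
        manifest = {"record_id": self.record_id, "content_hash": _digest(self.content),
                    "signer": printed_name, "meaning": meaning,
                    "timestamp": datetime.now(timezone.utc).isoformat()}
        sig = dict(manifest, mac=_mac(manifest))
        self.signatures.append(sig)
        self._log("sign", printed_name, None, meaning)
        return sig

    def verify_signature(self, sig):
        # False if the record changed after signing or the signature came from elsewhere
        manifest = {k: v for k, v in sig.items() if k != "mac"}
        return (hmac.compare_digest(_mac(manifest), sig["mac"])
                and sig["record_id"] == self.record_id
                and sig["content_hash"] == _digest(self.content))

    def verify_audit_trail(self):
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```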

11 SUBPART C - ELECTRONIC SIGNATURE
Section General Requirements
- Must be unique to an individual and not reassigned
- The identity of the individual must be verified by the organization
- The electronic signature system must be certified to the agency prior to or at the time of use of the system
- Certification must be submitted in paper form, and upon agency request the organization must provide certification that a signature is legally binding

12 SUBPART C - ELECTRONIC SIGNATURE
Section Electronic Signature Components and Controls
Non-biometric signatures must:
- Contain at least two different identification components (e.g. user ID and password)
  - Single sign-on with multiple tasks: use all identification components at the first signing, with partial identification for each task thereafter
  - Multiple sign-ons without continuous access require all identification components to be used each time
- Be used only by their genuine owner
- Be administered so that use by other individuals is precluded and cannot occur without the collaboration of at least two other individuals
Biometric signatures must ensure use only by their genuine owner.

13 SUBPART C - ELECTRONIC SIGNATURE
Section Controls for Identification Codes/Passwords
Persons using electronic signatures must employ controls to ensure their security and integrity, which should include:
- Assuring that no two individuals have the same combination of identification code and password
- Periodic check, recall, or revision of identification codes and passwords
- Loss management and replacement procedures
- Testing of devices (i.e. tokens or cards) that produce or maintain identification codes or passwords to ensure proper function and an unaltered state
- Unauthorized use safeguards: report attempts in an urgent and immediate manner to the security unit and to management, as appropriate
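The component and session rules of slide 12 together with the identification code and password controls of slide 13 (both components at the first signing of a session and only the owner-held component thereafter; codes unique and never reassigned; safeguards and reporting on unauthorized use attempts), as a small Python model. This is an added example, not code from the presentation; the class name, the three-failure lockout threshold and the report callback are assumptions.

```python
import hashlib, hmac, os

class SignatureAuthority:
    """Non-biometric electronic signature controls (identification code + password).
    First signing in a session needs both components; later signings in the same
    continuous session need only the password; a new session needs both again.
    """
    MAX_FAILURES = 3   # assumed threshold for the unauthorized-use safeguard

    def __init__(self, report):
        self.users, self.retired = {}, set()   # id -> (salt, hash); ids never reassigned
        self.sessions, self.failures, self.locked = {}, {}, set()
        self.report = report                   # callback(user_id, event): security unit

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enrol(self, user_id, password):
        if user_id in self.users or user_id in self.retired:
            raise ValueError("identification code already used; codes are never reassigned")
        salt = os.urandom(16)                  # passwords are stored salted and hashed only
        self.users[user_id] = (salt, self._hash(password, salt))

    def deactivate(self, user_id):
        del self.users[user_id]
        self.retired.add(user_id)              # code stays retired, so it cannot be reused
        self.sessions = {s: u for s, u in self.sessions.items() if u != user_id}

    def _check_password(self, user_id, password):
        salt, stored = self.users[user_id]
        if hmac.compare_digest(self._hash(password, salt), stored):
            self.failures[user_id] = 0
            return True
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= self.MAX_FAILURES:     # unauthorized-use safeguard
            self.locked.add(user_id)
            self.report(user_id, "locked after repeated failed signature attempts")
        return False

    def sign(self, session_id, password, user_id=None):
        if session_id in self.sessions:        # continuous session: password alone suffices
            user_id = self.sessions[session_id]
        elif user_id is None:                  # first signing: both components required
            return False
        if user_id not in self.users or user_id in self.locked:
            return False
        if not self._check_password(user_id, password):
            return False
        self.sessions[session_id] = user_id
        return True

    def end_session(self, session_id):
        self.sessions.pop(session_id, None)    # next signing must present both again
```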

14 POTENTIAL ISSUES
- The final rule does not establish numerical standards for levels of security or validation (persons have the option of determining the frequency).
- Widespread implementation of time- and date-stamped audit trails, executed objectively and automatically, and of controls limiting access to database search software may change a company’s current practices.
- The word “ensure” is used in the regulations. It is defined as “to make certain”. How will this be interpreted by a field inspector?
- “Unique nature of passwords”: how is uniqueness determined, and what are “good password practices”?
- Part 11 does not apply to paper records that are or have been transmitted by electronic means, but it does apply to records in electronic form that are created, modified, maintained, archived or retrieved under any record requirement regulated by the FDA.
- Record retention requirements for the software and hardware used to create records that are retained in electronic form are subject to Part 11.

15 POTENTIAL ISSUES (cont.)
- “As the agency’s experience with part 11 increases certain records may need to be limited to paper if there are problems with the electronic versions of such records.”
- “It may be necessary to inspect hardware and software used to generate and maintain electronic records to determine if the provisions of part 11 are being met.”
- The assessment of the adequacy of system validation will include inspection of hardware to “determine if it matches the system documentation description of the hardware.”
- For geographically dispersed systems, inspections would extend to operations, procedures and controls at one location, and the agency would inspect other locations of the network in a separate but coordinated manner.
- Is the implementation of an electronic system in manufacturing significant enough to require an NDA supplement prior to going live?
- Dial-in access over public phone lines can be a closed system if access to the system is under the control of the persons responsible for the content of the record.

16 POTENTIAL ISSUES (cont.)
- When an organization’s electronic records are stored on systems operated by third parties, the agency would consider this to be an open system.
- Electronic record is defined as “any combination of text, graphics, data, audio, pictorial or other information representation in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system.”
- “The Agency believes that if it is important enough that a record be signed, human readable displays of such records must include the printed name of the signer, the date and time of signing, and the meaning of the signature”. Example: a message from a firm’s management to employees instructing them on a particular course of action may be critical in litigation.
- “A single certification may be stated in broad terms that encompass electronic signatures of all current and future employees”.

17 ADVANTAGES / CHALLENGES
Advantages
- Electronic batch records can eliminate mountains of paperwork, speed processing and allow for statistical and trend analyses.
- NDAs and other submissions can be submitted electronically in place of paper submissions.
- Increased speed of information exchange.
- Cost savings from the reduced need for storage space.
- Manufacturing process streamlining.
- Job creation in industries involved in electronic record and electronic signature technologies.
Challenges
- Firms planning to use electronic signatures in FDA-regulated environments will be required to validate the computer-related systems.
- The design of systems must be well thought out and tested thoroughly.
- Critical control points must be identified which can be monitored through electronic audit trails.
- Adequate testing of security.

18 CRITICAL SUCCESS FACTORS
- Validation activities in manufacturing, toxicology, clinical, regulatory and perhaps marketing (label approval) will need to be more process focused: inputs and outputs must be defined, procedural controls must govern the process activities, standards must dictate the format and content of inputs and outputs, and all of this must be well documented.
- Configuration management, security management, periodic review and quality management must be a continual process.
- Record retention and record disposal practices need to be revised to reflect company requirements for complying with the new regulatory requirements.
- Documentation standards and practices should be created that systematize the processes for creating and maintaining documents.
- Planning will have to take into consideration the re-engineering, replacement, or retirement of a computer system when operating costs increase or business processes change.
- Effective change control is required.

19 SECURITY AND CONTROL
PROCEDURAL
- Obtain and review the corporate security policy, security standards and procedures
- Evaluate the effectiveness of the security organization
- Evaluate the effectiveness of the process for requesting, granting and removing access
PHYSICAL
- Review the physical access policy
- Identify sensitive areas (computer room, data rooms, wiring closets)
- Determine the process for granting, reviewing, monitoring and removing access
- Verify that the process is operating effectively
LOGICAL
- Obtain and review the data access policy
- Identify access “paths” to cGMP data:
  - Dial-in / Internet / Local Area Network / Wide Area Network
  - Operating system
  - Database security / application security

20 AN ENTERPRISE-WIDE SECURITY STRATEGY
An enterprise-wide security strategy should:
- Identify risks, threats and potential vulnerabilities
- Classify information based on sensitivity (sensitive, public, cGMP vs. non-cGMP, etc.)
- Determine and implement appropriate controls based on the risk assessment/classification
- Ensure a consistent process to maintain an effective level of security and control
- Document this approach in the form of an SOP

21 FDA’S VIEW OF WHAT INDUSTRY NEEDS TO DO Learn Part 11 File (c) Certification E-records maintained ID formats FDA can audit/copy Check with FDA auditors Watch for guidance docs E-records submitted to FDA Check docket 92S Attn: logistics and guidance file format/media Transmission methods/archiving