Overview of 21CFR Part 11: The Final Rule Presentation by Daniel Worden PERI ELECTRONIC RECORDS AND SIGNATURES WORKSHOP Philadelphia November 8, 1999

Page 1

Overview of 21CFR Part 11: The Final Rule

Presentation by Daniel Worden

PERI ELECTRONIC RECORDS AND SIGNATURES WORKSHOP

Philadelphia, November 8, 1999

Page 2

21 CFR Part 11 Electronic Records; Electronic Signature

Milestones

11/91 Project Launched

7/92 Advanced Notice

8/94 Proposed Rule

3/97 Final Rule

8/97 In Effect

Paul Motise

Page 3

E - Record / E - Signature Acceptance

Trustworthy

Reliable

Authentic & Legal

Part 11

Page 4

21 CFR Part 11 Electronic Records: Electronic Signature

AGENDA

• Summary of 21 CFR, Part 11

Subpart A: General Provisions

Subpart B: Electronic Records

Subpart C: Electronic Signatures

• Potential Issues

• Advantages and Challenges

• Critical Success Factors

• Security and Control

Page 5

21 CFR Part 11 Electronic Records: Electronic Signature

Subpart A - General Provisions

Section 11.1 Scope

• Regulations establish the criteria the FDA considers for electronic records and electronic signatures to be trustworthy, reliable, and generally equivalent to paper.

• Applies to all records in electronic form under any records requirement within any FDA regulation.

• Electronic records are considered equivalent to full handwritten signatures, initials, and other general signings.

• Electronic records may be used in accordance with Part 11 unless paper records are specifically required.

• Computer system (hardware and software), controls, and relevant documentation must be available for review during FDA inspections.

Page 6

Electronic Record

• “Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”

21 CFR Part 11 Electronic Records: Electronic Signature

Page 7

21 CFR Part 11 Electronic Records: Electronic Signature

Electronic Signature

• “A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.”

Page 8

21 CFR Part 11 Electronic Records: Electronic Signature

Handwritten Signature

• “The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form.”

• “The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.”

Page 9

21 CFR Part 11 Electronic Records: Electronic Signature

Digital Signature

• “An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”

Biometrics

• “A method of verifying an individual’s identity based on measurement of the individual’s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.”

Page 10

21 CFR Part 11 Electronic Records: Electronic Signature

Closed System

• “An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.”

Open System

• “An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.”

Page 11

21 CFR Part 11 Electronic Records: Electronic Signature

Subpart B - Electronic Records

Section 11.10-Controls for Closed Systems

• Must develop procedures and controls to ensure authenticity, integrity and confidentiality, and that signer cannot repudiate the signed record. The controls must:

• Be validated

• Maintain accurate and complete records

• Limit the system to authorized persons

• Protect records through retention period

• Contain audit trails that are secure, operator independent, computer-generated, time-stamped, cover the creation, modification and deletion of records and do not obscure previous information

Page 12

21 CFR Part 11 Electronic Records: Electronic Signature

Section 11.10-Controls for Closed Systems (cont.)

• Allow for the performance of operational system checks, authority checks, and device checks to ensure system, record, and data integrity

• Ensure appropriate personnel qualifications

• Policies written and followed to hold personnel accountable for actions and to deter records falsification

• Control over system documentation including distribution, access, use, revision and change control

Page 13

21 CFR Part 11 Electronic Records: Electronic Signature

Section 11.30-Controls for Open Systems

• Must develop procedures and controls that ensure authenticity, integrity, and confidentiality of electronic records and comply with all other parts of Section 11.10

• Must use additional measures (e.g. document encryption, digital signature standards) to ensure authenticity, integrity, and confidentiality

Page 14

21 CFR Part 11 Electronic Records: Electronic Signature

Section 11.50-Signature Manifestation

• Signed electronic records must include the printed name of the signer, date and time of signature, and the purpose of the signature (e.g. review, approval, etc.). Each of these must be readable by display or printout.

Section 11.70-Signature/Record Linking

• Electronic signatures and handwritten signatures must be linked to their records to ensure that signatures cannot be excised, copied, transferred or falsified.
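
Added example (not part of the original presentation): one way to implement the Section 11.50 manifestation and the Section 11.70 linking described above, with the signature block carrying the printed name, date and time, and meaning, and bound to a hash of the record content. The HMAC with a per-signer key stands in for a digital signature scheme; that choice, the function names, the key and the sample record are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

MANIFEST_FIELDS = ("printed_name", "signed_at", "meaning", "record_sha256")


def canonical(obj) -> bytes:
    """Stable byte encoding so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def sign_record(record, printed_name, meaning, signed_at, signer_key: bytes) -> dict:
    """Build a signature block that names the signer, time and meaning
    (Sec. 11.50) and covers the record's hash (Sec. 11.70)."""
    manifest = {
        "printed_name": printed_name,
        "signed_at": signed_at,
        "meaning": meaning,
        "record_sha256": record_digest(record),
    }
    # Assumption: HMAC-SHA256 under a key only the signer can use.
    tag = hmac.new(signer_key, canonical(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "tag": tag}


def check_signature(record, sig, signer_key: bytes) -> list:
    """Return a list of problems; an empty list means the block is complete,
    unaltered, and belongs to exactly this record content."""
    problems = []
    for field in ("printed_name", "signed_at", "meaning"):
        if not sig.get(field):
            problems.append(f"manifestation missing: {field}")
    manifest = {k: sig.get(k) for k in MANIFEST_FIELDS}
    expected = hmac.new(signer_key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(sig.get("tag", ""))):
        problems.append("signature block altered or not made with this signer's key")
    if manifest["record_sha256"] != record_digest(record):
        problems.append("signature is not linked to this record content")
    return problems


def render(record, sig) -> str:
    """Human-readable display including the three Sec. 11.50 items."""
    return (
        f"{record['title']}\n"
        f"Signed by: {sig['printed_name']}\n"
        f"Date/time: {sig['signed_at']}\n"
        f"Meaning:   {sig['meaning']}"
    )


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value, not a real credential
    batch = {"record_id": "BR-0001", "title": "Batch record (constructed sample)",
             "result": "pass"}
    sig = sign_record(batch, "A. Reviewer", "approval",
                      "1999-11-08T14:30:00+00:00", key)
    print(render(batch, sig))
    print("original record:", check_signature(batch, sig, key))
    # The same block attached to different content no longer verifies.
    print("changed record: ", check_signature(dict(batch, result="fail"), sig, key))
```
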

Page 15

21 CFR Part 11 Electronic Records: Electronic Signature

Subpart C-Electronic Signature

Section 11.100-General Requirements

• Must be unique to an individual and not reassigned

• Identity of individual must be verified by organization

• Must certify electronic signature system to the agency prior to or at the time of use of the system

• Certification must be submitted in paper form and, upon agency request, provide certification that signature is legally binding

Page 16

21 CFR Part 11 Electronic Records: Electronic Signature

Section 11.200-Electronic Signature Components and Controls

• Non-Biometric signatures must:

• Contain at least two different identification components (e.g. User ID and Password)

• Single sign-on with multiple tasks: Use all identification components at first, with partial identification for each task thereafter

• Multiple sign-on without continuous access requires all identification components to be used each time

• Be used only by the owner

• Ensure use by other individuals is precluded and does not occur without collaboration by at least two other individuals

• Biometric signatures must ensure use by the owner

Page 17

21 CFR Part 11 Electronic Records: Electronic Signature

Section 11.300-Controls for Identification Codes/Passwords

• Persons using electronic signatures must use controls to ensure security and integrity and should include:

• Assuring that no two individuals have the same combination of identification code and password

• Periodic check, recall, or revision of identification code and password

• Loss management and replacement procedures

• Testing of devices (i.e. tokens or cards) that produce or maintain identification codes or passwords to ensure proper function and unaltered state.

Page 18

21 CFR Part 11 Electronic Records: Electronic Signature

Section 11.300 Controls for ID codes/passwords

• Unauthorized use safeguards

• Report attempts in urgent & immediate manner to:

• Security unit

• Management, as appropriate

Page 19

21 CFR Part 11 Electronic Records: Electronic Signature

FDA’s View of What Industry Needs to Do

• Learn Part 11

• File 11.100 (c) Certification

• E-records maintained

• ID formats FDA can audit/copy

• Check with FDA auditors

• Watch for guidance documents

Page 20

21 CFR Part 11 Electronic Records: Electronic Signature

Part 11 Internet Web Site:

http://www.fda.gov/cder/esig/part11.htm

Page 21

21 CFR Part 11 Electronic Records: Electronic Signature

7520 Standish Place

Rockville, MD 20855

Paul J. Motise

Consumer Safety Officer

Division of Manufacturing and Product Quality, HFD-320

Center for Drug Evaluation and Research

Phone: 301-594-1089

Fax: 301-594-2202

E-mail: [email protected]

Page 22

FORMULATE AN INFORMATION STRATEGY

[Diagram. Labels: ENTERPRISE GOALS; DEVELOPMENT PROCESS; INFORMATION STRUCTURE & REGULATORY REQUIREMENTS; INFORMATION SYSTEMS TECHNOLOGY; STRATEGIC PLAN; DRUG DEVELOPMENT; INFORMATION MANAGEMENT]

• Time to Market

• “Quality” of Development

• Link to Market & Customer Information

• Organizational Effectiveness

• Global Information Architecture

• Application Portfolio

• Enabling Technologies/Tools

• Legacy Systems

• Cross-functional process flows

• Cross-functional Information flows

• Continuous Process Improvement

• Global resource management

• Process Validation

• Regulatory Interface

• Accelerated Review & Approval

• Standardized Submissions

• Computer Validation

Page 23

APPLICABILITY OF PART 11

GXP [ quality management systems ]: GLP, GISP*, GMP, GCP

*GISP- Good Information System Practices

- Manufacturing Execution (MES)
- Maintenance Management (MMS)
- Calibration Management (MCS)
- Facility Management Systems
- Enterprise Resource Plan (ERP)
- SCADA Systems
- Supply Chain Planning (SCP)
- Internet Applications
- EDI
- PLC Systems

- Data Acquisition
- Laboratory Information Management (LIMS)
- Laboratory Robotics
- Toxicology Systems
- Stability Systems
- Environmental Impact

- GXP Training
- GXP Tracking
- SOP Systems

- Centralized Laboratory
- Data Acquisition & Reporting
- Remote Data Entry
- Case Report Form Systems
- Clinical Data management
- Adverse Event Reporting
- Clinical Supply Systems
- Statistical Analysis Systems

- Document Management
- Quality Management
- Computer Assisted NDA (CANDA)

Page 24

PROGRESSIVE APPLICATION OF REGULATIONS

Paper: N / A

Electronic Records, Closed Systems, by Signature:

• None: Sec. 11.10

• Handwritten: Sec. 11.10 + Sec. 11.70

• Non-Biometric: Sec. 11.10 + Sec. 11.70 + Sec. 11.50 + Sec. 11.100 + Sec. 11.200a + Sec. 11.300

• Biometric: Sec. 11.10 + Sec. 11.70 + Sec. 11.50 + Sec. 11.100 + Sec. 11.200b

Electronic Records, Open Systems, by Signature:

• None, Handwritten, Non-Biometric, Biometric: as for Closed Systems, + Sec. 11.30 in each case

Page 25

“The Agency believes that if it is important enough that a record be signed, human readable displays of such records must include the printed name of the signer, the date and time of signing, and the meaning of the signature”.

Example: a message from a firm’s management to employees instructing them on a particular course of action may be critical in litigation.

THE FOUNDATION

Page 26

Potential Issues

• The final rule does not establish numerical standards for levels of security or validation (persons have the option of determining the frequency).

• Widespread implementation of time- and date-stamped audit trails executed objectively and automatically, and of controls for limiting access to the database search software, may change a company’s current practices.

• The word “ensure” is used in the regulations. It is defined as “to make certain”. How will this be interpreted by a field inspector?

• “Unique nature of passwords”. How is uniqueness determined and what are “good password practices”?

• Part 11 does not apply to paper records that are or have been transmitted by electronic means, but it does apply to records in electronic form that are created, modified, maintained, archived, or retrieved under any record requirement regulated by FDA.

• Record retention requirements for software and hardware used to create records that are retained in electronic form are subject to part 11.

Page 27

Potential Issues (Cont’d)

• “As the agency’s experience with part 11 increases certain records may need to be limited to paper if there are problems with the electronic versions of such records.”

• “It may be necessary to inspect hardware and software used to generate and maintain electronic records to determine if the provisions of part 11 are being met.”

• The assessment of adequacy of systems validation will include inspection of hardware to “determine if it matches the system documentation description of the hardware.”

• For geographically dispersed systems, inspections would extend to operations, procedures and controls at one location and the agency would inspect other locations of the network in a separate but coordinated manner.

• Is the implementation of an electronic system significant enough in manufacturing to require an NDA supplement prior to going live?

• Dial-in access over public phone lines can be a closed system if access to the system is under the control of the persons responsible for the content of the record.

Page 28

Potential Issues (Cont’d)

• When an organization’s electronic records are stored on systems operated by third parties the agency would consider this to be an open system.

• Electronic record is defined as “any combination of text, graphics, data, audio, pictorial or other information representation in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system.”

• “The Agency believes that if it is important enough that a record be signed, human readable displays of such records must include the printed name of the signer, the date and time of signing, and the meaning of the signature”. Example: a message from a firm’s management to employees instructing them on a particular course of action may be critical in litigation.

• “A single certification may be stated in broad terms that encompass electronic signatures of all current and future employees”.

Page 29

Potential Issues (Cont’d)

• 21CFR11 applies only to those records required to be created, archived, and/or signed or initialed in accordance with another (predicate rule) FDA regulation. Failure to comply with Part 11 effectively invalidates the electronic record, thus placing the firm in violation of the predicate rule requiring the record.

• The FDA is being lenient in enforcing the rule unless the investigator has reason to question the integrity of the data.

• PhRMA feels that FDA’s interpretation of the electronic record portion of the rule is flawed since many computer systems in use in R&D, clinical and QC lack the capability of generating time-date audit trails (e.g. SAS and HPLC).

• 21CFR11 has evolved from an approach to facilitate a paperless system into an FDA enforcement tool.

• PhRMA claims that the FDA definition of raw data has changed. Previous to the rule, raw data was considered to be paper documents with a handwritten signature. If the data were generated from a computer, the printout was signed and archived as the official record.

Page 30

Potential Issues (Cont’d)

• FDA is considering additional guidance to try to create a procedure to ensure that electronic records cannot be changed after a hardcopy has been signed.

• FDA would like to obtain a copy of each electronic file, manipulate it, study it, and pick out trends.

• The transition to paperless systems has proven to be gradual and potentially very expensive. Industry, therefore, has opted to maintain hybrid systems because many systems currently in use in R&D and Manufacturing are not able to comply with the electronic signature section of Part 11.

• As of August 20, 1997 firms that used hybrid systems had the choice of maintaining the hybrids or converting to an electronic environment, in whole or in part, to meet FDA maintenance record requirements.

• IDs should not be reused even if the person using the ID leaves the company.

• Passwords should consist of a minimum of six characters using a combination of letters and numbers.

Page 31

Certification Statement

Pursuant to section 11.100 of Title 21 of the Code of Federal Regulations, this is to certify that __________________ (Name of organization) intends that all electronic signatures executed by our employees, agents, or representatives, located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures.

Page 32

Stringent Controls

“The agency believes that…it is vital to have stringent controls in place to prevent impersonation. Such controls include: (1) requiring an individual to remain in close proximity to the workstation throughout the signing session; (2) use of automatic inactivity disconnect measures that would “de-log” the first individual if no entries or actions were taken within a fixed short timeframe; and (3) requiring that the single component needed for subsequent signings be known to, and usable only by, the authorized individual.”

Page 33

Electronic Signatures and Electronic Records

Advantages

• Electronic Batch records can eliminate mountains of paper work, speed processing and allow for statistical and trend analyses.

• NDAs and other submissions can be submitted electronically in place of paper submission.

• Increases the speed of information exchange.

• Cost savings from reduced need for storage space.

• Manufacturing process streamlining.

• Job creation in industries involved in electronic record and electronic signature technologies.

Challenges

• Firms planning on using electronic signatures in FDA regulated environments will be required to validate the computer related systems.

• Design of systems must be well thought out and tested thoroughly.

• Critical control points must be identified which can be monitored through electronic audit trails.

• Adequate testing of security.

• Fraud Detection

Page 34

Electronic Signatures and Electronic Documents

Critical Success Factors

• Validation activities in manufacturing, toxicology, clinical, regulatory and perhaps marketing (label approval) will need to be more process-focused and well documented, requiring definition of inputs and outputs, with procedural controls governing the process activities and standards dictating the format and content of inputs and outputs.

• Configuration management, security management and periodic review and quality management must be a continual process.

• Record retention and record disposal practices need to be revised to reflect company requirements to comply with new regulatory requirements.

• Documentation standards and practices should be created that systematize the processes for creating and maintaining documents.

• Planning will have to take into consideration re-engineering, replacement, or retirement of a computer system when operating costs increase or business processes change.

• Requires effective change control.

Page 35

• Procedural

• Physical

• Logical

Security and Control

Page 36

Procedural - Verification

Obtain and Review Corporate Security policy, security standards and procedures

Evaluate the effectiveness of the security organization

Evaluate the effectiveness of the process for requesting, granting and removing access.

Page 37

Physical Security

Review Physical Access Policy

Identify sensitive areas (computer room, data rooms, wiring closets).

Determine process for granting, reviewing, monitoring and removing access.

Verify that process is operating effectively.

Page 38

Logical Security

• Obtain and review data access policy

• Identify access “Paths” to cGMP data

– Dial-in

– Internet

– Local Area Network

– Operating System

– Database Security

– Application Security

Page 39

Logical Security

For each access path, evaluate the following:

– user security parameters

• unique user ID/password combinations

• password change intervals (90 days)

• password composition (e.g., combination of numbers and letters required)

• password length (minimum length of 6 characters)

– access controls that enforce segregation of duties (read, write, delete)

– monitoring functionality and audit trail

Page 40

THE PATH FORWARD

• GAP ANALYSIS

“As Is” processes

Design Specs

Risk Exposure

• SYSTEM CONTROLS

Security

Electronic Record Retention

Monitoring

• FRAUD

• MONITORING 483s

Page 41

Questions and answers from Paul Motise at various industry meetings, as well as conversations and his e-mail updates

Q: Can a firm which maintains regulatory records in computer files be exempt from FDA’s signature rule if periodically the firm prints paper hard copies of all documents as its official record?

A: Paul Motise says no. On 10/22/97 US District Judge Paul Friedman nullified a National Archives Regulation authorizing all Government Agencies to erase electronic documents if paper is archived. Example: Spreadsheet shows results but not the algorithm.

Q: What must the audit trail contain?

A: Date/time of operator entries that create, modify, or delete information and who did what, wrote what, and when.

Q: Can an audit trail be paper?

A: No. It must be a computer generated electronic record.

Q: Must an audit trail be signed?

A: No. It must be independent of the operator and operators must not be able to sign the audit trail.

QUESTIONS AND ANSWERS --FDA’s PAUL MOTISE [1]
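
Added example (not part of the original presentation or of FDA material): a record store whose audit trail has the properties listed under Section 11.10 and in the answers above, namely system-generated time stamps, an entry for every create, modify and delete with operator and values, and previous information left visible. Chaining the entries by hash so that edits and removals are detectable is an assumption of this example rather than something the slides prescribe; the class, field names and sample data are hypothetical.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry


def entry_digest(body: dict) -> str:
    """SHA-256 over a stable JSON encoding of an entry without its own hash."""
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


class AuditedStore:
    """Every create/modify/delete writes a trail entry. The operator supplies
    identity and data only; the time stamp and the entry are generated by the
    system, and no method edits or removes trail entries."""

    def __init__(self, clock=None):
        self._records = {}
        self._trail = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, operator, action, record_id, old, new):
        body = {
            "seq": len(self._trail),
            "timestamp": self._clock().isoformat(),
            "operator": operator,
            "action": action,
            "record_id": record_id,
            "old_value": old,  # previous information is kept, not overwritten
            "new_value": new,
            "prev_hash": self._trail[-1]["entry_hash"] if self._trail else GENESIS,
        }
        self._trail.append({**body, "entry_hash": entry_digest(body)})

    def create(self, operator, record_id, value):
        if record_id in self._records:
            raise KeyError(f"{record_id} already exists")
        self._records[record_id] = value
        self._log(operator, "create", record_id, None, value)

    def modify(self, operator, record_id, value):
        old = self._records[record_id]
        self._records[record_id] = value
        self._log(operator, "modify", record_id, old, value)

    def delete(self, operator, record_id):
        old = self._records.pop(record_id)
        self._log(operator, "delete", record_id, old, None)

    def trail(self):
        """Read-only view: callers get a copy, never the live list."""
        return copy.deepcopy(self._trail)


def verify_trail(trail) -> list:
    """Re-walk the chain and report altered, removed or reordered entries.
    The chain alone does not stop someone rewriting the whole trail, so the
    latest entry_hash should also be kept where operators cannot reach it."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry.get("seq") != i:
            problems.append(f"position {i}: sequence gap (entry removed or reordered)")
        if entry.get("prev_hash") != prev:
            problems.append(f"position {i}: broken link to previous entry")
        if entry_digest(body) != entry.get("entry_hash"):
            problems.append(f"position {i}: entry content altered")
        prev = entry.get("entry_hash")
    return problems


if __name__ == "__main__":
    store = AuditedStore()
    store.create("jdoe", "assay-7", "98.2")    # constructed sample data
    store.modify("asmith", "assay-7", "99.1")
    store.delete("asmith", "assay-7")
    for e in store.trail():
        print(e["timestamp"], e["operator"], e["action"], e["old_value"], "->", e["new_value"])
    print("intact trail:", verify_trail(store.trail()))
    edited = store.trail()
    edited[1]["old_value"] = "99.1"            # hide the original result
    print("edited trail:", verify_trail(edited))
```
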

Page 42

Q: Will an electronic signature with only a date stamp be acceptable or does the time of day need to be included?

A: Time is vital and must be included.

Q: Do you really expect to have certifications from every regulated company as in part 11.100, even if they are only using electronic signatures for open systems (such as e-mail) and are not using electronic signatures for collecting original data, authorizing documents or electronic submissions?

A: Yes. We are asking for that certification from every company that is using an electronic signature to meet FDA signature requirements. It doesn’t matter if it is open or closed.

Q: In the GLPs [Part 58.81(a)] the requirement is that changes to SOPs “be authorized in writing by management”. Does 21CFR11 broaden the meaning of “in writing” to include “be authorized in writing or electronically by management”?

A: In GLPs, if you have a particular record, then Part 11 applies to the record. If you are going to create an endorsement electronically, then Part 11 applies. If a record is required by FDA then Part 11 applies.

Q: If I scan in CRFs to get into a report and I will be signing the final report as the preparer of the submission, would that be acceptable to the agency?

A: Yes. This is a hybrid system, but for the electronic record you will apply an electronic signature to the entire thing. What is signed should be protected so that later on nothing can be switched.

QUESTIONS AND ANSWERS --FDA’s PAUL MOTISE [2]

Page 43

Field Notice FMD 146 10/22/97 tells investigators to check the ORA Intranet site to determine if an electronic signature certification has been filed prior to arriving at the inspection site.

Guidance to FDA Inspectors for Making and Maintaining Copies of Electronic Records:

1) Use digital signature software to authenticate your copy file; signature verification would detect any post signing record changes.

2) Obtain an affidavit from the firm confirming that the copy is accurate and complete.

3) Place the disk or tape holding your electronic copy in a container under official seal and document a chain of custody for the container in a manner similar to official samples.

MORE FROM THE FDA