Part 11; Electronic Records, Electronic Signatures
Answers to Frequently Asked Questions
P. Motise


Upload: susanna-riley

Post on 23-Dec-2015



We will cover

Scope
Typewriter excuse
Open vs. Closed systems
Audit trails/time stamps
Certification
Enforcement
Legacy systems

Scope, 21 CFR 11.1

Q. Does part 11 apply to all of our electronic records? Ref: 11.1(b)

A. No
Only per codified records requirements
(For submissions) - Per statute

Scope, 21 CFR 11.1

Predicate rule/law requires record:
Creation
Contents
Signature(s)
Archiving
Original vs copy

Scope, 21 CFR 11.1

Q. Apply only to signed records? Ref: 11.1(c), (d); comment para 26

A. No
Any e-record per codified requirement

Scope, 21 CFR 11.1

Q. Apply to signatures not required but in required record? Ref: comment para 100

A. Yes; they also need to be trustworthy and reliable.

Scope, 21 CFR 11.1

Q. Must e-records have e-sigs? What about hybrids? Ref: 11.1(c), 11.2; 11.70;

A. No; hybrids are possible
Hybrids problematic
link h-sig to e-record
non-repudiation

Scope, 21 CFR 11.1

Q. Apply to e-record systems that generate paper? (Typewriter excuse) Ref. Comment para 22

A. Yes (unless system = typewriter)
Printouts don’t exempt e-records from part 11

Scope, 21 CFR 11.1

Paper printout of e-record is NOT traditional paper record
E-record controls determine Paper:
trustworthiness
reliability
differ from true paper (typewriter) paper system

Scope, 21 CFR 11.1

Printouts and e-records differ re:
Content
e.g., meta data (audit trail), hidden text, e-sigs.
Auditing properties
search/sort/send features

[Diagram: Part 11 Applies; labels: Process In, Process Out, Changes]

Scope, 21 CFR 11.1

What is an electronic record? Ref: 11.3(b)(6)

Electronic Record 11.3(b)(6)

any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system

Scope, 21 CFR 11.1

When do “data” become an electronic record, per part 11? Ref: comment paras 22, 45, 72

A. When “saved” to durable medium
E.g., disk or tape
Retention per predicate regulation

Scope, 21 CFR 11.1

Q. Different e-sigs for types of signing (e.g., initials vs full name)? Ref. 11.1(c), Comment para 28

A. No
Any e-sig good for any signing

Scope, 21 CFR 11.1

Q. Will FDA certify/approve part 11 products/services? Ref. Comment para 5

A. No
Be wary of endorsement claims

Definitions, 21 CFR 11.3

Q. Are all h-sigs biometric? Ref. 11.3(b)(3) Comment para 39

A. No
Biometric = unique/measurable action or physical feature is measured
Image is NOT an Action

§ 11.3 Definitions

Closed system

“an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.”

§ 11.3 Definitions

Open system

“an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.”

Definitions, 21 CFR 11.3
Open v. Closed System

Q. Does phone access make system open? Ref. 11.3(b)(4) Comment para 44

A. No
If persons responsible for record content control access to system holding record

[Diagram labels: Company A; System A; Company B; A’s Records; B’s Records. For A - System is CLOSED. For B - System is OPEN.]

Archiving, 21 CFR 11.10(c)

Q. Can firms archive e-records as paper printouts only? Ref. 11.10(b)&(c), Comment para 71

A. No
Saved record must be electronic
Must be able to generate e-copies

Archiving, 21 CFR 11.10(c)

Q. Need firms save equipment needed to read e-archives? Ref. 11.10(c); Comment para 70/71

A. No
Transcriptions OK for accurate/complete copies.
Keep meta data and e-sig links

Audit Trails, 21 CFR 11.10(e)

Q. What must audit trail contain? Ref. 11.10(e); Comment paras 72, 75

A. Date/time of operator entries or actions that: create, modify, or delete record

A. Who did what/wrote what & when

Audit Trails, 21 CFR 11.10(e)

Q. Can audit trail be paper? Ref. 11.10(e) Comment paras 72, 73

A. No
Must be computer generated (e-record)

Audit Trails, 21 CFR 11.10(e)

Q. Must audit trail be signed? Ref. 11.10(e) Comment paras 73, 75

A. No
Must be independent of operator
Operators should not be able to sign audit trail

Time Stamps, 21 CFR 11.10(e)/11.50(a)

Q. Must time stamps synchronize to trusted 3rd party? Ref. 11.10(e) Comment para 73

A. No
Ensure clock accuracy - no abuse

Time Stamps, 21 CFR 11.10(e)/11.50(a)

Q. Must time be local to activity/signer? What format? Ref. 11.50; Comment para 101

A. Yes
Can have remote time, too
Unambiguous format

Signature Manifestations, 21 CFR 11.50

Q. Can codes substitute for printed name (e.g., people having same name)? Ref. 11.50(a)(1), Comment para 102

A. No.
Need unambiguous printed name
Augment w/other codes, optional

Signature to Record Linking, 21 CFR 11.70

Q. Must encryption based links be re-set, records signed anew, should outdated algorithm break? Ref. 11.70; Comment para 113

A. No.
Need reasonable, not bulletproof, security levels.

Certifications, 21 CFR 11.100(c)

Q. One per employee or facility? Personnel updates? Ref. 11.100(c), Comment paras 52, 119

A. No.
Person = organization or individual
Institutional certification, global

Certifications, 21 CFR 11.100(c)

Q. Example of certification? Ref. 11.100(c), Comment para 120, pg. 13456, 62 FR, No. 54, 3/20/97

A. Yes


Pursuant to Section 11.100 of Title 21 of the Code of Federal Regulations, this is to certify that [name of organization] intends that all electronic signatures executed by our employees, agents, or representatives, located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures.

Continuous Sessions, 21 CFR 11.200(a)

Q. Can system logon be 1st signing? Ref. 11.200(a), Comment para 124

A. Yes
When e-record is signed.

Controls for ID/PWs; Device Testing, 21 CFR 11.300(e)

Q. Can token/card security negate need for periodic testing? Ref. 11.300(e), Comment para 138

A. No
Cards not foolproof
Test for unauthorized account changes, not just id info.

Part 11 Enforcement

Will “legacy systems” really have to comply with part 11? Ref. Comment para 9

A. Yes.
No “grandfathering”

Part 11 Enforcement (Default for all regs.)

Nature/extent of deviation
Impact on product quality/data integrity
Adequacy/timeliness of corrective action plan
Compliance history

Part 11 Enforcement

Intensified surveillance
Customary option
At worst:
E-records not usable for predicate rule
Predicate rule violated

Part 11 Adopters?

Patent and Trademark Office
Environmental Protection Agency
Drug Enforcement Admin.
Internal Revenue Service
Social Security Administration
Justice Department
General Services Admin.
Health Care Financing Admin.
45 CFR 142 (Security & E-Sig Standards)

HCFA

45 CFR Part 142
Security and E-Signature Standards
Individual health info and e-sigs
Covers:
Health plans
Health care clearinghouses
Health care providers

HCFA v. FDA (Similarities)

Same areas of concern
ID & authentication
Authorization & access control
Accountability
Integrity & availability
Communication security
Security administration

HCFA v. FDA (Differences)

Overall emphasis
HCFA - Confidentiality/privacy
FDA - Record integrity/auditability

Digital signatures
HCFA - Mandatory for required sigs.
FDA - Optional

Certification
HCFA - Compliance w/standards
FDA - Intent re: h-sig/e-sig legally binding equivalence

Self Audits
HCFA - Required
FDA - Not mentioned

General requirements
HCFA - 25
FDA - 2

Specific requirements
HCFA - 64
FDA - 32

Optional controls
HCFA - 15
FDA - 2

HCFA Mapped Standards

Practices taken from:
55 standards (including part 11)
Issued by 12 organizations:
ANSI, ASTM, CEN, FDA, NIST, IEEE, IETF, ISO/IEC, PKCS, DoD, NRC/NAS, HMAC

Part 11 Controls/Concepts

AIIM/ANSI MS64 - re: Audit trail info
NAS/NRC - Report on Health Care Records - Security/Privacy
Italy: Bassanini Act - e-records
Germany: Info & Comm. Services Act - d-signatures
DoD; 5015.2std - e-rec. mgmt
State Digital Signature Laws
UT, FL, GA, MI, CA, VA, WA, IL, et al
ABA Digital Signature Guideline
Canada - Univ. of BC, e-rec. archiving
http://www.slais.ubc.ca/users/duranti/

Part 11 Internet Sites

Part 11 Notices/reports
http://www.fda.gov/cder/esig/part11.htm
E-Submissions docket
http://www.fda.gov/ohrms/dockets

We have covered

Scope
Typewriter excuse
Open vs. Closed systems
Audit trails/time stamps
Certification
Enforcement
Legacy systems

7520 Standish Place
Rockville, MD 20855

Paul J. Motise
Consumer Safety Officer
Division of Manufacturing and Product Quality, HFD-320
Center for Drug Evaluation and Research

Phone: 301 594-0098
Fax: 301 594-2202
E-mail: [email protected]