part 11, electronic records; electronic signatures; update ... · pdf file4 part 11,...

1

Part 11, Electronic Records; Electronic Signatures; Update On Implementation; P. Motise 8/00

P. Motise

Update on Implementation

21 CFR Part 11Electronic Records; Electronic

Signatures

l Part 11 overviewl Program management at FDAl Public conference outcomesl Guidance developmentl Problems we’re findingl Parallel mainstream activitiesl Resources

We’ll Cover

2


l Part 11 - substantive ruleu Records (not computer) reg.

l Minimal standardsl What makes e-recordkeeping

u Trustworthyu Reliableu Compatible w/FDA work

Part 11 - What It Is

l Part 11 complianceu Permits e-recs/e-sigs in place of

paper/h-sigsn All FDA program areasn Tied to predicate regulations

u E-submissionsn Docket 92S-0251

Part 11 - What It Means

l System controls basis (CGMP model)u Technicalu Proceduralu Administrative

l Controls suggested by industrytechnical experts

Part 11 - The Approach

3


l Development Historyu 1990 - Early worku 7/21/92 - ANPRu 8/31/94 - Proposed Ruleu 3/20/97 - Final Ruleu 8/20/97 - Effective Date

Part 11 - Milestones

l Assoc. Commissioner For RegulatoryAffairs/Office of Enforcement (OE)u Regulatory implementation

n Enforcement/Interpretationn Trainingn Industry guidancen Centers have input

Who Does What?

4


l Agency centersu E-submissions (e.g., NDAs)

n What to accept in e-formn File formats and median Delivery methods

Who Does What?

l Part 11 Compliance Committeeu Responsibilities:

n Advise agency on complianceissues

n Develop policy/guidancedocuments

n Inform units re: committee workmore...

Who Does What?

l Part 11 Compliance Committeeu Responsibilities:

n Discuss crosscutting issuesn Recommend implementationuniformity methods

n Promote, develop, coordinateFDA/industry training/education

Who Does What?

5


l Part 11 Compliance Committeeu Managed by OEu Members from

n All centersn Office of Chief Counseln Field

Who Does What?

l Compliance programsu Per routine revisions/renewals

l New predicate rulesu E.g., Dietary Supplement CGMPs

l Field trainingu Part 11 & predicate rule courses

Weaving Part 11 Into Programs

6


l Co-sponsorship w/PDAl For all FDA regulated industriesl Held June 19 & 20, 2000l 900 attendeesl 22 industry speakers

Conference Facts

more...

l Info exchange onu Industry’s experience in

implementing part 11 technicalprovisions

u Available products/services toenable compliance

Conference Purpose

more...

l Not a tutoriall Not to debate rule’s meritsl To help FDA develop guidance

more...

Conference Purpose

7


l FDA guidance needed ASAPl Enabling products/services now

available; more coming fastu Mosaic, not turn-key, solutionsu Effort/creativity needed

n XML, Java, Active-X, Source codecontrol tools, native capabilities

Themes That Emerged

l Suppliers listening/can offerneeded featuresu Users must speak up/be specific

l Part 11 in mainstreamu E-commerce; E-government

l People don’t do their homework

Themes That Emerged

8


l Archivingl Audit trailsl Certificationsl Validationl E-copies of e-records for FDA

Among Likely Topics

l Legacy e-systems less secure thantraditional paperu Record integrity principles and

practices left behindl Implementation given to IT alonel Failure to keep up w/standards and

enabling technologies

General Problems

more...

9


l All users have system admin.privileges

l Network administrator unqualifiedl Passwords posted to directory

Poor Network Security

more...

l E.g., Password = Account Namel Avoid dumb passwords like:

“Password” “Login”“Bob” “Boss”“Goddess” “Diva”“Stud” “Computer”“Dilbert” “GOSKINS!”

Poor Password Controls

more...

l Unvalidatable systemsu System requirements spec. absent

l Program macros not validatedu Assay calculations

n Recall resulted

Validation Problems

more...

10


l Inadequate change control(configuration management)u Remote changes by vendoru Interface changes

more...

Validation Problems

Patient B [Info B]

Patient A [Info B]

Patient B [Info B]

Results of contamination test

Code 330 = Testequipment failed[3 digit results code field]

Code 33 = Tested material is o.k.[2 digit results code field]

11


l No audit trail of operator changes toassay reports

l Inability to generate e-copies for FDAl Batch record lost to overwritel Failure to record non-compliant info

Other Problems

l Preparing e-records technical reportu Help people comply with part 11

n Framework documentn Modules for legacy and new systems

u Two to three year projectn Launched 8/99

PDA Part 11 Task Group

more...

12


l Participants (25 core, 40+ extended)u Regulated industryu Supplier communityu FDAu Attorneys in e-commerce arena

l Liaison w/other groups

PDA Part 11 Task Group

l EU D-Sig Directive (12/99)l White House to agencies (12/99):

n Issue 100,000 d-certs by end of 2000n Promote on-line gov’t services

l OMB to agencies re: Gov. PaperworkElimination Act (5/2/00)u Part 11 named among 9 model regs.

Impetus Directives

l Echoes part 11 principles/particularsu E-records and e-signatures coveredu Legal acceptance, with conditionsu Provides for regulatory standards

n Maintenance and submission recordsu Doesn’t require e-recordkeeping

E-SIGN Act

more...

13


l Echoes part 11 principles/particularsu Technology neutralu Similar definitions

n “Record” if retrievable in perceivableform; tangible media or otherwise

u Signature to record linksu Consumer protection preserved

E-SIGN Act

more...

l Echoes part 11 principles/particularsu E-record archiving

n E-form & accessible to partiesn Migration anticipated (“accuratereflection” of e-record)

n OK for “originals”

E-SIGN Act

more...

l New concept - E-agent

“A computer program or an electronic or otherautomated means used independently toinitiate an action or respond to electronicrecords or performances in whole or in partwithout review or action by an individual at thetime of the action or response.”

E-SIGN Act

more...

14


l Exemptions include:u Wills and family lawu Court ordersu Consumer notices

n Recalls, utility cut-offs

E-SIGN Act

l Cross Media Electronic Reports andRecordkeeping Rule (CROMERRR)u Same principles and particulars

n Systems controls approachu Public meetings held June/July 2000u Proposed rule by end of 2000u Final rule by end of 2001; 40 CFR

Part 11 Emulators - EPA

l CROMERRR principlesu Codify criteria for e-record integrity,

authenticity, non-repudiationu Trustworthy & reliable recordsu Individual responsibilityu Agency wideu Records and signatures covered


15


l CROMERRR principlesu Submissions and maintenance

records coveredu Relation to predicate rulesu Technology neutralu No legacy system exemptions


l CROMERRR particularsu System access controlsu Audit trails; transaction logsu Detect system compromiseu Archiving (migration anticipated)

n Content, metadata, audit trailsn Keep functionality


l CROMERRR particularsu Time stampsu Unique e-sigsu E-sig to record bindingu E-sig manifestations (date/time,

meaning)


16


l CROMERRR particularsu E-copies for EPA investigatorsu E-sig certifications (per record)u E-sig deauthorizations


l Submissionsu PKI via Internet, encryptedu EPA gives software and d-certs

n GSA ACES programu F/R notice per program submissionu EPA to certify state systems


l Application Service Providers (ASPs)(a.k.a., Netsourcing)u Hosted applications, contract facilities

n E.g., archiving, security, and databaseu Attn: security, performance,

availability

Emerging Trends

17


l Vendor acquisition of clientexpertise; strategic alliancesu Consulting services

n Better product use in clientenvironment

n Increased awareness of client needs

Emerging Trends

l States laws enforcing softwarelicensing agreementsu Uniform Computer Information

Transactions Act (UCITA)n National Conference of Commissionerson Uniform State Laws

more...

Emerging Trends

l UCITAu VA, 1st to enact -- effective 7/2001u “Automatic restraint” (in code)

n “Disable” or “repossess” program ifterms not met

n No liability for restraint use harm

more...

Emerging Trends

18


l UCITAu Use limits (time/number) possibleu User bears risk of loss for elect.

delivered copy

Emerging Trends

l Peer to peer distributed computingu Shared computational power

n Encryption hackersu Search and share files (Internet wide)

n No central repositorys Napster for music filess Gnutella for non-music files

Emerging Trends

1 PC

10 PCs

100 PCs

10n PCs

19


FDA Internet Sitesl http://www.fda.gov/ora/compliance_ref/

part11l http://www.fda.gov/dockets

u 6/2000 Conference - 00N-0358

u E-submissions docket 92S-0251

l http://www.fda.gov/cber/summaries.htm

Other Internet Sitesl http://pw1.netcom.com/~jlboet/esiglinks.

htm [John L. Boettcher]l http://www.21CFRPart11.com

(NuGenisis Technologies)

l http://www.pda.org (PDA)l http://www.fcw.com (Federal Computer

Week)

20


l Part 11 overviewl Program management at FDAl Public conference outcomesl Guidance developmentl Problems we’re findingl Parallel mainstream activitiesl Resources

We Covered

“ Record retention serves an importantpublic purpose by allowing agencies tomonitor for compliance, protect taxpayersfrom fraud and abuse, and enforce thelaw.” …

White House on E-SIGN Act

more...

“ The act requires that agencies allow mostrecords to be retained electronically, butgovernment may establish standards forelectronic records to ensure thatcompliance with laws can be determined,taxpayers can be protected, and agencymission can be accomplished.”

White House on E-SIGN Act

21


5600 Fishers LaneRockville, MD 20857

Paul J. MotiseConsumer Safety OfficerOffice of Enforcement, HFC-240

Office of the Associate Commissioner for Regulatory Affairs

Phone: 301 827-0383 Fax: 301 827-0343

E-mail: [email protected]

part 11, electronic records; electronic signatures; update ... · pdf file4 part 11,...

Documents