Part 11; Electronic Records, Electronic Signatures Answers to Frequently Asked Questions P. Motise.
Part 11; Electronic Records, Electronic Signatures
Answers to Frequently Asked Questions
P. Motise
We will cover
Scope
Typewriter excuse
Open vs. Closed systems
Audit trails/time stamps
Certification
Enforcement
Legacy systems
Scope, 21 CFR 11.1
Q. Does part 11 apply to all of our electronic records? Ref: 11.1(b)
A. No
Only per codified records requirements
(For submissions) - Per statute
Scope, 21 CFR 11.1
Predicate rule/law requires record:
  Creation
  Contents
  Signature(s)
  Archiving
  Original vs copy
Scope, 21 CFR 11.1
Q. Apply only to signed records? Ref: 11.1(c), (d); comment para 26
A. No
Any e-record per codified requirement
Scope, 21 CFR 11.1
Q. Apply to signatures not required but in required record? Ref: comment para 100
A. Yes; they also need to be trustworthy and reliable.
Scope, 21 CFR 11.1
Q. Must e-records have e-sigs? What about hybrids? Ref: 11.1(c), 11.2; 11.70
A. No; hybrids are possible
Hybrids problematic
  link h-sig to e-record
  non-repudiation
Scope, 21 CFR 11.1
Q. Apply to e-record systems that generate paper? (Typewriter excuse) Ref. Comment para 22
A. Yes (unless system=typewriter)
Printouts don’t exempt e-records from part 11
Scope, 21 CFR 11.1
Paper printout of e-record is NOT traditional paper record
E-record controls determine paper:
  trustworthiness
  reliability
  differ from true paper (typewriter) paper system
Scope, 21 CFR 11.1
Printouts and e-records differ re:
  Content, e.g., meta data (audit trail), hidden text, e-sigs.
  Auditing properties
  search/sort/send features
[Diagram labels: Part 11 Applies; Process In; Process Out; Changes]
Scope, 21 CFR 11.1
What is an electronic record? Ref: 11.3(b)(6)
Electronic Record 11.3(b)(6)
any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system
Scope, 21 CFR 11.1
When do “data” become an electronic record, per part 11? Ref: comment paras 22, 45, 72
A. When “saved” to durable medium
E.g., disk or tape
Retention per predicate regulation
Scope, 21 CFR 11.1
Q. Different e-sigs for types of signing (e.g., initials vs full name)? Ref. 11.1(c), Comment para 28
A. No
Any e-sig good for any signing
Scope, 21 CFR 11.1
Q. Will FDA certify/approve part 11 products/services? Ref. Comment para 5
A. No
Be wary of endorsement claims
Definitions, 21 CFR 11.3
Q. Are all h-sigs biometric? Ref. 11.3(b)(3) Comment para 39
A. No
Biometric = unique/measurable action or physical feature is measured
Image is NOT an Action
§ 11.3 Definitions
Closed system
“an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.”
§ 11.3 Definitions
Open system
“an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.”
Definitions, 21 CFR 11.3: Open v. Closed System
Q. Does phone access make system open? Ref. 11.3(b)(4) Comment para 44
A. No
If persons responsible for record content control access to system holding record
[Diagram labels: Company A; System A; A’s Records; B’s Records; Company B. For A - System is CLOSED. For B - System is OPEN.]
Archiving, 21 CFR 11.10(c)
Q. Can firms archive e-records as paper printouts only? Ref. 11.10(b)&(c), Comment para 71
A. No
Saved record must be electronic
Must be able to generate e-copies
Archiving, 21 CFR 11.10(c)
Q. Need firms save equipment needed to read e-archives? Ref. 11.10(c); Comment para 70/71
A. No
Transcriptions OK for accurate/complete copies.
Keep meta data and e-sig links
Audit Trails, 21 CFR 11.10(e)
Q. What must audit trail contain? Ref. 11.10(e); Comment paras 72, 75
A. Date/time of operator entries or actions that: create, modify, or delete record
A. Who did what/wrote what & when
Audit Trails, 21 CFR 11.10(e)
Q. Can audit trail be paper? Ref. 11.10(e) Comment paras 72, 73
A. No
Must be computer generated (e-record)
Audit Trails, 21 CFR 11.10(e)
Q. Must audit trail be signed? Ref. 11.10(e) Comment paras 73, 75
A. No
Must be independent of operator
Operators should not be able to sign audit trail
Time Stamps, 21 CFR 11.10(e)/11.50(a)
Q. Must time stamps synchronize to trusted 3rd party? Ref. 11.10(e) Comment para 73
A. No
Ensure clock accuracy - no abuse
Time Stamps, 21 CFR 11.10(e)/11.50(a)
Q. Must time be local to activity/signer? What format? Ref. 11.50; Comment para 101
A. Yes
Can have remote time, too
Unambiguous format
Signature Manifestations, 21 CFR 11.50
Q. Can codes substitute for printed name (e.g., people having same name)? Ref. 11.50(a)(1), Comment para 102
A. No. Need unambiguous printed name
Augment w/other codes, optional
Signature to Record Linking, 21 CFR 11.70
Q. Must encryption-based links be re-set, records signed anew, should outdated algorithm break? Ref. 11.70; Comment para 113
A. No. Need reasonable, not bulletproof, security levels.
Certifications, 21 CFR 11.100(c)
Q. One per employee or facility? Personnel updates? Ref. 11.100(c), Comment paras 52, 119
A. No.
Person = organization or individual
Institutional certification, global
Certifications, 21 CFR 11.100(c)
Q. Example of certification? Ref. 11.100(c), Comment para 120, pg. 13456, 62 FR, No. 54, 3/20/97
A. Yes
Pursuant to Section 11.100 of Title 21 of the Code of Federal Regulations, this is to certify that [name of organization] intends that all electronic signatures executed by our employees, agents, or representatives, located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures.
Continuous Sessions, 21 CFR 11.200(a)
Q. Can system logon be 1st signing? Ref. 11.200(a), Comment para 124
A. Yes
When e-record is signed.
Controls for ID/PWs; Device Testing, 21 CFR 11.300(e)
Q. Can token/card security negate need for periodic testing? Ref. 11.300(e), Comment para 138
A. No
Cards not foolproof
Test for unauthorized account changes, not just id info.
Part 11 Enforcement
Will “legacy systems” really have to comply with part 11? Ref. Comment para 9
A. Yes. No “grandfathering”
Part 11 Enforcement (Default for all regs.)
Nature/extent of deviation
Impact on product quality/data integrity
Adequacy/timeliness of corrective action plan
Compliance history
Part 11 Enforcement
Intensified surveillance
Customary option
At worst:
  E-records not usable for predicate rule
  Predicate rule violated
Part 11 Adopters?
Patent and Trademark Office
Environmental Protection Agency
Drug Enforcement Admin.
Internal Revenue Service
Social Security Administration
Part 11 Adopters?
Justice Department
General Services Admin.
Health Care Financing Admin.
  45 CFR 142 (Security & E-Sig Standards)
HCFA
45 CFR Part 142
Security and E-Signature Standards
Individual health info and e-sigs
Covers:
  Health plans
  Health care clearinghouses
  Health care providers
HCFA v. FDA (Similarities)
Same areas of concern
  ID & authentication
  Authorization & access control
  Accountability
  Integrity & availability
  Communication security
  Security administration
HCFA v. FDA (Differences)
Overall emphasis
  HCFA - Confidentiality/privacy
  FDA - Record integrity/auditability
Digital signatures
  HCFA - Mandatory for required sigs.
  FDA - Optional
HCFA v. FDA (Differences)
Certification
  HCFA - Compliance w/standards
  FDA - Intent re: h-sig/e-sig legally binding equivalence
Self Audits
  HCFA - Required
  FDA - Not mentioned
HCFA v. FDA (Differences)
General requirements
  HCFA - 25
  FDA - 2
Specific requirements
  HCFA - 64
  FDA - 32
Optional controls
  HCFA - 15
  FDA - 2
HCFA Mapped Standards
Practices taken from:
  55 standards (including part 11)
  Issued by 12 organizations:
  ANSI, ASTM, CEN, FDA, NIST, IEEE, IETF, ISO/IEC, PKCS, DoD, NRC/NAS, HMAC
Part 11 Controls/Concepts
AIIM/ANSI MS64 - re: Audit trail info
NAS/NRC - Report on Health Care Records - Security/Privacy
Italy: Bassanini Act - e-records
Germany: Info & Comm. Services Act - d-signatures
Part 11 Controls/Concepts
DoD; 5015.2std - e-rec. mgmt
State Digital Signature Laws
  UT, FL, GA, MI, CA, VA, WA, IL, et al
ABA Digital Signature Guideline
Canada - Univ. of BC, e-rec. archiving
http://www.slais.ubc.ca/users/duranti/
Part 11 Internet Sites
Part 11 Notices/reports http://www.fda.gov/cder/esig/part11.htm
E-Submissions docket http://www.fda.gov/ohrms/dockets
We have covered
Scope
Typewriter excuse
Open vs. Closed systems
Audit trails/time stamps
Certification
Enforcement
Legacy systems
7520 Standish Place
Rockville, MD 20855
Paul J. Motise
Consumer Safety Officer
Division of Manufacturing and Product Quality, HFD-320
Center for Drug Evaluation and Research
Phone: 301 594-0098
Fax: 301 594-2202
E-mail: [email protected]