One of the most difficult mazes to navigate in the entire federal government of the United States is the United States Food and Drug Administration (FDA). This agency is the authority under which new drugs and new medical devices receive approval. The requirements of the FDA are so complex that the agency issued a Guidance for Industry, entitled Part 11, Electronic Records; Electronic Signatures-Scope and Application.
About the Guidance
The Part 11 guidance has its roots in 1997, when the Food and Drug Administration issued requirements for transferring paper documentation to electronic document storage, as part of an effort to reduce the amount of paper used for FDA documentation. Because the FDA believes that falsifying electronic documentation takes less effort than falsifying paper-based documentation, Part 11 establishes the criteria the FDA uses to recognize electronic signatures and records as truthful and equal in status to paper-based documents.
Compliance with CFR Part 11
When it comes to signatures, the FDA insists upon strict security measures. 21 CFR Part 11 mandates that electronic signatures be
“… based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”
How to Comply
An electronic signature needs specific information linked to the signing: the printed name of the signer, the time and date the record was electronically signed, and the purpose of the signature (approval, acknowledgement, review, etc.). An electronic signature or a handwritten signature on an electronic record has to be linked to its electronic record in a way that prevents tampering (erasure, copying or transferring to falsify a record). Companies must notify the FDA of their intent to substitute electronic signatures as legally binding signatures before beginning to use them.
For the FDA to accept an electronic signature, its authenticity must be assured. One security measure acceptable to the FDA is dual authenticity, which is the use of two distinct methods of identification, such as an identification code and a password. The other acceptable method is biometrics, such as a retina scan or fingerprints.
Electronic records have been in use since the 1990s. Twenty-one CFR Part 11 defines an electronic record:
“Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system … the system is an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system”
How to Comply
Restrict access to the system based on need. Users' identification credentials give them access to only those parts of the records that they need to see and make entries in. What a user can do is governed by the user's credentials: some records may be available for review but not for editing. This is why ID credentials and electronic signatures are so important. Other important record security features include:
- All changes are logged in the audit trail.
- The system has built-in redundancy. If a part fails, its redundant counterpart takes over immediately, so there is no loss of data or interruption of operations.
How ConvergePoint Can Help
CFR Part 11 compliance for Policy and Procedure is a combination of good training, best practices and best-of-breed technology tools. ConvergePoint Policy Management Software has the best-of-breed technology tool aspect covered with permission-based document access, complete audit trails of reviews and approvals, version history and document-level dual authentication controls.
Contact a CFR Part 11 Compliance expert to discuss how ConvergePoint can help you with CFR Part 11 and Policy Management.