Title 21 CFR Part 11: E-Signature Compliance

January 18, 2012
Filed under: Business, Compliance, Healthcare, Regulatory 
E-Signature implementation details:

E-signatures are part of the law required for Part 11 compliance. Here is what the law itself says:

Subpart C–Electronic Signatures

Sec. 11.100 General requirements.

(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations, 12420 Parklawn Drive, RM 3007 Rockville, MD 20857.

Sec. 11.200 Electronic signature components and controls.

(a) Electronic signatures that are not based upon biometrics shall:

(1) Employ at least two distinct identification components such as an identification code and password.

(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

(2) Be used only by their genuine owners; and

(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

E-signatures are required when you replace a regulated, paper-based process (one that requires signatures) with electronic signatures. There are 2 parts to this:

1 – As an organization (or the client running the software), you need to accept e-signatures as equivalent to physical signatures.

2 – You need to implement the baseline features, and you need training and signatures from the people accepting the signature requirement.

Here are some foundation e-signature requirements for a Part 11 compliant system:

1 – Unique accounts for each user who signs

2 – Encrypted connection to the system (SSL)

3 – They need to see and agree to the statement of intent. To validate this you require some unique data, such as a username/password, a digital identity (biometrics, dongle, RSA token), or a passphrase; they must provide this along with the statement of intent for the signature so they understand they are signing it.

4 – Any user must be able to see all things they have signed in the system (a history of signatures and versions of documents)

5 – Auditing of all stored data in an immutable form with full history to prevent falsification (e.g., an image with a checksum).

6 – Each signature needs:

a. the name of the person

b. the date/time of signature

c. a storage mechanism to prevent tampering and ensure integrity

d. statement of intent

e. the role of the person

7 – The things being signed cannot be pre-loaded with data; the person must fill out the form on their own, with no defaults.

8 – If signing more than 1 thing within a 20-minute window, you can require only the password for each subsequent signature in the session rather than name/password; after 20 minutes they must enter both name and password again.

9 – Signature and data must be stored together and not be separable.
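The following is an added example, not code from the original post: it shows one way to satisfy items 6, 8 and 9 together. The signature fields (name, role, date/time, statement of intent) and the signed form data are sealed under a single keyed hash so that neither can be altered or separated from the other without detection, and a small policy function decides which credential components a signing must collect under the 20-minute rule. The component names, the server-held key and the clock values are assumptions made for the example.

```python
"""Constructed example (not from the post): a tamper-evident e-signature
record plus the 20-minute re-authentication rule from items 6, 8 and 9.

The record keeps the signed form data and every signature field together
under one keyed hash, so altering or separating either is detectable.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SESSION_WINDOW = timedelta(minutes=20)          # window given in the post
ALL_COMPONENTS = ("username", "password")       # hypothetical component names
SESSION_COMPONENTS = ("password",)
# Assumption: a server-held secret that application users cannot read.
DEMO_KEY = b"constructed-demo-key-replace-in-production"
T0 = datetime(2012, 1, 18, 9, 0, tzinfo=timezone.utc)   # constructed clock value


def _canonical(obj):
    """Deterministic JSON so identical records always hash identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _seal(payload, key):
    """HMAC-SHA256 over the canonical payload; needs the server key to recompute."""
    return hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()


def make_signature_record(form_data, signer_name, signer_role, intent, signed_at, key):
    """Store data and signature together; the seal covers both (item 9)."""
    payload = {
        "data": form_data,
        "signature": {
            "name": signer_name,                 # item 6a
            "role": signer_role,                 # item 6e
            "intent": intent,                    # item 6d
            "signed_at": signed_at.isoformat(),  # item 6b
        },
    }
    return {**payload, "seal": _seal(payload, key)}   # item 6c


def verify_signature_record(record, key):
    """True only if neither the form data nor any signature field changed."""
    payload = {"data": record["data"], "signature": record["signature"]}
    return hmac.compare_digest(record.get("seal", ""), _seal(payload, key))


def required_components(last_full_auth, now):
    """Credential components the next signing must collect (item 8).

    The first signing of a session, or any signing 20 minutes or more after
    the last full authentication, needs all components; signings inside a
    continuous window need only the password component.
    """
    if last_full_auth is None or now - last_full_auth >= SESSION_WINDOW:
        return ALL_COMPONENTS
    return SESSION_COMPONENTS


def demo():
    """Run the checks above on constructed input and return the outcomes."""
    # Constructed form data standing for values the user typed (no defaults, item 7).
    record = make_signature_record(
        {"subject_id": "S-001", "adverse_event": "none observed"},
        "J. Doe", "Clinical Monitor",
        "I intend this to be the legally binding equivalent of my handwritten signature.",
        T0, DEMO_KEY,
    )
    results = {"intact": verify_signature_record(record, DEMO_KEY)}
    record["data"]["adverse_event"] = "headache"      # falsify the signed data
    results["tampered"] = verify_signature_record(record, DEMO_KEY)
    results["first"] = required_components(None, T0)
    results["inside_window"] = required_components(T0, T0 + timedelta(minutes=5))
    results["after_window"] = required_components(T0, T0 + timedelta(minutes=21))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A keyed seal only detects tampering by someone who lacks the key, so in a real deployment the key lives with the signing service, not with application users, and the sealed records go to write-once or independently audited storage; the seal is the integrity check, the storage is what makes it immutable.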

Title 21 CFR Part 11: Security Compliance

January 17, 2012
Filed under: Business, Compliance, Healthcare, Regulatory 
Security implementation details:

Security is part of the law required for Part 11 compliance. Here is what the law itself says:

Sec. 11.300 Controls for identification codes/passwords.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

Here are some foundation security requirements for a Part 11 compliant system:

1 – Unique accounts for each user

2 – Encrypted connection to the system (SSL)

3 – Complex password required (numbers, symbols, length)

4 – Required to change the password every 90 days

5 – Password history: no reuse within a year

6 – Lock the account after 3 failed attempts (send a notification to the administrator)

7 – Synchronize time on all servers

8 – Show the username, name, and last logged-in date on screen at all times

9 – After 20 minutes, log the account out

10 – Only allow one login at a time per account

11 – Log all activity in an audit log

12 – Display the version of the software on screen (about screen)

13 – Store passwords as hashes so they are irreversible and not viewable by anyone

14 – Train people on security to thwart social engineering attempts
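The following is an added example, not code from the original post, implementing items 3, 4, 5, 6 and 13 of the list above as one account object: complexity checks, 90-day expiry, a one-year no-reuse history, lockout after three failed attempts with an administrator notification, and salted, iterated hashing so the stored password cannot be read back. The minimum length, the PBKDF2 iteration count and the clock values are assumptions made for the example; the post only says "length".

```python
"""Constructed example (not from the post) of the account controls listed above:
complexity rules, 90-day expiry, a one-year reuse history, lockout after three
failed attempts with an administrator notification, and irreversible storage."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_AGE = timedelta(days=90)   # item 4
HISTORY_WINDOW = timedelta(days=365)    # item 5
MAX_FAILED_ATTEMPTS = 3                 # item 6
PBKDF2_ITERATIONS = 100_000             # assumption; tune to your hardware
MIN_LENGTH = 12                         # assumption; the post only says "length"

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: one-way, so the password cannot be read back (item 13)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def complexity_errors(password):
    """Return the complexity rules the password violates (empty list means OK, item 3)."""
    rules = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (re.search(r"\d", password), "a number"),
        (re.search(r"[A-Z]", password), "an upper-case letter"),
        (re.search(r"[^A-Za-z0-9]", password), "a symbol"),
    ]
    return [message for ok, message in rules if not ok]

class Account:
    def __init__(self, username, password, now, notify_admin):
        self.username = username
        self.notify_admin = notify_admin   # callback for item 6's notification
        self.failed_attempts = 0
        self.locked = False
        self.history = []                  # (set_at, salt, digest), oldest first
        self._store(password, now)

    def _store(self, password, now):
        salt, digest = hash_password(password)
        self.history.append((now, salt, digest))

    def password_expired(self, now):
        return now - self.history[-1][0] >= MAX_PASSWORD_AGE

    def reused_within_year(self, candidate, now):
        """True if the candidate matches a password that was in use during the last year."""
        for i, (set_at, salt, digest) in enumerate(self.history):
            retired_at = self.history[i + 1][0] if i + 1 < len(self.history) else now
            if retired_at >= now - HISTORY_WINDOW and hmac.compare_digest(
                    hash_password(candidate, salt)[1], digest):
                return True
        return False

    def change_password(self, new_password, now):
        errors = complexity_errors(new_password)
        if errors:
            return False, "password needs " + ", ".join(errors)
        if self.reused_within_year(new_password, now):
            return False, "password was used within the last year"
        self._store(new_password, now)
        return True, "password changed"

    def authenticate(self, password, now):
        if self.locked:
            return False, "account locked"
        _, salt, digest = self.history[-1]
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failed_attempts = 0
            if self.password_expired(now):
                return True, "authenticated; password expired, change required"
            return True, "authenticated"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            self.notify_admin(f"{self.username} locked after {self.failed_attempts} failed attempts")
            return False, "account locked"
        return False, "bad password"

def demo():
    """Exercise each control on constructed input and return the outcomes."""
    alerts = []
    t0 = datetime(2012, 1, 17, tzinfo=timezone.utc)      # constructed clock
    acct = Account("jdoe", "Tr1al-Data!2012", t0, alerts.append)
    out = {"weak_rejected": not acct.change_password("password", t0)[0]}
    out["reuse_rejected"] = not acct.change_password("Tr1al-Data!2012", t0)[0]
    out["change_ok"] = acct.change_password("N3w-Passphrase!", t0 + timedelta(days=1))[0]
    out["expired_after_99_days"] = acct.authenticate("N3w-Passphrase!", t0 + timedelta(days=100))[1]
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.authenticate("wrong-guess", t0 + timedelta(days=100))
    out["locked"] = acct.locked
    out["admin_alerts"] = len(alerts)
    return out

if __name__ == "__main__":
    print(demo())
```

The reuse check deliberately treats a password as "within the year" for as long as it was in use, not just by the date it was set, so a password set 400 days ago but replaced last month is still blocked. The lockout counter is only reset by a successful login, and the administrator notification fires exactly once, when the lock is applied.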

With these feature requirements you can see that a Part 11 security system has a pretty high bar, but having the features is not enough: you need a validation process and training to complete compliance.

Title 21 CFR Part 11: Auditing

January 16, 2012
Filed under: Business, Compliance, Healthcare, Regulatory 
Auditing implementation details:

Auditing is part of the law required for Part 11 compliance. Here is what the law itself says:

(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

This essentially means you need to collect who is performing the action, what they are doing (record the before and after values), the date and time of the activity, and a reason for the activity (where the module does not already specify one).
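The following is an added example, not code from the original post: an append-only audit trail that stores exactly the fields just listed (who, what with before and after values, when, why) and hash-chains each entry to the one before it, so that a record change never overwrites the earlier value and any later edit or deletion of an entry breaks the chain. The clock source, record identifiers and sample entries are constructed for the example.

```python
"""Constructed example (not from the post) of a Part 11 style audit trail:
append-only, time-stamped, recording who did what (before and after values)
and why, and hash-chained so an altered or removed entry is detectable."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # anchor for the first entry's chain link


def _link_hash(entry, previous_hash):
    """Hash of this entry's fields plus the previous hash: the chain link."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")) + previous_hash
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditTrail:
    def __init__(self, clock):
        self.clock = clock      # one synchronized time source (assumption)
        self.entries = []       # appended only; nothing is edited in place

    def record(self, user, action, record_id, before, after, reason):
        """Append one who/what/when/why entry; the old value is kept, not overwritten."""
        entry = {
            "seq": len(self.entries),
            "timestamp": self.clock().isoformat(),
            "user": user,                  # unique account name
            "action": action,              # create / modify / delete
            "record_id": record_id,
            "before": before,
            "after": after,
            "reason": reason,
        }
        previous = self.entries[-1]["hash"] if self.entries else GENESIS
        entry["hash"] = _link_hash(entry, previous)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first entry whose link is broken, or None if intact."""
        previous = GENESIS
        for i, stored in enumerate(self.entries):
            fields = {k: v for k, v in stored.items() if k != "hash"}
            if stored["hash"] != _link_hash(fields, previous):
                return i
            previous = stored["hash"]
        return None

    def history(self, record_id):
        """Every version of one record, oldest first: nothing is obscured."""
        return [e for e in self.entries if e["record_id"] == record_id]


def demo():
    """Build a two-entry trail, then falsify the earlier value and detect it."""
    minutes = iter(range(60))
    # Constructed clock: one minute per call, standing in for synchronized server time.
    clock = lambda: datetime(2012, 1, 16, 10, next(minutes), tzinfo=timezone.utc)
    trail = AuditTrail(clock)
    trail.record("jdoe", "create", "VISIT-7/weight_kg", None, 72.0, "initial entry")
    trail.record("jdoe", "modify", "VISIT-7/weight_kg", 72.0, 73.0, "transcription error corrected")
    intact = trail.verify() is None
    # Falsification attempt: silently make the first entry agree with the correction.
    trail.entries[0]["after"] = 73.0
    return {
        "intact": intact,
        "broken_at": trail.verify(),
        "versions": len(trail.history("VISIT-7/weight_kg")),
    }


if __name__ == "__main__":
    print(demo())
```

The chain makes tampering detectable, not impossible: whoever can rewrite the store could also recompute every later link. That is why the head hash (or the whole trail) is periodically copied to storage the application account cannot write to, and why the entries carry a real user identity and synchronized time, the two things the post says the logs are meaningless without.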

There are several other aspects of auditing required, including time synchronization and unique usernames and passwords. Without these two things the audit logs don't really mean anything; compliance is a holistic thing, and this explains why it is so important!

It is really valuable to have auditing across the entire system so that you can confirm roles, security and authorization levels as well. Security logging, system access logging, and electronic signature logging are all required, and they are useful for testing a system as well.

Title 21 CFR Part 11: Compliance

January 15, 2012
Filed under: Business, Compliance, Healthcare, Regulatory 

The 3 areas (pillars) of compliance:

1 – Features

When you are building software for Part 11 compliance you need to ensure you meet the features present in the law. This is known as feature-level compliance and is only applicable to a specific version; any change in a system requires revalidation of the features.

2 – Validation

Validation of the features listed above is a second level: once you have the features to meet the law, you have to prove with empirical evidence that you meet the requirements, and this evidence needs to be physical and linked to a process with integrity. The key words here are that you need physical artifacts that stand on their own as validation (test worksheets, signatures and reviewers' signatures, screen captures, logs, etc.).

3 – Training

An often overlooked aspect of any system is training and proof of training. You must ensure the people who use the validated software are trained in it, and that the training maps to the validation and features to ensure proper function. Without training the other 2 areas are pointless, as there can be user errors and no accountability.

We will map the features of the law into a software system in a later exercise, but essentially there are two main areas of specialty, plus an optional third:

1. Auditing: This is proof of what is happening, by whom and how it is changing, in a way that leaves no chance of the system not working.

2. Security: This is the biggest nut to crack, in that you have to have best-practice security (encryption, authentication/authorization, unique accounts, on-screen indicators, password resets, 90-day password changes, password history, complexity, etc.), secure communication lines, and synchronized time on all systems. This is a large area and one of the most important.

3. E-Signatures (optional): If your software is converting paper to electronic and electronic is the primary store, then you must create an e-signature system that has security and auditing and also includes a statement of intent within the system to ensure the signature is valid.

Validation is another big piece: you need a process that maps features to specifications to tests, and all of this must be robust and transparent. Any function of the software must be validated, with empirical evidence and physical artifacts, following best practice with a clear and concise process.

Training is the third, and this entails going through all functions for each role and having the student and instructor confirm that they understand and agree the training was adequate; this applies to the entire process.

In a later segment we will go through more detail of the processes required for compliance and meeting the requirements.

Title 21 CFR Part 11: What is it and why is it important?

January 13, 2012
Filed under: Business, Healthcare, Regulatory 


What is it?

The FDA is a government regulatory authority, and CFR is short for “Code of Federal Regulations”, which is basically another word for federal law. Each Cabinet department and governmental body has a Title in the CFR that dictates the laws that apply to it, so the first part of “CFR 21” is basically CFR Title 21, which is the body of laws under which the FDA is regulated. The second part (“Part 11”) is a sub-section of the law that applies to specific circumstances. Part 11 in this case applies to clinical trials and electronic record keeping for clinical trials.

Sec. 11.1 Scope.

(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

(b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.

An interesting thing about CFR 21 Part 11, more specifically and generally referred to as Part 11 compliance, is that there are 2 points of view.

1 – It is just a law, and an ambiguous one at that. You can see the law here (Law) and information here (Title 21 CFR Part 11). It is very small, barely fits on 2 pieces of paper, and has enormous consequences for software used in the regulated area of clinical trials.

2 – Whenever you have a legal area there is what the law says, and second there is the interpretation of the law, or more specifically the interpretation and enforcement of the law. You have cases that have been taken to court and, interestingly enough, have had an impact on how things are enforced and what you need to do to come under compliance. One such court case (here) essentially explains that you cannot grandfather electronic systems into compliance because of the risks and downstream effects, so any systems that fall under it need to meet the new laws, circa 1998.


Why is this important?

If you want to innovate and differentiate yourself in this industry there is a big barrier to entry; interestingly enough, regulatory compliance is expensive and also risky business, so it creates a value moat if you can understand and use regulatory compliance to your advantage.

If you can pass a Part 11 audit it has extreme value, showing not only that your software does what it says it does, but that it does what the law requires, which ensures safety, security and proper function.

The most important part of this regulation is that you need to be certain that the data in a clinical trial are true and exact; this impacts whether people live or die. Because of the high risk and importance of these software systems, once you get a system compliant it reaps enormous benefits, in that you can charge more money for the software, training, and validation of the system setups.