
Title 21 Code of Federal Regulations (21 CFR Part 11)
Electronic Records; Electronic Signatures
Final Rule Published in the Federal Register

Web page issued:  March, 2000; reformatted June 01, 2001 (with updated email addresses for FDA contacts) tc




[Federal Register: March 20, 1997 (Volume 62, Number 54)]
[Rules and Regulations]
[Page 13429-13466]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr20mr97-25]
[[Page 13429]]

_______________________________________________________________________
Part II
Department of Health and Human Services
______________________________________________________________________
Food and Drug Administration
_______________________________________________________________________
21 CFR Part 11
Electronic Records; Electronic Signatures; Final Rule
Electronic Submissions; Establishment of Public Docket; Notice
[[Page 13430]]
DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

21 CFR Part 11

[Docket No. 92N-0251]
RIN 0910-AA29

Electronic Records; Electronic Signatures

AGENCY: Food and Drug Administration, HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA) is issuing regulations
that provide criteria for acceptance by FDA, under certain
circumstances, of electronic records, electronic signatures, and
handwritten signatures executed to electronic records as equivalent to
paper records and handwritten signatures executed on paper. These
regulations, which apply to all FDA program areas, are intended to
permit the widest possible use of electronic technology, compatible
with FDA's responsibility to promote and protect public health. The use
of electronic records as well as their submission to FDA is voluntary.
Elsewhere in this issue of the Federal Register, FDA is publishing a
document providing information concerning submissions that the agency
is prepared to accept electronically.

DATES: Effective August 20, 1997. Submit written comments on the
information collection provisions of this final rule by May 19, 1997.

ADDRESSES: Submit written comments on the information collection
provisions of this final rule to the Dockets Management Branch (HFA-
305), Food and Drug Administration, 12420 Parklawn Dr., rm. 1-23,
Rockville, MD 20857.

The final rule is also available electronically via Internet:
http://www.fda.gov.

FOR FURTHER INFORMATION CONTACT:
Paul J. Motise, Center for Drug Evaluation and Research (HFD-325),
Food and Drug Administration, 7520 Standish Pl., Rockville, MD 20855,
301-594-1089. E-mail address via Internet: Motise@CDER.FDA.GOV [[Note 5/21/2001: Current address is pmotise@ora.fda.gov]], or
Tom M. Chin, Division of Compliance Policy (HFC-230), Food and Drug
Administration, 5600 Fishers Lane, Rockville, MD 20857, 301-827-0410.
E-mail address via Internet: TChin@FDAEM.SSW.DHHS.GOV [[Note 5/21/2001: Current address is tchin@ora.fda.gov]]

SUPPLEMENTARY INFORMATION:

I. Background

In 1991, members of the pharmaceutical industry met with the agency
to determine how they could accommodate paperless record systems under
the current good manufacturing practice (CGMP) regulations in parts 210
and 211 (21 CFR parts 210 and 211). FDA created a Task Force on
Electronic Identification/Signatures to develop a uniform approach by
which the agency could accept electronic signatures and records in all
program areas. In a February 24, 1992, report, a task force subgroup,
the Electronic Identification/Signature Working Group, recommended
publication of an advance notice of proposed rulemaking (ANPRM) to
obtain public comment on the issues involved.

In the Federal Register of July 21, 1992 (57 FR 32185), FDA
published the ANPRM, which stated that the agency was considering the
use of electronic identification/signatures, and requested comments on
a number of related topics and concerns. FDA received 53 comments on
the ANPRM. In the Federal Register of August 31, 1994 (59 FR 45160),
the agency published a proposed rule that incorporated many of the
comments to the ANPRM, and requested that comments on the proposed
regulation be submitted by November 29, 1994. A complete discussion of
the options considered by FDA and other background information on the
agency's policy on electronic records and electronic signatures can be
found in the ANPRM and the proposed rule.

FDA received 49 comments on the proposed rule. The commenters
represented a broad spectrum of interested parties: Human and
veterinary pharmaceutical companies as well as biological products,
medical device, and food interest groups, including 11 trade
associations, 25 manufacturers, and 1 Federal agency.

II. Highlights of the Final Rule

The final rule provides criteria under which FDA will consider
electronic records to be equivalent to paper records, and electronic
signatures equivalent to traditional handwritten signatures. Part 11
(21 CFR part 11) applies to any paper records required by statute or
agency regulations and supersedes any existing paper record
requirements by providing that electronic records may be used in lieu
of paper records. Electronic signatures which meet the requirements of
the rule will be considered to be equivalent to full handwritten
signatures, initials, and other general signings required by agency
regulations.

Section 11.2 provides that records may be maintained in electronic
form and electronic signatures may be used in lieu of traditional
signatures. Records and signatures submitted to the agency may be
presented in an electronic form provided the requirements of part 11
are met and the records have been identified in a public docket as the
type of submission the agency accepts in an electronic form. Unless
records are identified in this docket as appropriate for electronic
submission, only paper records will be regarded as official
submissions.

Section 11.3 defines terms used in part 11, including the terms:
Biometrics, closed system, open system, digital signature, electronic
record, electronic signature, and handwritten signature.

Section 11.10 describes controls for closed systems, systems to
which access is controlled by persons responsible for the content of
electronic records on that system. These controls include measures
designed to ensure the integrity of system operations and information
stored in the system. Such measures include: (1) Validation; (2) the
ability to generate accurate and complete copies of records; (3)
archival protection of records; (4) use of computer-generated, time-
stamped audit trails; (5) use of appropriate controls over systems
documentation; and (6) a determination that persons who develop,
maintain, or use electronic records and signature systems have the
education, training, and experience to perform their assigned tasks.

Section 11.10 also addresses the security of closed systems and
requires that: (1) System access be limited to authorized individuals;
(2) operational system checks be used to enforce permitted sequencing
of steps and events as appropriate; (3) authority checks be used to
ensure that only authorized individuals can use the system,
electronically sign a record, access the operation or computer system
input or output device, alter a record, or perform operations; (4)
device (e.g., terminal) checks be used to determine the validity of the
source of data input or operation instruction; and (5) written policies
be established and adhered to holding individuals accountable and
responsible for actions initiated under their electronic signatures, so
as to deter record and signature falsification.

Section 11.30 sets forth controls for open systems, including the
controls required for closed systems in Sec. 11.10 and additional
measures such as document encryption and use of appropriate digital
signature standards

[[Page 13431]]

to ensure record authenticity, integrity, and confidentiality.

Section 11.50 requires signature manifestations to contain
information associated with the signing of electronic records. This
information must include the printed name of the signer, the date and
time when the signature was executed, and the meaning (such as review,
approval, responsibility, and authorship) associated with the
signature. In addition, this information is subject to the same
controls as for electronic records and must be included in any human
readable forms of the electronic record (such as electronic display or
printout).

Under Sec. 11.70, electronic signatures and handwritten signatures
executed to electronic records must be linked to their respective
records so that signatures cannot be excised, copied, or otherwise
transferred to falsify an electronic record by ordinary means.

Under the general requirements for electronic signatures, at
Sec. 11.100, each electronic signature must be unique to one individual
and must not be reused by, or reassigned to, anyone else. Before an
organization establishes, assigns, certifies, or otherwise sanctions an
individual's electronic signature, the organization shall verify the
identity of the individual.

Section 11.200 provides that electronic signatures not based on
biometrics must employ at least two distinct identification components
such as an identification code and password. In addition, when an
individual executes a series of signings during a single period of
controlled system access, the first signing must be executed using all
electronic signature components and the subsequent signings must be
executed using at least one component designed to be used only by that
individual. When an individual executes one or more signings not
performed during a single period of controlled system access, each
signing must be executed using all of the electronic signature
components.

Electronic signatures not based on biometrics are also required to
be used only by their genuine owners and administered and executed to
ensure that attempted use of an individual's electronic signature by
anyone else requires the collaboration of two or more individuals. This
would make it more difficult for anyone to forge an electronic
signature. Electronic signatures based upon biometrics must be designed
to ensure that such signatures cannot be used by anyone other than the
genuine owners.

Under Sec. 11.300, electronic signatures based upon use of
identification codes in combination with passwords must employ controls
to ensure security and integrity. The controls must include the
following provisions: (1) The uniqueness of each combined
identification code and password must be maintained in such a way that
no two individuals have the same combination of identification code and
password; (2) persons using identification codes and/or passwords must
ensure that they are periodically recalled or revised; (3) loss
management procedures must be followed to deauthorize lost, stolen,
missing, or otherwise potentially compromised tokens, cards, and other
devices that bear or generate identification codes or password
information; (4) transaction safeguards must be used to prevent
unauthorized use of passwords and/or identification codes, and to
detect and report any attempt to misuse such codes; (5) devices that
bear or generate identification codes or password information, such as
tokens or cards, must be tested initially and periodically to ensure
that they function properly and have not been altered in an
unauthorized manner.
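
The following is an added illustration, not part of the Federal Register text and not FDA code. It shows one way to satisfy the Sec. 11.50 manifestation and Sec. 11.70 linking requirements summarized above: a keyed tag is computed over the signer's printed name, the signing time, the meaning, and a digest of the record, so a signature lifted onto another record or edited after the fact fails verification. The key table, field names, list of meanings, and the use of HMAC-SHA-256 as a stand-in for a true digital signature are assumptions made for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo keys, one per individual (Sec. 11.100: a signature is
# unique to one person). Assumption: a production system would hold keys in
# protected storage or use asymmetric digital signatures instead of HMAC.
SIGNER_KEYS = {
    "jdoe": b"constructed-demo-key-for-jdoe",
    "asmith": b"constructed-demo-key-for-asmith",
}

# Assumption: the rule lists these meanings only as examples ("such as").
ALLOWED_MEANINGS = {"review", "approval", "responsibility", "authorship"}

SIGNED_FIELDS = {"signer_id", "printed_name", "signed_at", "meaning",
                 "record_sha256"}


def _canonical(fields):
    """Serialize the signed fields deterministically before tagging."""
    return json.dumps(fields, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def sign_record(record, signer_id, printed_name, meaning, signed_at):
    """Return a signature bound to this exact record content."""
    if meaning not in ALLOWED_MEANINGS:
        raise ValueError("unknown signature meaning: %r" % meaning)
    if signed_at.tzinfo is None:
        raise ValueError("signing time must be timezone-aware")
    manifestation = {
        "signer_id": signer_id,
        "printed_name": printed_name,                      # Sec. 11.50
        "signed_at": signed_at.astimezone(timezone.utc).isoformat(),
        "meaning": meaning,                                # Sec. 11.50
        "record_sha256": hashlib.sha256(record).hexdigest(),  # Sec. 11.70
    }
    tag = hmac.new(SIGNER_KEYS[signer_id], _canonical(manifestation),
                   hashlib.sha256).hexdigest()
    return dict(manifestation, tag=tag)


def verify_signature(record, signature):
    """True only if the signature is intact and belongs to this record."""
    fields = {k: v for k, v in signature.items() if k != "tag"}
    if set(fields) != SIGNED_FIELDS:
        return False
    key = SIGNER_KEYS.get(fields["signer_id"])
    if key is None:
        return False
    # A signature copied onto a different or altered record fails here.
    actual = hashlib.sha256(record).hexdigest()
    if not hmac.compare_digest(actual.encode(),
                               str(fields["record_sha256"]).encode()):
        return False
    # Edits to the name, time, meaning, or signer fail here.
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(),
                               str(signature.get("tag", "")).encode())


def manifestation_text(signature):
    """Human-readable form that must accompany any display or printout."""
    return "Signed by %s on %s (meaning: %s)" % (
        signature["printed_name"], signature["signed_at"],
        signature["meaning"])


if __name__ == "__main__":
    # Constructed sample record and signer.
    record = b"Batch 42: assay result 99.1%"
    when = datetime(1997, 8, 20, 14, 30, tzinfo=timezone.utc)
    sig = sign_record(record, "jdoe", "Jane Doe", "review", when)
    print(manifestation_text(sig))
    print("original record:", verify_signature(record, sig))
    print("altered record: ",
          verify_signature(b"Batch 42: assay result 89.1%", sig))
    print("meaning edited: ",
          verify_signature(record, dict(sig, meaning="approval")))
```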

III. Comments on the Proposed Rule

A. General Comments

1. Many comments expressed general support for the proposed rule.
Noting that the proposal's regulatory approach incorporated several
suggestions submitted by industry in comments on the ANPRM, a number of
comments stated that the proposal is a good example of agency and
industry cooperation in resolving technical issues.

Several comments also noted that both industry and the agency can
realize significant benefits by using electronic records and electronic
signatures, such as increasing the speed of information exchange, cost
savings from the reduced need for storage space, reduced errors, data
integration/trending, product improvement, manufacturing process
streamlining, improved process control, reduced vulnerability of
electronic signatures to fraud and abuse, and job creation in
industries involved in electronic record and electronic signature
technologies.

One comment noted that, when part 11 controls are satisfied,
electronic signatures and electronic records have advantages over paper
systems, advantages that include: (1) Having automated databases that
enable more advanced searches of information, thus obviating the need
for manual searches of paper records; (2) permitting information to be
viewed from multiple perspectives; (3) permitting determination of
trends, patterns, and behaviors; and (4) avoiding initial and
subsequent document misfiling that may result from human error.

There were several comments on the general scope and effect of
proposed part 11. These comments noted that the final regulations will
be viewed as a standard by other Government agencies, and may strongly
influence the direction of electronic record and electronic signature
technologies. One comment said that FDA's position on electronic
signatures/electronic records is one of the most pressing issues for
the pharmaceutical industry and has a significant impact on the
industry's future competitiveness. Another comment said that the rule
constitutes an important milestone along the Nation's information
superhighway.

FDA believes that the extensive industry input and collaboration
that went into formulating the final rule is representative of a
productive partnership that will facilitate the use of advanced
technologies. The agency acknowledges the potential benefits to be
gained by electronic record/electronic signature systems. The agency
expects that the magnitude of these benefits should significantly
outweigh the costs of making these systems, through compliance with
part 11, reliable, trustworthy, and compatible with FDA's
responsibility to promote and protect public health. The agency is
aware of the potential impact of the rule, especially regarding the
need to accommodate and encourage new technologies while maintaining
the agency's ability to carry out its mandate to protect public health.
The agency is also aware that other Federal agencies share the same
concerns and are addressing the same issues as FDA; the agency has held
informal discussions with other Federal agencies and participated in
several interagency groups on electronic records/electronic signatures
and information technology issues. FDA looks forward to exchanging
information and experience with other agencies for mutual benefit and
to promote a consistent Federal policy on electronic records and
signatures. The agency also notes that benefits, such as the ones
listed by the comments, will help to offset any system modification
costs that persons may incur to achieve compliance with part 11.

B. Regulations Versus Guidelines

2. Several comments addressed whether the agency's policy on
electronic signatures and electronic records should be issued as a
regulation

[[Page 13432]]

or recommended in a guideline. Most comments supported a regulation,
citing the need for a practical and workable approach for criteria to
ensure that records can be stored in electronic form and are reliable,
trustworthy, secure, accurate, confidential, and authentic. One comment
specifically supported a single regulation covering all FDA-regulated
products to ensure consistent requirements across all product lines.
Two comments asserted that the agency should only issue guidelines or
``make the regulations voluntary.'' One of these comments said that by
issuing regulations, the agency is shifting from creating tools to
enhance communication (technological quality) to creating tools for
enforcement (compliance quality).

The agency remains convinced, as expressed in the preamble to the
proposed rule (59 FR 45160 at 45165), that a policy statement,
inspection guide, or other guidance would be an inappropriate means for
enunciating a comprehensive policy on electronic signatures and
records. FDA has concluded that regulations are necessary to establish
uniform, enforceable, baseline standards for accepting electronic
signatures and records. The agency believes, however, that supplemental
guidance documents would be useful to address controls in greater
detail than would be appropriate for regulations. Accordingly, the
agency anticipates issuing supplemental guidance as needed and will
afford all interested parties the opportunity to comment on the
guidance documents.

The need for regulations is underscored by several opinions
expressed in the comments. For example, one comment asserted that it
should be acceptable for supervisors to remove the signatures of their
subordinates from signed records and replace them with their own
signatures. Although the agency does not object to the use of a
supervisor's signature to endorse or confirm a subordinate's actions,
removal of an original signature is an action the agency views as
falsification. Several comments also argued that an electronic
signature should consist of only a password, that passwords need not be
unique, that it is acceptable for people to use passwords associated
with their personal lives (like the names of their children or their
pets), and that passwords need only be changed every 2 years. FDA
believes that such procedures would greatly increase the possibility
that a password could be compromised and the chance that any resulting
impersonation and/or falsification would continue for a long time.
Therefore, an enforceable regulation describing the acceptable
characteristics of an electronic signature appears necessary.

C. Flexibility and Specificity

3. Several comments addressed the flexibility and specificity of
the proposed rule. The comments contended that agency acceptance of
electronic records systems should not be based on any particular
technology, but rather on the adequacy of the system controls under
which they are created and managed. Some comments claimed that the
proposed rule was overly prescriptive and that it should not specify
the mechanisms to be used, but rather only require owners/users to
design appropriate safeguards and validate them to reasonably ensure
electronic signature integrity and authenticity. One comment commended
the agency for giving industry the freedom to choose from a variety of
electronic signature technologies, while another urged that the final
rule be more specific in detailing software requirements for electronic
records and electronic notebooks in research and testing laboratories.

The agency believes that the provisions of the final rule afford
firms considerable flexibility while providing a baseline level of
confidence that records maintained in accordance with the rule will be
of high integrity. For example, the regulation permits a wide variety
of existing and emerging electronic signature technologies, from use of
identification codes in conjunction with manually entered passwords to
more sophisticated biometric systems that may necessitate additional
hardware and software. While requiring electronic signatures to be
linked to their respective electronic records, the final rule affords
flexibility in achieving that link through use of any appropriate
means, including use of digital signatures and secure relational
database references. The final rule accepts a wide variety of
electronic record technologies, including those based on optical
storage devices. In addition, as discussed in comment 40 of this
document, the final rule does not establish numerical standards for
levels of security or validation, thus offering firms flexibility in
determining what levels are appropriate for their situations.
Furthermore, while requiring operational checks, authority checks, and
periodic testing of identifying devices, persons have the flexibility
of conducting those controls by any suitable method. When the final
rule calls for a certain control, such as periodic testing of
identification tokens, persons have the option of determining the
frequency.

D. Controls for Electronic Systems Compared with Paper Systems

4. Two comments stated that any controls that do not apply to
paper-based document systems and handwritten signatures should not
apply to electronic record and signature systems unless those controls
are needed to address an identified unique risk associated with
electronic record systems. One comment expressed concern that FDA was
establishing a much higher standard for electronic signatures than
necessary.

In attempting to establish minimum criteria to make electronic
signatures and electronic records trustworthy and reliable and
compatible with FDA's responsibility to promote and protect public
health (e.g., by hastening the availability of new safe and effective
medical products and ensuring the safety of foods), the agency has
attempted to draw analogies to handwritten signatures and paper records
wherever possible. In doing so, FDA has found that the analogy does not
always hold because of the differences between paper and electronic
systems. The agency believes some of those differences necessitate
controls that will be unique to electronic technology and that must be
addressed on their own merits and not evaluated on the basis of their
equivalence to controls governing paper documents.

The agency found that some of the comments served to illustrate the
differences between paper and electronic record technologies and the
need to address controls that may not generally be found in paper
record systems. For example, several comments pointed out that
electronic records built upon information databases, unlike paper
records, are actually transient views or representations of information
that is dispersed in various parts of the database. (The agency notes
that the databases themselves may be geographically dispersed but
linked by networks.) The same software that generates representations
of database information on a screen can also misrepresent that
information, depending upon how the software is written (e.g., how a
query is prepared). In addition, database elements can easily be
changed at any time to misrepresent information, without evidence that
a change was made, and in a manner that destroys the original
information. Finally, more people have potential access to electronic
record

[[Page 13433]]

systems than may have access to paper records.

Therefore, controls are needed to ensure that representations of
database information have been generated in a manner that does not
distort data or hide noncompliant or otherwise bad information, and
that database elements themselves have not been altered so as to
distort truth or falsify a record. Such controls include: (1) Using
time-stamped audit trails of information written to the database, where
such audit trails are executed objectively and automatically rather
than by the person entering the information, and (2) limiting access to
the database search software. Absent effective controls, it is very
easy to falsify electronic records to render them indistinguishable
from original, true records.

The traditional paper record, in comparison, is generally a durable
unitized representation that is fixed in time and space. Information is
recorded directly in a manner that does not require an intermediate
means of interpretation. When an incorrect entry is made, the customary
method of correcting FDA-related records is to cross out the original
entry in a manner that does not obscure the prior data. Although paper
records may be falsified, it is relatively difficult (in comparison to
falsification of electronic records) to do so in a nondetectable
manner. In the case of paper records that have been falsified, a body
of evidence exists that can help prove that the records had been
changed; comparable methods to detect falsification of electronic
records have yet to be fully developed.

In addition, there are significant technological differences
between traditional handwritten signatures (recorded on paper) and
electronic signatures that also require controls unique to electronic
technologies. For example, the traditional handwritten signature cannot
be readily compromised by being ``loaned'' or ``lost,'' whereas an
electronic signature based on a password in combination with an
identification code can be compromised by being ``loaned'' or ``lost.''
By contrast, if one person attempts to write the handwritten signature
of another person, the falsification would be difficult to execute and
a long-standing body of investigational techniques would be available
to detect the falsification. On the other hand, many electronic
signatures are relatively easy to falsify and methods of falsification
almost impossible to detect.

Accordingly, although the agency has attempted to keep controls for
electronic record and electronic signatures analogous to traditional
paper systems, it finds it necessary to establish certain controls
specifically for electronic systems.

E. FDA Certification of Electronic Signature Systems

5. One comment requested FDA certification of what it described as
a low-cost, biometric-based electronic signature system, one which uses
dynamic signature verification with a parameter code recorded on
magnetic stripe cards.

The agency does not anticipate the need to certify individual
electronic signature products. Use of any electronic signature system
that complies with the provisions of part 11 would form the basis for
agency acceptance of the system regardless of what particular
technology or brand is used. This approach is consistent with FDA's
policy in a variety of program areas. The agency, for example, does not
certify manufacturing equipment used to make drugs, medical devices, or
food.

F. Biometric Electronic Signatures

6. One comment addressed the agency's statement in the proposed
rule (59 FR 45160 at 45168) that the owner of a biometric/behavioral
link could not lose or give it away. The comment stated that it was
possible for an owner to ``lend'' the link for a file to be opened, as
a collaborative fraudulent gesture, or to unwittingly assist a
fraudulent colleague in an ``emergency,'' a situation, the comment
said, that was not unknown in the computer industry.

The agency acknowledges that such fraudulent activity is possible
and that people determined to falsify records may find a means to do so
despite whatever technology or preventive measures are in place. The
controls in part 11 are intended to deter such actions, make it
difficult to execute falsification by mishap or casual misdeed, and to
help detect such alterations when they occur (see Sec. 11.10
(introductory paragraph and especially Secs. 11.10(j) and 11.200(b)).

G. Personnel Integrity

7. A few comments addressed the role of individual honesty and
trust in ensuring that electronic records are reliable, trustworthy,
and authentic. One comment noted that firms must rely in large measure
upon the integrity of their employees. Another said that subpart C of
part 11, Electronic Signatures, appears to have been written with the
belief that pharmaceutical manufacturers have an incentive to falsify
electronic signatures. One comment expressed concern about possible
signature falsification when an employee leaves a company to work
elsewhere and the employee uses the electronic signature illegally.

The agency agrees that the integrity of any electronic signature/
electronic record system depends heavily upon the honesty of employees
and that most persons are not motivated to falsify records. However,
the agency's experience with various types of records and signature
falsification demonstrates that some people do falsify information
under certain circumstances. Among those circumstances are situations
in which falsifications can be executed with ease and have little
likelihood of detection. Part 11 is intended to minimize the
opportunities for readily executing falsifications and to maximize the
chances of detecting falsifications.

Concerning signature falsification by former employees, the agency
would expect that upon the departure of an employee, the assigned
electronic signature would be ``retired'' to prevent the former
employee from falsely using the signature.

H. Security of Industry Electronic Records Submitted to FDA

8. Several comments expressed concern about the security and
confidentiality of electronic records submitted to FDA. One suggested
that submissions be limited to such read-only formats as CD-ROM with
raw data for statistical manipulation provided separately on floppy
diskette. One comment suggested that in light of the proposed rule, the
agency should review its own internal security procedures. Another
addressed electronic records that may be disclosed under the Freedom of
Information Act and expressed concern regarding agency deletion of
trade secrets. One comment anticipated FDA's use of open systems to
access industry records (such as medical device production and control
records) and suggested that such access should be restricted to closed
systems.

The agency is well aware of its legal obligation to maintain the
confidentiality of trade secret information in its possession, and is
committed to meet that obligation regardless of the form (paper or
electronic) a record takes. The procedures used to ensure
confidentiality are consistent with the provisions of part 11. FDA is
also examining other controls, such as use of digital signatures, to
ensure submission integrity. To permit legitimate changes to be made,
the agency does not believe that it is necessary to restrict
submissions to those maintained in

[[Page 13434]]

read-only formats in all cases; each agency receiving unit retains the
flexibility to determine whatever format is most suitable. Those
intending to submit material are expected to consult with the
appropriate agency receiving unit to determine the acceptable formats.

Although FDA access to electronic records on open systems
maintained by firms is not anticipated in the near future, the agency
believes it would be inappropriate to rule out such a procedure. Such
access can be a valuable inspection tool and can enhance efficiencies
by reducing the time investigators may need to be on site. The agency
believes it is important to develop appropriate procedures and security
measures in cooperation with industry to ensure that such access does
not jeopardize data confidentiality or integrity.

I. Effective Date/Grandfathering

9. Several comments addressed the proposed effective date of the
final rule, 90 days after publication in the Federal Register, and
suggested potential exemptions (grandfathering) for systems now in use.
Two comments requested an expedited effective date for the final rule.
One comment requested an effective date at least 18 months after
publication of the final rule to permit firms to modify and validate
their systems. One comment expressed concern about how the rule, in
general, will affect current systems, and suggested that the agency
permit firms to continue to use existing electronic record systems that
otherwise conform to good manufacturing or laboratory practices until
these firms make major modifications to those systems or until 5 years
have elapsed, whichever comes first. Several other comments requested
grandfathering for specific sections of the proposed rule.
The agency has carefully considered the comments and suggestions
regarding the final rule's effective date and has concluded that the
effective date should be 5 months after date of publication in the
Federal Register. The agency wishes to accommodate firms that are
prepared now to comply with part 11 or will be prepared soon, so as to
encourage and foster new technologies in a manner that ensures that
electronic record and electronic signature systems are reliable,
trustworthy, and compatible with FDA's responsibility to promote and
protect public health. The agency believes that firms that have
consulted with FDA before adopting new electronic record and electronic
signature technologies (especially technologies that may impact on the
ability of the agency to conduct its work effectively) will need to
make few, if any, changes to systems used to maintain records required
by FDA.
The agency believes that the provisions of part 11 represent
minimal standards and that a general exemption for existing systems
that do not meet these provisions would be inappropriate and not in the
public interest because such systems are likely to generate electronic
records and electronic signatures that are unreliable, untrustworthy,
and not compatible with FDA's responsibility to promote and protect
public health. Such an exemption might, for example, mean that a firm
could: (1) Deny FDA inspectional access to electronic record systems,
(2) permit unauthorized access to those systems, (3) permit individuals
to share identification codes and passwords, (4) permit systems to go
unvalidated, and (5) permit records to be falsified in many ways and in
a manner that goes undetected.
The agency emphasizes that these regulations do not require, but
rather permit, the use of electronic records and signatures. Firms not
confident that their electronic systems meet the minimal requirements
of these regulations are free to continue to use traditional signatures
and paper documents to meet recordkeeping requirements.

J. Comments by Electronic Mail (e-mail) and Electronic Distribution of
FDA Documents

10. One comment specifically noted that the agency has accepted
comments by e-mail and that this provides an additional avenue for
public participation in the rulemaking process. Another comment
encouraged FDA to expand the use of electronic media to provide
information by such open systems as bulletin boards.
The agency intends to explore further the possibility of continuing
to accept public comments by e-mail and other electronic means. For
this current experiment, the agency received only one comment by
e-mail. The comment that addressed this issue was, itself, transmitted in
a letter. The agency recognizes the benefits of distributing
information electronically, has expanded that activity, and intends to
continue that expansion. Although only one e-mail comment was received,
the agency does not attribute that low number to a lack of ability to
send e-mail because the agency received e-mail from 198 persons who
requested the text of the proposed rule, including requests from people
outside the United States.

K. Submissions by Facsimile (Fax)

11. One comment said that part 11 should include a provision for
FDA acceptance of submissions by fax, such as import form FDA 2877. The
comment noted that the U.S. Customs Service accepts fax signatures on
its documents, and claimed that FDA's insistence on hard copies of form
FDA 2877 is an impediment to imports.
The agency advises that part 11 permits the unit that handles
import form FDA 2877 to accept that record in electronic form when it
is prepared logistically to do so. As noted in the discussion on
Sec. 11.1(b) in comment 21 of this document, the agency recognizes that
faxes can be in paper or electronic form, based on the capabilities of
the sender and recipient.

L. Blood Bank Issues

12. Two comments addressed blood bank issues in the context of
electronic records and electronic signatures and said the agency should
clarify that part 11 would permit electronic crossmatching by a central
blood center for individual hospitals. One comment stated that remote
blood center and transfusion facilities should be permitted to rely on
electronically communicated information, such as authorization for
labeling/issuing units of blood, and that the electronic signature of
the supervisor in the central testing facility releasing the product
for labeling and issuance should be sufficient because the proposed
rule guards against security and integrity problems.
One comment questioned whether, under part 11, electronic
signatures would meet the signature requirements for the release of
units of blood, and if there would be instances where a full signature
would be required instead of a technician's identification. Another
comment asserted that it is important to clarify how the term ``batch''
will be interpreted under part 11, and suggested that the term used in
relation to blood products refers to a series of units of blood having
undergone common manufacturing processes and recorded on the same
computerized document. The comment contrasted this to FDA's current
view that each unit of blood be considered a batch.
The agency advises that part 11 permits release records now in
paper form to be in electronic form and traditional handwritten
signatures to be electronic signatures. Under part 11, the name of the
technician must appear in the record display or printout to clearly
identify the technician. The appearance of the technician's
identification code

[[Page 13435]]

alone would not be sufficient. The agency also advises that the
definition of a ``batch'' for blood or other products is not affected
by part 11, which addresses the trustworthiness and reliability of
electronic records and electronic signatures, regardless of how a
batch, which is the subject of those records and signatures, is
defined.

M. Regulatory Flexibility Analysis

13. One comment said that, because part 11 will significantly
impact a substantial number of small businesses, even though the impact
would be beneficial, FDA is required to perform a regulatory
flexibility analysis and should publish such an analysis in the Federal
Register before a final rule is issued.
The comment states that the legislative history of the Regulatory
Flexibility Act is clear that ``significant economic impact,'' as it
appears at 5 U.S.C. 605(b), is neutral with respect to whether such
impact is beneficial or adverse.
Contrary to the comment's assertion, the legislative history is not
dispositive of this matter. It is well established that the task of
statutory construction must begin with the actual language of the
statute. (See Bailey v. United States, 116 S. Ct. 595, 597 (1996).) A
statutory term must not be construed in isolation; a provision that may
seem ambiguous in isolation is often clarified by the remainder of the
statute. (See Dept. Of Revenue of Oregon v. ACF Industries, 114 S. Ct.
843, 850 (1994).) Moreover, it is a fundamental canon of statutory
construction that identical terms within the same statute must bear the
same meaning. (See Reno v. Koray, 115 S. Ct. 2021, 2026 (1995).)
In addition to appearing in 5 U.S.C. 605(b), the term ``significant
economic impact'' appears elsewhere in the statute. The legislation is
premised upon the congressional finding that alternative regulatory
approaches may be available which ``minimize the significant economic
impact'' of rules (5 U.S.C. 601 note). In addition, an initial
regulatory flexibility analysis must describe significant regulatory
alternatives that ``minimize any significant economic impact'' (5
U.S.C. 603(c)). Similarly, a final regulatory flexibility analysis must
include a description of the steps the agency has taken to ``minimize
any significant economic impact'' (5 U.S.C. 604(a)(5)). The term
appeared as one of the elements of a final regulatory flexibility
analysis, as originally enacted in 1980. (See Pub. L. No. 96-354,
Sec. 3(a), 94 Stat. 1164, 1167 (1980) (formerly codified at 5 U.S.C.
604(a)(3)).) In addition, when Congress amended the elements of a final
regulatory flexibility analysis in 1996, it re-enacted the term, as set
forth above. (See Pub. L. 104-121, Sec. 241(b), 110 Stat. 857, 865
(1996) (codified at 5 U.S.C. 604(a)(5)).)
Unless the purpose of the statute was intended to increase the
economic burden of regulations by minimizing positive or beneficial
effects, ``significant economic impact'' cannot include such effects.
Because it is beyond dispute that the purpose of the statute is not
increasing economic burdens, the plain meaning of ``significant
economic impact'' is clear and necessarily excludes beneficial or
positive effects of regulations. Even where there are some limited
contrary indications in the statute's legislative history, it is
inappropriate to resort to legislative history to cloud a statutory
text that is clear on its face. (See Ratzlaf v. United States, 114 S.
Ct. 655, 662 (1994).) Therefore, the agency concludes that a final
regulatory flexibility analysis is not required for this regulation or
any regulation for which there is no significant adverse economic
impact on small entities. Notwithstanding these conclusions, FDA has
nonetheless considered the impact of the rule on small entities. (See
section XVI. of this document.)

N. Terminology

14. One comment addressed the agency's use of the word ``ensure''
throughout the rule and argued that the agency should use the word
``assure'' rather than ``ensure'' because ``ensure'' means ``to
guarantee or make certain'' whereas ``assure'' means ``to make
confident.'' The comment added that ``assure'' is also more consistent
with terminology in other regulations.
The agency wishes to emphasize that it does not intend the word
``ensure'' to represent a guarantee. The agency prefers to use the word
``ensure'' because it means to make certain.

O. General Comments Regarding the Prescription Drug Marketing Act of
1987 (PDMA)

15. Three comments addressed the use of handwritten signatures that
are recorded electronically (SRE's) under part 11 and PDMA. One firm
described its delivery information acquisition device and noted its use
of time stamps to record when signatures are executed. The comments
requested clarification that SRE's would be acceptable under the PDMA
regulations. One comment assumed that subpart C of part 11 (Electronic
Signatures) would not apply to SRE's, noting that it was not practical
under PDMA (given the large number of physicians who may be eligible to
receive drug product samples) to use such alternatives as
identification codes combined with passwords.
The agency advises that part 11 applies to handwritten signatures
recorded electronically and that such signatures and their
corresponding electronic records will be acceptable for purposes of
meeting PDMA's requirements when the provisions of part 11 are met.
Although subpart C of part 11 does not apply to handwritten signatures
recorded electronically, the agency advises that controls related to
electronic records (subpart B), and the general provisions of subpart
A, do apply to electronic records in the context of PDMA. The agency
emphasizes, however, that part 11 does not restrict PDMA signings to
SRE's, and that organizations retain the option of using electronic
signatures in conformance with part 11. Furthermore, the agency
believes that the number of people in a given population or
organization should not be viewed as an insurmountable obstacle to use
of electronic signatures. The agency is aware, for example, of efforts
by the American Society of Testing and Materials to develop standards
for electronic medical records in which digital signatures could
theoretically be used on a large scale.

P. Comments on the Unique Nature of Passwords

16. Several comments noted, both generally and with regard to
Secs. 11.100(a), 11.200(a), and 11.300, that the password in an
electronic signature that is composed of a combination of password and
identification code is not, and need not be, unique. Two comments added
that passwords may be known to system security administrators who
assist people who forget passwords and requested that the rule
acknowledge that passwords need not be unique. One comment said that
the rule should describe how uniqueness is to be determined.
The agency acknowledges that when an electronic signature consists
of a combined identification code and password, the password need not
be unique. It is possible that two persons in the same organization may
have the same password. However, the agency believes that where good
password practices are implemented, such coincidence would be highly
unlikely. As discussed in section XIII. of this document in the context
of comments on proposed Sec. 11.300, records are less trustworthy and
reliable if it is relatively easy for someone to deduce or execute, by
chance, a person's electronic

[[Page 13436]]

signature where the identification code of the signature is not
confidential and the password is easily guessed.
The agency does not believe that revising proposed Sec. 11.100(a)
is necessary because what must remain unique is the electronic
signature, which, in the case addressed by the comments, consists not
of the password alone, but rather the password in combination with an
identification code. If the combination is unique, then the electronic
signature is unique.
The agency does not believe that it is necessary to describe in the
regulations the various ways of determining uniqueness or achieving
compliance with the requirement. Organizations thereby maintain
implementation flexibility.
The agency believes that most system administrators or security
managers would not need to know passwords to help people who have
forgotten their own. This is because most administrators or managers
have global computer account privileges to resolve such problems.

IV. Scope (Sec. 11.1)

17. One comment suggested adding a new paragraph to proposed
Sec. 11.1 that would exempt computer record maintenance software
installed before the effective date of the final rule, and that would
exempt electronic records maintained before that date. The comment
argued that such exemptions were needed for economic and constitutional
reasons because making changes to existing systems would be costly and
because the imposition of additional requirements after the fact could
be regarded as an ex post facto rule. The comment said firms have been
using electronic systems that have demonstrated reliability and
security for many years before the agency's publication of the ANPRM,
and that the absence of FDA's objections in inspectional form FDA 483
was evidence of the agency's acceptance of the system.
As discussed in section III.I. of this document, the agency is
opposed to ``grandfathering'' existing systems because such exemptions
may perpetuate environments that provide opportunities for record
falsification and impair FDA's ability to protect and promote public
health. However, the agency wishes to avoid any confusion regarding the
application of the provisions of part 11 to systems and electronic
records in place before the rule's effective date. Important
distinctions need to be made relative to an electronic record's
creation, modification, and maintenance because various portions of
part 11 address matters relating to these actions. Those provisions
apply depending upon when a given electronic record is created,
modified, or maintained.
Electronic records created before the effective date of this rule
are not covered by part 11 provisions that relate to aspects of the
record's creation, such as the signing of the electronic record. Those
records would not, therefore, need to be altered retroactively.
Regarding records that were first created before the effective date,
part 11 provisions relating to modification of records, such as audit
trails for record changes and the requirement that original entries not
be obscured, would apply only to those modifications made on or after
the rule's effective date, not to modifications made earlier. Likewise,
maintenance provisions of part 11, such as measures to ensure that
electronic records can be retrieved throughout their retention periods,
apply to electronic records that are being maintained on or after the
rule's effective date. The hardware and software, as well as
operational procedures used on or after the rule's effective date, to
create, modify, or maintain electronic records must comply with the
provisions of part 11.
The agency does not agree with any suggestion that FDA endorsement
or acceptance of an electronic record system can be inferred from the
absence of objections in an inspection report. Before this rulemaking,
FDA did not have established criteria by which it could determine the
reliability and trustworthiness of electronic records and electronic
signatures and could not sanction electronic alternatives when
regulations called for signatures. A primary reason for issuing part 11
is to develop and codify such criteria. FDA will assess the
acceptability of electronic records and electronic signatures created
prior to the effective date of part 11 on a case-by-case basis.
18. One comment suggested that proposed Sec. 11.1 exempt production
of medical devices and in vitro diagnostic products on the grounds that
the subject was already adequately addressed in the medical device CGMP
regulations currently in effect in Sec. 820.195 (21 CFR 820.195), and
that additional regulations would be confusing and would limit
compliance.
The agency believes that part 11 complements, and is supportive of,
the medical device CGMP regulations and the new medical device quality
system regulation, as well as other regulations, and that compliance
with one does not confound compliance with others. Before publication
of the ANPRM, the agency determined that existing regulations,
including the medical device CGMP regulations, did not adequately
address electronic records and electronic signatures. That
determination was reinforced in the comments to the ANPRM, which
focused on the need to identify what makes electronic records reliable,
trustworthy, and compatible with FDA's responsibility to promote and
protect public health. For example, the provision cited by the comment,
Sec. 820.195, states ``When automated data processing is used for
manufacturing or quality assurance purposes, adequate checks shall be
designed and implemented to prevent inaccurate data output, input, and
programming errors.'' This section does not address the many issues
addressed by part 11, such as electronic signatures, record
falsification, or FDA access to electronic records. The relationship
between the quality system regulation and part 11 is discussed at
various points in the preamble to the quality system regulation.
19. One comment asserted that for purposes of PDMA, the scope of
proposed part 11 should be limited to require only those controls for
assessing signatures in paper-based systems because physicians'
handwritten signatures are executed to electronic records. The comment
further asserted that, because drug manufacturers' representatives
carry computers into physicians' offices (where the physicians then
sign sample requests and receipts), only closed system controls should
be needed.
The agency believes that, for purposes of PDMA, controls needed for
electronic records bearing handwritten signatures are no different from
controls needed for the same kinds of records and signatures used
elsewhere, and that proposed Sec. 11.1 need not make any such
distinction.
In addition, the agency disagrees with the implication that all
PDMA electronic records are, in fact, handled within closed systems.
The classification of a system as open or closed in a particular
situation depends on what is done in that situation. For example, the
agency agrees that a closed system exists where a drug producer's
representative (the person responsible for the content of the
electronic record) has control over access to the electronic record
system by virtue of possessing the portable computer and controlling
who may use the computer to sign electronic records. However, should
the firm's representative transfer copies of those records to a public
online service that stores them for the drug firm's

[[Page 13437]]

subsequent retrieval, the agency considers such transfer and storage to
be within an open system because access to the system holding the
records is controlled by the online service, which is not responsible
for the record's content. Activities in the first example would be
subject to closed system controls and activities in the second example
would be subject to open system controls.
20. One comment urged that proposed Sec. 11.1 contain a clear
statement of what precedence certain provisions of part 11 have over
other regulations.
The agency believes that such statements are found in Sec. 11.1(c):
    Where electronic signatures and their associated records meet
    the requirements of this part, the agency will consider the
    electronic signatures to be equivalent to full handwritten
    signatures, initials, and other general signings as required under
    agency regulations unless specifically excepted by regulations
    * * *.
and Sec. 11.1(d) (``Electronic records that meet the requirements of
this part may be used in lieu of paper records, in accordance with
Sec. 11.2, unless paper records are specifically required.''). These
provisions clearly address the precedence of part 11 and the
equivalence of electronic records and electronic signatures.
To further clarify the scope of the rule, FDA has revised Sec. 11.1
to apply to electronic records submitted to the agency under
requirements of the Federal Food, Drug, and Cosmetic Act (the act) and
the Public Health Service Act (the PHS Act). This clarifies the point
that submissions required by these statutes, but not specifically
mentioned in the Code of Federal Regulations (CFR), are subject to part
11.
21. Proposed Sec. 11.1(b) stated that the regulations would apply
to records in electronic form that are created, modified, maintained,
or transmitted, under any records requirements set forth in Chapter I
of Title 21. One comment suggested that the word ``transmitted'' be
deleted from proposed Sec. 11.1(b) because the wording would
inappropriately apply to paper documents that are transmitted by fax.
The comment noted that if the records are in machine readable form
before or after transmission, they would still be covered by the
revised wording.
The agency does not intend part 11 to apply to paper records even
if such records are transmitted or received by fax. The agency notes
that the records transmitted by fax may be in electronic form at the
sender, the recipient, or both. Part 11 would apply whenever the record
is in electronic form. To remedy the problem noted by the comment, the
agency has added a sentence to Sec. 11.1(b) stating that part 11 does
not apply to paper records that are, or have been, transmitted by
electronic means.
22. One comment asked whether paper records created by computer
would be subject to proposed part 11. The comment cited, as an example,
the situation in which a computer system collects toxicology data that
are printed out and maintained as ``raw data.''
Part 11 is intended to apply to systems that create and maintain
electronic records under FDA's requirements in Chapter I of Title 21,
even though some of those electronic records may be printed on paper at
certain times. The key to determining part 11 applicability, under
Sec. 11.1(b), is the nature of the system used to create, modify, and
maintain records, as well as the nature of the records themselves.
Part 11 is not intended to apply to computer systems that are
merely incidental to the creation of paper records that are
subsequently maintained in traditional paper-based systems. In such
cases, the computer systems would function essentially like manual
typewriters or pens and any signatures would be traditional handwritten
signatures. Record storage and retrieval would be of the traditional
``file cabinet'' variety. More importantly, overall reliability,
trustworthiness, and FDA's ability to access the records would derive
primarily from well-established and generally accepted procedures and
controls for paper records. For example, if a person were to use word
processing software to generate a paper submission to FDA, part 11
would not apply to the computer system used to generate the submission,
even though, technically speaking, an electronic record was initially
created and then printed on paper.
When records intended to meet regulatory requirements are in
electronic form, part 11 would apply to all the relevant aspects of
managing those records (including their creation, signing,
modification, storage, access, and retrieval). Thus, the software and
hardware used to create records that are retained in electronic form
for purposes of meeting the regulations would be subject to part 11.
Regarding the comment about ``raw data,'' the agency notes that
specific requirements in existing regulations may affect the particular
records at issue, regardless of the form such records take. For
example, ``raw data,'' in the context of the good laboratory practices
regulations (21 CFR part 58), include computer printouts from automated
instruments as well as the same data recorded on magnetic media. In
addition, regulations that cover data acquisition systems generally
include requirements intended to ensure the trustworthiness and
reliability of the collected data.
23. Several comments on proposed Sec. 11.1(b) suggested that the
phrase ``or archived and retrieved'' be added to paragraph (b) to
reflect more accurately a record's lifecycle.
The agency intended that record archiving and retrieval would be
part of record maintenance, and therefore already covered by
Sec. 11.1(b). However, for added clarity, the agency has revised
Sec. 11.1(b) to add ``archived and retrieved.''
24. One comment suggested that, in describing what electronic
records are within the scope of part 11, proposed Sec. 11.1(b) should
be revised by substituting ``processed'' for ``modified'' and
``communicated'' for ``transmitted'' because ``communicated'' reflects
the fact that the information was dispatched and also received. The
comment also suggested substituting ``retained'' for ``maintained,'' or
adding the word ``retained,'' because ``maintain'' does not necessarily
convey the retention requirement.
The agency disagrees. The word ``modified'' better describes the
agency's intent regarding changes to a record; the word ``processed''
does not necessarily imply a change to a record. FDA believes
``transmitted'' is preferable to ``communicated'' because
``communicated'' might imply that controls to ensure integrity and
authenticity hinge on whether the intended recipient actually received
the record. Also, as discussed in comment 22 of this document, the
agency intends for the term ``maintain'' to include records retention.
25. Two comments suggested that proposed Sec. 11.1(b) explicitly
state that part 11 supersedes all references to handwritten signatures
in 21 CFR parts 211 through 226 that pertain to a drug, and in 21 CFR
parts 600 through 680 that pertain to biological products for human
use. The comments stated that the revision should clarify coverage and
permit blood centers and transfusion services to take full advantage of
electronic systems that provide process controls.
The agency does not agree that the revision is necessary because,
under Sec. 11.1(b) and (c), part 11 permits electronic records or
submissions under all FDA regulations in Chapter I of Title 21 unless
specifically excepted by future regulations.
26. Several comments expressed concern that the proposed rule had
inappropriately been expanded in scope

[[Page 13438]]

from the ANPRM to address electronic records as well as electronic
signatures. One comment argued that the scope of part 11 should be
restricted only to those records that are currently required to be
signed, witnessed, or initialed, and that the agency should not require
electronic records to contain electronic signatures where the
corresponding paper records are not required to be signed.
The agency disagrees with the assertion that part 11 should address
only electronic signatures and not electronic records for several
reasons. First, based on comments on the ANPRM, the agency is convinced
that the reliability and trustworthiness of electronic signatures
depend in large measure on the reliability and trustworthiness of the
underlying electronic records. Second, the agency has concluded that
electronic records, like paper records, need to be trustworthy,
reliable, and compatible with FDA's responsibility to promote and
protect public health regardless of whether they are signed. In
addition, records falsification is an issue with respect to both signed
and unsigned records. Therefore, the agency concludes that although the
ANPRM focused primarily on electronic signatures, expansion of the
subject to electronic records in the proposed rule was fully justified.
The agency stresses that part 11 does not require that any given
electronic record be signed at all. The requirement that any record
bear a signature is contained in the regulation that mandates the basic
record itself. Where records are signed, however, by virtue of meeting
a signature requirement or otherwise, part 11 addresses controls and
procedures intended to help ensure the reliability and trustworthiness
of those signatures.
27. Three comments asked if there were any regulations, including
CGMP regulations, that might be excepted from part 11 and requested
that the agency identify such regulations.
FDA, at this time, has not identified any current regulations that
are specifically excepted from part 11. However, the agency believes it
is prudent to provide for such exceptions should they become necessary
in the future. It is possible that, as the agency's experience with
part 11 increases, certain records may need to be limited to paper if
there are problems with the electronic versions of such records.
28. One comment requested clarification of the meaning of the term
``general signings'' in proposed Sec. 11.1(c), and said that the
distinction between ``full handwritten'' signatures and ``initials'' is
unnecessary because handwritten includes initials in all common
definitions of handwritten signature. The comment also suggested
changing the term ``equivalent'' to ``at least equivalent'' because
electronic signatures are not precise equivalents of handwritten
signatures and computer-based signatures have the potential of being
more secure.
The agency advises that current regulations that require records to
be signed express those requirements in different ways depending upon
the agency's intent and expectations. Some regulations expressly state
that records must be signed using ``full handwritten'' signatures,
whereas other regulations state that records must be ``signed or
initialed;'' still other regulations implicitly call for some kind of
signing by virtue of requiring record approvals or endorsements. This
last broad category is addressed by the term ``general signings'' in
Sec. 11.1(c).
Where the language is explicit in the regulations, the means of
meeting the requirement are correspondingly precise. Therefore, where a
regulation states that a signature must be recorded as ``full
handwritten,'' the use of initials is not an acceptable substitute.
Furthermore, under part 11, for an electronic signature to be
acceptable in place of any of these signings, the agency only needs to
consider them as equivalent; electronic signatures need not be superior
to those other signings to be acceptable.
29. Several comments requested clarification of which FDA records
are required to be in paper form, and urged the agency to allow and
promote the use of electronic records in all cases. One comment
suggested that proposed Sec. 11.1(d) be revised to read, in part, ``* *
* unless the use of electronic records is specifically prohibited.''
The agency intends to permit the use of electronic records required
to be maintained but not submitted to the agency (as noted in
Sec. 11.2(a)) provided that the requirements of part 11 are met and
paper records are not specifically required. The agency also wishes to
encourage electronic submissions, but is limited by logistic and
resource constraints. The agency is unaware of ``maintenance records''
that are currently explicitly required to be in paper form (explicit
mention of paper is generally unnecessary because, at the time most
regulations were prepared, only paper-based technologies were in use)
but is providing for that possibility in the future. For purposes of
part 11, the agency will not consider that a regulation requires
``maintenance'' records to be in paper form where the regulation is
silent on the form the record must take. FDA believes that the
comments' suggested wording does not offer sufficient advantages to
adopt the change.
However, to enable FDA to accept as many electronic submissions as
possible, the agency is amending Sec. 11.1(b) to include those
submissions that the act and the PHS Act specifically require, even
though such submissions may not be identified in agency regulations. An
example of such records is premarket submissions for Class I and Class
II medical devices, required by section 510(k) of the act (21 U.S.C.
360(k)).
30. Several comments addressed various aspects of the proposed
requirement under Sec. 11.1(e) regarding FDA inspection of electronic
record systems. Several comments objected to the proposal as being too
broad and going beyond the agency's legal inspectional authority. One
comment stated that access inferred by such inspection may include
proprietary financial and sales data to which FDA is not entitled.
Another comment suggested adding the word ``authorized'' before
``inspection.'' Some comments suggested revising proposed Sec. 11.1(e)
to limit FDA inspection only to the electronic records and electronic
signatures themselves, thus excluding inspection of hardware and
software used to manage those records and signatures. Other comments
interpreted proposed Sec. 11.1(e) as requiring them to keep supplanted
or retired hardware and software to enable FDA inspection of those
outdated systems.
The agency advises that FDA inspections under part 11 are subject
to the same legal limitations as FDA inspections under other
regulations. The agency does not believe it is necessary to restate
that limitation by use of the suggested wording. However, within those
limitations, it may be necessary to inspect hardware and software used
to generate and maintain electronic records to determine if the
provisions of part 11 are being met. Inspection of resulting records
alone would be insufficient. For example, the agency may need to
observe the use and maintenance of tokens or devices that contain or
generate identification information. Likewise, to assess the adequacy
of systems validation, it is generally necessary to inspect hardware
that is being used to determine, among other things, if it matches the
system documentation description of such hardware. The agency has
concluded that hardware and software used to generate and maintain
electronic records and signatures are ``pertinent

[[Page 13439]]

equipment'' within the meaning of section 704 of the act (21 U.S.C.
374).
The agency does not expect persons to maintain obsolete and
supplanted computer systems for the sole purpose of enabling FDA
inspection. However, the agency does expect firms to maintain and have
available for inspection documentation relevant to those systems, in
terms of compliance with part 11, for as long as the electronic records
are required by other relevant regulations. Persons should also be
mindful of the need to keep appropriate computer systems that are
capable of reading electronic records for as long as those records must
be retained. In some instances, this may mean retention of otherwise
outdated and supplanted systems, especially where the old records
cannot be converted to a form readable by the newer systems. In most
cases, however, FDA believes that where electronic records are
accurately and completely transcribed from one system to another, it
would not be necessary to maintain older systems.
31. One comment requested that proposed part 11 be revised to give
examples of electronic records subject to FDA inspection, including
pharmaceutical and medical device production records, in order to
reduce the need for questions.
The agency does not believe that it is necessary to include
examples of records it might inspect because the addition of such
examples might raise questions about the agency's intent to inspect
other records that were not identified.
32. One comment said that the regulation should state that certain
security related information, such as private keys attendant to
cryptographic implementation, is not intended to be subject to
inspection, although procedures related to keeping such keys
confidential can be subject to inspection.
The agency would not routinely seek to inspect especially sensitive
information, such as passwords or private keys, attendant to security
systems. However, the agency reserves the right to conduct such
inspections, consistent with statutory limitations, to enforce the
provisions of the act and related statutes. It may be necessary, for
example, in investigating cases of suspected fraud, to access and
determine passwords and private keys, in the same manner as the agency
may obtain specimens of handwritten signatures (``exemplars''). Should
there be any reservations about such inspections, persons may, of
course, change their passwords and private keys after FDA inspection.
33. One comment asked how persons were expected to meet the
proposed requirement, under Sec. 11.1(e), that computer systems be
readily available for inspection when such systems include
geographically dispersed networks. Another comment said FDA
investigators should not be permitted to access industry computer
systems as part of inspections because investigators would be untrained
users.
The agency intends to inspect those parts of electronic record or
signature systems that have a bearing on the trustworthiness and
reliability of electronic records and electronic signatures under part
11. For geographically dispersed systems, inspection at a given
location would extend to operations, procedures, and controls at that
location, along with interaction of that local system with the wider
network. The agency would inspect other locations of the network in a
separate but coordinated manner, much the same way the agency currently
conducts inspections of firms that have multiple facilities in
different parts of the country and outside of the United States.
FDA does not believe it is reasonable to rule out computer system
access as part of an inspection of electronic record or signature
systems. Historically, FDA investigators observe the actions of
establishment employees, and (with the cooperation of establishment
management) sometimes request that those employees perform some of
their assigned tasks to determine the degree of compliance with
established requirements. However, there may be times when FDA
investigators need to access a system directly. The agency is aware
that such access will generally require the cooperation of and, to some
degree, instruction by the firms being inspected. As new, complex
technologies emerge, FDA will need to develop and implement new
inspectional methods in the context of those technologies.

V. Implementation (Sec. 11.2)

34. Proposed Sec. 11.2(a) stated that for ``records required by
chapter I of this title to be maintained, but not submitted to the
agency, persons may use electronic records/signatures in lieu of paper
records/conventional signatures, in whole or in part, * * *.''
Two comments requested clarification of the term ``conventional
signatures.'' One comment suggested that the term ``traditional
signatures'' be used instead. Another suggested rewording in order to
clarify the slash in the phrase ``records/signatures.''
The agency advises that the term ``conventional signature'' means
handwritten signature. The agency agrees that the term ``traditional
signature'' is preferable, and has revised Sec. 11.2(a) and (b)
accordingly. The agency has also clarified proposed Sec. 11.2(a) by
replacing the slash with the word ``or.''
35. One comment asked if the term ``persons'' in proposed
Sec. 11.2(b) would include devices because computer systems frequently
apply digital time stamps on records automatically, without direct
human intervention.
The agency advises that the term ``persons'' excludes devices. The
agency does not consider the application of a time stamp to be the
application of a signature.
36. Proposed Sec. 11.2(b)(2) provides conditions under which
electronic records or signatures could be submitted to the agency in
lieu of paper. One condition is that a document, or part of a document,
must be identified in a public docket as being the type of submission
the agency will accept in electronic form. Two comments addressed the
nature of the submissions to the public docket. One comment asked that
the agency provide specifics, such as the mechanism for updating the
docket and the frequency of such updates. One comment suggested making
the docket available to the public by electronic means. Another comment
suggested that acceptance procedures be uniform among agency units and
that electronic mail be used to hold consultations with the agency. One
comment encouraged the agency units receiving the submissions to work
closely with regulated industry to ensure that no segment of industry
is unduly burdened and that agency guidance is widely accepted.
The agency intends to develop efficient electronic records
acceptance procedures that afford receiving units sufficient
flexibility to deal with submissions according to their capabilities.
Although agencywide uniformity is a laudable objective, to attain such
flexibility it may be necessary to accommodate some differences among
receiving units. The agency considers of primary importance, however,
that all part 11 submissions be trustworthy, reliable, and in keeping
with FDA regulatory activity. The agency expects to work closely with
industry to help ensure that the mechanics and logistics of accepting
electronic submissions do not pose any undue burdens. However, the
agency expects persons to consult with the

[[Page 13440]]

intended receiving units on the technical aspects of the submission,
such as media, method of transmission, file format, archiving needs,
and technical protocols. Such consultations will ensure that
submissions are compatible with the receiving units' capabilities. The
agency has revised proposed Sec. 11.2(b)(2) to clarify this
expectation.
Regarding the public docket, the agency is not at this time
establishing a fixed schedule for updating what types of documents are
acceptable for submission because the agency expects the docket to
change and grow at a rate that cannot be predicted. The agency may,
however, establish a schedule for updating the docket in the future.
The agency agrees that making the docket available electronically is
advisable and will explore this option. Elsewhere in this issue of the
Federal Register, FDA is providing further information on this docket.


Page Updated: June 01, 2001 tc
