FDA Draft Guidance for Industry: 21 CFR Part 11; Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records

Draft Guidance for Industry: 21 CFR Part 11; Electronic Records;Electronic Signatures, Electronic Copies of Electronic RecordsPosted: 11/18/2002, Issue Date: 11/12/2002www.fda.gov/cber/gdlns/esigcopies.pdf-----------Draft Guidance for Industry -- Not For ImplementationGuidance for Industry21 CFR Part 11; Electronic Records;Electronic SignaturesElectronic Copies of Electronic RecordsDraft GuidanceThis guidance document is being distributed for comment purposes only.Comments and suggestions regarding this draft document should be submitted within90 days of publication in the Federal Register of the notice announcing the availability ofthe draft guidance. Submit comments to Dockets Management Branch (HFA-305),Food and Drug Administration, 5630 Fishers Lane, room 1061, Rockville, MD 20852.All comments should be identified with the docket number 00D-1540.For questions regarding this draft document contact Paul J. Motise, Office ofEnforcement, Office of Regulatory Affairs, 301-827-0383, e-mail: pmotise@ora.fda.gov.U.S. Department of Health and Human ServicesFood and Drug AdministrationOffice of Regulatory Affairs (ORA)Center for Biologics Evaluation and Research (CBER)Center for Drug Evaluation and Research (CDER)Center for Devices and Radiological Health (CDRH)Center for Food Safety and Applied Nutrition (CFSAN)Center for Veterinary Medicine (CVM)August 2002Draft Guidance for Industry -- Not For ImplementationiiGuidance For Industry21 CFR Part 11; Electronic Records; Electronic SignaturesElectronic Copies of Electronic RecordsAdditional copies of this draft guidance document are available from the Office ofEnforcement, HFC-200, 5600 Fishers Lane, Rockville, MD 20857; Internethttp://www.fda.gov/ora/compliance_ref/part11/default.htmU.S. Department of Health and Human ServicesFood and Drug AdministrationOffice of Regulatory Affairs (ORA)Center for Biologics Evaluation and Research (CBER)Center for Drug Evaluation and Research (CDER)Center for Devices and Radiological Health (CDRH)Center for Food Safety and Applied Nutrition (CFSAN)Center for Veterinary Medicine (CVM)August 2002Draft Guidance for Industry -- Not For ImplementationiiiGuidance For Industry21 CFR Part 11; Electronic Records; Electronic SignaturesElectronic Copies of Electronic RecordsTable of Contents1. Purpose.................................................................................................................... 12. Scope....................................................................................................................... 22.1 Applicability........................................................................................................... 22.2 Audience .............................................................................................................. 33. Definitions and Terminology..................................................................................... 44. Regulatory Requirements; What Does Part 11 Require?......................................... 45. Key Principles and Practices.................................................................................... 55.1 Electronic copies of electronic records provided to FDA should be accurate andcomplete, but they do not necessarily have to be in the same file format and onthe same media as the original electronic records................................................ 55.2 The process of making an electronic copy of an electronic record in a file formatthat differs from the original should be validated. ................................................. 65.3 Copies of hyperlinked records incorporated by reference should be included withthe electronic copy of the electronic record. ......................................................... 75.4 Electronic copies of database queries should be included with electronic copiesof electronic records, when appropriate................................................................ 75.5 Electronic copies of electronic records should include, or be appended with, anauthentication value.............................................................................................. 85.6 Electronic copies of electronic records should be in a file format and on mediathat enable FDA to read and process record data. ............................................... 85.7 If original electronic records were signed electronically, electronic copies of theoriginal electronic records should have electronic signatures that are capable ofbeing authenticated. ........................................................................................... 10Draft Guidance for Industry -- Not For Implementation1Guidance For Industry121 CFR Part 11; Electronic Records; Electronic SignaturesElectronic Copies of Electronic Records1. PurposeThe purpose of this draft guidance is to describe the Food and Drug Administration's(FDA’s) current thinking regarding considerations in meeting the requirement onelectronic copies of electronic records of Part 11 of Title 21 of the Code of FederalRegulations; Electronic Records; Electronic Signatures. It provides guidance toindustry, and is intended to assist persons who are subject to the rule to comply with theregulation. It may also assist FDA staff who apply part 11 to persons who are subject tothe regulation.1 This draft guidance was prepared under the aegis of the Office of Enforcement by the FDA Part 11Compliance Committee. The committee is composed of representatives from each center within the Foodand Drug Administration, the Office of Chief Counsel and the Office of Regulatory Affairs.This draft guidance, when finalized, will represent the Food and DrugAdministration’s (FDA’s) current thinking on this topic. It does not create or conferany rights for or on any person and does not operate to bind FDA or the public. Analternative approach may be used if such approach satisfies the requirements ofapplicable statutes and regulations.Draft Guidance for Industry -- Not For Implementation22. ScopeThis draft guidance is one of a series of guidances about part 11. We intend to provideinformation with respect to FDA’s current thinking on acceptable ways of meeting part11 requirements to ensure that electronic records and electronic signatures aretrustworthy, reliable, and compatible with FDA’s public health responsibilities.This draft guidance focuses on furnishing FDA with electronic copies of electronicrecords that are subject to part 11. It identifies key principles and practices ingenerating electronic copies of electronic records so that the electronic copies areaccurate, complete and suitable for our inspection, review and copying. This draftguidance also addresses attributes of such electronic copies that make them accurate,complete, and suitable for our inspection, review and copying. It addresses somefrequently asked questions, but is not intended to cover everything about electroniccopies of electronic records.2.1 ApplicabilityThis draft guidance applies to electronic records and electronic signatures that personscreate, modify, maintain, archive, retrieve, or transmit under any records or signaturerequirement set forth in the Federal Food, Drug, and Cosmetic Act (the Act), the PublicHealth Service Act (PHS Act), or any FDA regulation. Any requirements set forth in theAct, the PHS Act, or any FDA regulation, with the exception of part 11, are referred to inthis document as predicate rules. Most predicate rules are contained in Title 21 of theDraft Guidance for Industry -- Not For Implementation3Code of Federal Regulations. In general, predicate rules address the research,production, and control of FDA regulated articles, and fall into several broad categories.Examples of such categories include, but are not limited to, manufacturing practices,laboratory practices, clinical and pre-clinical research, adverse event reporting, producttracking, and pre and post marketing submissions and reports.This draft guidance is not intended to address issues relating to electronic records thatyou submit to FDA but that you are not required to maintain. Generally, for electronicrecords submitted to FDA, we will provide separate guidance on the technical aspectsof making such submissions (e.g., file format and media).2.2 AudienceWe intend this draft guidance to provide useful information and recommendations to:• Persons subject to part 11;• Persons responsible for providing FDA with electronic copies of electronicrecords; and,• Persons who develop products or services to enable implementation of part11 requirements;This draft guidance may also assist FDA staff who apply part 11 to persons subject tothe regulation.Draft Guidance for Industry -- Not For Implementation43. Definitions and TerminologyUnless otherwise specified below, all terms used in this draft guidance are defined inFDA’s draft guidance document, “Guidance For Industry, 21 CFR Part 11; ElectronicRecords; Electronic Signatures, Glossary of Terms,” a document common to the seriesof guidances on part 11.4. Regulatory Requirements; What Does Part 11 Require?• Section 11.10 requires persons to “employ procedures and controls designed toensure the authenticity, integrity, and, when appropriate, the confidentiality ofelectronic records, and to ensure that the signer cannot readily repudiate thesigned record as not genuine.” To satisfy this general requirement, personsmust, among other things, employ procedures and controls that include "[t]heability to generate accurate and complete copies of records in both humanreadable and electronic form suitable for inspection, review, and copying by, theagency." See 21 CFR 11.10(b).• Section 11.10(e) requires that persons use secure, computer-generated, timestampedaudit trails that must, among other things, "be available for agencyreview and copying."Draft Guidance for Industry -- Not For Implementation5• Section 11.50(b) requires that, for signed electronic records, signaturemanifestation information (the signer's printed name, date/time of signing, andwhat the signature means) "be subject to the same controls as for electronicrecords." It follows that, for signed electronic records, accurate and completecopies of electronic records (in both human readable and electronic form suitablefor inspection, review, and copying by the agency) include signaturemanifestation information. See 21 CFR 11.10(b).5. Key Principles and Practices5.1 Electronic copies of electronic records provided to FDA should beaccurate and complete, but they do not necessarily have to be in the samefile format and on the same media as the original electronic records.The file format of the electronic copy of the electronic record might differ from that of theoriginal electronic record, yet still be suitable for our inspection, review, and copying. Ingeneral, we will consider electronic copies of electronic records to be accurate andcomplete if they convey all the information and revisions in the original electronicrecords. For example, we consider it extremely important that electronic copies ofelectronic records that contain text include any embedded notes, comments, and hiddentext contained in the original electronic records. Likewise, we consider it extremelyimportant that metadata, such as audit trails be included with the electronic copy. See62 Fed. Reg. 13430, 13445-13446 (March 20, 1997).Draft Guidance for Industry -- Not For Implementation6We generally review copies of records to help us determine, among other things, if FDArequirements have been met, if there are safety or quality problems with a regulatedarticle or process, and if you have taken appropriate steps to detect, prevent and correctproblems that could impact public health. For us to reach fair and accurate conclusions,it is important that electronic copies of electronic records have accurate and completeinformation.5.2 The process of making an electronic copy of an electronic record in a fileformat that differs from the original should be validated.It is important that any file conversions you perform when you generate an electroniccopy of an electronic record be validated. You should take into account the file formatsand media that are suitable for our inspection, review, and copying, as described below,to determine when conversions may be warranted. The validation should be performedbefore making the copies. When you use a computer’s operating system to make anidentical copy of an electronic record, the system usually has a built-in error checkingmechanism to help ensure that the copy is, in fact, identical. In contrast, thatmechanism might not be present in the process of converting from one file format toanother. The conversion might be more complex, have additional sources of error, andbe more likely to lose or modify information. Hence validation is important. Thevalidation should ensure that information in the original electronic record has not beenaltered in, or deleted from, the electronic copy. As explained above, if information ismissing from the electronic copy you provide to us, it might lead us to believe that youare not in compliance with predicate rules.Draft Guidance for Industry -- Not For Implementation75.3 Copies of hyperlinked records incorporated by reference should beincluded with the electronic copy of the electronic record.Electronic records sometimes use hyperlinks to incorporate other electronic records byreference. For example, an electronic record might read "click here to read the studyprotocol" or "click here to see the test results." Copies of hyperlinked recordsincorporated by reference should be included with the electronic copy of the electronicrecord. The reason is because the linked record might not be available throughout theprimary record's retention period if, for example, the link is to an Internet web page thathas been deleted, relocated, or significantly revised. If the link is broken, you might loseinformation that renders the electronic copy of the electronic record inaccurate orincomplete. In addition, the linked record might change over time even though theauthor of the primary electronic record intended to capture or reference certaininformation as it existed at one time. Accordingly, an electronic copy of the linkedelectronic record itself should be included with, or accompany, the electronic copy of theprimary electronic record that links to it.5.4 Electronic copies of database queries should be included with electroniccopies of electronic records, when appropriate.Where an electronic record is generated as the result of a database query, an electroniccopy of the query file (which is an electronic record itself) should be included with, oraccompany, the electronic copy of the electronic record. We believe it is important toDraft Guidance for Industry -- Not For Implementation8have an electronic copy of the query to demonstrate how the information was extractedfrom the database (for example, to show that information was not inappropriatelyomitted or included).5.5 Electronic copies of electronic records should include, or be appendedwith, an authentication value.At the time you provide our representative(s) with an electronic copy of an electronicrecord, the copy should have an authentication value that can be used to show theelectronic copy was accurate and complete when we received it. Once electroniccopies of electronic records come into our possession we make every effort to ensurethe continued integrity of those electronic copies. Having an authentication value canhelp us in this respect, and help to reassure you, as well, that the electronic copies weuse in assessing your activities will retain their integrity. For example, a digital signaturemessage digest or hash value could serve this purpose. The value should be appliedby the party that makes the electronic copy of the electronic record.5.6 Electronic copies of electronic records should be in a file format and onmedia that enable FDA to read and process record data.In general, FDA can work with media and file formats that are widely availablecommercially. However, different media and data file formats might come into and goout of common use over time. Therefore, we will post on the Internet a listing of mediaand file formats we can manage; the web address isDraft Guidance for Industry -- Not For Implementation9http://www.fda.gov/ora/compliance_ref/Part11/default.htm. In addition, we suggest thatyou provide electronic copies of electronic records in a read-only format. If you areusing an alternative approach that you believe satisfies applicable requirements, andyou have any questions regarding the agency’s ability to inspect, review, and copy suchelectronic records, we encourage you to contact us.We consider it very important that we be able to process the data in electronic recordsusing our own computer hardware and software. See 62 Federal Register 13430,13445-13446 (March 20, 1997). The hardware and software we use to processinformation in electronic copies you give us need not be identical to hardware andsoftware you use to process information in the original electronic records. However, it isimportant that we can perform the same kinds of data processing, and copies shouldnot be in a form that precludes such processing. For example, where you can wordsearch text in your original electronic record, we should be able to word search thesame text in our electronic copy. Likewise, where you can perform computations inyour original spreadsheet electronic record, we should be able to do the samecomputations in our electronic copy. Similarly, where a table of values in an originalelectronic record can be searched and sorted, we should be able to search and sort thevalues in our electronic copy. Id.We recognize that we would not necessarily have to possess the same hardware andsoftware you used to create the original electronic record, in order to conduct asatisfactory review of the electronic copy of an electronic record. A variety ofDraft Guidance for Industry -- Not For Implementation10conversion tools might be available for your use to generate a satisfactory electroniccopy of an electronic record. For example, some software programs have "export" or"save as" functions that can create suitable electronic copies of electronic records.Likewise, some hardware/software combinations might have the ability to emulate otherhardware/software combinations. Therefore, we encourage you to consult our Internetposting when you consider adopting a given electronic record file format and media toensure that (if the file format and media are not listed among those we can manage)conversion tools are available to generate a satisfactory electronic copy of the electronicrecord. Otherwise, an electronic copy of an electronic record might not be suitable forour inspection, review, and copying.5.7 If original electronic records were signed electronically, electronic copiesof the original electronic records should have electronic signatures thatare capable of being authenticated.It is important that where original electronic records were signed using electronicsignatures, electronic copies of the electronic records also replicate the electronicsignatures using the same signature technology used for the original electronic record.We should be able to authenticate any copied electronic signatures.Where electronic signatures are based on combinations of technologies (e.g.,identification codes used in combination with passwords, digital signatures, orbiometrics, as discussed below) methods of authentication should likewise correspondto each technology used to execute the electronic signature in the first place.Draft Guidance for Industry -- Not For Implementation115.7.1 Signature manifestation informationWhere original electronic records were signed using electronic signatures, humanreadable forms (such as video displays and paper printouts) of the electronic copiesshould display signature manifestation information required by section 11.50 (e.g., thesigner's printed name, date/time of signing and what the signature means). Section11.50(b) requires that such information “be subject to the same controls as for electronicrecords.” It follows that, for signed electronic records, accurate and complete copies ofelectronic records (in human readable and electronic form suitable for inspection,review, and copying by the agency) include signature manifestation information.5.7.2 Digital signaturesWe should be able to authenticate any digital signature in an electronic copy of anelectronic record. This authentication might be done by providing us with the means toauthenticate the digital signatures ourselves, or by authenticating the electronic copiesusing your own system, in our presence, before we remove the electronic copies fromyour facility.Where digital signatures are based on public/private key pairs, and you elect to provideus with the means to authenticate these signatures ourselves, you should provide uswith a copy of the signer's public key or digital certificate. You should also identify thesoftware method used to apply the original digital signature, so we may use theappropriate authentication program.Draft Guidance for Industry -- Not For Implementation125.7.3 Electronic signatures based on identification codes combined withpasswordsYou should be prepared to provide documentation that establishes the authenticity ofthe electronic signature and its link to the signed electronic record. We do not expectyou to reveal passwords.5.7.4 Electronic signatures based on biometricsYou should be prepared to provide documentation that establishes the authenticity ofthe biometric based electronic signature and its link to the signed electronic record. Wedo not expect to receive copies of the binary value (or range of values) representingindividuals’ biometric traits (such as a fingerprint or iris pattern that serves as the basisfor the electronic signature).5.7.5 Handwritten signatures on paper used to sign an electronic recordIf you applied a handwritten signature to a piece of paper to sign an electronic record,you should be able to give us a paper copy of the signed piece of paper in addition to anelectronic copy of the electronic record. The piece of paper, and our copy of it, shouldinclude information that links the handwritten signature to the electronic record. Forexample, such information should include the exact (file) name of the electronic record,the size of the record in bytes, the date and time of its creation, and an authenticationvalue, such as a check sum or mathematical hash value that uniquely represents theelectronic record.