With the increased use of electronic submissions and documents in electronic format, pharmaceutical companies should understand the regulations that pertain to them.
Twenty-one Code of Federal Regulations Part 11 is the section that deals with the use of electronic records, electronic signatures, and handwritten signatures committed to electronic format. It consists of Subparts A, B, and C.
Subpart A
Subpart A includes general provisions regarding the use of electronic records and signatures.
Subpart B
Subpart B describes controls for open and closed systems, electronic signatures, and linking of an electronic signature with a document.
Subpart C
Subpart C describes the requirements related to electronic signatures.
In general, the Food and Drug Administration believes that the use of electronic information and the use of electronic means of storing such information are acceptable and equivalent to their handwritten counterparts; however, these records must conform to a number of regulations.
For records that the sponsor is required to maintain but not submit to the Food and Drug Administration, electronic records are acceptable if they conform to the regulations regarding security, integrity, and confidentiality.
Electronic submission of Part 11
Documents that the sponsor is required to submit to the Food and Drug Administration must be identified in public docket No. 92S-0251 as documents that the Food and Drug Administration accepts in electronic form.
If they are not identified in the docket, the Food and Drug Administration will not consider them official and the sponsor must also provide paper versions. Pharmaceutical companies should consult with the Food and Drug Administration to ascertain whether and how to proceed with an electronic submission.
Management systems for pharmaceutical companies
Signed electronic records are subject to the same controls as unsigned electronic records. However, they should also include the printed name of the signer, the date and time when the document was signed, and the purpose of the signature (such as review, approval, or authorship). These components should be included as part of the electronic record.
Linking signatures and records with Part 11
Handwritten and electronic signatures should be linked to their respective electronic records so that they cannot be removed or copied for the purposes of falsifying a document.
Electronic signatures should be unique to each individual and should not be assigned to another individual. An organization must verify an individual's identity before assigning an electronic signature to that individual.
Anyone who uses an electronic signature must certify that that the electronic signatures are the legally binding equivalent of a handwritten signature. They should submit this certification in paper form to the Office of Regional Operations.
They should also manually sign this certification with a handwritten signature. If necessary, the Food and Drug Administration may require them to provide additional certifications regarding the legally binding status of the signature.
Non-biometric electronic signatures
Electronic signatures that are not based on biometrics should have two distinctive components such as a password and an identification code. If an individual signs multiple document during a single session, he or she should use all the components when he or she signs the first time. For subsequent signatures, only one component is necessary.
However, if a person signs multiple documents on different occasions, he or she must use all of the components each time. Only the person to which a signature is assigned can use a given signature. A signature should be executed so that any attempt to use a signature by an unauthorized individual would require at least two people to collaborate.
The identification code and password for people who use electronic signatures should be unique. No two individuals should have the same password and identification code combination. The identification codes and passwords should be checked periodically and revised or recalled if necessary.
Personnel should follow Loss management procedures to deauthorize lost, stolen, or missing passwords, identification codes, and other security devices and to issue replacements. Transaction safeguards should be used to prevent unauthorized transactions and unauthorized attempts should be reported. Personnel should periodically test safety measures to ensure that they work correctly and have not been altered.
By understanding the appropriate requirements for electronic submissions, pharmaceutical companies can ensure that their submissions conform to the regulations. This will result in fewer delays and more expedient approvals by the Food and Drug Administration.
For Further Reading
http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11
http://www.fda.gov/RegulatoryInformation/Guidances/ucm125067.htm