POLICY ISSUES IN E-COMMERCE APPLICATIONS: ELECTRONIC RECORD AND SIGNATURE COMPLIANCE FDA 21 CFR 11 ALPHATRUST PRONTO ENTERPRISE PLATFORM



Similar documents
Implementation of 21CFR11 Features in Micromeritics Software Software ID

21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES CFR Part 11 Compliance PLA 2.1

Self-Assessment of eresearch Compliance with 21 CFR Part 11, Electronic Record; Electronic Signatures

Electronic records and electronic signatures in the regulated environment of the pharmaceutical and medical device industries

FILEHOLD DOCUMENT MANAGEMENT SYSTEM 21 CFR PART 11 COMPLIANCE WHITE PAPER

Compliance Matrix for 21 CFR Part 11: Electronic Records

Oracle WebCenter Content

InfinityQS SPC Quality System & FDA s 21 CFR Part 11 Requirements

FDA Title 21 CFR Part 11:Electronic Records; Electronic Signatures; Final Rule (1997)

InfoCenter Suite and the FDA s 21 CFR part 11 Electronic Records; Electronic Signatures

A ChemoMetec A/S White Paper September 2013

SolidWorks Enterprise PDM and FDA 21CFR Part 11

Enabling SharePoint for 21 CFR Part 11 Compliance - Electronic Signature Use Case

The Impact of 21 CFR Part 11 on Product Development

Full Compliance Contents

21 CFR Part 11 White Paper

21 CFR Part 11 Implementation Spectrum ES

Intland s Medical Template

How To Control A Record System

FDA 21 CFR Part 11 Electronic records and signatures solutions for the Life Sciences Industry

Agilent MicroLab Software with Spectroscopy Configuration Manager and Spectroscopy Database Administrator (SCM/SDA)

Tools to Aid in 21 CFR Part 11 Compliance with EZChrom Elite Chromatography Data System. White Paper. By Frank Tontala

Implement best practices by using FileMaker Pro 7 as the backbone of your 21 CFR 11 compliant system.

Implementing CitectSCADA to meet the requirements of FDA 21 CFR Part 11

AutoSave. Achieving Part 11 Compliance. A White Paper

21 CFR Part 11 Electronic Records & Signatures

rsdm and 21 CFR Part 11

Empower TM 2 Software

DeltaV Capabilities for Electronic Records Management

21 CFR Part 11 Compliance Using STATISTICA

POLICY ISSUES IN E-COMMERCE APPLICATIONS: ELECTRONIC RECORD AND SIGNATURE COMPLIANCE. 15 USC 7001 et. seq. (E-SIGN) and

DeltaV Capabilities for Electronic Records Management

21 CFR Part 11 Checklist

Implementing Title 21 CFR Part 11 (Electronic Records ; Electronic Signatures) in Manufacturing Presented by: Steve Malyszko, P.E.

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

21 CFR Part 11 Deployment Guide for Wonderware System Platform 3.1, InTouch 10.1 and Historian 9.0

Software Manual Part IV: FDA 21 CFR part 11. Version 2.20

Compliance Response Edition 07/2009. SIMATIC WinCC V7.0 Compliance Response Electronic Records / Electronic Signatures. simatic wincc DOKUMENTATION

ScreenMaster RVG200 Paperless recorder FDA-approved record keeping. Measurement made easy

Assessment of Vaisala Veriteq vlog Validation System Compliance to 21 CFR Part 11 Requirements

ELECTRONIC RECORD AND SIGNATURE COMPLIANCE. NASD Rules 3010(d) and 3110(c)(1)(C) SEC Rule 17a-4 15 USC 7001 et. seq. (E-SIGN)

Compliance in the BioPharma Industry. White Paper v1.0

Achieving 21 CFR Part 11 Compliance with Appian

Nova Southeastern University Standard Operating Procedure for GCP. Title: Electronic Source Documents for Clinical Research Study Version # 1

Compliance Response SIMATIC SIMATIC PCS 7 V8.1. Electronic Records / Electronic Signatures (ERES) Edition 03/2015. Answers for industry.

Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007

Using the Thermo Scientific Dionex Chromeleon 7 Chromatography Data System (CDS) to Comply with 21 CFR Part 11. Compliance Guide

For technical assistance, please contact: Thermo Nicolet Corporation 5225 Verona Road Madison WI

Electronic Document and Record Compliance for the Life Sciences

Life sciences solutions compliant with FDA 21 CFR Part 11

Guidance for Industry. 21 CFR Part 11; Electronic. Records; Electronic Signatures. Time Stamps

Using Chromeleon Chromatography Management Software to Comply with 21 CFR Part 11

Spectroscopy Configuration Manager (SCM) Software. 21 CFR Part 11 Compliance Booklet

Data Management PACT Workshop: Design & Operation of GMP Cell Therapy Facilities April 10 th -11 th, 2007

Waters Empower 2 Software Seamlessly Manages Regulated Data to Aid in 21 CFR Part 11 Compliance

CoSign for 21CFR Part 11 Compliance

Considerations for validating SDS Software v2.x Enterprise Edition for the 7900HT Fast Real-Time PCR System per the GAMP 5 guide

ELECTRONIC PRESENTATION AND E-SIGNATURE FOR ELECTRONIC FORMS, DOCUMENTS AND BUSINESS RECORDS ALPHATRUST PRONTO ENTERPRISE PLATFORM

Thermal Analysis. Subpart A General Provisions 11.1 Scope Implementation Definitions.

Waters Empower Software Seamlessly Manages Regulated Data to Aid in 21 CFR Part 11 Compliance

Guidance for Industry. 21 CFR Part 11; Electronic Records; Electronic Signatures. Electronic Copies of Electronic Records

Supplement to the Guidance for Electronic Data Capture in Clinical Trials

Automation for Electronic Forms, Documents and Business Records (NA)

A unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or

Sympatec GmbH System-Partikel-Technik WINDOX 4. Electronic Records/ Electronic Signatures Compliance Assessment Worksheet for 21 CFR Part 11

AlphaTrust PRONTO Enterprise Platform Product Overview

Software. For the 21 CFR Part 11 Environment. The Science and Technology of Small Particles

Alfresco CoSign. A White Paper from Zaizi Limited. March 2013

REGULATIONS COMPLIANCE ASSESSMENT

Electronic Records and Signatures: Compliance with Title 21 CFR Part 11 Requirements

Quality Manual # QS MD Logistics, Inc. (Signed copy available upon request) Prepared by Robert Grange, Director Quality

January 30, 2014 Mortgagee Letter

Guidance for Industry. 21 CFR Part 11; Electronic Records; Electronic Signatures. Maintenance of Electronic Records

Why Use Electronic Transactions Instead of Paper? Electronic Signatures, Identity Credentialing, Digital Timestamps and Content Authentication

THE ROLE OF WATERS NUGENESIS SDMS IN 21 CFR PART 11 COMPLIANCE

ELECTRONIC SIGNATURE REQUIREMENTS FOR LENDERS

Manual 074 Electronic Records and Electronic Signatures 1. Purpose

SIMATIC SIMATIC PCS 7 V8.0. Electronic Records / Electronic Signatures. Compliance Response. Answers for industry.

TIBCO Spotfire and S+ Product Family

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES

21 CFR Part 11 LIMS Requirements Electronic signatures and records

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Guidance for electronic trial data capturing of clinical trials

Guidance for Industry COMPUTERIZED SYSTEMS USED IN CLINICAL TRIALS

Issues to Address: The Privacy Concerns of Individuals

FDA CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES

Rackspace Archiving Compliance Overview

Electronic Signatures: A New Opportunity for Growth. May 10, 2005

Good Electronic Records Management (GERM) Using IBM Rational ClearCase and IBM Rational ClearQuest

Business Issues in the implementation of Digital signatures

Sponsor Site Questionnaire FAQs Regarding Maestro Care

Guidance for Industry Computerized Systems Used in Clinical Investigations

Shiny Server Pro: Regulatory Compliance and Validation Issues

Eclipsys Sunrise Clinical Manager Enterprise Electronic Medical Record (SCM) and Title 21 Code of Federal Regulations Part 11 (21CFR11)

Electronic Signature, Attestation, and Authorship

The biggest challenges of Life Sciences companies today. Comply or Perish: Maintaining 21 CFR Part 11 Compliance

Neutralus Certification Practices Statement

Transcription:

W H I T E P A P E R POLICY ISSUES IN E-COMMERCE APPLICATIONS: ELECTRONIC RECORD AND SIGNATURE COMPLIANCE FDA 21 CFR 11 ALPHATRUST PRONTO ENTERPRISE PLATFORM This white paper is written for senior executives (CEO, CFO, CIO, CTO), line of business managers, legal staff, risk management staff, technical managers and security managers involved in deploying document solutions intended to comply with US Food and Drug Administration Regulations codified as 21 CFR 11. The implications for additional compliance with other legislative initiatives such as E-SIGN (US), UETA (US), and Electronic Signature Directive (EU) are also discussed. April 2013 Bill Brice, CEO AlphaTrust Corporation billbrice@alphatrust.com (214) 234-9200 1

Executive Summary Electronic records and signatures, that have the legal and commercial equivalence of paper records and handwritten signatures, promise to decrease the cost of business, increase the speed at which business is done, and add needed security to electronic business transactions. Most solutions available today are offered by technology vendors. However, due to the unique business requirements placed on legal records and signatures, business managers find that technology addresses only about 30% of the business problem. An effective electronic record and signature solution must address these business issues: 1. Does the technology deliver the needed technical security requirements (authentication, data integrity, and technical non-repudiation)? 2. Does the solution address the business requirements for: a. Compliance with law and regulation? b. Enforceability of transactions using the solution (legal recourse)? c. Acceptance by users of the solution? 3. Does the solution provide a mechanism for managing business risk? These requirements have been the cornerstone of most successful electronic transactions systems such as EDI, ATM, and credit card systems. In the case of applications seeking compliance with the FDA s requirements under 21 CFR 11, many of these requirements can t be met by technology out of the box. IT vendors can provide you with some of the tools to build your solution, but they leave you to build it. This white paper will discuss the requirements of 21 CFR 11 section by section and demonstrate how AlphaTrust s PRONTO Enterprise Platform, by addressing the technical, business process, and risk management needs of an FDA compliant application, offers the superior solution. It is important also to look at the bigger picture. While you want a solution that will meet the requirements of 21 CFR 11, electronic records and signatures are a major shift in business processes and will affect many business applications. By mid-decade, most business knowledge workers will regularly create legal electronic records and use their own electronic signatures on a daily basis. Your solution should not just address the needs of one FDA application, but be capable of extending to meet the needs of your enterprise, supply chain, industry, and governmental requirements. AlphaTrust s PRONTO Enterprise Platform software meets these requirements today and is architected to meet even larger global requirements in the near future. 2

Detailed Compliance Specifications 21 CFR 11 The table that follows details important section by section requirements spelled out in 21 CFR 11 and details AlphaTrust s PRONTO Enterprise Platform software compliance with those. Requirement 11.3(b)(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual s handwritten signature. 11.10 Controls for closed systems. Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. 11.10(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. 11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. 11.10(d) Limiting system access to authorized individuals. 11.10(e) Use of secure, computer generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be AlphaTrust PRONTO Enterprise Platform PRONTO provides the workflow rules specific to 21 CFR 11 that provide for proper acknowledgement, opt-in and authorization that satisfies these requirements as well the requirements of other major legislative and regulatory initiatives such as E-SIGN and UETA. PRONTO defines unique identities for each user and can support multiple authentication methods to create a signature. These include user name/password and digital certificate. Users communicate with PRONTO using a normal Web browser. No client software is required other than a Web browser (and optionally a PDF reader for PDF formatted documents). Any authentication method that can be supported via the Web can be used to secure access to signature creation capability. Electronic records created by web applications (HTML, plain text, or PDF) can be electronically signed and stored in both human readable and electronic form. PRONTO transactions are signed, under user control, on the PRONTO server, logged and routed according to business rules. See 11.10(a) above. PRONTO records all transaction information in its database and can integrate with document archiving solutions. Database entries can be time stamped and digitally signed for high security needs. Operational sequencing is enforced by design and by rules. 3

available for agency review and copying. (f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. 11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. 11.10(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. 11.10(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. (j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. Authentication and authorization are designed into PRONTO. User authentication is per 11.10(a) above. Per transaction rules are set up to define who has access to and can sign documents, and signing order can be enforced for multi-party signatures. Data input control is a function of access control. User access control is defined by the transaction and by the user database. User support provided by AlphaTrust. Specific training and consultation is available. Notices can be designed into workflow rules. User accountability is a function of business procedures. 11.10(k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time sequenced development and modification of systems documentation. 11.50 Signature manifestations. (a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. (b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). 11.70 Signature/record linking. Electronic signatures and hand-written When licensed as a software platform by an organization, PRONTO documentation is restricted under licensing agreement to those who have a need to know. AlphaTrust s PRONTO software, provides for the capture and preservation of all these required data elements and meet the applicable control requirements of this section. User electronic signatures are bound to specific documents using server-side PKI-based digital 4

signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. 11.100 General requirements. (a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. 11.100(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. 11.100(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC 100), 5600 Fishers Lane, Rockville, MD 20857. (2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer s handwritten signature. 11.200 Electronic signature components and controls. (a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of con-trolled system access, each signing shall be executed using all of the electronic signature components. signatures. Signature linking as well as full document data integrity can be checked at any time, including years in the future. Each electronic signature is unique to both the user and the document. Identity information is included in the document. Each digital signature that seals the document is unique to that document and the signature keys are protected in a secure environment. Original user identification procedures are administered by the organization. PRONTO supports unique user name / password enforcement for signing operations. Digital certificate ID can also be supported. FDA certification is provided by the system operator. User acknowledgement of legal enforceability is part of the user registration rules enforced by the system. User access procedures are outlined above in 11.10(a). User access rules meet the requirements of this part. 5

(2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. 11.200(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. 11.300 Controls for identification codes/passwords. Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. 11.300(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). (c) Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. Biometric authentication to PRONTO can be supported via biometrically activated digital certificates or using a signature pad with signature dynamics capabilities. User name, password and other token uniqueness are enforced by the PRONTO system. A function of PRONTO processing rules. Passwords can be set to require changing after a defined period. Replacement access control credentials are a function of business procedures. (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. (e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. Access control rules can be set to lock out failed attempts to access the system and to send notification. If user tokens or cards are used as access control devices, they should be tested periodically by the organizations using them. 6

Summary AlphaTrust s PRONTO Enterprise Platform software is designed from the ground up to meet the historically demonstrated requirements for technical security, transaction enforceability, legal and regulatory compliance and risk management. Significant value delivered by AlphaTrust is in the non-technical arena proper user management, system, and operational procedures, legal and regulatory compliance, and risk management. AlphaTrust is the clear solution for meeting the challenge of FDA, UETA, E-SIGN and other electronic record and electronic signature requirements. We welcome the opportunity to work with you to meet your specific requirements. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information