Easy Signature 21 CFR Part 11 Supplement

Easy Signature 21 CFR Part 11 Supplement

Version 1.0 Date: 2011-11-01

Introduction
Title 21 CFR Part 11 of the Code of Federal Regulations; Electronic Records; Electronic Signatures sets out the requirements for the creation, modification, maintenance, archival, retrieval, and transmittal of electronic records and also the use of electronic signatures when complying with the Federal Food, Drug and Cosmetic Act or any other Food and Drug Administration (FDA) regulation. Easy signature is a free digital signature software that enables electronic signing of any type of file. This document presents technical elements of Easy Signature for each summary requirements set out in 21 CFR Part 11. Notice: It is not possible for any vendor to offer a turnkey 'FDA 21 CFR Part 11 compliant system'. 'FDA 21 CFR Part 11' requires both procedural controls (i.e. notification, training, SOPs, administration) and administrative controls to be put in place. It is the responsibility of the user to implement the procedural and administrative controls. To discuss and get more information please contact us in www.easysoft.nu.

Free digital signature software Easy Signature

www.easysoft.nu 1

Easy Signature 21 CFR Part 11 Supplement

Subpart B Electronic Records

11.10 Controls for Closed Systems Section 11.10 (a) Section Requirements Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the FDA. Protection of records to enable the accurate and ready retrieval throughout the records retention period. Easy Signature technical response Easy Signature has been designed, developed and tested to Easy Soft documented Product Development lifecycle. Easy signature is using proven cryptographic safe PKI technology to insure digital hierarchical trust and validity of the record. It is possible to print a signed record with Easy Signature in a readable and electronic form. All the cryptographic details as public keys audit trace is available and can be reviewed electronically and in paper form.

11.10(b)

11.10(c)

Easy signature does not provide a specific medium or means to store records. Digitally signatures are basically files that can be stored anywhere. It is the responsibility of the user to insure protection of records. (e.g. access rights in network, periodic backup etc). Easy Signature does however provide AES encryption that can be used for additional protection by the end-user.

11.10(d)

Limiting system access to authorized individuals.

Easy signature protects the digital signature itself by a private password and a private digital signature file. However Easy signature is only a Free digital signature tool and does not provide a specific medium or functionality to store records. (see 11.10c)

Free digital signature software Easy Signature

www.easysoft.nu 2

Easy Signature 21 CFR Part 11 Supplement 11.10 Controls for Closed Systems continued Section 11.10 (e) Section Requirements Use of secure, computergenerated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period of at least as long as that required for the subject electronic records and shall be available for agency review and copying. Use of operational system checks to enforce permitted sequencing of steps in a process, as appropriate. Easy Signature technical response Easy signature is using proven cryptographic safe PKI technology to insure digital hierarchical trust and validity of the record. It is not possible to obscure signed files. All the audit trail and digital hierarchical trust is recorded in the signed digital file and can be reviewed and copied. Notice that the current Easy Signature software version does not provide the technical element of date and time stamp synchronization (with external servers) and rely on local computer time. We recommend that you use free time synchronization software tools in combination with easy signature in your document signature procedures, make sure that the time zone is also clearly documented in the signature.

11.10(f)

11.10(g)

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

Easy Signature have a simple workflow capability and can be implemented to ensure that actions is performed in a sequence of steps in a process. It is however needed that the end user describes these processes in documentation and procedures. Easy Signature security model ensures that users with a private unique digital signature file (*.SIG) issued by the "Signature Issuer Responsible" (SIR) can sign files. The digital hierarchical trust is fully maintained. Furthermore the private unique digital signature file (*.SIG) is protected by a password. The end-user can easily introduce authority check by defining the "Signature Issuer Responsible" (SIR) and obtaining a certificate from Easy Signature. Notice that Easy signature is only a free digital signature tool and does not provide a specific medium or means to store records. The protection of files (e.g. shared network, etc) to the public is the responsibility of the end-user.

Free digital signature software Easy Signature

www.easysoft.nu 3

Easy Signature 21 CFR Part 11 Supplement 11.10 Controls for Closed Systems continued Section 11.10(h) Section Requirements Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. Easy Signature technical response Easy signature is free electronic signature software only. It does not provide means to determine validity of the source of data input or operational instruction (e.g. Correct document title or project ID) other that insuring that the digital signature procedure is correct and safe. End-user responsibility.

11.10(i)

11.10(j)

Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

11.10(k) (1)

11.10(k) (2)

Use of appropriate controls over systems documentation including: Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. Use of appropriate controls over End-user responsibility. systems documentation including: Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

The user must develop policies and procedures governing accountability (using Easy Signature PKI security model) however, a full audit trail details transactions in the system where any altered or invalid records would be evident through inconsistencies with the digital signature hierarchical trace and audit trail. (about record storage Read 11.10c). End-user responsibility.

Free digital signature software Easy Signature

www.easysoft.nu 4

Easy Signature 21 CFR Part 11 Supplement

Subpart B Electronic Records

11. 3 0 Controls for Open Systems Section Section Requirements 11.30 Controls for Open Systems Easy Signature technical response Does not apply. Easy Signature is a closed system for intra security.

Subpart B Electronic Records

11. 5 0 Signature Manifestations Section Section Requirements 11.50(a) Signed electronic records shall (1-3) contain information associated with the signing that clearly indicates all the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. 11.50(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). 11. 7 0 Signature/Record Linking Section Section Requirements 11.70 Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. Easy Signature technical response Easy Signature allows the user to define 1 (including a scanned signature), 2 and 3 in a digital signature file. All these information is digitally signed and cannot be altered after a digital signature.

It is possible to print a digital signature that contains all the information (1-3)(a) along with cryptographic public keys.

Easy Signature technical response Easy Signature uses SHA512 hashing of electronic record, this along with information in 11.50(a) (1-3) is digitally signed and there are no ordinary means to remove or copy signatures from/to records.

Free digital signature software Easy Signature

www.easysoft.nu 5

Easy Signature 21 CFR Part 11 Supplement

Subpart C Electronic Signatures

11. 1 00 Electronic Signature Components and Control Section Section Requirements Easy Signature technical response Each private signature file (*.SIG) has a 11.100 (a) Each electronic signature shall unique public/private key and is fully be unique to one individual and traceable according to PKI practice. This shall not be reused by, or key is private and protected by a personal reassigned to, anyone else. private password that cannot be altered or reused or reassigned to anyone else.

Subpart C Electronic Signatures

11. 2 00 General Requirements Section Section Requirements 11.200(a) Electronic signatures that are not (1) based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. 11.200(a) When an individual executes a (1)(i) series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. 11.200(a) When an individual executes one or (1)(ii) more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. 11.200(a) Electronic signatures that are not (2) based upon biometrics shall: Be used only by their genuine owners. Easy Signature technical response Easy Signature uses a combination of a private signature file (*.SIG) and an associated password.

The private signature file (*.SIG) and a password is required for each signing. By design the password and private signature file is re-authenticated for every signature event performed.

See (11.200(a)(1)(i)

It is beyond the scope of Easy signature to ensure that users do not provide others with access to their private signature file and password.

Free digital signature software Easy Signature

www.easysoft.nu 6

Easy Signature 21 CFR Part 11 Supplement 11. 2 00 General Requirements continued Section 11.200(a) (3) Section Requirements Electronic signatures that are not based upon biometrics shall: Be administered and executed to ensure that attempted use of an individuals electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. Easy Signature technical response For the digital signature to be breached in this manner, it would require the Collaboration of the "Signature Issuer Responsible" (SIR) and the end user. Notice that the breach can be traced back to SIR and uniquely identified since every private signature (*.SIG) file is digitally unique. Not applicable. Easy signature does not use biometrics.

11.200(b)

Subpart C Electronic Signatures

11 .300 Controls for Identication Codes/Passwords Section Section Requirements 11.300(a) Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. 11.300(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). Easy Signature technical response Every private signature (*.SIG) file is digitally unique and protected by a password.

The private signature file (*.SIG) contains a unique public and private cryptographic key that is valid for a fixed period of time defined by the certificate issued to the Signature Issuer Responsible" (SIR). The private signature file shall be kept safe by end-user during this time and is also password protected for additional safety.

Free digital signature software Easy Signature

www.easysoft.nu 7

Easy Signature 21 CFR Part 11 Supplement 11 .300 Controls for Identication Codes/Passwords Continued Section Section Requirements Easy Signature technical response If the private signature (*.SIG) file is lost 11.300(c) Following loss management or stolen a new unique private signature procedures to electronically de(*.SIG) file can be generated. The endauthorize lost, stolen, missing, or otherwise potentially compromised user can make a record of the event and all signatures done with the previous tokens, cards, and other devices private signature (*.SIG) file can be traced that bear or generate identification code or password information, and in time. to issue temporary or permanent replacements using suitable rigorous controls. 11.300(d) Use of transaction safeguards to See (11.300(c)). Not applicable if related prevent unauthorized use of to a device. passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. 11.300(e) Initial and periodic testing of See (11.300(c)). Not applicable if related devices, such as tokens or cards, to a device. that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

Free digital signature software Easy Signature

www.easysoft.nu 8