Documente Academic
Documente Profesional
Documente Cultură
Introduction
Title 21 CFR Part 11 of the Code of Federal Regulations; Electronic Records; Electronic Signatures sets out the requirements for the creation, modification, maintenance, archival, retrieval, and transmittal of electronic records and also the use of electronic signatures when complying with the Federal Food, Drug and Cosmetic Act or any other Food and Drug Administration (FDA) regulation. Easy signature is a free digital signature software that enables electronic signing of any type of file. This document presents technical elements of Easy Signature for each summary requirements set out in 21 CFR Part 11. Notice: It is not possible for any vendor to offer a turnkey 'FDA 21 CFR Part 11 compliant system'. 'FDA 21 CFR Part 11' requires both procedural controls (i.e. notification, training, SOPs, administration) and administrative controls to be put in place. It is the responsibility of the user to implement the procedural and administrative controls. To discuss and get more information please contact us in www.easysoft.nu.
www.easysoft.nu 1
11.10(b)
11.10(c)
Easy signature does not provide a specific medium or means to store records. Digitally signatures are basically files that can be stored anywhere. It is the responsibility of the user to insure protection of records. (e.g. access rights in network, periodic backup etc). Easy Signature does however provide AES encryption that can be used for additional protection by the end-user.
11.10(d)
Easy signature protects the digital signature itself by a private password and a private digital signature file. However Easy signature is only a Free digital signature tool and does not provide a specific medium or functionality to store records. (see 11.10c)
www.easysoft.nu 2
Easy Signature 21 CFR Part 11 Supplement 11.10 Controls for Closed Systems continued Section 11.10 (e) Section Requirements Use of secure, computergenerated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period of at least as long as that required for the subject electronic records and shall be available for agency review and copying. Use of operational system checks to enforce permitted sequencing of steps in a process, as appropriate. Easy Signature technical response Easy signature is using proven cryptographic safe PKI technology to insure digital hierarchical trust and validity of the record. It is not possible to obscure signed files. All the audit trail and digital hierarchical trust is recorded in the signed digital file and can be reviewed and copied. Notice that the current Easy Signature software version does not provide the technical element of date and time stamp synchronization (with external servers) and rely on local computer time. We recommend that you use free time synchronization software tools in combination with easy signature in your document signature procedures, make sure that the time zone is also clearly documented in the signature.
11.10(f)
11.10(g)
Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Easy Signature have a simple workflow capability and can be implemented to ensure that actions is performed in a sequence of steps in a process. It is however needed that the end user describes these processes in documentation and procedures. Easy Signature security model ensures that users with a private unique digital signature file (*.SIG) issued by the "Signature Issuer Responsible" (SIR) can sign files. The digital hierarchical trust is fully maintained. Furthermore the private unique digital signature file (*.SIG) is protected by a password. The end-user can easily introduce authority check by defining the "Signature Issuer Responsible" (SIR) and obtaining a certificate from Easy Signature. Notice that Easy signature is only a free digital signature tool and does not provide a specific medium or means to store records. The protection of files (e.g. shared network, etc) to the public is the responsibility of the end-user.
www.easysoft.nu 3
Easy Signature 21 CFR Part 11 Supplement 11.10 Controls for Closed Systems continued Section 11.10(h) Section Requirements Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. Easy Signature technical response Easy signature is free electronic signature software only. It does not provide means to determine validity of the source of data input or operational instruction (e.g. Correct document title or project ID) other that insuring that the digital signature procedure is correct and safe. End-user responsibility.
11.10(i)
11.10(j)
Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
11.10(k) (1)
11.10(k) (2)
Use of appropriate controls over systems documentation including: Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. Use of appropriate controls over End-user responsibility. systems documentation including: Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
The user must develop policies and procedures governing accountability (using Easy Signature PKI security model) however, a full audit trail details transactions in the system where any altered or invalid records would be evident through inconsistencies with the digital signature hierarchical trace and audit trail. (about record storage Read 11.10c). End-user responsibility.
www.easysoft.nu 4
It is possible to print a digital signature that contains all the information (1-3)(a) along with cryptographic public keys.
Easy Signature technical response Easy Signature uses SHA512 hashing of electronic record, this along with information in 11.50(a) (1-3) is digitally signed and there are no ordinary means to remove or copy signatures from/to records.
www.easysoft.nu 5
The private signature file (*.SIG) and a password is required for each signing. By design the password and private signature file is re-authenticated for every signature event performed.
See (11.200(a)(1)(i)
It is beyond the scope of Easy signature to ensure that users do not provide others with access to their private signature file and password.
www.easysoft.nu 6
Easy Signature 21 CFR Part 11 Supplement 11. 2 00 General Requirements continued Section 11.200(a) (3) Section Requirements Electronic signatures that are not based upon biometrics shall: Be administered and executed to ensure that attempted use of an individuals electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. Easy Signature technical response For the digital signature to be breached in this manner, it would require the Collaboration of the "Signature Issuer Responsible" (SIR) and the end user. Notice that the breach can be traced back to SIR and uniquely identified since every private signature (*.SIG) file is digitally unique. Not applicable. Easy signature does not use biometrics.
11.200(b)
The private signature file (*.SIG) contains a unique public and private cryptographic key that is valid for a fixed period of time defined by the certificate issued to the Signature Issuer Responsible" (SIR). The private signature file shall be kept safe by end-user during this time and is also password protected for additional safety.
www.easysoft.nu 7
Easy Signature 21 CFR Part 11 Supplement 11 .300 Controls for Identication Codes/Passwords Continued Section Section Requirements Easy Signature technical response If the private signature (*.SIG) file is lost 11.300(c) Following loss management or stolen a new unique private signature procedures to electronically de(*.SIG) file can be generated. The endauthorize lost, stolen, missing, or otherwise potentially compromised user can make a record of the event and all signatures done with the previous tokens, cards, and other devices private signature (*.SIG) file can be traced that bear or generate identification code or password information, and in time. to issue temporary or permanent replacements using suitable rigorous controls. 11.300(d) Use of transaction safeguards to See (11.300(c)). Not applicable if related prevent unauthorized use of to a device. passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. 11.300(e) Initial and periodic testing of See (11.300(c)). Not applicable if related devices, such as tokens or cards, to a device. that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
www.easysoft.nu 8