[Federal Register Volume 62, Number 54 (Thursday, March 20, 1997)]
[Rules and Regulations]
[Pages 13430-13466]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-6833]
[[Page 13429]]
_______________________________________________________________________
Part II
Department of Health and Human Services
_______________________________________________________________________
Food and Drug Administration
_______________________________________________________________________
21 CFR Part 11
Electronic Records; Electronic Signatures; Final Rule
Electronic Submissions; Establishment of Public Docket; Notice
��Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules
and Regulations��
[[Page 13430]]
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Food and Drug Administration
21 CFR Part 11
[Docket No. 92N-0251]
RIN 0910-AA29
Electronic Records; Electronic Signatures
AGENCY: Food and Drug Administration, HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Food and Drug Administration (FDA) is issuing regulations
that provide criteria for acceptance by FDA, under certain
circumstances, of electronic records, electronic signatures, and
handwritten signatures executed to electronic records as equivalent to
paper records and handwritten signatures executed on paper. These
regulations, which apply to all FDA program areas, are intended to
permit the widest possible use of electronic technology, compatible
with FDA's responsibility to promote and protect public health. The use
of electronic records as well as their submission to FDA is voluntary.
Elsewhere in this issue of the Federal Register, FDA is publishing a
document providing information concerning submissions that the agency
is prepared to accept electronically .
DATES: Effective August 20, 1997. Submit written comments on the
information collection provisions of this final rule by May 19, 1997.
ADDRESSES: Submit written comments on the information collection
provisions of this final rule to the Dockets Management Branch (HFA-
305), Food and Drug Administration, 12420 Parklawn Dr., rm. 1-23,
Rockville, MD 20857.
The final rule is also available electronically via Internet:
http://www.fda.gov.
FOR FURTHER INFORMATION CONTACT:
Paul J. Motise, Center for Drug Evaluation and Research (HFD-325),
Food and Drug Administration, 7520 Standish Pl., Rockville, MD 20855,
301-594-1089. E-mail address via Internet: [email protected], or
Tom M. Chin, Division of Compliance Policy (HFC-230), Food and Drug
Administration, 5600 Fishers Lane, Rockville, MD 20857, 301-827-0410.
E-mail address via Internet: [email protected]
SUPPLEMENTARY INFORMATION:
I. Background
In 1991, members of the pharmaceutical industry met with the agency
to determine how they could accommodate paperless record systems under
the current good manufacturing practice (CGMP) regulations in parts 210
and 211 (21 CFR parts 210 and 211). FDA created a Task Force on
Electronic Identification/Signatures to develop a uniform approach by
which the agency could accept electronic signatures and records in all
program areas. In a February 24, 1992, report, a task force subgroup,
the Electronic Identification/Signature Working Group, recommended
publication of an advance notice of proposed rulemaking (ANPRM) to
obtain public comment on the issues involved.
In the Federal Register of July 21, 1992 (57 FR 32185), FDA
published the ANPRM, which stated that the agency was considering the
use of electronic identification/signatures, and requested comments on
a number of related topics and concerns. FDA received 53 comments on
the ANPRM. In the Federal Register of August 31, 1994 (59 FR 45160),
the agency published a proposed rule that incorporated many of the
comments to the ANPRM, and requested that comments on the proposed
regulation be submitted by November 29, 1994. A complete discussion of
the options considered by FDA and other background information on the
agency's policy on electronic records and electronic signatures can be
found in the ANPRM and the proposed rule.
FDA received 49 comments on the proposed rule. The commenters
represented a broad spectrum of interested parties: Human and
veterinary pharmaceutical companies as well as biological products,
medical device, and food interest groups, including 11 trade
associations, 25 manufacturers, and 1 Federal agency.
II. Highlights of the Final Rule
The final rule provides criteria under which FDA will consider
electronic records to be equivalent to paper records, and electronic
signatures equivalent to traditional handwritten signatures. Part 11
(21 CFR part 11) applies to any paper records required by statute or
agency regulations and supersedes any existing paper record
requirements by providing that electronic records may be used in lieu
of paper records. Electronic signatures which meet the requirements of
the rule will be considered to be equivalent to full handwritten
signatures, initials, and other general signings required by agency
regulations.
Section 11.2 provides that records may be maintained in electronic
form and electronic signatures may be used in lieu of traditional
signatures. Records and signatures submitted to the agency may be
presented in an electronic form provided the requirements of part 11
are met and the records have been identified in a public docket as the
type of submission the agency accepts in an electronic form. Unless
records are identified in this docket as appropriate for electronic
submission, only paper records will be regarded as official
submissions.
Section 11.3 defines terms used in part 11, including the terms:
Biometrics, closed system, open system, digital signature, electronic
record, electronic signature, and handwritten signature.
Section 11.10 describes controls for closed systems, systems to
which access is controlled by persons responsible for the content of
electronic records on that system. These controls include measures
designed to ensure the integrity of system operations and information
stored in the system. Such measures include: (1) Validation; (2) the
ability to generate accurate and complete copies of records; (3)
archival protection of records; (4) use of computer-generated, time-
stamped audit trails; (5) use of appropriate controls over systems
documentation; and (6) a determination that persons who develop,
maintain, or use electronic records and signature systems have the
education, training, and experience to perform their assigned tasks.
Section 11.10 also addresses the security of closed systems and
requires that: (1) System access be limited to authorized individuals;
(2) operational system checks be used to enforce permitted sequencing
of steps and events as appropriate; (3) authority checks be used to
ensure that only authorized individuals can use the system,
electronically sign a record, access the operation or computer system
input or output device, alter a record, or perform operations; (4)
device (e.g., terminal) checks be used to determine the validity of the
source of data input or operation instruction; and (5) written policies
be established and adhered to holding individuals accountable and
responsible for actions initiated under their electronic signatures, so
as to deter record and signature falsification.
Section 11.30 sets forth controls for open systems, including the
controls required for closed systems in Sec. 11.10 and additional
measures such as document encryption and use of appropriate digital
signature standards
[[Page 13431]]
to ensure record authenticity, integrity, and confidentiality.
Section 11.50 requires signature manifestations to contain
information associated with the signing of electronic records. This
information must include the printed name of the signer, the date and
time when the signature was executed, and the meaning (such as review,
approval, responsibility, and authorship) associated with the
signature. In addition, this information is subject to the same
controls as for electronic records and must be included in any human
readable forms of the electronic record (such as electronic display or
printout).
Under Sec. 11.70, electronic signatures and handwritten signatures
executed to electronic records must be linked to their respective
records so that signatures cannot be excised, copied, or otherwise
transferred to falsify an electronic record by ordinary means.
Under the general requirements for electronic signatures, at
Sec. 11.100, each electronic signature must be unique to one individual
and must not be reused by, or reassigned to, anyone else. Before an
organization establishes, assigns, certifies, or otherwise sanctions an
individual's electronic signature, the organization shall verify the
identity of the individual.
Section 11.200 provides that electronic signatures not based on
biometrics must employ at least two distinct identification components
such as an identification code and password. In addition, when an
individual executes a series of signings during a single period of
controlled system access, the first signing must be executed using all
electronic signature components and the subsequent signings must be
executed using at least one component designed to be used only by that
individual. When an individual executes one or more signings not
performed during a single period of controlled system access, each
signing must be executed using all of the electronic signature
components.
Electronic signatures not based on biometrics are also required to
be used only by their genuine owners and administered and executed to
ensure that attempted use of an individual's electronic signature by
anyone else requires the collaboration of two or more individuals. This
would make it more difficult for anyone to forge an electronic
signature. Electronic signatures based upon biometrics must be designed
to ensure that such signatures cannot be used by anyone other than the
genuine owners.
Under Sec. 11.300, electronic signatures based upon use of
identification codes in combination with passwords must employ controls
to ensure security and integrity. The controls must include the
following provisions: (1) The uniqueness of each combined
identification code and password must be maintained in such a way that
no two individuals have the same combination of identification code and
password; (2) persons using identification codes and/or passwords must
ensure that they are periodically recalled or revised; (3) loss
management procedures must be followed to deauthorize lost, stolen,
missing, or otherwise potentially compromised tokens, cards, and other
devices that bear or generate identification codes or password
information; (4) transaction safeguards must be used to prevent
unauthorized use of passwords and/or identification codes, and to
detect and report any attempt to misuse such codes; (5) devices that
bear or generate identification codes or password information, such as
tokens or cards, must be tested initially and periodically to ensure
that they function properly and have not been altered in an
unauthorized manner.
III. Comments on the Proposed Rule
A. General Comments
1. Many comments expressed general support for the proposed rule.
Noting that the proposal's regulatory approach incorporated several
suggestions submitted by industry in comments on the ANPRM, a number of
comments stated that the proposal is a good example of agency and
industry cooperation in resolving technical issues.
Several comments also noted that both industry and the agency can
realize significant benefits by using electronic records and electronic
signatures, such as increasing the speed of information exchange, cost
savings from the reduced need for storage space, reduced errors, data
integration/trending, product improvement, manufacturing process
streamlining, improved process control, reduced vulnerability of
electronic signatures to fraud and abuse, and job creation in
industries involved in electronic record and electronic signature
technologies.
One comment noted that, when part 11 controls are satisfied,
electronic signatures and electronic records have advantages over paper
systems, advantages that include: (1) Having automated databases that
enable more advanced searches of information, thus obviating the need
for manual searches of paper records; (2) permitting information to be
viewed from multiple perspectives; (3) permitting determination of
trends, patterns, and behaviors; and (4) avoiding initial and
subsequent document misfiling that may result from human error.
There were several comments on the general scope and effect of
proposed part 11. These comments noted that the final regulations will
be viewed as a standard by other Government agencies, and may strongly
influence the direction of electronic record and electronic signature
technologies. One comment said that FDA's position on electronic
signatures/electronic records is one of the most pressing issues for
the pharmaceutical industry and has a significant impact on the
industry's future competitiveness. Another comment said that the rule
constitutes an important milestone along the Nation's information
superhighway.
FDA believes that the extensive industry input and collaboration
that went into formulating the final rule is representative of a
productive partnership that will facilitate the use of advanced
technologies. The agency acknowledges the potential benefits to be
gained by electronic record/electronic signature systems. The agency
expects that the magnitude of these benefits should significantly
outweigh the costs of making these systems, through compliance with
part 11, reliable, trustworthy, and compatible with FDA's
responsibility to promote and protect public health. The agency is
aware of the potential impact of the rule, especially regarding the
need to accommodate and encourage new technologies while maintaining
the agency's ability to carry out its mandate to protect public health.
The agency is also aware that other Federal agencies share the same
concerns and are addressing the same issues as FDA; the agency has held
informal discussions with other Federal agencies and participated in
several interagency groups on electronic records/electronic signatures
and information technology issues. FDA looks forward to exchanging
information and experience with other agencies for mutual benefit and
to promote a consistent Federal policy on electronic records and
signatures. The agency also notes that benefits, such as the ones
listed by the comments, will help to offset any system modification
costs that persons may incur to achieve compliance with part 11.
B. Regulations Versus Guidelines
2. Several comments addressed whether the agency's policy on
electronic signatures and electronic records should be issued as a
regulation
[[Page 13432]]
or recommended in a guideline. Most comments supported a regulation,
citing the need for a practical and workable approach for criteria to
ensure that records can be stored in electronic form and are reliable,
trustworthy, secure, accurate, confidential, and authentic. One comment
specifically supported a single regulation covering all FDA-regulated
products to ensure consistent requirements across all product lines.
Two comments asserted that the agency should only issue guidelines or
``make the regulations voluntary.'' One of these comments said that by
issuing regulations, the agency is shifting from creating tools to
enhance communication (technological quality) to creating tools for
enforcement (compliance quality).
The agency remains convinced, as expressed in the preamble to the
proposed rule (59 FR 45160 at 45165), that a policy statement,
inspection guide, or other guidance would be an inappropriate means for
enunciating a comprehensive policy on electronic signatures and
records. FDA has concluded that regulations are necessary to establish
uniform, enforceable, baseline standards for accepting electronic
signatures and records. The agency believes, however, that supplemental
guidance documents would be useful to address controls in greater
detail than would be appropriate for regulations. Accordingly, the
agency anticipates issuing supplemental guidance as needed and will
afford all interested parties the opportunity to comment on the
guidance documents.
The need for regulations is underscored by several opinions
expressed in the comments. For example, one comment asserted that it
should be acceptable for supervisors to remove the signatures of their
subordinates from signed records and replace them with their own
signatures. Although the agency does not object to the use of a
supervisor's signature to endorse or confirm a subordinate's actions,
removal of an original signature is an action the agency views as
falsification. Several comments also argued that an electronic
signature should consist of only a password, that passwords need not be
unique, that it is acceptable for people to use passwords associated
with their personal lives (like the names of their children or their
pets), and that passwords need only be changed every 2 years. FDA
believes that such procedures would greatly increase the possibility
that a password could be compromised and the chance that any resulting
impersonation and/or falsification would continue for a long time.
Therefore, an enforceable regulation describing the acceptable
characteristics of an electronic signature appears necessary.
C. Flexibility and Specificity
3. Several comments addressed the flexibility and specificity of
the proposed rule. The comments contended that agency acceptance of
electronic records systems should not be based on any particular
technology, but rather on the adequacy of the system controls under
which they are created and managed. Some comments claimed that the
proposed rule was overly prescriptive and that it should not specify
the mechanisms to be used, but rather only require owners/users to
design appropriate safeguards and validate them to reasonably ensure
electronic signature integrity and authenticity. One comment commended
the agency for giving industry the freedom to choose from a variety of
electronic signature technologies, while another urged that the final
rule be more specific in detailing software requirements for electronic
records and electronic notebooks in research and testing laboratories.
The agency believes that the provisions of the final rule afford
firms considerable flexibility while providing a baseline level of
confidence that records maintained in accordance with the rule will be
of high integrity. For example, the regulation permits a wide variety
of existing and emerging electronic signature technologies, from use of
identification codes in conjunction with manually entered passwords to
more sophisticated biometric systems that may necessitate additional
hardware and software. While requiring electronic signatures to be
linked to their respective electronic records, the final rule affords
flexibility in achieving that link through use of any appropriate
means, including use of digital signatures and secure relational
database references. The final rule accepts a wide variety of
electronic record technologies, including those based on optical
storage devices. In addition, as discussed in comment 40 of this
document, the final rule does not establish numerical standards for
levels of security or validation, thus offering firms flexibility in
determining what levels are appropriate for their situations.
Furthermore, while requiring operational checks, authority checks, and
periodic testing of identifying devices, persons have the flexibility
of conducting those controls by any suitable method. When the final
rule calls for a certain control, such as periodic testing of
identification tokens, persons have the option of determining the
frequency.
D. Controls for Electronic Systems Compared with Paper Systems
4. Two comments stated that any controls that do not apply to
paper-based document systems and handwritten signatures should not
apply to electronic record and signature systems unless those controls
are needed to address an identified unique risk associated with
electronic record systems. One comment expressed concern that FDA was
establishing a much higher standard for electronic signatures than
necessary.
In attempting to establish minimum criteria to make electronic
signatures and electronic records trustworthy and reliable and
compatible with FDA's responsibility to promote and protect public
health (e.g., by hastening the availability of new safe and effective
medical products and ensuring the safety of foods), the agency has
attempted to draw analogies to handwritten signatures and paper records
wherever possible. In doing so, FDA has found that the analogy does not
always hold because of the differences between paper and electronic
systems. The agency believes some of those differences necessitate
controls that will be unique to electronic technology and that must be
addressed on their own merits and not evaluated on the basis of their
equivalence to controls governing paper documents.
The agency found that some of the comments served to illustrate the
differences between paper and electronic record technologies and the
need to address controls that may not generally be found in paper
record systems. For example, several comments pointed out that
electronic records built upon information databases, unlike paper
records, are actually transient views or representations of information
that is dispersed in various parts of the database. (The agency notes
that the databases themselves may be geographically dispersed but
linked by networks.) The same software that generates representations
of database information on a screen can also misrepresent that
information, depending upon how the software is written (e.g., how a
query is prepared). In addition, database elements can easily be
changed at any time to misrepresent information, without evidence that
a change was made, and in a manner that destroys the original
information. Finally, more people have potential access to electronic
record
[[Page 13433]]
systems than may have access to paper records.
Therefore, controls are needed to ensure that representations of
database information have been generated in a manner that does not
distort data or hide noncompliant or otherwise bad information, and
that database elements themselves have not been altered so as to
distort truth or falsify a record. Such controls include: (1) Using
time-stamped audit trails of information written to the database, where
such audit trails are executed objectively and automatically rather
than by the person entering the information, and (2) limiting access to
the database search software. Absent effective controls, it is very
easy to falsify electronic records to render them indistinguishable
from original, true records.
The traditional paper record, in comparison, is generally a durable
unitized representation that is fixed in time and space. Information is
recorded directly in a manner that does not require an intermediate
means of interpretation. When an incorrect entry is made, the customary
method of correcting FDA-related records is to cross out the original
entry in a manner that does not obscure the prior data. Although paper
records may be falsified, it is relatively difficult (in comparison to
falsification of electronic records) to do so in a nondetectable
manner. In the case of paper records that have been falsified, a body
of evidence exists that can help prove that the records had been
changed; comparable methods to detect falsification of electronic
records have yet to be fully developed.
In addition, there are significant technological differences
between traditional handwritten signatures (recorded on paper) and
electronic signatures that also require controls unique to electronic
technologies. For example, the traditional handwritten signature cannot
be readily compromised by being ``loaned'' or ``lost,'' whereas an
electronic signature based on a password in combination with an
identification code can be compromised by being ``loaned'' or ``lost.''
By contrast, if one person attempts to write the handwritten signature
of another person, the falsification would be difficult to execute and
a long-standing body of investigational techniques would be available
to detect the falsification. On the other hand, many electronic
signatures are relatively easy to falsify and methods of falsification
almost impossible to detect.
Accordingly, although the agency has attempted to keep controls for
electronic record and electronic signatures analogous to traditional
paper systems, it finds it necessary to establish certain controls
specifically for electronic systems.
E. FDA Certification of Electronic Signature Systems
5. One comment requested FDA certification of what it described as
a low-cost, biometric-based electronic signature system, one which uses
dynamic signature verification with a parameter code recorded on
magnetic stripe cards.
The agency does not anticipate the need to certify individual
electronic signature products. Use of any electronic signature system
that complies with the provisions of part 11 would form the basis for
agency acceptance of the system regardless of what particular
technology or brand is used. This approach is consistent with FDA's
policy in a variety of program areas. The agency, for example, does not
certify manufacturing equipment used to make drugs, medical devices, or
food.
F. Biometric Electronic Signatures
6. One comment addressed the agency's statement in the proposed
rule (59 FR 45160 at 45168) that the owner of a biometric/behavioral
link could not lose or give it away. The comment stated that it was
possible for an owner to ``lend'' the link for a file to be opened, as
a collaborative fraudulent gesture, or to unwittingly assist a
fraudulent colleague in an ``emergency,'' a situation, the comment
said, that was not unknown in the computer industry.
The agency acknowledges that such fraudulent activity is possible
and that people determined to falsify records may find a means to do so
despite whatever technology or preventive measures are in place. The
controls in part 11 are intended to deter such actions, make it
difficult to execute falsification by mishap or casual misdeed, and to
help detect such alterations when they occur (see Sec. 11.10
(introductory paragraph and especially Secs. 11.10(j) and 11.200(b)).
G. Personnel Integrity
7. A few comments addressed the role of individual honesty and
trust in ensuring that electronic records are reliable, trustworthy,
and authentic. One comment noted that firms must rely in large measure
upon the integrity of their employees. Another said that subpart C of
part 11, Electronic Signatures, appears to have been written with the
belief that pharmaceutical manufacturers have an incentive to falsify
electronic signatures. One comment expressed concern about possible
signature falsification when an employee leaves a company to work
elsewhere and the employee uses the electronic signature illegally.
The agency agrees that the integrity of any electronic signature/
electronic record system depends heavily upon the honesty of employees
and that most persons are not motivated to falsify records. However,
the agency's experience with various types of records and signature
falsification demonstrates that some people do falsify information
under certain circumstances. Among those circumstances are situations
in which falsifications can be executed with ease and have little
likelihood of detection. Part 11 is intended to minimize the
opportunities for readily executing falsifications and to maximize the
chances of detecting falsifications.
Concerning signature falsification by former employees, the agency
would expect that upon the departure of an employee, the assigned
electronic signature would be ``retired'' to prevent the former
employee from falsely using the signature.
H. Security of Industry Electronic Records Submitted to FDA
8. Several comments expressed concern about the security and
confidentiality of electronic records submitted to FDA. One suggested
that submissions be limited to such read-only formats as CD-ROM with
raw data for statistical manipulation provided separately on floppy
diskette. One comment suggested that in light of the proposed rule, the
agency should review its own internal security procedures. Another
addressed electronic records that may be disclosed under the Freedom of
Information Act and expressed concern regarding agency deletion of
trade secrets. One comment anticipated FDA's use of open systems to
access industry records (such as medical device production and control
records) and suggested that such access should be restricted to closed
systems.
The agency is well aware of its legal obligation to maintain the
confidentiality of trade secret information in its possession, and is
committed to meet that obligation regardless of the form (paper or
electronic) a record takes. The procedures used to ensure
confidentiality are consistent with the provisions of part 11. FDA is
also examining other controls, such as use of digital signatures, to
ensure submission integrity. To permit legitimate changes to be made,
the agency does not believe that it is necessary to restrict
submissions to those maintained in
[[Page 13434]]
read-only formats in all cases; each agency receiving unit retains the
flexibility to determine whatever format is most suitable. Those
intending to submit material are expected to consult with the
appropriate agency receiving unit to determine the acceptable formats.
Although FDA access to electronic records on open systems
maintained by firms is not anticipated in the near future, the agency
believes it would be inappropriate to rule out such a procedure. Such
access can be a valuable inspection tool and can enhance efficiencies
by reducing the time investigators may need to be on site. The agency
believes it is important to develop appropriate procedures and security
measures in cooperation with industry to ensure that such access does
not jeopardize data confidentiality or integrity.
I. Effective Date/Grandfathering
9. Several comments addressed the proposed effective date of the
final rule, 90 days after publication in the Federal Register, and
suggested potential exemptions (grandfathering) for systems now in use.
Two comments requested an expedited effective date for the final rule.
One comment requested an effective date at least 18 months after
publication of the final rule to permit firms to modify and validate
their systems. One comment expressed concern about how the rule, in
general, will affect current systems, and suggested that the agency
permit firms to continue to use existing electronic record systems that
otherwise conform to good manufacturing or laboratory practices until
these firms make major modifications to those systems or until 5 years
have elapsed, whichever comes first. Several other comments requested
grandfathering for specific sections of the proposed rule.
The agency has carefully considered the comments and suggestions
regarding the final rule's effective date and has concluded that the
effective date should be 5 months after date of publication in the
Federal Register. The agency wishes to accommodate firms that are
prepared now to comply with part 11 or will be prepared soon, so as to
encourage and foster new technologies in a manner that ensures that
electronic record and electronic signature systems are reliable,
trustworthy, and compatible with FDA's responsibility to promote and
protect public health. The agency believes that firms that have
consulted with FDA before adopting new electronic record and electronic
signature technologies (especially technologies that may impact on the
ability of the agency to conduct its work effectively) will need to
make few, if any, changes to systems used to maintain records required
by FDA.
The agency believes that the provisions of part 11 represent
minimal standards and that a general exemption for existing systems
that do not meet these provisions would be inappropriate and not in the
public interest because such systems are likely to generate electronic
records and electronic signatures that are unreliable, untrustworthy,
and not compatible with FDA's responsibility to promote and protect
public health. Such an exemption might, for example, mean that a firm
could: (1) Deny FDA inspectional access to electronic record systems,
(2) permit unauthorized access to those systems, (3) permit individuals
to share identification codes and passwords, (4) permit systems to go
unvalidated, and (5) permit records to be falsified in many ways and in
a manner that goes undetected.
The agency emphasizes that these regulations do not require, but
rather permit, the use of electronic records and signatures. Firms not
confident that their electronic systems meet the minimal requirements
of these regulations are free to continue to use traditional signatures
and paper documents to meet recordkeeping requirements.
J. Comments by Electronic Mail (e-mail) and Electronic Distribution of
FDA Documents
10. One comment specifically noted that the agency has accepted
comments by e-mail and that this provides an additional avenue for
public participation in the rulemaking process. Another comment
encouraged FDA to expand the use of electronic media to provide
information by such open systems as bulletin boards.
The agency intends to explore further the possibility of continuing
to accept public comments by e-mail and other electronic means. For
this current experiment, the agency received only one comment by e-
mail. The comment that addressed this issue was, itself, transmitted in
a letter. The agency recognizes the benefits of distributing
information electronically, has expanded that activity, and intends to
continue that expansion. Although only one e-mail comment was received,
the agency does not attribute that low number to a lack of ability to
send e-mail because the agency received e-mail from 198 persons who
requested the text of the proposed rule, including requests from people
outside the United States.
K. Submissions by Facsimile (Fax)
11. One comment said that part 11 should include a provision for
FDA acceptance of submissions by fax, such as import form FDA 2877. The
comment noted that the U.S. Customs Service accepts fax signatures on
its documents, and claimed that FDA's insistence on hard copies of form
FDA 2877 is an impediment to imports.
The agency advises that part 11 permits the unit that handles
import form FDA 2877 to accept that record in electronic form when it
is prepared logistically to do so. As noted in the discussion on
Sec. 11.1(b) in comment 21 of this document, the agency recognizes that
faxes can be in paper or electronic form, based on the capabilities of
the sender and recipient.
L. Blood Bank Issues
12. Two comments addressed blood bank issues in the context of
electronic records and electronic signatures and said the agency should
clarify that part 11 would permit electronic crossmatching by a central
blood center for individual hospitals. One comment stated that remote
blood center and transfusion facilities should be permitted to rely on
electronically communicated information, such as authorization for
labeling/issuing units of blood, and that the electronic signature of
the supervisor in the central testing facility releasing the product
for labeling and issuance should be sufficient because the proposed
rule guards against security and integrity problems.
One comment questioned whether, under part 11, electronic
signatures would meet the signature requirements for the release of
units of blood, and if there would be instances where a full signature
would be required instead of a technician's identification. Another
comment asserted that it is important to clarify how the term ``batch''
will be interpreted under part 11, and suggested that the term used in
relation to blood products refers to a series of units of blood having
undergone common manufacturing processes and recorded on the same
computerized document. The comment contrasted this to FDA's current
view that each unit of blood be considered a batch.
The agency advises that part 11 permits release records now in
paper form to be in electronic form and traditional handwritten
signatures to be electronic signatures. Under part 11, the name of the
technician must appear in the record display or printout to clearly
identify the technician. The appearance of the technician's
identification code
[[Page 13435]]
alone would not be sufficient. The agency also advises that the
definition of a ``batch'' for blood or other products is not affected
by part 11, which addresses the trustworthiness and reliability of
electronic records and electronic signatures, regardless of how a
batch, which is the subject of those records and signatures, is
defined.
M. Regulatory Flexibility Analysis
13. One comment said that, because part 11 will significantly
impact a substantial number of small businesses, even though the impact
would be beneficial, FDA is required to perform a regulatory
flexibility analysis and should publish such an analysis in the Federal
Register before a final rule is issued.
The comment states that the legislative history of the Regulatory
Flexibility Act is clear that, ``significant economic impact,'' as it
appears at 5 U.S.C. 605(b) is neutral with respect to whether such
impact is beneficial or adverse.
Contrary to the comment's assertion, the legislative history is not
dispositive of this matter. It is well established that the task of
statutory construction must begin with the actual language of the
statute. (See Bailey v. United States, 116 S. Ct. 595, 597 (1996).) A
statutory term must not be construed in isolation; a provision that may
seem ambiguous in isolation is often clarified by the remainder of the
statute. (See Dept. Of Revenue of Oregon v. ACF Industries, 114 S. Ct.
843, 850 (1994).) Moreover, it is a fundamental canon of statutory
construction that identical terms within the same statute must bear the
same meaning. (See Reno v. Koray, 115 S. Ct. 2021, 2026 (1995).)
In addition to appearing in 5 U.S.C. 605(b), the term ``significant
economic impact'' appears elsewhere in the statute. The legislation is
premised upon the congressional finding that alternative regulatory
approaches may be available which ``minimize the significant economic
impact'' of rules (5 U.S.C. 601 note). In addition, an initial
regulatory flexibility analysis must describe significant regulatory
alternatives that ``minimize any significant economic impact'' (5
U.S.C. 603(c)). Similarly, a final regulatory flexibility analysis must
include a description of the steps the agency has taken to ``minimize
any significant economic impact'' (5 U.S.C. 604(a)(5)). The term
appeared as one of the elements of a final regulatory flexibility
analysis, as originally enacted in 1980. (See Pub. L. No. 96-354, 3(a),
94 Stat. 1164, 1167 (1980) (formerly codified at 5 U.S.C. 604(a)(3)).)
In addition, when Congress amended the elements of a final regulatory
flexibility analysis in 1996, it re-enacted the term, as set forth
above. (See Pub. L. 104-121, 241(b), 110 Stat. 857, 865 (1996)
(codified at 5 U.S.C.604(a)(5)).)
Unless the purpose of the statute was intended to increase the
economic burden of regulations by minimizing positive or beneficial
effects, ``significant economic impact'' cannot include such effects.
Because it is beyond dispute that the purpose of the statute is not
increasing economic burdens, the plain meaning of ``significant
economic impact'' is clear and necessarily excludes beneficial or
positive effects of regulations. Even where there are some limited
contrary indications in the statute's legislative history, it is
inappropriate to resort to legislative history to cloud a statutory
text that is clear on its face. (See Ratzlaff v. United States, 114 S.
Ct. 655, 662 (1994).) Therefore, the agency concludes that a final
regulatory flexibility analysis is not required for this regulation or
any regulation for which there is no significant adverse economic
impact on small entities. Notwithstanding these conclusions, FDA has
nonetheless considered the impact of the rule on small entities. (See
section XVI. of this document.)
N. Terminology
14. One comment addressed the agency's use of the word ``ensure''
throughout the rule and argued that the agency should use the word
``assure'' rather than ``ensure'' because ``ensure'' means ``to
guarantee or make certain'' whereas ``assure'' means ``to make
confident.'' The comment added that ``assure'' is also more consistent
with terminology in other regulations.
The agency wishes to emphasize that it does not intend the word
``ensure'' to represent a guarantee. The agency prefers to use the word
``ensure'' because it means to make certain.
O. General Comments Regarding the Prescription Drug Marketing Act of
1987 (PDMA)
15. Three comments addressed the use of handwritten signatures that
are recorded electronically (SRE's) under part 11 and PDMA. One firm
described its delivery information acquisition device and noted its use
of time stamps to record when signatures are executed. The comments
requested clarification that SRE's would be acceptable under the PDMA
regulations. One comment assumed that subpart C of part 11 (Electronic
Signatures) would not apply to SRE's, noting that it was not practical
under PDMA (given the large number of physicians who may be eligible to
receive drug product samples) to use such alternatives as
identification codes combined with passwords.
The agency advises that part 11 applies to handwritten signatures
recorded electronically and that such signatures and their
corresponding electronic records will be acceptable for purposes of
meeting PDMA's requirements when the provisions of part 11 are met.
Although subpart C of part 11 does not apply to handwritten signatures
recorded electronically, the agency advises that controls related to
electronic records (subpart B), and the general provisions of subpart
A, do apply to electronic records in the context of PDMA. The agency
emphasizes, however, that part 11 does not restrict PDMA signings to
SRE's, and that organizations retain the option of using electronic
signatures in conformance with part 11. Furthermore, the agency
believes that the number of people in a given population or
organization should not be viewed as an insurmountable obstacle to use
of electronic signatures. The agency is aware, for example, of efforts
by the American Society of Testing and Materials to develop standards
for electronic medical records in which digital signatures could
theoretically be used on a large scale.
P. Comments on the Unique Nature of Passwords
16. Several comments noted, both generally and with regard to
Secs. 11.100(a), 11.200(a), and 11.300, that the password in an
electronic signature that is composed of a combination of password and
identification code is not, and need not be, unique. Two comments added
that passwords may be known to system security administrators who
assist people who forget passwords and requested that the rule
acknowledge that passwords need not be unique. One comment said that
the rule should describe how uniqueness is to be determined.
The agency acknowledges that when an electronic signature consists
of a combined identification code and password, the password need not
be unique. It is possible that two persons in the same organization may
have the same password. However, the agency believes that where good
password practices are implemented, such coincidence would be highly
unlikely. As discussed in section XIII. of this document in the context
of comments on proposed Sec. 11.300, records are less trustworthy and
reliable if it is relatively easy for someone to deduce or execute, by
chance, a person's electronic
[[Page 13436]]
signature where the identification code of the signature is not
confidential and the password is easily guessed.
The agency does not believe that revising proposed Sec. 11.100(a)
is necessary because what must remain unique is the electronic
signature, which, in the case addressed by the comments, consists not
of the password alone, but rather the password in combination with an
identification code. If the combination is unique, then the electronic
signature is unique.
The agency does not believe that it is necessary to describe in the
regulations the various ways of determining uniqueness or achieving
compliance with the requirement. Organizations thereby maintain
implementation flexibility.
The agency believes that most system administrators or security
managers would not need to know passwords to help people who have
forgotten their own. This is because most administrators or managers
have global computer account privileges to resolve such problems.
IV. Scope (Sec. 11.1)
17. One comment suggested adding a new paragraph to proposed
Sec. 11.1 that would exempt computer record maintenance software
installed before the effective date of the final rule, and that would
exempt electronic records maintained before that date. The comment
argued that such exemptions were needed for economic and constitutional
reasons because making changes to existing systems would be costly and
because the imposition of additional requirements after the fact could
be regarded as an ex post facto rule. The comment said firms have been
using electronic systems that have demonstrated reliability and
security for many years before the agency's publication of the ANPRM,
and that the absence of FDA's objections in inspectional form FDA 483
was evidence of the agency's acceptance of the system.
As discussed in section III.I. of this document, the agency is
opposed to ``grandfathering'' existing systems because such exemptions
may perpetuate environments that provide opportunities for record
falsification and impair FDA's ability to protect and promote public
health. However, the agency wishes to avoid any confusion regarding the
application of the provisions of part 11 to systems and electronic
records in place before the rule's effective date. Important
distinctions need to be made relative to an electronic record's
creation, modification, and maintenance because various portions of
part 11 address matters relating to these actions. Those provisions
apply depending upon when a given electronic record is created,
modified, or maintained.
Electronic records created before the effective date of this rule
are not covered by part 11 provisions that relate to aspects of the
record's creation, such as the signing of the electronic record. Those
records would not, therefore, need to be altered retroactively.
Regarding records that were first created before the effective date,
part 11 provisions relating to modification of records, such as audit
trails for record changes and the requirement that original entries not
be obscured, would apply only to those modifications made on or after
the rule's effective date, not to modifications made earlier. Likewise,
maintenance provisions of part 11, such as measures to ensure that
electronic records can be retrieved throughout their retention periods,
apply to electronic records that are being maintained on or after the
rule's effective date. The hardware and software, as well as
operational procedures used on or after the rule's effective date, to
create, modify, or maintain electronic records must comply with the
provisions of part 11.
The agency does not agree with any suggestion that FDA endorsement
or acceptance of an electronic record system can be inferred from the
absence of objections in an inspection report. Before this rulemaking,
FDA did not have established criteria by which it could determine the
reliability and trustworthiness of electronic records and electronic
signatures and could not sanction electronic alternatives when
regulations called for signatures. A primary reason for issuing part 11
is to develop and codify such criteria. FDA will assess the
acceptability of electronic records and electronic signatures created
prior to the effective date of part 11 on a case-by-case basis.
18. One comment suggested that proposed Sec. 11.1 exempt production
of medical devices and in vitro diagnostic products on the grounds that
the subject was already adequately addressed in the medical device CGMP
regulations currently in effect in Sec. 820.195 (21 CFR 820.195), and
that additional regulations would be confusing and would limit
compliance.
The agency believes that part 11 complements, and is supportive of,
the medical device CGMP regulations and the new medical device quality
system regulation, as well as other regulations, and that compliance
with one does not confound compliance with others. Before publication
of the ANPRM, the agency determined that existing regulations,
including the medical device CGMP regulations, did not adequately
address electronic records and electronic signatures. That
determination was reinforced in the comments to the ANPRM, which
focused on the need to identify what makes electronic records reliable,
trustworthy, and compatible with FDA's responsibility to promote and
protect public health. For example, the provision cited by the comment,
Sec. 820.195, states ``When automated data processing is used for
manufacturing or quality assurance purposes, adequate checks shall be
designed and implemented to prevent inaccurate data output, input, and
programming errors.'' This section does not address the many issues
addressed by part 11, such as electronic signatures, record
falsification, or FDA access to electronic records. The relationship
between the quality system regulation and part 11 is discussed at
various points in the preamble to the quality system regulation.
19. One comment asserted that for purposes of PDMA, the scope of
proposed part 11 should be limited to require only those controls for
assessing signatures in paper-based systems because physicians'
handwritten signatures are executed to electronic records. The comment
further asserted that, because drug manufacturers' representatives
carry computers into physicians' offices (where the physicians then
sign sample requests and receipts), only closed system controls should
be needed.
The agency believes that, for purposes of PDMA, controls needed for
electronic records bearing handwritten signatures are no different from
controls needed for the same kinds of records and signatures used
elsewhere, and that proposed Sec. 11.1 need not make any such
distinction.
In addition, the agency disagrees with the implication that all
PDMA electronic records are, in fact, handled within closed systems.
The classification of a system as open or closed in a particular
situation depends on what is done in that situation. For example, the
agency agrees that a closed system exists where a drug producer's
representative (the person responsible for the content of the
electronic record) has control over access to the electronic record
system by virtue of possessing the portable computer and controlling
who may use the computer to sign electronic records. However, should
the firm's representative transfer copies of those records to a public
online service that stores them for the drug firm's
[[Page 13437]]
subsequent retrieval, the agency considers such transfer and storage to
be within an open system because access to the system holding the
records is controlled by the online service, which is not responsible
for the record's content. Activities in the first example would be
subject to closed system controls and activities in the second example
would be subject to open system controls.
20. One comment urged that proposed Sec. 11.1 contain a clear
statement of what precedence certain provisions of part 11 have over
other regulations.
The agency believes that such statements are found in Sec. 11.1(c):
Where electronic signatures and their associated records meet
the requirements of this part, the agency will consider the
electronic signatures to be equivalent to full handwritten
signatures, initials, and other general signings as required under
agency regulations unless specifically excepted by regulations * *
*.
and Sec. 11.1(d) (``Electronic records that meet the requirements of
this part may be used in lieu of paper records, in accordance with
Sec. 11.2, unless paper records are specifically required.''). These
provisions clearly address the precedence of part 11 and the
equivalence of electronic records and electronic signatures.
To further clarify the scope of the rule, FDA has revised Sec. 11.1
to apply to electronic records submitted to the agency under
requirements of the Federal Food, Drug, and Cosmetic Act (the act) and
the Public Health Service Act (the PHS Act). This clarifies the point
that submissions required by these statutes, but not specifically
mentioned in the Code of Federal Regulations (CFR), are subject to part
11.
21. Proposed Sec. 11.1(b) stated that the regulations would apply
to records in electronic form that are created, modified, maintained,
or transmitted, under any records requirements set forth in Chapter I
of Title 21. One comment suggested that the word ``transmitted'' be
deleted from proposed Sec. 11.1(b) because the wording would
inappropriately apply to paper documents that are transmitted by fax.
The comment noted that if the records are in machine readable form
before or after transmission, they would still be covered by the
revised wording.
The agency does not intend part 11 to apply to paper records even
if such records are transmitted or received by fax. The agency notes
that the records transmitted by fax may be in electronic form at the
sender, the recipient, or both. Part 11 would apply whenever the record
is in electronic form. To remedy the problem noted by the comment, the
agency has added a sentence to Sec. 11.1(b) stating that part 11 does
not apply to paper records that are, or have been, transmitted by
electronic means.
22. One comment asked whether paper records created by computer
would be subject to proposed part 11. The comment cited, as an example,
the situation in which a computer system collects toxicology data that
are printed out and maintained as ``raw data.''
Part 11 is intended to apply to systems that create and maintain
electronic records under FDA's requirements in Chapter I of Title 21,
even though some of those electronic records may be printed on paper at
certain times. The key to determining part 11 applicability, under
Sec. 11.1(b), is the nature of the system used to create, modify, and
maintain records, as well as the nature of the records themselves.
Part 11 is not intended to apply to computer systems that are
merely incidental to the creation of paper records that are
subsequently maintained in traditional paper-based systems. In such
cases, the computer systems would function essentially like manual
typewriters or pens and any signatures would be traditional handwritten
signatures. Record storage and retrieval would be of the traditional
``file cabinet'' variety. More importantly, overall reliability,
trustworthiness, and FDA's ability to access the records would derive
primarily from well-established and generally accepted procedures and
controls for paper records. For example, if a person were to use word
processing software to generate a paper submission to FDA, part 11
would not apply to the computer system used to generate the submission,
even though, technically speaking, an electronic record was initially
created and then printed on paper.
When records intended to meet regulatory requirements are in
electronic form, part 11 would apply to all the relevant aspects of
managing those records (including their creation, signing,
modification, storage, access, and retrieval). Thus, the software and
hardware used to create records that are retained in electronic form
for purposes of meeting the regulations would be subject to part 11.
Regarding the comment about ``raw data,'' the agency notes that
specific requirements in existing regulations may affect the particular
records at issue, regardless of the form such records take. For
example, ``raw data,'' in the context of the good laboratory practices
regulations (21 CFR part 58), include computer printouts from automated
instruments as well as the same data recorded on magnetic media. In
addition, regulations that cover data acquisition systems generally
include requirements intended to ensure the trustworthiness and
reliability of the collected data.
23. Several comments on proposed Sec. 11.1(b) suggested that the
phrase ``or archived and retrieved'' be added to paragraph (b) to
reflect more accurately a record's lifecycle.
The agency intended that record archiving and retrieval would be
part of record maintenance, and therefore already covered by
Sec. 11.1(b). However, for added clarity, the agency has revised
Sec. 11.1(b) to add ``archived and retrieved.''
24. One comment suggested that, in describing what electronic
records are within the scope of part 11, proposed Sec. 11.1(b) should
be revised by substituting ``processed'' for ``modified'' and
``communicated'' for ``transmitted'' because ``communicated'' reflects
the fact that the information was dispatched and also received. The
comment also suggested substituting ``retained'' for ``maintained,'' or
adding the word ``retained,'' because ``maintain'' does not necessarily
convey the retention requirement.
The agency disagrees. The word ``modified'' better describes the
agency's intent regarding changes to a record; the word ``processed''
does not necessarily infer a change to a record. FDA believes
``transmitted'' is preferable to ``communicated'' because
``communicated'' might infer that controls to ensure integrity and
authenticity hinge on whether the intended recipient actually received
the record. Also, as discussed in comment 22 of this document, the
agency intends for the term ``maintain'' to include records retention.
25. Two comments suggested that proposed Sec. 11.1(b) explicitly
state that part 11 supersedes all references to handwritten signatures
in 21 CFR parts 211 through 226 that pertain to a drug, and in 21 CFR
parts 600 through 680 that pertain to biological products for human
use. The comments stated that the revision should clarify coverage and
permit blood centers and transfusion services to take full advantage of
electronic systems that provide process controls.
The agency does not agree that the revision is necessary because,
under Sec. 11.1(b) and (c), part 11 permits electronic records or
submissions under all FDA regulations in Chapter I of Title 21 unless
specifically excepted by future regulations.
26. Several comments expressed concern that the proposed rule had
inappropriately been expanded in scope
[[Page 13438]]
from the ANPRM to address electronic records as well as electronic
signatures. One comment argued that the scope of part 11 should be
restricted only to those records that are currently required to be
signed, witnessed, or initialed, and that the agency should not require
electronic records to contain electronic signatures where the
corresponding paper records are not required to be signed.
The agency disagrees with the assertion that part 11 should address
only electronic signatures and not electronic records for several
reasons. First, based on comments on the ANPRM, the agency is convinced
that the reliability and trustworthiness of electronic signatures
depend in large measure on the reliability and trustworthiness of the
underlying electronic records. Second, the agency has concluded that
electronic records, like paper records, need to be trustworthy,
reliable, and compatible with FDA's responsibility to promote and
protect public health regardless of whether they are signed. In
addition, records falsification is an issue with respect to both signed
and unsigned records. Therefore, the agency concludes that although the
ANPRM focused primarily on electronic signatures, expansion of the
subject to electronic records in the proposed rule was fully justified.
The agency stresses that part 11 does not require that any given
electronic record be signed at all. The requirement that any record
bear a signature is contained in the regulation that mandates the basic
record itself. Where records are signed, however, by virtue of meeting
a signature requirement or otherwise, part 11 addresses controls and
procedures intended to help ensure the reliability and trustworthiness
of those signatures.
27. Three comments asked if there were any regulations, including
CGMP regulations, that might be excepted from part 11 and requested
that the agency identify such regulations.
FDA, at this time, has not identified any current regulations that
are specifically excepted from part 11. However, the agency believes it
is prudent to provide for such exceptions should they become necessary
in the future. It is possible that, as the agency's experience with
part 11 increases, certain records may need to be limited to paper if
there are problems with the electronic versions of such records.
28. One comment requested clarification of the meaning of the term
``general signings'' in proposed Sec. 11.1(c), and said that the
distinction between ``full handwritten'' signatures and ``initials'' is
unnecessary because handwritten includes initials in all common
definitions of handwritten signature. The comment also suggested
changing the term ``equivalent'' to ``at least equivalent'' because
electronic signatures are not precise equivalents of handwritten
signatures and computer-based signatures have the potential of being
more secure.
The agency advises that current regulations that require records to
be signed express those requirements in different ways depending upon
the agency's intent and expectations. Some regulations expressly state
that records must be signed using ``full handwritten'' signatures,
whereas other regulations state that records must be ``signed or
initialed;'' still other regulations implicitly call for some kind of
signing by virtue of requiring record approvals or endorsements. This
last broad category is addressed by the term ``general signings'' in
Sec. 11.1(c).
Where the language is explicit in the regulations, the means of
meeting the requirement are correspondingly precise. Therefore, where a
regulation states that a signature must be recorded as ``full
handwritten,'' the use of initials is not an acceptable substitute.
Furthermore, under part 11, for an electronic signature to be
acceptable in place of any of these signings, the agency only needs to
consider them as equivalent; electronic signatures need not be superior
to those other signings to be acceptable.
29. Several comments requested clarification of which FDA records
are required to be in paper form, and urged the agency to allow and
promote the use of electronic records in all cases. One comment
suggested that proposed Sec. 11.1(d) be revised to read, in part, ``* *
* unless the use of electronic records is specifically prohibited.''
The agency intends to permit the use of electronic records required
to be maintained but not submitted to the agency (as noted in
Sec. 11.2(a)) provided that the requirements of part 11 are met and
paper records are not specifically required. The agency also wishes to
encourage electronic submissions, but is limited by logistic and
resource constraints. The agency is unaware of ``maintenance records''
that are currently explicitly required to be in paper form (explicit
mention of paper is generally unnecessary because, at the time most
regulations were prepared, only paper-based technologies were in use)
but is providing for that possibility in the future. For purposes of
part 11, the agency will not consider that a regulation requires
``maintenance'' records to be in paper form where the regulation is
silent on the form the record must take. FDA believes that the
comments' suggested wording does not offer sufficient advantages to
adopt the change.
However, to enable FDA to accept as many electronic submissions as
possible, the agency is amending Sec. 11.1(b) to include those
submissions that the act and the PHS Act specifically require, even
though such submissions may not be identified in agency regulations. An
example of such records is premarket submissions for Class I and Class
II medical devices, required by section 510(k) of the act (21 U.S.C.
360(k)).
30. Several comments addressed various aspects of the proposed
requirement under Sec. 11.1(e) regarding FDA inspection of electronic
record systems. Several comments objected to the proposal as being too
broad and going beyond the agency's legal inspectional authority. One
comment stated that access inferred by such inspection may include
proprietary financial and sales data to which FDA is not entitled.
Another comment suggested adding the word ``authorized'' before
``inspection.'' Some comments suggested revising proposed Sec. 11.1(e)
to limit FDA inspection only to the electronic records and electronic
signatures themselves, thus excluding inspection of hardware and
software used to manage those records and signatures. Other comments
interpreted proposed Sec. 11.1(e) as requiring them to keep supplanted
or retired hardware and software to enable FDA inspection of those
outdated systems.
The agency advises that FDA inspections under part 11 are subject
to the same legal limitations as FDA inspections under other
regulations. The agency does not believe it is necessary to restate
that limitation by use of the suggested wording. However, within those
limitations, it may be necessary to inspect hardware and software used
to generate and maintain electronic records to determine if the
provisions of part 11 are being met. Inspection of resulting records
alone would be insufficient. For example, the agency may need to
observe the use and maintenance of tokens or devices that contain or
generate identification information. Likewise, to assess the adequacy
of systems validation, it is generally necessary to inspect hardware
that is being used to determine, among other things, if it matches the
system documentation description of such hardware. The agency has
concluded that hardware and software used to generate and maintain
electronic records and signatures are ``pertinent
[[Page 13439]]
equipment'' within the meaning of section 704 of the act (21 U.S.C.
374).
The agency does not expect persons to maintain obsolete and
supplanted computer systems for the sole purpose of enabling FDA
inspection. However, the agency does expect firms to maintain and have
available for inspection documentation relevant to those systems, in
terms of compliance with part 11, for as long as the electronic records
are required by other relevant regulations. Persons should also be
mindful of the need to keep appropriate computer systems that are
capable of reading electronic records for as long as those records must
be retained. In some instances, this may mean retention of otherwise
outdated and supplanted systems, especially where the old records
cannot be converted to a form readable by the newer systems. In most
cases, however, FDA believes that where electronic records are
accurately and completely transcribed from one system to another, it
would not be necessary to maintain older systems.
31. One comment requested that proposed part 11 be revised to give
examples of electronic records subject to FDA inspection, including
pharmaceutical and medical device production records, in order to
reduce the need for questions.
The agency does not believe that it is necessary to include
examples of records it might inspect because the addition of such
examples might raise questions about the agency's intent to inspect
other records that were not identified.
32. One comment said that the regulation should state that certain
security related information, such as private keys attendant to
cryptographic implementation, is not intended to be subject to
inspection, although procedures related to keeping such keys
confidential can be subject to inspection.
The agency would not routinely seek to inspect especially sensitive
information, such as passwords or private keys, attendant to security
systems. However, the agency reserves the right to conduct such
inspections, consistent with statutory limitations, to enforce the
provisions of the act and related statutes. It may be necessary, for
example, in investigating cases of suspected fraud, to access and
determine passwords and private keys, in the same manner as the agency
may obtain specimens of handwritten signatures (``exemplars''). Should
there be any reservations about such inspections, persons may, of
course, change their passwords and private keys after FDA inspection.
33. One comment asked how persons were expected to meet the
proposed requirement, under Sec. 11.1(e), that computer systems be
readily available for inspection when such systems include
geographically dispersed networks. Another comment said FDA
investigators should not be permitted to access industry computer
systems as part of inspections because investigators would be untrained
users.
The agency intends to inspect those parts of electronic record or
signature systems that have a bearing on the trustworthiness and
reliability of electronic records and electronic signatures under part
11. For geographically dispersed systems, inspection at a given
location would extend to operations, procedures, and controls at that
location, along with interaction of that local system with the wider
network. The agency would inspect other locations of the network in a
separate but coordinated manner, much the same way the agency currently
conducts inspections of firms that have multiple facilities in
different parts of the country and outside of the United States.
FDA does not believe it is reasonable to rule out computer system
access as part of an inspection of electronic record or signature
systems. Historically, FDA investigators observe the actions of
establishment employees, and (with the cooperation of establishment
management) sometimes request that those employees perform some of
their assigned tasks to determine the degree of compliance with
established requirements. However, there may be times when FDA
investigators need to access a system directly. The agency is aware
that such access will generally require the cooperation of and, to some
degree, instruction by the firms being inspected. As new, complex
technologies emerge, FDA will need to develop and implement new
inspectional methods in the context of those technologies.
V. Implementation (Sec. 11.2)
34. Proposed Sec. 11.2(a) stated that for ``records required by
chapter I of this title to be maintained, but not submitted to the
agency, persons may use electronic records/signatures in lieu of paper
records/conventional signatures, in whole or in part, * * *.''
Two comments requested clarification of the term ``conventional
signatures.'' One comment suggested that the term ``traditional
signatures'' be used instead. Another suggested rewording in order to
clarify the slash in the phrase ``records/signatures.''
The agency advises that the term ``conventional signature'' means
handwritten signature. The agency agrees that the term ``traditional
signature'' is preferable, and has revised Sec. 11.2(a) and (b)
accordingly. The agency has also clarified proposed Sec. 11.2(a) by
replacing the slash with the word ``or.''
35. One comment asked if the term ``persons'' in proposed
Sec. 11.2(b) would include devices because computer systems frequently
apply digital time stamps on records automatically, without direct
human intervention.
The agency advises that the term ``persons'' excludes devices. The
agency does not consider the application of a time stamp to be the
application of a signature.
36. Proposed Sec. 11.2(b)(2) provides conditions under which
electronic records or signatures could be submitted to the agency in
lieu of paper. One condition is that a document, or part of a document,
must be identified in a public docket as being the type of submission
the agency will accept in electronic form. Two comments addressed the
nature of the submissions to the public docket. One comment asked that
the agency provide specifics, such as the mechanism for updating the
docket and the frequency of such updates. One comment suggested making
the docket available to the public by electronic means. Another comment
suggested that acceptance procedures be uniform among agency units and
that electronic mail be used to hold consultations with the agency. One
comment encouraged the agency units receiving the submissions to work
closely with regulated industry to ensure that no segment of industry
is unduly burdened and that agency guidance is widely accepted.
The agency intends to develop efficient electronic records
acceptance procedures that afford receiving units sufficient
flexibility to deal with submissions according to their capabilities.
Although agencywide uniformity is a laudable objective, to attain such
flexibility it may be necessary to accommodate some differences among
receiving units. The agency considers of primary importance, however,
that all part 11 submissions be trustworthy, reliable, and in keeping
with FDA regulatory activity. The agency expects to work closely with
industry to help ensure that the mechanics and logistics of accepting
electronic submissions do not pose any undue burdens. However, the
agency expects persons to consult with the
[[Page 13440]]
intended receiving units on the technical aspects of the submission,
such as media, method of transmission, file format, archiving needs,
and technical protocols. Such consultations will ensure that
submissions are compatible with the receiving units' capabilities. The
agency has revised proposed Sec. 11.2(b)(2) to clarify this
expectation.
Regarding the public docket, the agency is not at this time
establishing a fixed schedule for updating what types of documents are
acceptable for submission because the agency expects the docket to
change and grow at a rate that cannot be predicted. The agency may,
however, establish a schedule for updating the docket in the future.
The agency agrees that making the docket available electronically is
advisable and will explore this option. Elsewhere in this issue of the
Federal Register, FDA is providing further information on this docket.
VI. Definitions (Sec. 11.3)
37. One comment questioned the incorporation in proposed
Sec. 11.3(a) of definitions under section 201 of the act (21 U.S.C.
321), noting that other FDA regulations (such as 21 CFR parts 807 and
820) lack such incorporation, and suggested that it be deleted.
The agency has retained the incorporation by reference to
definitions under section 201 of the act because those definitions are
applicable to part 11.
38. One comment suggested adding the following definition for the
term ``digital signature:'' ``data appended to, or a cryptographic
transformation of, a data unit that allows a recipient of the data unit
to prove the source and integrity of the data unit and protect against
forgery, e.g., by the recipient.''
The agency agrees that the term digital signature should be defined
and has added new Sec. 11.3(b)(5) to provide a definition for digital
signature that is consistent with the Federal Information Processing
Standard 186, issued May 19, 1995, and effective December 1, 1995, by
the U.S. Department of Commerce, National Institute of Standards and
Technology (NIST). Generally, a digital signature is ``an electronic
signature based upon cryptographic methods of originator
authentication, computed by using a set of rules and a set of
parameters such that the identity of the signer and the integrity of
the data can be verified.'' FDA advises that the set of rules and
parameters is established in each digital signature standard.
39. Several comments suggested various modifications of the
proposed definition of biometric/behavioral links, and suggested
revisions that would exclude typing a password or identification code
which, the comments noted, is a repeatable action. The comments
suggested that actions be unique and measurable to meet the intent of a
biometric method.
The agency agrees that the proposed definition of biometric/
behavioral links should be revised to clarify the agency's intent that
repetitive actions alone, such as typing an identification code and
password, are not considered to be biometric in nature. Because
comments also indicated that it would be preferable to simplify the
term, the agency is changing the term ``biometric/behavioral link'' to
``biometrics.'' Accordingly, Sec. 11.3(b)(3) defines the term
``biometrics'' to mean ``a method of verifying an individual's identity
based on measurement of the individual's physical feature(s) or
repeatable action(s) where those features and/or actions are both
unique to that individual and measurable.''
40. One comment said that the agency should identify what biometric
methods are acceptable to verify a person's identity and what
validation acceptance criteria the agency has used to determine that
biometric technologies are superior to other methods, such as use of
identification codes and passwords.
The agency believes that there is a wide variety of acceptable
technologies, regardless of whether they are based on biometrics, and
regardless of the particular type of biometric mechanism that may be
used. Under part 11, electronic signatures that employ at least two
distinct identification components such as identification codes and
passwords, and electronic signatures based on biometrics are equally
acceptable substitutes for traditional handwritten signatures.
Furthermore, all electronic record systems are subject to the same
requirements of subpart B of part 11 regardless of the electronic
signature technology being used. These provisions include requirements
for validation.
Regarding the comment's suggestion that FDA apply quantitative
acceptance criteria, the agency is not seeking to set specific
numerical standards or statistical performance criteria in determining
the threshold of acceptability for any type of technology. If such
standards were to be set for biometrics-based electronic signatures,
similar numerical performance and reliability requirements would have
to be applied to other technologies as well. The agency advises,
however, that the differences between system controls for biometrics-
based electronic signatures and other electronic signatures are a
result of the premise that biometrics-based electronic signatures, by
their nature, are less prone to be compromised than other methods such
as identification codes and passwords. Should it become evident that
additional controls are warranted for biometrics-based electronic
signatures, the agency will propose to revise part 11 accordingly.
41. Proposed Sec. 11.3(b)(4) defined a closed system as an
environment in which there is communication among multiple persons, and
where system access is restricted to people who are part of the
organization that operates the system.
Many comments requested clarification of the term ``organization''
and stated that the rule should account for persons who, though not
strictly employees of the operating organization, are nonetheless
obligated to it in some manner, or who would otherwise be granted
system access by the operating organization. As examples of such
persons, the comments cited outside contractors, suppliers, temporary
employees, and consultants. The comments suggested a variety of
alternative wording, including a change of emphasis from organizational
membership to organizational control over system access. One comment
requested clarification of whether the rule intends to address specific
disciplines within a company.
Based on the comments, the agency has revised the proposed
definition of closed system to state ``an environment in which system
access is controlled by persons who are responsible for the content of
electronic records that are on the system.'' The agency agrees that the
most important factor in classifying a system as closed or open is
whether the persons responsible for the content of the electronic
records control access to the system containing those records. A system
is closed if access is controlled by persons responsible for the
content of the records. If those persons do not control such access,
then the system is open because the records may be read, modified, or
compromised by others to the possible detriment of the persons
responsible for record content. Hence, those responsible for the
records would need to take appropriate additional measures in an open
system to protect those records from being read, modified, destroyed,
or otherwise compromised by unauthorized and potentially unknown
parties. The agency does not believe it is necessary to codify the
basis or criteria for authorizing system access, such as existence of a
fiduciary
[[Page 13441]]
responsibility or contractual relationship. By being silent on such
criteria, the rule affords maximum flexibility to organizations by
permitting them to determine those criteria for themselves.
42. Concerning the proposed definition of closed system, one
comment suggested adding the words ``or devices'' after ``persons''
because communications may involve nonhuman entities.
The agency does not believe it is necessary to adopt the suggested
revision because the primary intent of the regulation is to address
communication among humans, not devices.
43. One comment suggested defining a closed system in terms of
functional characteristics that include physical access control, having
professionally written and approved procedures with employees and
supervisors trained to follow them, conducting investigations when
abnormalities may have occurred, and being under legal obligation to
the organization responsible for operating the system.
The agency agrees that the functional characteristics cited by the
comment are appropriate for a closed system, but has decided that it is
unnecessary to include them in the definition. The functional
characteristics themselves, however, such as physical access controls,
are expressed as requirements elsewhere in part 11.
44. Two comments said that the agency should regard as closed a
system in which dial-in access via public phone lines is permitted, but
where access is authorized by, and under the control of, the
organization that operates the system.
The agency advises that dial-in access over public phone lines
could be considered part of a closed system where access to the system
that holds the electronic records is under the control of the persons
responsible for the content of those records. The agency cautions,
however, that, where an organization's electronic records are stored on
systems operated by third parties, such as commercial online services,
access would be under control of the third parties and the agency would
regard such a system as being open. The agency also cautions that, by
permitting access to its systems by public phone lines, organizations
lose the added security that results from restricting physical access
to computer terminal and other input devices. In such cases, the agency
believes firms would be prudent to implement additional security
measures above and beyond those controls that the organization would
use if the access device was within its facility and commensurate with
the potential consequences of such unauthorized access. Such additional
controls might include, for example, use of input device checks, caller
identification checks (phone caller identification), call backs, and
security cards.
45. Proposed Sec. 11.3(b)(5) defined electronic record as a
document or writing comprised of any combination of text, graphic
representation, data, audio information, or video information, that is
created, modified, maintained, or transmitted in digital form by a
computer or related system. Many comments suggested revising the
proposed definition to reflect more accurately the nature of electronic
records and how they differ from paper records. Some comments suggested
distinguishing between machine readable records and paper records
created by machine. Some comments noted that the term ``document or
writing'' is inappropriate for electronic records because electronic
records could be any combination of pieces of information assembled
(sometimes on a transient basis) from many noncontiguous places, and
because the term does not accurately describe such electronic
information as raw data or voice mail. Two comments suggested that the
agency adopt definitions of electronic record that were established,
respectively, by the United Nations Commission on International Trade
Law (UNCITRAL) Working Group on Electronic Data Interchange, and the
American National Standards Institute/Institute of Electrical and
Electronic Engineers Software Engineering (ANSI/IEEE) Standard (729-
1983).
The agency agrees with the suggested revisions and has revised the
definition of ``electronic record'' to emphasize this unique nature and
to clarify that the agency does not regard a paper record to be an
electronic record simply because it was created by a computer system.
The agency has removed ``document or writing'' from this definition and
elsewhere in part 11 for the sake of clarity, simplicity, and
consistency.
However, the agency believes it is preferable to adapt or modify
the words ``document'' and ``writing'' to electronic technologies
rather than discard them entirely from the lexicon of computer
technology. The agency is aware that the terms ``document'' and
``electronic document'' are used in contexts that clearly do not intend
to describe paper. Therefore, the agency considers the terms
``electronic record'' and ``electronic document'' to be generally
synonymous and may use the terms ``writing,'' ``electronic document,''
or ``document'' in other publications to describe records in electronic
form. The agency believes that such usage is a prudent conservation of
language and is consistent with the use of other terms and expressions
that have roots in older technologies, but have nonetheless been
adapted to newer technologies. Such terms include telephone
``dialing,'' internal combustion engine ``horse power,'' electric light
luminance expressed as ``foot candles,'' and (more relevant to computer
technology) execution of a ``carriage return.''
Accordingly, the agency has revised the definition of electronic
record to mean ``any combination of text, graphics, data, audio,
pictorial, or other information representation in digital form that is
created, modified, maintained, archived, retrieved, or distributed by a
computer system.''
46. Proposed Sec. 11.3(b)(6) defined an electronic signature as the
entry in the form of a magnetic impulse or other form of computer data
compilation of any symbol or series of symbols, executed, adopted or
authorized by a person to be the legally binding equivalent of the
person's handwritten signature. One comment supported the definition as
proposed, noting its consistency with dictionary definitions (Random
House Dictionary of the English Language, Unabridged Ed. 1983, and
American Heritage Dictionary, 1982). Several other comments, however,
suggested revisions. One comment suggested replacing ``electronic
signature'' with ``computer based signature,'' ``authentication,'' or
``computer based authentication'' because ``electronic signature'' is
imprecise and lacks clear and recognized meaning in the information
security and legal professions. The comment suggested a definition
closer to the UNCITRAL draft definition:
(1) [a] method used to identify the originator of the data
message and to indicate the originator's approval of the information
contained therein; and (2) that method is as reliable as was
appropriate for the purpose for which the data message was generated
or communicated, in the light of all circumstances, including any
agreement between the originator and the addressee of the data
message.
One comment suggested replacing ``electronic signature'' with
``electronic identification'' or ``electronic authorization'' because
the terms include many types of technologies that are not easily
distinguishable and because the preamble to the proposed rule gave a
rationale for using ``electronic signature'' that was too ``esoteric
for practical consideration.''
[[Page 13442]]
The agency disagrees that ``electronic signature'' as proposed
should be replaced with other terms and definitions. As noted in the
preamble to the proposed rule, the agency believes that it is vital to
retain the word ``signature'' to maintain the equivalence and
significance of various electronic technologies with the traditional
handwritten signature. By not using the word ``signature,'' people may
treat the electronic alternatives as less important, less binding, and
less in need of controls to prevent falsification. The agency also
believes that use of the word signature provides a logical bridge
between paper and electronic technologies that facilitates the general
transition from paper to electronic environments. The term helps people
comply with current FDA regulations that specifically call for
signatures. Nor does the agency agree that this reasoning is beyond the
reach of practical consideration.
The agency declines to accept the suggested UNCITRAL definition
because it is too narrow in context in that there is not always a
specified message addressee for electronic records required by FDA
regulations (e.g., a batch production record does not have a specific
``addressee'').
47. Concerning the proposed definition of ``electronic signature,''
other comments suggested deletion of the term ``magnetic impulse'' to
render the term media neutral and thus allow for such alternatives as
an optical disk. Comments also suggested that the term ``entry'' was
unclear and recommended its deletion. Two comments suggested revisions
that would classify symbols as an electronic signature only when they
are committed to permanent storage because not every computer entry is
a signature and processing to permanent storage must occur to indicate
completion of processing.
The agency advises that the proposal did not limit electronic
signature recordings to ``magnetic impulse'' because the proposed
definition added, ``or other form of computer data * * *.'' However, in
keeping with the agency's intent to accept a broad range of
technologies, the terms ``magnetic impulse'' and ``entry'' have been
removed from the proposed definition. The agency believes that
recording of computer data to ``permanent'' storage is not a necessary
or warranted qualifier because it is not relevant to the concept of
equivalence to a handwritten signature. In addition, use of the
qualifier regarding permanent storage could impede detection of
falsified records if, for example, the signed falsified record was
deleted after a predetermined period (thus, technically not recorded to
``permanent'' storage). An individual could disavow a signature because
the record had ceased to exist.
For consistency with the proposed definition of handwritten
signature, and to clarify that electronic signatures are those of
individual human beings, and not those of organizations (as included in
the act's definition of ``person''), FDA is changing ``person'' to
``individual'' in the final rule.
Accordingly, Sec. 11.3(b)(7) defines electronic signature as a
computer data compilation of any symbol or series of symbols executed,
adopted, or authorized by an individual to be the legally binding
equivalent of the individual's handwritten signature.
48. Proposed Sec. 11.3(b)(7) (redesignated Sec. 11.3(b)(8) in the
final rule) defined ``handwritten signature'' as the name of an
individual, handwritten in script by that individual, executed or
adopted with the present intention to authenticate a writing in a
permanent form. The act of signing with a writing or marking instrument
such as a pen or stylus is preserved. The proposed definition also
stated that the scripted name, while conventionally applied to paper,
may also be applied to other devices which capture the written name.
Many comments addressed this proposed definition. Two comments
suggested that it be deleted on the grounds it is redundant and that,
when handwritten signatures are recorded electronically, the result
fits the definition of electronic signature.
The agency disagrees that the definition of handwritten signature
should be deleted. In stating the criteria under which electronic
signatures may be used in place of traditional handwritten signatures,
the agency believes it is necessary to define handwritten signature. In
addition, the agency believes that it is necessary to distinguish
handwritten signatures from electronic signatures because, with
handwritten signatures, the traditional act of signing one's name is
preserved. Although the handwritten signature recorded electronically
and electronic signatures, as defined in part 11, may both ultimately
result in magnetic impulses or other forms of computerized symbol
representations, the means of achieving those recordings and, more
importantly, the controls needed to ensure their reliability and
trustworthiness are quite different. In addition, the agency believes
that a definition for handwritten signature is warranted to accommodate
persons who wish to implement record systems that are combinations of
paper and electronic technologies.
49. Several comments suggested replacing the reference to
``scripted name'' in the proposed definition of handwritten signature
with ``legal mark'' so as to accommodate individuals who are physically
unable to write their names in script. The comments asserted that the
term ``legal mark'' would bring the definition to closer agreement with
generally recognized legal interpretations of signature.
The agency agrees and has added the term ``legal mark'' to the
definition of handwritten signature.
50. One comment recommended that the regulation state that, when
the handwritten signature is not the result of the act of signing with
a writing or marking instrument, but is applied to another device that
captures the written name, a system should verify that the owner of the
signature has authorized the use of the handwritten signature.
The agency declines to accept this comment because, if the act of
signing or marking is not preserved, the type of signature would not be
considered a handwritten signature. The comment appears to be referring
to instances in which one person authorizes someone else to use his or
her stamp or device. The agency views this as inappropriate when the
signed record does not clearly show that the stamp owner did not
actually execute the signature. As discussed elsewhere in this
preamble, the agency believes that where one person authorizes another
to sign a document on his or her behalf, the second person must sign
his or her own name (not the name of the first person) along with some
notation that, in doing so, he or she is acting in the capacity, or on
behalf, of the first person.
51. One comment suggested that where handwritten signatures are
captured by devices, there should be a register of manually written
signatures to enable comparison for authenticity and the register also
include the typed names of individuals.
The agency agrees that the practice of establishing a signature
register has merit, but does not believe that it is necessary, in light
of other part 11 controls. As noted elsewhere in this preamble (in the
discussion of proposed Sec. 11.50), the agency agrees that human
readable displays of electronic records must display the name of the
signer.
52. Several comments suggested various editorial changes to the
proposed definition of handwritten signature including: (1) Changing
the word ``also'' in the last sentence to ``alternatively,'' (2)
clarifying the
[[Page 13443]]
difference between the words ``individual'' and ``person,'' (3)
deleting the words ``in a permanent form,'' and (4) changing
``preserved'' to ``permitted.'' One comment asserted that the last
sentence of the proposed definition was unnecessary.
The agency has revised the definition of handwritten signature to
clarify its intent and to keep the regulation as flexible as possible.
The agency believes that the last sentence of the proposed definition
is needed to address devices that capture handwritten signatures. The
agency is not adopting the suggestion that the word ``preserved'' be
changed to ``permitted'' because ``preserved'' more accurately states
the agency's intent and is a qualifier to help distinguish handwritten
signatures from others. The agency advises that the word ``individual''
is used, rather than ``person,'' because the act's definition of person
extends beyond individual human beings to companies and partnerships.
The agency has retained the term ``permanent'' to discourage the use of
pencils, but recognizes that ``permanent'' does not mean eternal.
53. One comment asked whether a signature that is first handwritten
and then captured electronically (e.g., by scanning) is an electronic
signature or a handwritten signature, and asked how a handwritten
signature captured electronically (e.g., by using a stylus-sensing pad
device) that is affixed to a paper copy of an electronic record would
be classified.
FDA advises that when the act of signing with a stylus, for
example, is preserved, even when applied to an electronic device, the
result is a handwritten signature. The subsequent printout of the
signature on paper would not change the classification of the original
method used to execute the signature.
54. One comment asserted that a handwritten signature recorded
electronically should be considered to be an electronic signature,
based on the medium used to capture the signature. The comment argued
that the word signature should be limited to paper technology.
The agency disagrees and believes it is important to classify a
signature as handwritten based upon the preserved action of signing
with a stylus or other writing instrument.
55. One comment asked if the definition of handwritten signature
encompasses handwritten initials.
The agency advises that, as revised, the definition of handwritten
signature includes handwritten initials if the initials constitute the
legal mark executed or adopted with the present intention to
authenticate a writing in a permanent form, and where the method of
recording such initials involves the act of writing with a pen or
stylus.
56. Proposed Sec. 11.3(b)(8) (redesignated as Sec. 11.3(b)(9) in
the final rule) defined an open system as an environment in which there
is electronic communication among multiple persons, where system access
extends to people who are not part of the organization that operates
the system.
Several comments suggested that, for simplicity, the agency define
``open system'' as any system that does not meet the definition of a
closed system. One comment suggested that the definition be deleted on
the grounds it is redundant, and that it is the responsibility of
individual firms to take appropriate steps to ensure the validity and
security of applications and information, regardless of whether systems
are open or closed. Other comments suggested definitions of ``open
system'' that were opposite to what they suggested for a closed system.
The agency has revised the definition of open system to mean ``an
environment in which system access is not controlled by persons who are
responsible for the content of electronic records that are on the
system.'' The agency believes that, for clarity, the definition should
stand on its own rather than as any system that is not closed. The
agency rejects the suggestion that the term need not be defined at all
because FDA believes that controls for open systems merit distinct
provisions in part 11 and defining the term is basic to understanding
which requirements apply to a given system. The agency agrees that
companies have the responsibility to take steps to ensure the validity
and security of their applications and information. However, FDA finds
it necessary to establish part 11 as minimal requirements to help
ensure that those steps are, in fact, acceptable.
VII. Electronic Records--Controls for Closed Systems (Sec. 11.10)
The introductory paragraph of proposed Sec. 11.10 states that:
Closed systems used to create, modify, maintain, or transmit
electronic records shall employ procedures and controls designed to
ensure the authenticity, integrity, and confidentiality of
electronic records, and to ensure that the signer cannot readily
repudiate the signed record as not genuine. * * *
The rest of the section lists specific procedures and controls.
57. One comment expressed full support for the list of proposed
controls, calling them generally appropriate and stated that the agency
is correctly accommodating the fluid nature of various electronic
record and electronic signature technologies. Another comment, however,
suggested that controls should not be implemented at the time
electronic records are first created, but rather only after a document
is accepted by a company.
The agency disagrees with this suggestion. To ignore such controls
at a stage before official acceptance risks compromising the record.
For example, if ``preacceptance'' records are signed by technical
personnel, it is vital to ensure the integrity of their electronic
signatures to prevent record alteration. The need for such integrity is
no less important at preacceptance stages than at later stages when
managers officially accept the records. The possibility exists that
some might seek to disavow, or avoid FDA examination of, pertinent
records by declaring they had not been formally ``accepted.'' In
addition, FDA routinely can and does inspect evolving paper documents
(e.g., standard operating procedures and validation protocols) even
though they have yet to receive a firm's final acceptance.
58. One comment said proposed Sec. 11.10 contained insufficient
requirements for firms to conduct periodic inspection and monitoring of
their own systems and procedures to ensure compliance with the
regulations. The comment also called for a clear identification of the
personnel in a firm who would be responsible for system implementation,
operation, change control, and monitoring.
The agency does not believe it is necessary at this time to codify
a self-auditing requirement, as suggested by the comment. Rather, the
agency intends to afford organizations flexibility in establishing
their own internal mechanisms to ensure compliance with part 11. Self-
audits, however, may be considered as a general control, within the
context of the introductory paragraph of Sec. 11.10. The agency
encourages firms to conduct such audits periodically as part of an
overall approach to ensure compliance with FDA regulations generally.
Likewise, the agency does not believe it is necessary or practical to
codify which individuals in an organization should be responsible for
compliance with various provisions of part 11. However, ultimate
responsibility for part 11 will generally rest with persons responsible
for electronic record content, just as responsibility for compliance
with paper record requirements generally lies with those responsible
for the record's content.
[[Page 13444]]
59. Several comments interpreted proposed Sec. 11.10 as applying
all procedures and controls to closed systems and suggested revising it
to permit firms to apply only those procedures and controls they deem
necessary for their own operations, because some requirements are
excessive in some cases.
The agency advises that, where a given procedure or control is not
intended to apply in all cases, the language of the rule so indicates.
Specifically, use of operational checks (Sec. 11.10(f)) and device
checks (Sec. 11.10(h)) is not required in all cases. The remaining
requirements do apply in all cases and are, in the agency's opinion,
the minimum needed to ensure the trustworthiness and reliability of
electronic record systems. In addition, certain controls that firms
deem adequate for their routine internal operations might nonetheless
leave records vulnerable to manipulation and, thus, may be incompatible
with FDA's responsibility to protect public health. The suggested
revision would effectively permit firms to implement various controls
selectively and possibly shield records from FDA, employ unqualified
personnel, or permit employees to evade responsibility for fraudulent
use of their electronic signatures.
The agency believes that the controls in Sec. 11.10 are vital, and
notes that almost all of them were suggested by comments on the ANPRM.
The agency believes the wording of the regulation nonetheless permits
firms maximum flexibility in how to meet those requirements.
60. Two comments suggested that the word ``confidentiality'' in the
introductory paragraph of proposed Sec. 11.10 be deleted because it is
unnecessary and inappropriate. The comments stated that firms should
determine if certain records need to be confidential, and that as long
as records could not be altered or deleted without appropriate
authority, it would not matter whether they could read the records.
The agency agrees that not all records required by FDA need to be
kept confidential within a closed system and has revised the reference
in the introductory paragraph of Sec. 11.10 to state ``* * * and, when
appropriate, the confidentiality of electronic records.'' The agency
believes, however that the need for retaining the confidentiality of
certain records is not diminished because viewers cannot change them.
It may be prudent for persons to carefully assess the need for record
confidentiality. (See, e.g., 21 CFR 1002.42, Confidentiality of records
furnished by dealers and distributors, with respect to certain
radiological health products.) In addition, FDA's obligation to retain
the confidentiality of information it receives in some submissions
hinges on the degree to which the submitter maintains confidentiality,
even within its own organization. (See, e.g., 21 CFR 720.8(b) with
respect to cosmetic ingredient information in voluntary filings of
cosmetic product ingredient and cosmetic raw material composition
statements.)
61. One comment asked if the procedures and controls required by
proposed Sec. 11.10 were to be built into software or if they could
exist in written form.
The agency expects that, by their nature, some procedures and
controls, such as use of time-stamped audit trails and operational
checks, will be built into hardware and software. Others, such as
validation and determination of personnel qualifications, may be
implemented in any appropriate manner regardless of whether the
mechanisms are driven by, or are external to, software or hardware. To
clarify this intent, the agency has revised the introductory paragraph
of proposed Sec. 11.10 to read, in part, ``Persons who use closed
systems to create, modify * * *.'' Likewise, for clarity and
consistency, the agency is introducing the same phrase, ``persons who
use * * *'' in Secs. 11.30 and 11.300.
62. One comment contended that the distinction between open and
closed systems should not be predominant because a $100,000 transaction
in a closed system should not have fewer controls than a $1 transaction
in an open system.
The agency believes that, within part 11, firms have the
flexibility they need to adjust the extent and stringency of controls
based on any factors they choose, including the economic value of the
transaction. The agency does not believe it is necessary to modify part
11 at this time so as to add economic criteria.
63. One comment suggested that the reference to repudiation in the
introductory paragraph of Sec. 11.10 should be deleted because
repudiation can occur at any time in legal proceedings. Another
comment, noting that the proposed rule appeared to address only
nonrepudiation of a signer, said the rule should address nonrepudiation
of record ``genuineness'' or extend to nonrepudiation of submission,
delivery, and receipt. The comment stated that some firms provide
nonrepudiation services that can prevent someone from successfully
claiming that a record has been altered.
In response to the first comment, the agency does not agree that
the reference to repudiation should be deleted because reducing the
likelihood that someone can readily repudiate an electronic signature
as not his or her own, or that the signed record had been altered, is
vital to the agency's basic acceptance of electronic signatures. The
agency is aware that the need to deter such repudiation has been
addressed in many forums and publications that discuss electronic
signatures. Absent adequate controls, FDA believes some people would be
more likely to repudiate an electronically-signed record because of the
relative ease with which electronic records may be altered and the ease
with which one individual could impersonate another. The agency notes,
however, that the rule does not call for nonrepudiation as an absolute
guarantee, but requires that the signer cannot ``readily'' repudiate
the signature.
In response to the second comment, the agency agrees that it is
also important to establish nonrepudiation of submission, delivery, and
receipt of electronic records, but advises that, for purposes of
Sec. 11.10, the agency's intent is to limit nonrepudiation to the
genuineness of the signer's record. In other words, an individual
should not be able to readily say that: (1) He or she did not, in fact,
sign the record; (2) a given electronic record containing the
individual's signature was not, in fact, the record that the person
signed; or (3) the originally signed electronic record had been altered
after having been signed.
64. Proposed Sec. 11.10(a) states that controls for closed systems
are to include the validation of systems to ensure accuracy,
reliability, consistent intended performance, and the ability to
conclusively discern invalid or altered records.
Many comments objected to this proposed requirement because the
word ``conclusively'' inferred an unreasonably high and unattainable
standard, one which is not applied to paper records.
The agency intends to apply the same validation concepts and
standards to electronic record and electronic signature systems as it
does to paper systems. As such, FDA does not intend the word
``conclusively'' to suggest an unattainable absolute and has,
therefore, deleted the word from the final rule.
65. One comment suggested qualifying the proposed validation
requirement in Sec. 11.10(a) to state that validation be performed
``where
[[Page 13445]]
necessary'' and argued that validation of commercially available
software is not necessary because such software has already been
thoroughly validated. The comment acknowledged that validation may be
required for application programs written by manufacturers and others
for special needs.
The agency disagrees with the comment's claim that all commercial
software has been validated. The agency believes that commercial
availability is no guarantee that software has undergone ``thorough
validation'' and is unaware of any regulatory entity that has
jurisdiction over general purpose software producers. The agency notes
that, in general, commercial software packages are accompanied not by
statements of suitability or compliance with established standards, but
rather by disclaimers as to their fitness for use. The agency is aware
of the complex and sometimes controversial issues in validating
commercial software. However, the need to validate such software is not
diminished by the fact that it was not written by those who will use
the software.
In the future, the agency may provide guidance on validation of
commercial software used in electronic record systems. FDA has
addressed the matter of software validation in general in such
documents as the ``Draft Guideline for the Validation of Blood
Establishment Computer Systems,'' which is available from the
Manufacturers Assistance and Communications Staff, Center for Biologics
Evaluation and Research (HFM-42), Food and Drug Administration, 1401
Rockville Pike, Rockville, MD 20852-1448, 301-594-2000. This guideline
is also available by sending e-mail to the following Internet address:
[email protected]). For the purposes of part 11, however, the
agency believes it is vital to retain the validation requirement.
66. One comment requested an explanation of what was meant by the
phrase ``consistent intended'' in proposed Sec. 11.10(a) and why
``consistent performance'' was not used instead. The comment suggested
that the rule should distinguish consistent intended performance from
well-recognized service ``availability.''
The agency advises that the phrase ``consistent intended
performance'' relates to the general principle of validation that
planned and expected performance is based upon predetermined design
specifications (hence, ``intended''). This concept is in accord with
the agency's 1987 ``Guideline on General Principles of Process
Validation,'' which is available from the Division of Manufacturing and
Product Quality, Center for Drug Evaluation and Research (HFD-320),
Food and Drug Administration, 7520 Standish Pl., Rockville, MD 20855,
301-594-0093). This guideline defines validation as establishing
documented evidence that provides a high degree of assurance that a
specific process will consistently produce a product meeting its
predetermined specifications and quality attributes. The agency
believes that the comment's concepts are accommodated by this
definition to the extent that system ``availability'' may be one of the
predetermined specifications or quality attributes.
67. One comment said the rule should indicate whether validation of
systems does, or should, require any certification or accreditation.
The agency believes that although certification or accreditation
may be a part of validation of some systems, such certification or
accreditation is not necessary in all cases, outside of the context of
any such approvals within an organization itself. Therefore, part 11 is
silent on the matter.
68. One comment said the rule should clarify whether system
validation should be capable of discerning the absence of electronic
records, in light of agency concerns about falsification. The comment
added that the agency's concerns regarding invalid or altered records
can be mitigated by use of cryptographically enhanced methods,
including secure time and date stamping.
The agency does not believe that it is necessary at this time to
include an explicit requirement that systems be capable of detecting
the absence of records. The agency advises that the requirement in
Sec. 11.10(e) for audit trails of operator actions would cover those
actions intended to delete records. Thus, the agency would expect firms
to document such deletions, and would expect the audit trail mechanisms
to be included in the validation of the electronic records system.
69. Proposed Sec. 11.10(b) states that controls for closed systems
must include the ability to generate true copies of records in both
human readable and electronic form suitable for inspection, review, and
copying by the agency, and that if there were any questions regarding
the ability of the agency to perform such review and copying, persons
should contact the agency.
Several comments objected to the requirement for ``true'' copies of
electronic records. The comments asserted that information in an
original record (as may be contained in a database) may be presented in
a copy in a different format that may be more usable. The comments
concluded that, to generate precise ``true'' copies of electronic
records, firms may have to retain the hardware and software that had
been used to create those records in the first place (even when such
hardware and software had been replaced by newer systems). The comments
pointed out that firms may have to provide FDA with the application
logic for ``true'' copies, and that this may violate copyright
provisions. One comment illustrated the difference between ``true''
copies and other equally reliable, but not exact, copies of electronic
records by noting that pages from FDA's paper publications (such as the
CFR and the Compliance Policy Guidance Manual) look quite different
from electronic copies posted to FDA's bulletin board. The comments
suggested different wording that would effectively require accurate and
complete copies, but not necessarily ``true'' copies.
The agency agrees that providing exact copies of electronic records
in the strictest meaning of the word ``true'' may not always be
feasible. The agency nonetheless believes it is vital that copies of
electronic records provided to FDA be accurate and complete.
Accordingly, in Sec. 11.10(b), ``true'' has been replaced with
``accurate and complete.'' The agency expects that this revision should
obviate the potential problems noted in the comments. The revision
should also reduce the costs of providing copies by making clear that
firms need not maintain obsolete equipment in order to make copies that
are ``true'' with respect to format and computer system.
70. Many comments objected to the proposed requirement that systems
be capable of generating electronic copies of electronic records for
FDA inspection and copying, although they generally agreed that it was
appropriate to provide FDA with readable paper copies. Alternative
wording was suggested that would make providing electronic copies
optional, such that persons could provide FDA with nothing but paper
copies if they so wished. The comments argued that providing FDA with
electronic copies was unnecessary, unjustified, not practical
considering the different types of computer systems that may be in use,
and would unfairly limit firms in their selection of hardware and
software if they could only use systems that matched FDA's capabilities
(capabilities which, it was argued, would not be uniform throughout the
United States). One comment suggested that the rule specify
[[Page 13446]]
a particular format, such as ASCII, for electronic copies to FDA.
The agency disagrees with the assertion that FDA need only be
provided with paper copies of electronic records. To operate
effectively, the agency must function on the same technological plane
as the industries it regulates. Just as firms realize efficiencies and
benefits in the use of electronic records, FDA should be able to
conduct audits efficiently and thoroughly using the same technology.
For example, where firms perform computerized trend analyses of
electronic records to improve their processes, FDA should be able to
use computerized methods to audit electronic records (on site and off,
as necessary) to detect trends, inconsistencies, and potential problem
areas. If FDA is restricted to reviewing only paper copies of those
records, the results would severely impede its operations. Inspections
would take longer to complete, resulting in delays in approvals of new
medical products, and expenditure of additional resources both by FDA
(in performing the inspections and transcribing paper records to
electronic format) and by the inspected firms, which would generate the
paper copies and respond to questions during the resulting lengthened
inspections.
The agency believes that it also may be necessary to require that
persons furnish certain electronic copies of electronic records to FDA
because paper copies may not be accurate and complete if they lack
certain audit trail (metadata) information. Such information may have a
direct bearing on record trustworthiness and reliability. These data
could include information, for example, on when certain items of
electronic mail were sent and received.
The agency notes that people who use different computer systems
routinely provide each other with electronic copies of electronic
records, and there are many current and developing tools to enable such
sharing. For example, at a basic level, records may be created in, or
transferred to, the ASCII format. Many different commercial programs
have the capability to import from, and export to, electronic records
having different formats. Firms use electronic data interchange
(commonly known as EDI) and agreed upon transaction set formats to
enable them to exchange copies of electronic records effectively. Third
parties are also developing portable document formats to enable
conversion among several diverse formats.
Concerning the ability of FDA to handle different formats of
electronic records, based upon the emergence of format conversion tools
such as those mentioned above, the agency's experience with electronic
submissions such as computer assisted new drug applications (commonly
known as CANDA's), and the agency's planned Submissions Management and
Review Tracking System (commonly known as SMART), FDA is confident that
it can work with firms to minimize any formatting difficulties. In
addition, substitution of the words ``accurate and complete'' for
``true,'' as discussed in comment 69, should make it easier for firms
to provide FDA with electronic copies of their electronic records. FDA
does not believe it is necessary to specify any particular format in
part 11 because it prefers, at this time, to afford industry and the
agency more flexibility in deciding which formats meet the capabilities
of all parties. Accordingly, the agency has revised proposed
Sec. 11.10(b) to read:
The ability to generate accurate and complete copies of records
in both human readable and electronic form suitable for inspection,
review, and copying by the agency. Persons should contact the agency
if there are any questions regarding the ability of the agency to
perform such review and copying of the electronic records.
71. Proposed Sec. 11.10(c) states that procedures and controls for
closed systems must include the protection of records to enable their
accurate and ready retrieval throughout the records retention period.
One firm commented that, because it replaces systems often (about
every 3 years), it may have to retain supplanted systems to meet these
requirements. Another comment suggested that the rule be modified to
require records retention only for as long as ``legally mandated.''
The agency notes that, as discussed in comment 70 of this document,
persons would not necessarily have to retain supplanted hardware and
software systems provided they implemented conversion capabilities when
switching to replacement technologies. The agency does not believe it
is necessary to add the qualifier ``legally mandated'' because the
retention period for a given record will generally be established by
the regulation that requires the record. Where the regulations do not
specify a given time, the agency would expect firms to establish their
own retention periods. Regardless of the basis for the retention
period, FDA believes that the requirement that a given electronic
record be protected to permit it to be accurately and readily retrieved
for as long as it is kept is reasonable and necessary.
72. Proposed Sec. 11.10(e) would require the use of time-stamped
audit trails to document record changes, all write-to-file operations,
and to independently record the date and time of operator entries and
actions. Record changes must not obscure previously recorded
information and such audit trail documentation must be retained for a
period at least as long as required for the subject electronic
documents and must be available for agency review and copying.
Many comments objected to the proposed requirement that all write-
to-file operations be documented in the audit trail because it is
unnecessary to document all such operations. The comments said that
this would require audit trails for such automated recordings as those
made to internal buffers, data swap files, or temporary files created
by word processing programs. The comments suggested revising
Sec. 11.10(e) to require audit trails only for operator entries and
actions.
Other comments suggested that audit trails should cover: (1)
Operator data inputs but not actions, (2) only operator changes to
records, (3) only critical write-to-file information, (4) operator
changes as well as all actions, (5) only new entries, (6) only systems
where data can be altered, (7) only information recorded by humans, (8)
information recorded by both humans and devices, and (9) only entries
made upon adoption of the records as official. One comment said audit
trails should not be required for data acquisition systems, while
another comment said audit trails are critical for data acquisition
systems.
It is the agency's intent that the audit trail provide a record of
essentially who did what, wrote what, and when. The write-to-file
operations referenced in the proposed rule were not intended to cover
the kind of ``background'' nonhuman recordings the comments identified.
The agency considers such operator actions as activating a
manufacturing sequence or turning off an alarm to warrant the same
audit trail coverage as operator data entries in order to document a
thorough history of events and those responsible for such events.
Although FDA acknowledges that not every operator ``action,'' such as
switching among screen displays, need be covered by audit trails, the
agency is concerned that revising the rule to cover only ``critical''
operations would result in excluding much information and actions that
are necessary to document events thoroughly.
[[Page 13447]]
The agency believes that, in general, the kinds of operator actions
that need to be covered by an audit trail are those important enough to
memorialize in the electronic record itself. These are actions which,
for the most part, would be recorded in corresponding paper records
according to existing recordkeeping requirements.
The agency intends that the audit trail capture operator actions
(e.g., a command to open a valve) at the time they occur, and operator
information (e.g., data entry) at the time the information is saved to
the recording media (such as disk or tape), in much the same manner as
such actions and information are memorialized on paper. The audit trail
need not capture every keystroke and mistake that is held in a
temporary buffer before those commitments. For example, where an
operator records the lot number of an ingredient by typing the lot
number, followed by the ``return key'' (where pressing the return key
would cause the information to be saved to a disk file), the audit
trail need not record every ``backspace delete'' key the operator may
have previously pressed to correct a typing error. Subsequent ``saved''
corrections made after such a commitment, however, must be part of the
audit trail.
At this time, the agency's primary concern relates to the integrity
of human actions. Should the agency's experience with part 11
demonstrate a need to require audit trails of device operations and
entries, the agency will propose appropriate revisions to these
regulations. Accordingly, the agency has revised proposed Sec. 11.10(e)
by removing reference to all write-to-file operations and clarifying
that the audit trail is to cover operator entries and actions that
create, modify, or delete electronic records.
73. A number of comments questioned whether proposed Sec. 11.10(e)
mandated that the audit trail be part of the electronic record itself
or be kept as a separate record. Some comments interpreted the word
``independently'' as requiring a separate record. Several comments
focused on the question of whether audit trails should be generated
manually under operator control or automatically without operator
control. One comment suggested a revision that would require audit
trails to be generated by computer, because the system, not the
operator, should record the audit trail. Other comments said the rule
should facilitate date and time recording by software, not operators,
and that the qualifier ``securely'' be added to the language describing
the audit trail. One comment, noting that audit trails require
validation and qualification to ensure that time stamps are accurate
and independent, suggested that audit trails be required only when
operator actions are witnessed.
The agency advises that audit trail information may be contained as
part of the electronic record itself or as a separate record. FDA does
not intend to require one method over the other. The word
``independently'' is intended to require that the audit trail not be
under the control of the operator and, to prevent ready alteration,
that it be created independently of the operator.
To maintain audit trail integrity, the agency believes it is vital
that the audit trail be created by the computer system independently of
operators. The agency believes it would defeat the purpose of audit
trails to permit operators to write or change them. The agency believes
that, at this time, the source of such independent audit trails may
effectively be within the organization that creates the electronic
record. However, the agency is aware of a situation under which time
and date stamps are provided by trusted third parties outside of the
creating organization. These third parties provide, in effect, a public
electronic notary service. FDA will monitor development of such
services in light of part 11 to determine if a requirement for such
third party services should be included in these regulations. For now,
the agency considers the advent of such services as recognition of the
need for strict objectivity in recording time and date stamps.
The agency disagrees with the premise that only witnessed operator
actions need be covered by audit trails because the opportunities for
record falsification are not limited to cases where operator actions
are witnessed. Also, the need for validating audit trails does not
diminish the need for their implementation.
FDA agrees with the suggestion that the proposed rule be revised to
require a secure audit trail--a concept inherent in having such a
control at all. Accordingly, proposed Sec. 11.10(e) has been revised to
require use of ``secure, computer-generated'' audit trails.
74. A few comments objected to the requirement that time be
recorded, in addition to dates, and suggested that time be recorded
only when necessary and feasible. Other comments specifically supported
the requirement for recording time, noting that time stamps make
electronic signatures less vulnerable to fraud and abuse. The comments
noted that, in any setting, there is a need to identify the date, time,
and person responsible for adding to or changing a value. One of the
comments suggested that the rule require recording the reason for
making changes to electronic records. Other comments implicitly
supported recording time.
FDA believes that recording time is a critical element in
documenting a sequence of events. Within a given day a number of events
and operator actions may take place, and without recording time,
documentation of those events would be incomplete. For example, without
time stamps, it may be nearly impossible to determine such important
sequencing as document approvals and revisions and the addition of
ingredients in drug production. Thus, the element of time becomes vital
to establishing an electronic record's trustworthiness and reliability.
The agency notes that comments on the ANPRM frequently identified
use of date/time stamps as an important system control. Time recording,
in the agency's view, can also be an effective deterrent to records
falsification. For example, event sequence codes alone would not
necessarily document true time in a series of events, making
falsification of that sequence easier if time stamps are not used. The
agency believes it should be very easy for firms to implement time
stamps because there is a clock in every computer and document
management software, electronic mail systems and other electronic
record/electronic applications, such as digital signature programs,
commonly apply date and time stamps. The agency does not intend that
new technologies, such as cryptographic technologies, will be needed to
comply with this requirement. The agency believes that implementation
of time stamps should be feasible in virtually all computer systems
because effective computer operations depend upon internal clock or
timing mechanisms and, in the agency's experience, most computer
systems are capable of precisely recording such time entries as when
records are saved.
The agency is implementing the time stamp requirement based on the
understanding that all current computers, electronic document software,
electronic mail, and related electronic record systems include such
technologies. The agency also understands that time stamps are applied
automatically by these systems, meaning firms would not have to install
additional hardware, software, or incur additional burden to implement
this control. In recognition of this, the agency wishes to clarify that
a primary intent of this provision is to ensure that people take
reasonable measures to
[[Page 13448]]
ensure that those built in time stamps are accurate and that people do
not alter them casually so as to readily mask unauthorized record
changes.
The agency advises that, although part 11 does not specify the time
units (e.g., tenth of a second, or even the second) to be used, the
agency expects the unit of time to be meaningful in terms of
documenting human actions.
The agency does not believe part 11 needs to require recording the
reason for record changes because such a requirement, when needed, is
already in place in existing regulations that pertain to the records
themselves.
75. One comment stated that proposed Sec. 11.10(e) should not
require an electronic signature for each write-to-file operation.
The agency advises that Sec. 11.10(e) does not require an
electronic signature as the means of authenticating each write-to-file
operation. The agency expects the audit trail to document who did what
and when, documentation that can be recorded without electronic
signatures themselves.
76. Several comments, addressing the proposed requirement that
record changes not obscure previously recorded information, suggested
revising proposed Sec. 11.10(e) to apply only to those entries intended
to update previous information.
The agency disagrees with the suggested revision because the
rewording is too narrow. The agency believes that some record changes
may not be ``updates'' but significant modifications or falsifications
disguised as updates. All changes to existing records need to be
documented, regardless of the reason, to maintain a complete and
accurate history, to document individual responsibility, and to enable
detection of record falsifications.
77. Several comments suggested replacing the word ``document'' with
``record'' in the phrase ``Such audit trails shall be retained for a
period at least as long as required for the subject electronic
documents * * *'' because not all electronic documents are electronic
records and because the word document connotes paper.
As discussed in section III.D. of this document, the agency equates
electronic documents with electronic records, but for consistency, has
changed the phrase to read ``Such audit trail documentation shall be
retained for a period at least as long as that required for the subject
electronic records * * *.''
78. Proposed Sec. 11.10(k)(ii) (Sec. 11.10(k)(2) in this
regulation) addresses electronic audit trails as a systems
documentation control. One comment noted that this provision appears to
be the same as the audit trail provision of proposed Sec. 11.10(e) and
requested clarification.
The agency wishes to clarify that the kinds of records subject to
audit trails in the two provisions cited by the comment are different.
Section 11.10(e) pertains to those records that are required by
existing regulations whereas Sec. 11.10(k)(2) covers the system
documentation records regarding overall controls (such as access
privilege logs, or system operational specification diagrams).
Accordingly, the first sentence of Sec. 11.10(e) has been revised to
read ``Use of secure, computer-generated, time-stamped audit trails to
independently record and date the time of operator entries and actions
that create, modify, or delete electronic records.''
79. Proposed Sec. 11.10(f) states that procedures and controls for
closed systems must include the use of operational checks to enforce
permitted sequencing of events, as appropriate.
Two comments requested clarification of the agency's intent
regarding operational checks.
The agency advises that the purpose of performing operational
checks is to ensure that operations (such as manufacturing production
steps and signings to indicate initiation or completion of those steps)
are not executed outside of the predefined order established by the
operating organization.
80. Several comments suggested that, for clarity, the phrase
``operational checks'' be modified to ``operational system checks.''
The agency agrees that the added modifier ``system'' more
accurately reflects the agency's intent that operational checks be
performed by the computer systems and has revised proposed
Sec. 11.10(f) accordingly.
81. Several comments suggested revising proposed Sec. 11.10(f) to
clarify what is to be checked. The comments suggested that ``steps'' in
addition to ``events'' be checked, only critical steps be checked, and
that ``records'' also be checked.
The agency intends the word ``event'' to include ``steps'' such as
production steps. For clarity, however, the agency has revised proposed
Sec. 11.10(f) by adding the word ``steps.'' The agency does not,
however, agree that only critical steps need be subject to operational
checks because a given specific step or event may not be critical, yet
it may be very important that the step be executed at the proper time
relative to other steps or events. The agency does not believe it
necessary to add the modifier ``records'' to proposed Sec. 11.10(f)
because creation, deletion, or modification of a record is an event.
Should it be necessary to create, delete, or modify records in a
particular sequence, operational system checks would ensure that the
proper sequence is followed.
82. Proposed Sec. 11.10(g) states that procedures and controls for
closed systems must include the use of authority checks to ensure that
only authorized individuals use the system, electronically sign a
record, access the operation or device, alter a record, or perform the
operation at hand.
One comment suggested that the requirement for authority checks be
qualified with the phrase ``as appropriate,'' on the basis that it
would not be necessary for certain parts of a system, such as those not
affecting an electronic record. The comment cited pushing an emergency
stop button as an example of an event that would not require an
authority check. Another comment suggested deleting the requirement on
the basis that some records can be read by all employees in an
organization.
The agency advises that authority checks, and other controls under
Sec. 11.10, are intended to ensure the authenticity, integrity, and
confidentiality of electronic records, and to ensure that signers
cannot readily repudiate a signed record as not genuine. Functions
outside of this context, such as pressing an emergency stop button,
would not be covered. However, even in this example, the agency finds
it doubtful that a firm would permit anyone, such as a stranger from
outside the organization, to enter a facility and press the stop button
at will regardless of the existence of an emergency. Thus, there would
likely be some generalized authority checks built into the firm's
operations.
The agency believes that few organizations freely permit anyone
from within or without the operation to use their computer system,
electronically sign a record, access workstations, alter records, or
perform operations. It is likely that authority checks shape the
activities of almost every organization. The nature, scope, and
mechanism of performing such checks is up to the operating
organization. FDA believes, however, that performing such checks is one
of the most fundamental measures to ensure the integrity and
trustworthiness of electronic records.
Proposed Sec. 11.10(g) does not preclude all employees from being
permitted to read certain electronic records. However, the fact that
some records may be read by all employees would not
[[Page 13449]]
justify deleting the requirement for authority checks entirely. The
agency believes it is highly unlikely that all of a firm's employees
would have authority to read, write, and sign all of its electronic
records.
83. One comment said authority checks are appropriate for document
access but not system access, and suggested that the phrase ``access
the operation or device'' be deleted. The comment added, with respect
to authority checks on signing records, that in many organizations,
more than one individual has the authority to sign documents required
under FDA regulations and that such authority should be vested with the
individual as designated by the operating organization. Another comment
said proposed Sec. 11.10(g) should explicitly require access authority
checks and suggested that the phrase ``use the system'' be changed to
``access and use the system.'' The comment also asked for clarification
of the term ``device.''
The agency disagrees that authority checks should not be required
for system access because, as discussed in comment 82 of this document,
it is unlikely that a firm would permit any unauthorized individuals to
access its computer systems. System access control is a basic security
function because system integrity may be impeached even if the
electronic records themselves are not directly accessed. For example,
someone could access a system and change password requirements or
otherwise override important security measures, enabling individuals to
alter electronic records or read information that they were not
authorized to see. The agency does not believe it necessary to add the
qualifier ``access and'' because Sec. 11.10(d) already requires that
system access be limited to authorized individuals. The agency intends
the word ``device'' to mean a computer system input or output device
and has revised proposed Sec. 11.10(g) to clarify this point.
Concerning signature authority, FDA advises that the requirement
for authority checks in no way limits organizations in authorizing
individuals to sign multiple records. Firms may use any appropriate
mechanism to implement such checks. Organizations do not have to embed
a list of authorized signers in every record to perform authority
checks. For example, a record may be linked to an authority code that
identifies the title or organizational unit of people who may sign the
record. Thus, employees who have that corresponding code, or belong to
that unit, would be able to sign the record. Another way to implement
controls would be to link a list of authorized records to a given
individual, so that the system would permit the individual to sign only
records in that list.
84. Two comments addressed authority checks within the context of
PDMA and suggested that such checks not be required for drug sample
receipt records. The comments said that different individuals may be
authorized to accept drug samples at a physician's office, and that the
large number of physicians who would potentially qualify to receive
samples would be too great to institute authority checks.
The agency advises that authority checks need not be automated and
that in the context of PDMA such checks would be as valid for
electronic records as they are for paper sample requests because only
licensed practitioners or their designees may accept delivery of drug
samples. The agency, therefore, acknowledges that many individuals may
legally accept samples and, thus, have the authority to sign electronic
receipts. However, authority checks for electronic receipts could
nonetheless be performed by sample manufacturer representatives by
using the same procedures as the representatives use for paper
receipts. Accordingly, the agency disagrees with the comment that
proposed Sec. 11.10(g) should not apply to PDMA sample receipts.
The agency also advises that under PDMA, authority checks would be
particularly important in the case of drug sample request records
because only licensed practitioners may request drug samples.
Accordingly, proposed Sec. 11.10(g) has been revised to read: ``Use
of authority checks to ensure that only authorized individuals can use
the system, electronically sign a record, access the operation or
computer system input or output device, alter a record, or perform the
operation at hand.''
85. Proposed Sec. 11.10(h) states that procedures and controls for
closed systems must include the use of device (e.g., terminal) location
checks to determine, as appropriate, the validity of the source of data
input or operational instruction. Several comments objected to this
proposed requirement and suggested its deletion because it is: (1)
Unnecessary (because the data source is always known by virtue of
system design and validation); (2) problematic with respect to mobile
devices, such as those connected by modem; (3) too much of a ``how
to;'' (4) not explicit enough to tell firms what to do; (5) unnecessary
in the case of PDMA; and (6) technically challenging. One comment
stated that a device's identification, in addition to location, may be
important and suggested that the proposed rule be revised to require
device identification as well.
FDA advises that, by use of the term ``as appropriate,'' it does
not intend to require device checks in all cases. The agency believes
that these checks are warranted where only certain devices have been
selected as legitimate sources of data input or commands. In such
cases, the device checks would be used to determine if the data or
command source was authorized. In a network, for example, it may be
necessary for security reasons to limit issuance of critical commands
to only one authorized workstation. The device check would typically
interrogate the source of the command to ensure that only the
authorized workstation, and not some other device, was, in fact,
issuing the command.
The same approach applies for remote sources connected by modem, to
the extent that device identity interrogations could be made
automatically regardless of where the portable devices were located. To
clarify this concept, the agency has removed the word ``location'' from
proposed Sec. 11.10(h). Device checks would be necessary under PDMA
when the source of commands or data is relevant to establishing
authenticity, such as when licensed practitioners order drug samples
directly from the manufacturer or authorized distributor without the
intermediary of a sales representative. Device checks may also be
useful to firms in documenting and identifying which sales
representatives are transmitting drug sample requests from licensed
practitioners.
FDA believes that, although validation may demonstrate that a given
terminal or workstation is technically capable of sending information
from one point to another, validation alone would not be expected to
address whether or not such device is authorized to do so.
86. Proposed Sec. 11.10(i) states that procedures and controls for
closed systems must include confirmation that persons who develop,
maintain, or use electronic record or signature systems have the
education, training, and experience to perform their assigned tasks.
Several comments objected to the word ``confirmation'' because it
is redundant with, or more restrictive than, existing regulations, and
suggested alternate wording, such as ``evidence.'' Two comments
interpreted the proposed wording as requiring that checks of personnel
qualifications be performed automatically by computer systems that
perform database type
[[Page 13450]]
matches between functions and personnel training records.
The agency advises that, although there may be some overlap in
proposed Sec. 11.10(i) and other regulations regarding the need for
personnel to be properly qualified for their duties, part 11 is
specific to functions regarding electronic records, an issue that other
regulations may or may not adequately address. Therefore, the agency is
retaining the requirement.
The agency does not intend to require that the check of personnel
qualifications be performed automatically by a computer system itself
(although such automation is desirable). The agency has revised the
introductory paragraph of Sec. 11.10, as discussed in section VII. of
this document, to clarify this point. The agency agrees that another
word should be used in place of ``confirmation,'' and for clarity has
selected ``determination.''
87. One comment suggested that the word ``training'' be deleted
because it has the same meaning as ``education'' and ``experience,''
and objected to the implied requirement for records of employee
training. Another comment argued that applying this provision to system
developers was irrelevant so long as systems perform as required and
have been appropriately validated. The comment suggested revising
proposed Sec. 11.10(i) to require employees to be trained only ``as
necessary.'' One comment, noting that training and experience are very
important, suggested expanding proposed Sec. 11.10(i) to require
appropriate examination and certification of persons who perform
certain high-risk, high-trust functions and tasks.
The agency regards this requirement as fundamental to the proper
operation of a facility. Personnel entrusted with important functions
must have sufficient training to do their jobs. In FDA's view, formal
education (e.g., academic studies) and general industry experience
would not necessarily prepare someone to begin specific, highly
technical tasks at a given firm. Some degree of on-the-job training
would be customary and expected. The agency believes that documentation
of such training is also customary and not unreasonable.
The agency also disagrees with the assertion that personnel
qualifications of system developers are irrelevant. The qualifications
of personnel who develop systems are relevant to the expected
performance of the systems they build and their ability to explain and
support these systems. Validation does not lessen the need for
personnel to have the education, training, and experience to do their
jobs properly. Indeed, it is highly unlikely that poorly qualified
developers would be capable of producing a system that could be
validated. The agency advises that, although the intent of proposed
Sec. 11.10(i) is to address qualifications of those personnel who
develop systems within an organization, rather than external
``vendors'' per se, it is nonetheless vital that vendor personnel are
likewise qualified to do their work. The agency agrees that periodic
examination or certification of personnel who perform certain critical
tasks is desirable. However, the agency does not believe that at this
time a specific requirement for such examination and certification is
necessary.
88. Proposed Sec. 11.10(j) states that procedures and controls for
closed systems must include the establishment of, and adherence to,
written policies that hold individuals accountable and liable for
actions initiated under their electronic signatures, so as to deter
record and signature falsification.
Several comments suggested changing the word ``liable'' to
``responsible'' because the word ``responsible'' is broader, more
widely understood by employees, more positive and inclusive of elements
of honesty and trust, and more supportive of a broad range of
disciplinary measures. One comment argued that the requirement would
not deter record or signature falsification because employee honesty
and integrity cannot be regulated.
The agency agrees because, although the words ``responsible'' and
``liable'' are generally synonymous, ``responsible'' is preferable
because it is more positive and supportive of a broad range of
disciplinary measures. There may be a general perception that
electronic records and electronic signatures (particularly
identification codes and passwords) are less significant and formal
than traditional paper records and handwritten signatures. Individuals
may therefore not fully equate the seriousness of electronic record
falsification with paper record falsification. Employees need to
understand the gravity and consequences of signature or record
falsification. Although FDA agrees that employee honesty cannot be
ensured by requiring it in a regulation, the presence of strong
accountability and responsibility policies is necessary to ensure that
employees understand the importance of maintaining the integrity of
electronic records and signatures.
89. Several comments expressed concern regarding employee liability
for actions taken under their electronic signatures in the event that
such signatures are compromised, and requested ``reasonable
exceptions.'' The comments suggested revising proposed Sec. 11.10(j) to
hold people accountable only where there has been intentional
falsification or corruption of electronic data.
The agency considers the compromise of electronic signatures to be
a very serious matter, one that should precipitate an appropriate
investigation into any causative weaknesses in an organization's
security controls. The agency nonetheless recognizes that where such
compromises occur through no fault or knowledge of individual
employees, there would be reasonable limits on the extent to which
disciplinary action would be taken. However, to maintain emphasis on
the seriousness of such security breeches and deter the deliberate
fabrication of ``mistakes,'' the agency believes Sec. 11.10 should not
provide for exceptions that may lessen the import of such a
fabrication.
90. One comment said the agency should consider the need for
criminal law reform because current computer crime laws do not address
signatures when unauthorized access or computer use is not an issue.
Another comment argued that proposed Sec. 11.10(j) should be expanded
beyond ``individual'' accountability to include business entities.
The agency will consider the need for recommending legislative
initiatives to address electronic signature falsification in light of
the experience it gains with this regulation. The agency does not
believe it necessary to address business entity accountability
specifically in Sec. 11.10 because the emphasis is on actions and
accountability of individuals, and because individuals, rather than
business entities, apply signatures.
91. One comment suggested that proposed Sec. 11.10(j) should be
deleted because it is unnecessary because individuals are presumably
held accountable for actions taken under their authority, and because,
in some organizations, individuals frequently delegate authority to
sign their names.
As discussed in comments 88 to 90 of this document, the agency has
concluded that this section is necessary. Furthermore it does not limit
delegation of authority as described in the comment. However, where one
individual signs his or her name on behalf of someone else, the
signature applied should be that of the delegatee, with some notation
of that fact, and not the name of the delegator. This is the
[[Page 13451]]
same procedure commonly used on paper documents, noted as ``X for Y.''
92. Proposed Sec. 11.10(k) states that procedures and controls for
closed systems must include the use of appropriate systems
documentation controls, including: (1) Adequate controls over the
distribution, access to, and use of documentation for system operation
and maintenance; and (2) records revision and change control procedures
to maintain an electronic audit trail that documents time-sequenced
development and modification of records. Several comments requested
clarification of the type of documents covered by proposed
Sec. 11.10(k). One comment noted that this section failed to address
controls for record retention. Some comments suggested limiting the
scope of systems documentation to application and configurable
software, or only to software that could compromise system security or
integrity. Other comments suggested that this section should be deleted
because some documentation needs wide distribution within an
organization, and that it is an onerous burden to control user manuals.
The agency advises that Sec. 11.10(k) is intended to apply to
systems documentation, namely, records describing how a system operates
and is maintained, including standard operating procedures. The agency
believes that adequate controls over such documentation are necessary
for various reasons. For example, it is important for employees to have
correct and updated versions of standard operating and maintenance
procedures. If this documentation is not current, errors in procedures
and/or maintenance are more likely to occur. Part 11 does not limit an
organization's discretion as to how widely or narrowly any document is
to be distributed, and FDA expects that certain documents will, in
fact, be widely disseminated. However, some highly sensitive
documentation, such as instructions on how to modify system security
features, would not routinely be widely distributed. Hence, it is
important to control distribution of, access to, and use of such
documentation.
Although the agency agrees that the most critical types of system
documents would be those directly affecting system security and
integrity, FDA does not agree that control over system documentation
should only extend to security related software or to application or
configurable software. Documentation that relates to operating systems,
for example, may also have an impact on security and day-to-day
operations. The agency does not agree that it is an onerous burden to
control documentation that relates to effective operation and security
of electronic records systems. Failure to control such documentation,
as discussed above, could permit and foster records falsification by
making the enabling instructions for these acts readily available to
any individual.
93. Concerning the proposed requirement for adequate controls over
documentation for system operation and maintenance, one comment
suggested that it be deleted because it is under the control of system
vendors, rather than operating organizations. Several comments
suggested that the proposed provision be deleted because it duplicates
Sec. 11.10(e) with respect to audit trails. Some comments also objected
to maintaining the change control procedures in electronic form and
suggested deleting the word ``electronic'' from ``electronic audit
trails.''
The agency advises that this section is intended to apply to
systems documentation that can be changed by individuals within an
organization. If systems documentation can only be changed by a vendor,
this provision does not apply to the vendor's customers. The agency
acknowledges that systems documentation may be in paper or electronic
form. Where the documentation is in paper form, an audit trail of
revisions need not be in electronic form. Where systems documentation
is in electronic form, however, the agency intends to require the audit
trail also be in electronic form, in accordance with Sec. 11.10(e). The
agency acknowledges that, in light of the comments, the proposed rule
may not have been clear enough regarding audit trails addressed in
Sec. 11.10(k) compared to audit trails addressed in Sec. 11.10(e) and
has revised the final rule to clarify this matter.
The agency does not agree, however, that the audit trail provisions
of Sec. 11.10(e) and (k), as revised, are entirely duplicative. Section
11.10(e) applies to electronic records in general (including systems
documentation); Sec. 11.10(k) applies exclusively to systems
documentation, regardless of whether such documentation is in paper or
electronic form.
As revised, Sec. 11.10(k) now reads as follows:
(k) Use of appropriate controls over systems documentation
including:
(1) Adequate controls over the distribution of, access to, and
use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit
trail that documents time-sequenced development and modification of
systems documentation.
VIII. Electronic Records--Controls for Open Systems (Sec. 11.30)
Proposed Sec. 11.30 states that: ``Open systems used to create,
modify, maintain, or transmit electronic records shall employ
procedures and controls designed to ensure the authenticity, integrity
and confidentiality of electronic records from the point of their
creation to the point of their receipt.'' In addition, Sec. 11.30
states:
* * * Such procedures and controls shall include those
identified in Sec. 11.10, as appropriate, and such additional
measures as document encryption and use of established digital
signature standards acceptable to the agency, to ensure, as
necessary under the circumstances, record authenticity, integrity,
and confidentiality.
94. One comment suggested that the reference to digital signature
standards be deleted because the agency should not be setting standards
and should not dictate how to ensure record authenticity, integrity,
and confidentiality. Other comments requested clarification of the
agency's expectations with regard to digital signatures: (1) The kinds
that would be acceptable, (2) the mechanism for announcing which
standards were acceptable (and whether that meant FDA would be
certifying particular software), and (3) a definition of digital
signature. One comment asserted that FDA should accept international
standards for digital signatures. Some comments also requested a
definition of encryption. One comment encouraged the agency to further
define open systems.
The agency advises that Sec. 11.30 requires additional controls,
beyond those identified in Sec. 11.10, as needed under the
circumstances, to ensure record authenticity, integrity, and
confidentiality for open systems. Use of digital signatures is one
measure that may be used, but is not specifically required. The agency
wants to ensure that the digital signature standard used is, in fact,
appropriate. Development of digital signature standards is a complex
undertaking, one FDA does not expect to be performed by individual
firms on an ad hoc basis, and one FDA does not now seek to perform.
The agency is nonetheless concerned that such standards be robust
and secure. Currently, the agency is aware of two such standards, the
RSA (Rivest-Shamir-Adleman), and NIST's Digital Signature Standard
(DSS). The DSS became Federal Information Processing Standard (FIPS)
186 on December 1, 1994. These standards are incorporated in different
software programs. The agency does not seek to certify or otherwise
approve of such programs,
[[Page 13452]]
but expects people who use such programs to ensure that they are
suitable for their intended use. FDA is aware that NIST provides
certifications regarding mathematical conformance to the DSS core
algorithms, but does not formally evaluate the broader programs that
contain those algorithms. The agency has revised the final rule to
clarify its intent that firms retain the flexibility to use any
appropriate digital signature as an additional system control for open
systems. FDA is also including a definition of digital signature under
Sec. 11.3(b)(5).
The agency does not believe it necessary to codify the term
``encryption'' because, unlike the term digital signature, it has been
in general use for many years and is generally understood to mean the
transforming of a writing into a secret code or cipher. The agency is
aware that there are several commercially available software programs
that implement both digital signatures and encryption.
95. Two comments noted that use of digital signatures and
encryption is not necessary in the context of PDMA, where access to an
electronic record is limited once it is signed and stored. One of the
comments suggested that proposed Sec. 11.30 be revised to clarify this
point.
As discussed in comment 94 of this document, use of digital
signatures and encryption would be an option when extra measures are
necessary under the circumstances. In the case of PDMA records, such
measures may be warranted in certain circumstances, and unnecessary in
others. For example, if electronic records were to be transmitted by a
firm's representative by way of a public online service to a central
location, additional measures would be necessary. On the other hand,
where the representative's records are hand delivered to that location,
or transferred by direct connection between the representative and the
central location, such additional measures to ensure record
authenticity, confidentiality, and integrity may not be necessary. The
agency does not believe that it is practical to revise Sec. 11.30 to
elaborate on every possible situation in which additional measures
would or would not be needed.
96. One comment addressed encryption of submissions to FDA and
asked if people making those submissions would have to give the agency
the appropriate ``keys'' and, if so, how the agency would protect the
security of such information.
The agency intends to develop appropriate procedures regarding the
exchange of ``keys'' attendant to use of encryption and digital
signatures, and will protect those keys that must remain confidential,
in the same manner as the agency currently protects trade secrets.
Where the agency and a submitter agree to use a system that calls for
the exchange of secret keys, FDA will work with submitters to achieve
mutually agreeable procedures. The agency notes, however, that not all
encryption and digital signature systems require that enabling keys be
secret.
97. One comment noted that proposed Sec. 11.30 does not mention
availability and nonrepudiation and requested clarification of the term
``point of receipt.'' The comment noted that, where an electronic
record is received at a person's electronic mailbox (which resides on
an open system), additional measures may be needed when the record is
transferred to the person's own local computer because such additional
transfer entails additional security risks. The comment suggested
wording that would extend open system controls to the point where
records are ultimately retained.
The agency agrees that, in the situation described by the comment,
movement of the electronic record from an electronic mailbox to a
person's local computer may necessitate open system controls. However,
situations may vary considerably as to the ultimate point of receipt,
and FDA believes proposed Sec. 11.30 offers greater flexibility in
determining open system controls than revisions suggested by the
comment. The agency advises that the concept of nonrepudiation is part
of record authenticity and integrity, as already covered by
Sec. 11.10(c). Therefore, FDA is not revising Sec. 11.30 as suggested.
IX. Electronic Records--Signature Manifestations (Sec. 11.50)
Proposed Sec. 11.50 requires that electronic records that are
electronically signed must display in clear text the printed name of
the signer, and the date and time when the electronic signature was
executed. This section also requires that electronic records clearly
indicate the meaning (such as review, approval, responsibility, and
authorship) associated with their attendant signatures.
98. Several comments suggested that the information required under
proposed Sec. 11.50 need not be contained in the electronic records
themselves, but only in the human readable format (screen displays and
printouts) of such records. The comments explained that the records
themselves need only contain links, such as signature attribute codes,
to such information to produce the displays of information required.
The comments noted, for example, that, where electronic signatures
consist of an identification code in combination with a password, the
combined code and password itself would not be part of the display.
Some comments suggested that proposed Sec. 11.50 be revised to clarify
what items are to be displayed.
The agency agrees and has revised proposed Sec. 11.50 accordingly.
The intent of this section is to require that human readable forms of
signed electronic records, such as computer screen displays and
printouts bear: (1) The printed name of the signer (at the time the
record is signed as well as whenever the record is read by humans); (2)
the date and time of signing; and (3) the meaning of the signature. The
agency believes that revised Sec. 11.50 will afford persons the
flexibility they need to implement the display of information
appropriate for their own electronic records systems, consistent with
other system controls in part 11, to ensure record integrity and
prevent falsification.
99. One comment stated that the controls in proposed Sec. 11.50
would not protect against inaccurate entries.
FDA advises that the purpose of this section is not to protect
against inaccurate entries, but to provide unambiguous documentation of
the signer, when the signature was executed, and the signature's
meaning. The agency believes that such a record is necessary to
document individual responsibility and actions.
In a paper environment, the printed name of the individual is
generally present in the signed record, frequently part of a
traditional ``signature block.'' In an electronic environment, the
person's name may not be apparent, especially where the signature is
based on identification codes combined with passwords. In addition, the
meaning of a signature is generally apparent in a paper record by
virtue of the context of the record or, more often, explicit phrases
such as ``approved by,'' ``reviewed by,'' and ``performed by.'' Thus,
the agency believes that for clear documentation purposes it is
necessary to carry such meanings into the electronic record
environment.
100. One comment suggested that proposed Sec. 11.50 should apply
only to those records that are required to be signed, and that the
display of the date and time should be performed in a secure manner.
The agency intends that this section apply to all signed electronic
records regardless of whether other regulations require them to be
signed. The agency believes that if it is important enough that a
record be signed, human readable
[[Page 13453]]
displays of such records must include the printed name of the signer,
the date and time of signing, and the meaning of the signature. Such
information is crucial to the agency's ability to protect public
health. For example, a message from a firm's management to employees
instructing them on a particular course of action may be critical in
litigation. This requirement will help ensure clear documentation and
deter falsification regardless of whether the signature is electronic
or handwritten.
The agency agrees that the display of information should be carried
out in a secure manner that preserves the integrity of that
information. The agency, however, does not believe it is necessary at
this time to revise Sec. 11.50 to add specific security measures
because other requirements of part 11 have the effect of ensuring
appropriate security.
Because signing information is important regardless of the type of
signature used, the agency has revised Sec. 11.50 to cover all types of
signings.
101. Several comments objected to the requirement in proposed
Sec. 11.50(a) that the time of signing be displayed in addition to the
date on the grounds that such information is: (1) Unnecessary, (2)
costly to implement, (3) needed in the electronic record for auditing
purposes, but not needed in the display of the record, and (4) only
needed in critical applications. Some comments asserted that recording
time should be optional. One comment asked whether the time should be
local to the signer or to a central network when electronic record
systems cross different time zones.
The agency believes that it is vital to record the time when a
signature is applied. Documenting the time when a signature was applied
can be critical to demonstrating that a given record was, or was not,
falsified. Regarding systems that may span different time zones, the
agency advises that the signer's local time is the one to be recorded.
102. One comment assumed that a person's user identification code
could be displayed instead of the user's printed name, along with the
date and time of signing.
This assumption is incorrect. The agency intends that the printed
name of the signer be displayed for purposes of unambiguous
documentation and to emphasize the importance of the act of signing to
the signer. The agency believes that because an identification code is
not an actual name, it would not be a satisfactory substitute.
103. One comment suggested that the word ``printed'' in the phrase
``printed name'' be deleted because the word was superfluous. The
comment also stated that the rule should state when the clear text must
be created or displayed because some computer systems, in the context
of electronic data interchange transactions, append digital signatures
to records before, or in connection with, communication of the record.
The agency disagrees that the word ``printed'' is superfluous
because the intent of this section is to show the name of the person in
an unambiguous manner that can be read by anyone. The agency believes
that requiring the printed name of the signer instead of codes or other
manifestations, more effectively provides clarity.
The agency has revised this section to clarify the point at which
the signer's information must be displayed, namely, as part of any
human readable form of the electronic record. The revision, in the
agency's view, addresses the comment's concern regarding the
application of digital signatures. The agency advises that under
Sec. 11.50, any time after an electronic record has been signed,
individuals who see the human readable form of the record will be able
to immediately tell who signed the record, when it was signed, and what
the signature meant. This includes the signer who, as with a
traditional signature to paper, will be able to review the signature
instantly.
104. One comment asked if the operator would have to see the
meaning of the signature, or if the information had to be stored on the
physical electronic record.
As discussed in comment 100 of this document, the information
required by Sec. 11.50(b) must be displayed in the human readable
format of the electronic record. Persons may elect to store that
information directly within the electronic record itself, or in
logically associated records, as long as such information is displayed
any time a person reads the record.
105. One comment noted that proposed Sec. 11.50(b) could be
interpreted to require lengthy explanations of the signatures and the
credentials of the signers. The comment also stated that this
information would more naturally be contained in standard operating
procedures, manuals, or accompanying literature than in the electronic
records themselves.
The agency believes that the comment misinterprets the intent of
this provision. Recording the meaning of the signature does not infer
that the signer's credentials or other lengthy explanations be part of
that meaning. The statement must merely show what is meant by the act
of signing (e.g., review, approval, responsibility, authorship).
106. One comment noted that the meaning of a signature may be
included in a (digital signature) public key certificate and asked if
this would be acceptable. The comment also noted that the certificate
might be easily accessible by a record recipient from either a
recognized database or one that might be part of, or associated with,
the electronic record itself. The comment further suggested that FDA
would benefit from participating in developing rules of practice
regarding certificate-based public key cryptography and infrastructure
with the Information Security Committee, Section of Science and
Technology, of the American Bar Association (ABA).
The intent of this provision is to clearly discern the meaning of
the signature when the electronic record is displayed in human readable
form. The agency does not expect such meaning to be contained in or
displayed by a public key certificate because the public key is
generally a fixed value associated with an individual. The certificate
is used by the recipient to authenticate a digital signature that may
have different meanings, depending upon the record being signed. FDA
acknowledges that it is possible for someone to establish different
public keys, each of which may indicate a different signature meaning.
Part 11 would not prohibit multiple ``meaning'' keys provided the
meaning of the signature itself was still clear in the display of the
record, a feature that could conceivably be implemented by software.
Regarding work of the ABA and other standard-setting organizations,
the agency welcomes an open dialog with such organizations, for the
mutual benefit of all parties, to establish and facilitate the use of
electronic record/electronic signature technologies. FDA's
participation in any such activities would be in accordance with the
agency's policy on standards stated in the Federal Register of October
11, 1995 (60 FR 53078).
Revised Sec. 11.50, signature manifestations, reads as follows:
(a) Signed electronic records shall contain information
associated with the signing that clearly indicates all of the
following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or
authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and
(a)(3) of this section shall be subject to the same controls as for
electronic records and shall be included as part of any human
readable form of the electronic record (such as electronic display
or printout).
[[Page 13454]]
X. Electronic Records--Signature/Record Linking (Sec. 11.70)
107. Proposed Sec. 11.70 states that electronic signatures and
handwritten signatures executed to electronic records must be
verifiably bound to their respective records to ensure that signatures
could not be excised, copied, or otherwise transferred to falsify
another electronic record.
Many comments objected to this provision as too prescriptive,
unnecessary, unattainable, and excessive in comparison to paper-based
records. Some comments asserted that the objectives of the section
could be attained through appropriate procedural and administrative
controls. The comments also suggested that objectives of the provision
could be met by appropriate software (i.e., logical) links between the
electronic signatures and electronic records, and that such links are
common in systems that use identification codes in combination with
passwords. One firm expressed full support for the provision, and noted
that its system implements such a feature and that signature-to-record
binding is similar to the record-locking provision of the proposed PDMA
regulations.
The agency did not intend to mandate use of any particular
technology by use of the word ``binding.'' FDA recognizes that, because
it is relatively easy to copy an electronic signature to another
electronic record and thus compromise or falsify that record, a
technology based link is necessary. The agency does not believe that
procedural or administrative controls alone are sufficient to ensure
that objective because such controls could be more easily circumvented
than a straightforward technology based approach. In addition, when
electronic records are transferred from one party to another, the
procedural controls used by the sender and recipient may be different.
This could result in record falsification by signature transfer.
The agency agrees that the word ``link'' would offer persons
greater flexibility in implementing the intent of this provision and in
associating the names of individuals with their identification codes/
passwords without actually recording the passwords themselves in
electronic records. The agency has revised proposed Sec. 11.70 to state
that signatures shall be linked to their electronic records.
108. Several comments argued that proposed Sec. 11.70 requires
absolute protection of electronic records from falsification, an
objective that is unrealistic to the extent that determined individuals
could falsify records.
The agency acknowledges that, despite elaborate system controls,
certain determined individuals may find a way to defeat
antifalsification measures. FDA will pursue such illegal activities as
vigorously as it does falsification of paper records. For purposes of
part 11, the agency's intent is to require measures that prevent
electronic records falsification by ordinary means. Therefore, FDA has
revised Sec. 11.70 by adding the phrase ``by ordinary means'' at the
end of this section.
109. Several comments suggested changing the phrase ``another
electronic record'' to ``an electronic record'' to clarify that the
antifalsification provision applies to the current record as well as
any other record.
The agency agrees and has revised Sec. 11.70 accordingly.
110. Two comments argued that signature-to-record binding is
unnecessary, in the context of PDMA, beyond the point of record
creation (i.e., when records are transmitted to a point of receipt).
The comments asserted that persons who might be in a position to
separate a signature from a record (for purposes of falsification) are
individuals responsible for record integrity and thus unlikely to
falsify records. The comments also stated that signature-to-record
binding is produced by software coding at the time the record is
signed, and suggested that proposed Sec. 11.70 clarify that binding
would be necessary only up to the point of actual transmission of the
electronic record to a central point of receipt.
The agency disagrees with the comment's premise that the need for
binding to prevent falsification depends on the disposition of people
to falsify records. The agency believes that reliance on individual
tendencies is insufficient insurance against falsification. The agency
also notes that in the traditional paper record, the signature remains
bound to its corresponding record regardless of where the record may
go.
111. One comment suggested that proposed Sec. 11.70 be deleted
because it appears to require that all records be kept on inalterable
media. The comment also suggested that the phrase ``otherwise
transferred'' be deleted on the basis that it should be permissible for
copies of handwritten signatures (recorded electronically) to be made
when used, in addition to another unique individual identification
mechanism.
The agency advises that neither Sec. 11.70, nor other sections in
part 11, requires that records be kept on inalterable media. What is
required is that whenever revisions to a record are made, the original
entries must not be obscured. In addition, this section does not
prohibit copies of handwritten signatures recorded electronically from
being made for legitimate reasons that do not relate to record
falsification. Section 11.70 merely states that such copies must not be
made that falsify electronic records.
112. One comment suggested that proposed Sec. 11.70 be revised to
require application of response cryptographic methods because only
those methods could be used to comply with the regulation. The comment
noted that, for certificate based public key cryptographic methods, the
agency should address verifiable binding between the signer's name and
public key as well as binding between digital signatures and electronic
records. The comment also suggested that the regulation should
reference electronic signatures in the context of secure time and date
stamping.
The agency intends to permit maximum flexibility in how
organizations achieve the linking called for in Sec. 11.70, and, as
discussed above, has revised the regulation accordingly. Therefore, FDA
does not believe that cryptographic and digital signature methods would
be the only ways of linking an electronic signature to an electronic
document. In fact, one firm commented that its system binds a person's
handwritten signature to an electronic record. The agency agrees that
use of digital signatures accomplishes the same objective because, if a
digital signature were to be copied from one record to another, the
second record would fail the digital signature verification procedure.
Furthermore, FDA notes that concerns regarding binding a person's name
with the person's public key would be addressed in the context of
Sec. 11.100(b) because an organization must establish an individual's
identity before assigning or certifying an electronic signature (or any
of the electronic signature components).
113. Two comments requested clarification of the types of
technologies that could be used to meet the requirements of proposed
Sec. 11.70.
As discussed in comment 107 of this document, the agency is
affording persons maximum flexibility in using any appropriate method
to link electronic signatures to their respective electronic records to
prevent record falsification. Use of digital signatures is one such
method, as is use of software locks to prevent sections of codes
[[Page 13455]]
representing signatures from being copied or removed. Because this is
an area of developing technology, it is likely that other linking
methods will emerge.
XI. Electronic Signatures--General Requirements (Sec. 11.100)
Proposed Sec. 11.100(a) states that each electronic signature must
be unique to one individual and not be reused or reassigned to anyone
else.
114. One comment asserted that several people should be permitted
to share a common identification code and password where access control
is limited to inquiry only.
Part 11 does not prohibit the establishment of a common group
identification code/password for read only access purposes. However,
such commonly shared codes and passwords would not be regarded, and
must not be used, as electronic signatures. Shared access to a common
database may nonetheless be implemented by granting appropriate common
record access privileges to groups of people, each of whom has a unique
electronic signature.
115. Several comments said proposed Sec. 11.100(a) should permit
identification codes to be reused and reassigned from one employee to
another, as long as an audit trail exists to associate an
identification code with a given individual at any one time, and
different passwords are used. Several comments said the section should
indicate if the agency intends to restrict authority delegation by the
nonreassignment or nonreuse provision, or by the provision in
Sec. 11.200(a)(2) requiring electronic signatures to be used only by
their genuine owners. The comments questioned whether reuse means
restricting one noncryptographic based signature to only one record and
argued that passwords need not be unique if the combined identification
code and password are unique to one individual. One comment recommended
caution in using the term ``ownership'' because of possible confusion
with intellectual property rights or ownership of the computer systems
themselves.
The agency advises that, where an electronic signature consists of
the combined identification code and password, Sec. 11.100 would not
prohibit the reassignment of the identification code provided the
combined identification code and password remain unique to prevent
record falsification. The agency believes that such reassignments are
inadvisable, however, to the extent that they might be combined with an
easily guessed password, thus increasing the chances that an individual
might assume a signature belonging to someone else. The agency also
advises that where people can read identification codes (e.g., printed
numbers and letters that are typed at a keyboard or read from a card),
the risks of someone obtaining that information as part of a
falsification effort would be greatly increased as compared to an
identification code that is not in human readable form (one that is,
for example, encoded on a ``secure card'' or other device).
Regarding the delegation of authority to use electronic signatures,
FDA does not intend to restrict the ability of one individual to sign a
record or otherwise act on behalf of another individual. However, the
applied electronic signature must be the assignee's and the record
should clearly indicate the capacity in which the person is acting
(e.g., on behalf of, or under the authority of, someone else). This is
analogous to traditional paper records and handwritten signatures when
person ``A'' signs his or her own name under the signature block of
person ``B,'' with appropriate explanatory notations such as ``for'' or
``as representative of'' person B. In such cases, person A does not
simply sign the name of person B. The agency expects the same procedure
to be used for electronic records and electronic signatures.
The agency intends the term ``reuse'' to refer to an electronic
signature used by a different person. The agency does not regard as
``reuse'' the replicate application of a noncryptographic based
electronic signature (such as an identification code and password) to
different electronic records. For clarity, FDA has revised the phrase
``not be reused or reassigned to'' to state ``not be reused by, or
reassigned to,'' in Sec. 11.100(a).
The reference in Sec. 11.200(a) to ownership is made in the context
of an individual owning or being assigned a particular electronic
signature that no other individual may use. FDA believes this is clear
and that concerns regarding ownership in the context of intellectual
property rights or hardware are misplaced.
116. One comment suggested that proposed Sec. 11.100(a) should
accommodate electronic signatures assigned to organizations rather than
individuals.
The agency advises that, for purposes of part 11, electronic
signatures are those of individual human beings and not organizations.
For example, FDA does not regard a corporate seal as an individual's
signature. Humans may represent and obligate organizations by signing
records, however. For clarification, the agency is substituting the
word ``individual'' for ``person'' in the definition of electronic
signature (Sec. 11.3(b)(7)) because the broader definition of person
within the act includes organizations.
117. Proposed Sec. 11.100(b) states that, before an electronic
signature is assigned to a person, the identity of the individual must
be verified by the assigning authority.
Two comments noted that where people use identification codes in
combination with passwords only the identification code portion of the
electronic signature is assigned, not the password. Another comment
argued that the word ``assigned'' is inappropriate in the context of
electronic signatures based upon public key cryptography because the
appropriate authority certifies the bind between the individual's
public key and identity, and not the electronic signature itself.
The agency acknowledges that, for certain types of electronic
signatures, the authorizing or certifying organization issues or
approves only a portion of what eventually becomes an individual's
electronic signature. FDA wishes to accommodate a broad variety of
electronic signatures and is therefore revising Sec. 11.100(b) to
require that an organization verify the identity of an individual
before it establishes, assigns, certifies, or otherwise sanctions an
individual's electronic signature or any element of such electronic
signature.
118. One comment suggested that the word ``verified'' in proposed
Sec. 11.100(b) be changed to ``confirmed.'' Other comments addressed
the method of verifying a person's identity and suggested that the
section specify acceptable verification methods, including high level
procedures regarding the relative strength of that verification, and
the need for personal appearances or supporting documentation such as
birth certificates. Two comments said the verification provision should
be deleted because normal internal controls are adequate, and that it
was impractical for multinational companies whose employees are
globally dispersed.
The agency does not believe that there is a sufficient difference
between ``verified'' and ``confirmed'' to warrant a change in this
section. Both words indicate that organizations substantiate a person's
identity to prevent impersonations when an electronic signature, or any
of its elements, is being established or certified. The agency
disagrees with the assertion that this requirement is unnecessary.
Without verifying someone's identity at the outset of establishing or
certifying
[[Page 13456]]
an individual's electronic signature, or a portion thereof, an imposter
might easily access and compromise many records. Moreover, an imposter
could continue this activity for a prolonged period of time despite
other system controls, with potentially serious consequences.
The agency does not believe that the size of an organization, or
global dispersion of its employees, is reason to abandon this vital
control. Such dispersion may, in fact, make it easier for an impostor
to pose as someone else in the absence of such verification. Further,
the agency does not accept the implication that multinational firms
would not verify the identity of their employees as part of other
routine procedures, such as when individuals are first hired.
In addition, in cases where an organization is widely dispersed and
electronic signatures are established or certified centrally,
Sec. 11.100(b) does not prohibit organizations from having their local
units perform the verification and relaying this information to the
central authority. Similarly, local units may conduct the electronic
signature assignment or certification.
FDA does not believe it is necessary at this time to specify
methods of identity verification and expects that organizations will
consider risks attendant to sanctioning an erroneously assigned
electronic signature.
119. Proposed Sec. 11.100(c) states that persons using electronic
signatures must certify to the agency that their electronic signature
system guarantees the authenticity, validity, and binding nature of any
electronic signature. Persons utilizing electronic signatures would,
upon agency request, provide additional certification or testimony that
a specific electronic signature is authentic, valid, and binding. Such
certification would be submitted to the FDA district office in which
territory the electronic signature system is in use.
Many comments objected to the proposed requirement that persons
provide FDA with certification regarding their electronic signature
systems. The comments asserted that the requirement was: (1)
Unprecedented, (2) unrealistic, (3) unnecessary, (4) contradictory to
the principles and intent of system validation, (5) too burdensome for
FDA to manage logistically, (6) apparently intended only to simplify
FDA litigation, (7) impossible to meet regarding ``guarantees'' of
authenticity, and (8) an apparent substitute for FDA inspections.
FDA agrees in part with these comments. This final rule reduces the
scope and burden of certification to a statement of intent that
electronic signatures are the legally binding equivalent of handwritten
signatures.
As noted previously, the agency believes it is important, within
the context of its health protection activities, to ensure that persons
who implement electronic signatures fully equate the legally binding
nature of electronic signatures with the traditional handwritten paper-
based signatures. The agency is concerned that individuals might
disavow an electronic signature as something completely different from
a traditional handwritten signature. Such contention could result in
confusion and possibly extensive litigation.
Moreover, a limited certification as provided in this final rule is
consistent with other legal, regulatory, and commercial practices. For
example, electronic data exchange trading partner agreements are often
written on paper and signed with traditional handwritten signatures to
establish that certain electronic identifiers are recognized as
equivalent to traditional handwritten signatures.
FDA does not expect electronic signature systems to be guaranteed
foolproof. The agency does not intend, under Sec. 11.100(c), to
establish a requirement that is unattainable. Certification of an
electronic signature system as the legally binding equivalent of a
traditional handwritten signature is separate and distinct from system
validation. This provision is not intended as a substitute for FDA
inspection and such inspection alone may not be able to determine in a
conclusive manner an organization's intent regarding electronic
signature equivalency.
The agency has revised proposed Sec. 11.100(c) to clarify its
intent. The agency wishes to emphasize that the final rule dramatically
curtails what FDA had proposed and is essential for the agency to be
able to protect and promote the public health because FDA must be able
to hold people to the commitments they make under their electronic
signatures. The certification in the final rule is merely a statement
of intent that electronic signatures are the legally binding equivalent
of traditional handwritten signatures.
120. Several comments questioned the procedures necessary for
submitting the certification to FDA, including: (1) The scheduling of
the certification; (2) whether to submit certificates for each
individual or for each electronic signature; (3) the meaning of
``territory'' in the context of wide area networks; (4) whether such
certificates could be submitted electronically; and (5) whether
organizations, after submitting a certificate, had to wait for a
response from FDA before implementing their electronic signature
systems. Two comments suggested revising proposed Sec. 11.100(c) to
require that all certifications be submitted to FDA only upon agency
request. One comment suggested changing ``should'' to ``shall'' in the
last sentence of Sec. 11.100(c) if the agency's intent is to require
certificates to be submitted to the respective FDA district office.
The agency intends that certificates be submitted once, in the form
of a paper letter, bearing a traditional handwritten signature, at the
time an organization first establishes an electronic signature system
after the effective date of part 11, or, where such systems have been
used before the effective date, upon continued use of the electronic
signature system.
A separate certification is not needed for each electronic
signature, although certification of a particular electronic signature
is to be submitted if the agency requests it. The agency does not
intend to establish certification as a review and approval function. In
addition, organizations need not await FDA's response before putting
electronic signature systems into effect, or before continuing to use
an existing system.
A single certification may be stated in broad terms that encompass
electronic signatures of all current and future employees, thus
obviating the need for subsequent certifications submitted on a
preestablished schedule.
To further simplify the process and to minimize the number of
certifications that persons would have to provide, the agency has
revised Sec. 11.100(c) to permit submission of a single certification
that covers all electronic signatures used by an organization. The
revised rule also simplifies the process by providing a single agency
receiving unit. The final rule instructs persons to send certifications
to FDA's Office of Regional Operations (HFC-100), 5600 Fishers Lane,
Rockville, MD 20857. Persons outside the United States may send their
certifications to the same office.
The agency offers, as guidance, an example of an acceptable
Sec. 11.100(c) certification:
Pursuant to Section 11.100 of Title 21 of the Code of Federal
Regulations, this is to certify that [name of organization] intends
that all electronic signatures executed by our employees, agents, or
representatives, located anywhere in the world, are the legally
binding equivalent of traditional handwritten signatures.
[[Page 13457]]
The agency has revised Sec. 11.100 to clarify where and when
certificates are to be submitted.
The agency does not agree that the initial certification be
provided only upon agency request because FDA believes it is vital to
have such certificates, as a matter of record, in advance of any
possible litigation. This would clearly establish the intent of
organizations to equate the legally binding nature of electronic
signatures with traditional handwritten signatures. In addition, the
agency believes that having the certification on file ahead of time
will have the beneficial effect of reinforcing the gravity of
electronic signatures by putting an organization's employees on notice
that the organization has gone on record with FDA as equating
electronic signatures with handwritten signatures.
121. One comment suggested that proposed Sec. 11.100(c) be revised
to exclude from certification instances in which the purported signer
claims that he or she did not create or authorize the signature.
The agency declines to make this revision because a provision for
nonrepudiation is already contained in Sec. 11.10.
As a result of the considerations discussed in comments 119 and 120
of this document, the agency has revised proposed Sec. 11.100(c) to
state that:
(c) Persons using electronic signatures shall, prior to or at
the time of such use, certify to the agency that the electronic
signatures in their system, used on or after August 20, 1997, are
intended to be the legally binding equivalent of traditional
handwritten signatures.
(1) The certification shall be submitted in paper form and
signed with a traditional handwritten signature to the Office of
Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD
20857.
(2) Persons using electronic signatures shall, upon agency
request, provide additional certification or testimony that a
specific electronic signature is the legally binding equivalent of
the signer's handwritten signature.
XII. Electronic Signature Components and Controls (Sec. 11.200)
122. Proposed Sec. 11.200 sets forth requirements for electronic
signature identification mechanisms and controls. Two comments
suggested that the term ``identification code'' should be defined.
Several comments suggested that the term ``identification mechanisms''
should be changed to ``identification components'' because each
component of an electronic signature need not be executed by a
different mechanism.
The agency believes that the term ``identification code'' is
sufficiently broad and generally understood and does not need to be
defined in these regulations. FDA agrees that the word ``component''
more accurately reflects the agency's intent than the word
``mechanism,'' and has substituted ``component'' for ``mechanism'' in
revised Sec. 11.200. The agency has also revised the section heading to
read ``Electronic signature components and controls'' to be consistent
with the wording of the section.
123. Proposed Sec. 11.200(a) states that electronic signatures not
based upon biometric/behavioral links must: (1) Employ at least two
distinct identification mechanisms (such as an identification code and
password), each of which is contemporaneously executed at each signing;
(2) be used only by their genuine owners; and (3) be administered and
executed to ensure that attempted use of an individual's electronic
signature by anyone other than its genuine owner requires collaboration
of two or more individuals.
Two comments said that proposed Sec. 11.200(a) should acknowledge
that passwords may be known not only to their genuine owners, but also
to system administrators in case people forget their passwords.
The agency does not believe that system administrators would
routinely need to know an individual's password because they would have
sufficient privileges to assist those individuals who forget passwords.
124. Several comments argued that the agency should accept a single
password alone as an electronic signature because: (1) Combining the
password with an identification code adds little security, (2)
administrative controls and passwords are sufficient, (3) authorized
access is more difficult when two components are needed, (4) people
would not want to gain unauthorized entry into a manufacturing
environment, and (5) changing current systems that use only a password
would be costly.
The comments generally addressed the need for two components in
electronic signatures within the context of the requirement that all
components be used each time an electronic signature is executed.
Several comments suggested that, for purposes of system access,
individuals should enter both a user identification code and password,
but that, for subsequent signings during one period of access, a single
element (such as a password) known only to, and usable by, the
individual should be sufficient.
The agency believes that it is very important to distinguish
between those (nonbiometric) electronic signatures that are executed
repetitively during a single, continuous controlled period of time
(access session or logged-on period) and those that are not. The agency
is concerned, from statements made in comments, that people might use
passwords that are not always unique and are frequently words that are
easily associated with an individual. Accordingly, where nonbiometric
electronic signatures are not executed repetitively during a single,
continuous controlled period, it would be extremely bad practice to use
a password alone as an electronic signature. The agency believes that
using a password alone in such cases would clearly increase the
likelihood that one individual, by chance or deduction, could enter a
password that belonged to someone else and thereby easily and readily
impersonate that individual. This action could falsify electronic
records.
The agency acknowledges that there are some situations involving
repetitive signings in which it may not be necessary for an individual
to execute each component of a nonbiometric electronic signature for
every signing. The agency is persuaded by the comments that such
situations generally involve certain conditions. For example, an
individual performs an initial system access or ``log on,'' which is
effectively the first signing, by executing all components of the
electronic signature (typically both an identification code and a
password). The individual then performs subsequent signings by
executing at least one component of the electronic signature, under
controlled conditions that prevent another person from impersonating
the legitimate signer. The agency's concern here is the possibility
that, if the person leaves the workstation, someone else could access
the workstation (or other computer device used to execute the signing)
and impersonate the legitimate signer by entering an identification
code or password.
The agency believes that, in such situations, it is vital to have
stringent controls in place to prevent the impersonation. Such controls
include: (1) Requiring an individual to remain in close proximity to
the workstation throughout the signing session; (2) use of automatic
inactivity disconnect measures that would ``de-log'' the first
individual if no entries or actions were taken within a fixed short
timeframe; and (3) requiring that the single component needed for
subsequent signings be known to, and usable only by, the authorized
individual.
The agency's objective in accepting the execution of fewer than all
the components of a nonbiometric
[[Page 13458]]
electronic signature for repetitive signings is to make it impractical
to falsify records. The agency believes that this would be attained by
complying with all of the following procedures where nonbiometric
electronic signatures are executed more than once during a single,
continuous controlled session: (1) All electronic signature components
are executed for the first signing; (2) at least one electronic
signature component is executed at each subsequent signing; (3) the
electronic signature component executed after the initial signing is
only used by its genuine owner, and is designed to ensure it can only
be used by its genuine owner; and (4) the electronic signatures are
administered and executed to ensure that their attempted use by anyone
other than their genuine owners requires collaboration of two or more
individuals. Items 1 and 4 are already incorporated in proposed
Sec. 11.200(a). FDA has included items 2 and 3 in final Sec. 11.200(a).
The agency cautions, however, that if its experience with
enforcement of part 11 demonstrates that these controls are
insufficient to deter falsifications, FDA may propose more stringent
controls.
125. One comment asserted that, if the agency intends the term
``identification code'' to mean the typical user identification, it
should not characterize the term as a distinct mechanism because such
codes do not necessarily exhibit security attributes. The comment also
suggested that proposed Sec. 11.200(a) address the appropriate
application of each possible combination of a two-factor authentication
method.
The agency acknowledges that the identification code alone does not
exhibit security attributes. Security derives from the totality of
system controls used to prevent falsification. However, uniqueness of
the identification code when combined with another electronic signature
component, which may not be unique (such as a password), makes the
combination unique and thereby enables a legitimate electronic
signature. FDA does not now believe it necessary to address, in
Sec. 11.200(a), the application of all possible combinations of
multifactored authentication methods.
126. One comment requested clarification of ``each signing,''
noting that a laboratory employee may enter a group of test results
under one signing.
The agency advises that each signing means each time an individual
executes a signature. Particular requirements regarding what records
need to be signed derive from other regulations, not part 11. For
example, in the case of a laboratory employee who performs a number of
analytical tests, within the context of drug CGMP regulations, it is
permissible for one signature to indicate the performance of a group of
tests (21 CFR 211.194(a)(7)). A separate signing is not required in
this context for each separate test as long as the record clearly shows
that the single signature means the signer performed all the tests.
127. One comment suggested that the proposed requirement, that
collaboration of at least two individuals is needed to prevent attempts
at electronic signature falsification, be deleted because a responsible
person should be allowed to override the electronic signature of a
subordinate. Several comments addressed the phrase ``attempted use''
and suggested that it be deleted or changed to ``unauthorized use.''
The comments said that willful breaking or circumvention of any
security measure does not require two or more people to execute, and
that the central question is whether collaboration is required to use
the electronic signature.
The agency advises that the intent of the collaboration provision
is to require that the components of a nonbiometric electronic
signature cannot be used by one individual without the prior knowledge
of a second individual. One type of situation the agency seeks to
prevent is the use of a component such as a card or token that a person
may leave unattended. If an individual must collaborate with another
individual by disclosing a password, the risks of betrayal and
disclosure are greatly increased and this helps to deter such actions.
Because the agency is not condoning such actions, Sec. 11.200(a)(2)
requires that electronic signatures be used only by the genuine owner.
The agency disagrees with the comments that the term ``attempted use''
should be changed to ``unauthorized uses,'' because ``unauthorized
uses'' could infer that use of someone else's electronic signature is
acceptable if it is authorized.
Regarding electronic signature ``overrides,'' the agency would
consider as falsification the act of substituting the signature of a
supervisor for that of a subordinate. The electronic signature of the
subordinate must remain inviolate for purposes of authentication and
documentation. Although supervisors may overrule the actions of their
staff, the electronic signatures of the subordinates must remain a
permanent part of the record, and the supervisor's own electronic
signature must appear separately. The agency believes that such an
approach is fully consistent with procedures for paper records.
As a result of the revisions noted in comments 123 to 127 of this
document, Sec. 11.200(a) now reads as follows:
(a) Electronic signatures that are not based upon biometrics
shall:
(1) Employ at least two distinct identification components such
as an identification code and password.
(i) When an individual executes a series of signings during a
single, continuous period of controlled system access, the first
signing shall be executed using all electronic signature components;
subsequent signings shall be executed using at least one electronic
signature component that is only executable by, and designed to be
used only by, the individual.
(ii) When an individual executes one or more signings not
performed during a single, continuous period of controlled system
access, each signing shall be executed using all of the electronic
signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of
an individual's electronic signature by anyone other than its
genuine owner requires collaboration of two or more individuals.
128. Proposed Sec. 11.200(b) states that electronic signatures
based upon biometric/behavioral links be designed to ensure that they
could not be used by anyone other than their genuine owners.
One comment suggested that the agency make available, by public
workshop or other means, any information it has regarding existing
biometric systems so that industry can provide proper input. Another
comment asserted that proposed Sec. 11.200(b) placed too great an
emphasis on biometrics, did not establish particular levels of
assurance for biometrics, and did not provide for systems using
mixtures of biometric and nonbiometric electronic signatures. The
comment recommended revising the phrase ``designed to ensure they
cannot be used'' to read ``provide assurances that prevent their
execution.''
The agency's experience with biometric electronic signatures is
contained in the administrative record for this rulemaking, under
docket no. 92N-0251, and includes recommendations from public comments
to the ANPRM and the proposed rule. The agency has also gathered, and
continues to gather, additional information from literature reviews,
general press reports, meetings, and the agency's experience with this
technology. Interested persons have had extensive opportunity for input
and comment regarding biometrics in part 11. In addition, interested
persons may continue to contact the agency at any time regarding
biometrics or any other relevant technologies. The agency notes
[[Page 13459]]
that the rule does not require the use of biometric-based electronic
signatures.
As the agency's experience with biometric electronic signatures
increases, FDA will consider holding or participating in public
workshops if that approach would be helpful to those wishing to adopt
such technologies to comply with part 11.
The agency does not believe that proposed Sec. 11.200(b) places too
much emphasis on biometric electronic signatures. As discussed above,
the regulation makes a clear distinction between electronic signatures
that are and are not based on biometrics, but treats their acceptance
equally.
The agency recognizes the inherent security advantages of
biometrics, however, in that record falsification is more difficult to
perform. System controls needed to make biometric-based electronic
signatures reliable and trustworthy are thus different in certain
respects from controls needed to make nonbiometric electronic
signatures reliable and trustworthy. The requirements in part 11
reflect those differences.
The agency does not believe that it is necessary at this time to
set numerical security assurance standards that any system would have
to meet.
The regulation does not prohibit individuals from using
combinations of biometric and nonbiometric-based electronic signatures.
However, when combinations are used, FDA advises that requirements for
each element in the combination would also apply. For example, if
passwords are used in combination with biometrics, then the benefits of
using passwords would only be realized, in the agency's view, by
adhering to controls that ensure password integrity (see Sec. 11.300).
In addition, the agency believes that the phrase ``designed to
ensure that they cannot be used'' more accurately reflects the agency's
intent than the suggested alternate wording, and is more consistent
with the concept of systems validation. Under such validation,
falsification preventive attributes would be designed into the
biometric systems.
To be consistent with the revised definition of biometrics in
Sec. 11.3(b)(3), the agency has revised Sec. 11.200(b) to read,
``Electronic signatures based upon biometrics shall be designed to
ensure that they cannot be used by anyone other than their genuine
owners.''
XIII. Electronic Signatures--Controls for Identification Codes/
Passwords (Sec. 11.300)
The introductory paragraph of proposed Sec. 11.300 states that
electronic signatures based upon use of identification codes in
combination with passwords must employ controls to ensure their
security and integrity.
To clarify the intent of this provision, the agency has added the
words ``[p]ersons who use'' to the first sentence of Sec. 11.300. This
change is consistent with Secs. 11.10 and 11.30. The introductory
paragraph now reads, ``Persons who use electronic signatures based upon
use of identification codes in combination with passwords shall employ
controls to ensure their security and integrity. Such controls shall
include: * * *.''
129. One comment suggested deletion of the phrase ``in combination
with passwords'' from the first sentence of this section.
The agency disagrees with the suggested revision because the change
is inconsistent with FDA's intent to address controls for electronic
signatures based on combinations of identification codes and passwords,
and would, in effect, permit a single component nonbiometric-based
electronic signature.
130. Proposed Sec. 11.300(a) states that controls for
identification codes/passwords must include maintaining the uniqueness
of each issuance of identification code and password.
One comment alleged that most passwords are commonly used words,
such as a child's name, a State, city, street, month, holiday, or date,
that are significant to the person who creates the password. Another
stated that the rule should explain uniqueness and distinguish between
issuance and use because identification code/password combinations
generally do not change for each use.
FDA does not intend to require that individuals use a completely
different identification code/password combination each time they
execute an electronic signature. For reasons explained in the response
to comment 16, what is required to be unique is each combined password
and identification code and FDA has revised the wording of
Sec. 11.300(a) to clarify this provision. The agency is aware, however,
of identification devices that generate new passwords on a continuous
basis in synchronization with a ``host'' computer. This results in
unique passwords for each system access. Thus, it is possible in theory
to generate a unique nonbiometric electronic signature for each
signing.
The agency cautions against using passwords that are common words
easily associated with their originators because such a practice would
make it relatively easy for someone to impersonate someone else by
guessing the password and combining it with an unsecured (or even
commonly known) identification code.
131. Proposed Sec. 11.300(b) states that controls for
identification codes/passwords must ensure that code/password issuances
are periodically checked, recalled, or revised.
Several comments objected to this proposed requirement because: (1)
It is unnecessary, (2) it excessively prescribes ``how to,'' (3) it
duplicates the requirements in Sec. 11.300(c), and (4) it is
administratively impractical for larger organizations. However, the
comments said individuals should be encouraged to change their
passwords periodically. Several comments suggested that proposed
Sec. 11.300(b) include a clarifying example such as ``to cover events
such as password aging.'' One comment said that the section should
indicate who is to perform the periodic checking, recalling, or
revising.
The agency disagrees with the objections to this provision. FDA
does not view the provision as a ``how to'' because organizations have
full flexibility in determining the frequency and methods of checking,
recalling, or revising their code/password issuances. The agency does
not believe that this paragraph duplicates the regulation in
Sec. 11.300(c) because paragraph (c) specifically addresses followup to
losses of electronic signature issuances, whereas Sec. 11.300(b)
addresses periodic issuance changes to ensure against their having been
unknowingly compromised. This provision would be met by ensuring that
people change their passwords periodically.
FDA disagrees that this system control is unnecessary or
impractical in large organizations because the presence of more people
may increase the opportunities for compromising identification codes/
passwords. The agency is confident that larger organizations will be
fully capable of handling periodic issuance checks, revisions, or
recalls.
FDA agrees with the comments that suggested a clarifying example
and has revised Sec. 11.300(b) to include password aging as such an
example. The agency cautions, however, that the example should not be
taken to mean that password expiration would be the only rationale for
revising, recalling, and checking issuances. If, for example,
identification codes and passwords have been copied or compromised,
they should be changed.
FDA does not believe it necessary at this time to specify who in an
organization is to carry out this system control, although the agency
expects
[[Page 13460]]
that units that issue electronic signatures would likely have this
duty.
132. Proposed Sec. 11.300(c) states that controls for
identification codes/passwords must include the following of loss
management procedures to electronically deauthorize lost tokens, cards,
etc., and to issue temporary or permanent replacements using suitable,
rigorous controls for substitutes.
One comment suggested that this section be deleted because it
excessively prescribes ``how to.'' Another comment argued that the
proposal was not detailed enough and should distinguish among
fundamental types of cards (e.g., magstripe, integrated circuit, and
optical) and include separate sections that address their respective
use. Two comments questioned why the proposal called for ``rigorous
controls'' in this section as opposed to other sections. One of the
comments recommended that this section should also apply to cards or
devices that are stolen as well as lost.
The agency believes that the requirement that organizations
institute loss management procedures is neither too detailed nor too
general. Organizations retain full flexibility in establishing the
details of such procedures. The agency does not believe it necessary at
this time to offer specific provisions relating to different types of
cards or tokens. Organizations that use such devices retain full
flexibility to establish appropriate controls for their operations. To
clarify the agency's broad intent to cover all types of devices that
contain or generate identification code or password information, FDA
has revised Sec. 11.300(c) to replace ``etc.'' with ``and other devices
that bear or generate identification code or password information.''
The agency agrees that Sec. 11.300(c) should cover loss management
procedures regardless of how devices become potentially compromised,
and has revised this section by adding, after the word ``lost,'' the
phrase ``stolen, missing, or otherwise potentially compromised.'' FDA
uses the term ``rigorous'' because device disappearance may be the
result of inadequate controls over the issuance and management of the
original cards or devices, thus necessitating more stringent measures
to prevent problem recurrence. For example, personnel training on
device safekeeping may need to be strengthened.
133. Proposed Sec. 11.300(d) states that controls for
identification codes/passwords must include the use of transaction
safeguards to prevent unauthorized use of passwords and/or
identification codes, and, detecting and reporting to the system
security unit and organizational management in an emergent manner any
attempts at their unauthorized use.
Several comments suggested that the term ``emergent'' in proposed
Sec. 11.300(d) be replaced with ``timely'' to describe reports
regarding attempted unauthorized use of identification codes/passwords
because: (1) A timely report would be sufficient, (2) technology to
report emergently is not available, and (3) timely is a more
recognizable and common term.
FDA agrees in part. The agency considers attempts at unauthorized
use of identification codes and passwords to be extremely serious
because such attempts signal potential electronic signature and
electronic record falsification, data corruption, or worse--
consequences that could also ultimately be very costly to
organizations. In FDA's view, the significance of such attempts
requires the immediate and urgent attention of appropriate security
personnel in the same manner that individuals would respond to a fire
alarm. To clarify its intent with a more widely recognized term, the
agency is replacing ``emergent'' with ``immediate and urgent'' in the
final rule. The agency believes that the same technology that accepts
or rejects an identification code and password can be used to relay to
security personnel an appropriate message regarding attempted misuse.
134. One comment suggested that the word ``any'' be deleted from
the phrase ``any attempts'' in proposed Sec. 11.300(d) because it is
excessive. Another comment, noting that the question of attempts to
enter a system or access a file by unauthorized personnel is very
serious, urged the agency to substitute ``all'' for ``any.'' This
comment added that there are devices on the market that can be used by
unauthorized individuals to locate personal identification codes and
passwords.
The agency believes the word ``any'' is sufficiently broad to cover
all attempts at misuse of identification codes and passwords, and
rejects the suggestion to delete the word. If the word ``any'' were
deleted, laxity could result from any inference that persons are less
likely to be caught in an essentially permissive, nonvigilant system.
FDA is aware of the ``sniffing'' devices referred to by one comment and
cautions persons to establish suitable countermeasures against them.
135. One comment suggested that proposed Sec. 11.300(d) be deleted
because it is impractical, especially when simple typing errors are
made. Another suggested that this section pertain to access to
electronic records, not just the system, on the basis that simple
miskeys may be typed when accessing a system.
As discussed in comments 133 and 134 of this document, the agency
believes this provision is necessary and reasonable. The agency's
security concerns extend to system as well as record access. Once
having gained unauthorized system access, an individual could
conceivably alter passwords to mask further intrusion and misdeeds. If
this section were removed, falsifications would be more probable to the
extent that some establishments would not alert security personnel.
However, the agency advises that a simple typing error may not
indicate an unauthorized use attempt, although a pattern of such
errors, especially in short succession, or such an apparent error
executed when the individual who ``owns'' that identification code or
password is deceased, absent, or otherwise known to be unavailable,
could signal a security problem that should not be ignored. FDA notes
that this section offers organizations maximum latitude in deciding
what they perceive to be attempts at unauthorized use.
136. One comment suggested substituting the phrase ``electronic
signature'' for ``passwords and/or identification codes.''
The agency disagrees with this comment because the net effect of
the revision might be to ignore attempted misuse of important elements
of an electronic signature such as a ``password'' attack on a system.
137. Several comments argued that: (1) It is not necessary to
report misuse attempts simultaneously to management when reporting to
the appropriate security unit, (2) security units would respond to
management in accordance with their established procedures and lines of
authority, and (3) management would not always be involved.
The agency agrees that not every misuse attempt would have to be
reported simultaneously to an organization's management if the security
unit that was alerted responded appropriately. FDA notes, however, that
some apparent security breeches could be serious enough to warrant
management's immediate and urgent attention. The agency has revised
proposed Sec. 11.300(d) to give organizations maximum flexibility in
establishing criteria for management notification. Accordingly,
Sec. 11.300(d) now states that controls for identification codes/
passwords must include:
Use of transaction safeguards to prevent unauthorized use of
passwords and/or identification codes, and to detect and report
[[Page 13461]]
in an immediate and urgent manner any attempts at their unauthorized
use to the system security unit, and, as appropriate, to
organizational management.
138. Proposed Sec. 11.300(e) states that controls for
identification codes/passwords must include initial and periodic
testing of devices, such as tokens or cards, bearing identifying
information, for proper function.
Many comments objected to this proposed device testing requirement
as unnecessary because it is part of system validation and because
devices are access fail-safe in that nonworking devices would deny
rather than permit system access. The comments suggested revising this
section to require that failed devices deny user access. One comment
stated that Sec. 11.300(e) is unclear on the meaning of ``identifying
information'' and that the phrase ``tokens or cards'' is redundant
because cards are a form of tokens.
FDA wishes to clarify the reason for this proposed requirement, and
to emphasize that proper device functioning includes, in addition to
system access, the correctness of the identifying information and
security performance attributes. Testing for system access alone could
fail to discern significant unauthorized device alterations. If, for
example, a device has been modified to change the identifying
information, system access may still be allowed, which would enable
someone to assume the identity of another person. In addition, devices
may have been changed to grant individuals additional system privileges
and action authorizations beyond those granted by the organization. Of
lesser significance would be simple wear and tear on such devices,
which result in reduced performance. For instance, a bar code may not
be read with the same consistent accuracy as intended if the code
becomes marred, stained, or otherwise disfigured. Access may be
granted, but only after many more scannings than desired. The agency
expects that device testing would detect such defects.
Because validation of electronic signature systems would not cover
unauthorized device modifications, or subsequent wear and tear,
validation would not obviate the need for periodic testing.
The agency notes that Sec. 11.300(e) does not limit the types of
devices organizations may use. In addition, not all tokens may be
cards, and identifying information is intended to include
identification codes and passwords. Therefore, FDA has revised proposed
Sec. 11.300(e) to clarify the agency's intent and to be consistent with
Sec. 11.300(c). Revised Sec. 11.300(e) requires initial and periodic
testing of devices, such as tokens or cards, that bear or generate
identification code or password information to ensure that they
function properly and have not been altered in an unauthorized manner.
XIV. Paperwork Reduction Act of 1995
This final rule contains information collection provisions that are
subject to review by the Office of Management and Budget (OMB) under
the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3520). Therefore,
in accordance with 5 CFR 1320, the title, description, and description
of respondents of the collection of information requirements are shown
below with an estimate of the annual reporting and recordkeeping
burdens. Included in the estimate is the time for reviewing
instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
collection of information.
Most of the burden created by the information collection provision
of this final rule will be a one-time burden associated with the
creation of standard operating procedures, validation, and
certification. The agency anticipates the use of electronic media will
substantially reduce the paperwork burden associated with maintaining
FDA-required records.
Title: Electronic records; Electronic signatures.
Description: FDA is issuing regulations that provide criteria for
acceptance of electronic records, electronic signatures, and
handwritten signatures executed to electronic records as equivalent to
paper records. Rules apply to any FDA records requirements unless
specific restrictions are issued in the future. Records required to be
submitted to FDA may be submitted electronically, provided the agency
has stated its ability to accept the records electronically in an
agency established public docket.
Description of Respondents: Businesses and other for-profit
organizations, state or local governments, Federal agencies, and
nonprofit institutions.
Although the August 31, 1994, proposed rule (59 FR 45160) provided
a 90-day comment period under the Paperwork Reduction Act of 1980, FDA
is providing an additional opportunity for public comment under the
Paperwork Reduction Act of 1995, which was enacted after the expiration
of the comment period and applies to this final rule. Therefore, FDA
now invites comments on: (1) Whether the proposed collection of
information is necessary for the proper performance of FDA's functions,
including whether the information will have practical utility; (2) the
accuracy of FDA's estimate of the burden of the proposed collection of
information, including the validity of the methodology and assumptions
used; (3) ways to enhance the quality, utility, and clarity of the
information to be collected; and (4) ways to minimize the burden of the
collection of information on respondents, including through the use of
automated collection techniques, when appropriate, and other forms of
information technology. Individuals and organizations may submit
comments on the information collection provisions of this final rule by
May 19, 1997. Comments should be directed to the Dockets Management
Branch (address above).
At the close of the 60-day comment period, FDA will review the
comments received, revise the information collection provisions as
necessary, and submit these provisions to OMB for review and approval.
FDA will publish a notice in the Federal Register when the information
collection provisions are submitted to OMB, and an opportunity for
public comment to OMB will be provided at that time. Prior to the
effective date of this final rule, FDA will publish a notice in the
Federal Register of OMB's decision to approve, modify, or disapprove
the information collection provisions. An agency may not conduct or
sponsor, and a person is not required to respond to, a collection of
information unless it displays a currently valid OMB control number.
Table 1.--Estimated Annual Recordkeeping Burden
------------------------------------------------------------------------
Annual No. of Hours per
21 CFR Section Recordkeepers Recordkeeper Total Hours
------------------------------------------------------------------------
11.10 50 40 2,000
11.30 50 40 2,000
11.50 50 40 2,000
[[Page 13462]]
11.300 50 40 2,000
Total annual burden
hours 8,000
------------------------------------------------------------------------
Table 2.--Estimated Annual Reporting Burden
------------------------------------------------------------------------
Annual No. of Hours per Total Burden
21 CFR Section Respondents Response Hours
------------------------------------------------------------------------
11.100 1,000 1 1,000
Total annual burden
hours 1,000
------------------------------------------------------------------------
XV. Environmental Impact
The agency has determined under 21 CFR 25.24(a)(8) that this action
is of a type that does not individually or cumulatively have a
significant effect on the human environment. Therefore, neither an
environmental assessment nor an environmental impact statement is
required.
XVI. Analysis of Impacts
FDA has examined the impacts of the final rule under Executive
Order 12866, under the Regulatory Flexibility Act (5 U.S.C. 601-612),
and under the Unfunded Mandates Reform Act (Pub. L. 104-4). Executive
Order 12866 directs agencies to assess all costs and benefits of
available regulatory alternatives and, when regulation is necessary, to
select regulatory approaches that maximize net benefits (including
potential economic, environmental, public health and safety, and other
advantages; and distributive impacts and equity). Unless an agency
certifies that a rule will not have a significant economic impact on a
substantial number of small entities, the Regulatory Flexibility Act
requires an analysis of regulatory options that would minimize any
significant impact of a rule on small entities. The Unfunded Mandates
Reform Act requires that agencies prepare an assessment of anticipated
costs and benefits before proposing any rule that may result in an
annual expenditure by State, local and tribal governments, in the
aggregate, or by the private sector, of $100 million (adjusted annually
for inflation).
The agency believes that this final rule is consistent with the
regulatory philosophy and principles identified in the Executive Order.
This rule permits persons to maintain any FDA required record or report
in electronic format. It also permits FDA to accept electronic records,
electronic signatures, and handwritten signatures executed to
electronic records as equivalent to paper records and handwritten
signatures executed on paper. The rule applies to any paper records
required by statute or agency regulations. The rule was substantially
influenced by comments to the ANPRM and the proposed rule. The
provisions of this rule permit the use of electronic technology under
conditions that the agency believes are necessary to ensure the
integrity of electronic systems, records, and signatures, and the
ability of the agency to protect and promote the public health.
This rule is a significant regulatory action as defined by the
Executive Order and is subject to review under the Executive Order.
This rule does not impose any mandates on State, local, or tribal
governments, nor is it a significant regulatory action under the
Unfunded Mandates Reform Act.
The activities regulated by this rule are voluntary; no entity is
required by this rule to maintain or submit records electronically if
it does not wish to do so. Presumably, no firm (or other regulated
entity) will implement electronic recordkeeping unless the benefits to
that firm are expected to exceed any costs (including capital and
maintenance costs). Thus, the industry will incur no net costs as a
result of this rule.
Based on the fact that the activities regulated by this rule are
entirely voluntary and will not have any net adverse effects on small
entities, the Commissioner of Food and Drugs certifies that this rule
will not have a significant economic impact on a substantial number of
small entities. Therefore, under the Regulatory Flexibility Act, no
further regulatory flexibility analysis is required.
Although no further analysis is required, in developing this rule,
FDA has considered the impact of the rule on small entities. The agency
has also considered various regulatory options to maximize the net
benefits of the rule to small entities without compromising the
integrity of electronic systems, records, and signatures, or the
agency's ability to protect and promote the public health. The
following analysis briefly examines the potential impact of this rule
on small businesses and other small entities, and describes the
measures that FDA incorporated in this final rule to reduce the costs
of applying electronic record/signature systems consistent with the
objectives of the rule. This analysis includes each of the elements
required for a final regulatory flexibility analysis under 5 U.S.C.
604(a).
A. Objectives
The purpose of this rule is to permit the use of a technology that
was not contemplated when most existing FDA regulations were written,
without undermining in any way the integrity of records and reports or
the ability of FDA to carry out its statutory health protection
mandate. The rule will permit regulated industry and FDA to operate
with greater flexibility, in ways that will improve both the efficiency
and the speed of industry's operations and the regulatory process. At
the same time, it ensures that individuals will assign the same level
of importance to affixing an electronic signature, and the records to
which that signature attests, as they currently do to a handwritten
signature.
B. Small Entities Affected
This rule potentially affects all large and small entities that are
required by any statute administered by FDA, or any FDA regulation, to
keep records or make reports or other submissions to FDA, including
small businesses, nonprofit organizations, and small government
entities. Because the rule affects such a broad range of industries, no
data currently exist to estimate precisely the total number of small
entities that will potentially benefit from the rule, but the number is
substantial. For example, within the medical devices industry alone,
the Small Business
[[Page 13463]]
Administration (SBA) estimates that over 3,221 firms are small
businesses (i.e., have fewer than 500 employees). SBA also estimates
that 504 pharmaceutical firms are small businesses with fewer than 500
employees. Of the approximately 2,204 registered blood and plasma
establishments that are neither government-owned nor part of the
American Red Cross, most are nonprofit establishments that are not
nationally dominant and thus may be small entities as defined by the
Regulatory Flexibility Act.
Not all submissions will immediately be acceptable electronically,
even if the submission and the electronic record conform to the
criteria set forth in this rule. A particular required submission will
be acceptable in electronic form only after it has been identified to
this effect in public docket 92S-0251. (The agency unit that can
receive that electronic submission will also be identified in the
docket.) Thus, although all small entities subject to FDA regulations
are potentially affected by this rule, the rule will actually only
benefit those that: (1) Are required to submit records or other
documents that have been identified in the public docket as acceptable
if submitted electronically, and (2) choose this method of submission,
instead of traditional paper record submissions. The potential range of
submissions includes such records as new drug applications, medical
device premarket notifications, food additive petitions, and medicated
feed applications. These, and all other required submissions, will be
considered by FDA as candidates for optional electronic format.
Although the benefits of making electronic submissions to FDA will
be phased in over time, as the agency accepts more submissions in
electronic form, firms can, upon the rule's effective date, immediately
benefit from using electronic records/signatures for records they are
required to keep, but not submit to FDA. Such records include, but are
not limited to: Pharmaceutical and medical device batch production
records, complaint records, and food processing records.
Some small entities will be affected by this rule even if they are
not among the industries regulated by FDA. Because it will increase the
market demand for certain types of software (e.g., document management,
signature, and encryption software) and services (e.g., digital
notaries and digital signature certification authorities), this rule
will benefit some small firms engaged in developing and providing those
products and services.
C. Description of the Impact
For any paper record that an entity is required to keep under
existing statutes or FDA regulations, FDA will now accept an electronic
record instead of a paper one, as long as the electronic record
conforms to the requirements of this rule. FDA will also consider an
electronic signature to be equivalent to a handwritten signature if it
meets the requirements of this rule. Thus, entities regulated by FDA
may, if they choose, submit required records and authorizations to the
agency electronically once those records have been listed in the docket
as acceptable in electronic form. This action is voluntary; paper
records and handwritten signatures are still fully acceptable. No
entity will be required to change the way it is currently allowed to
submit paper records to the agency.
1. Benefits and costs
For any firm choosing to convert to electronic recordkeeping, the
direct benefits are expected to include:
(1) Improved ability for the firm to analyze trends, problems,
etc., enhancing internal evaluation and quality control;
(2) Reduced data entry errors, due to automated checks;
(3) Reduced costs of storage space;
(4) Reduced shipping costs for data transmission to FDA; and
(5) More efficient FDA reviews and approvals of FDA-regulated
products.
No small entity will be required to convert to electronic
submissions. Furthermore, it is expected that no individual firm, or
other entity, will choose the electronic option unless that firm finds
that the benefits to the firm from conversion will exceed any
conversion costs.
There may be some small entities that currently submit records on
paper, but archive records electronically. These entities will need to
ensure that their existing electronic systems conform to the
requirements for electronic recordkeeping described in this rule. Once
they have done so, however, they may also take advantage of all the
other benefits of electronic recordkeeping. Therefore, no individual
small entity is expected to experience direct costs that exceed
benefits as a result of this rule.
Furthermore, because almost all of the rule's provisions reflect
contemporary security measures and controls that respondents to the
ANPRM identified, most firms should have to make few, if any,
modifications to their systems.
For entities that do choose electronic recordkeeping, the magnitude
of the costs associated with doing so will depend on several factors,
such as the level of appropriate computer hardware and software already
in place in a given firm, the types of conforming technologies
selected, and the size and dispersion of the firm. For example,
biometric signature technologies may be more expensive than
nonbiometric technologies; firms that choose the former technology may
encounter relatively higher costs. Large, geographically dispersed
firms may need some institutional security procedures that smaller
firms, with fewer persons in more geographically concentrated areas,
may not need. Firms that require wholesale technology replacements in
order to adopt electronic record/signature technology may face much
higher costs than those that require only minor modifications (e.g.,
because they already have similar technology for internal security and
quality control purposes). Among the firms that must undertake major
changes to implement electronic recordkeeping, costs will be lower for
those able to undertake these changes simultaneously with other planned
computer and security upgrades. New firms entering the market may have
a slight advantage in implementing technologies that conform with this
rule, because the technologies and associated procedures can be put in
place as part of the general startup.
2. Compliance requirements
If a small entity chooses to keep electronic records and/or make
electronic submissions, it must do so in ways that conform to the
requirements for electronic records and electronic signatures set forth
in this rule. These requirements, described previously in section II.
of this document, involve measures designed to ensure the integrity of
system operations, of information stored in the system, and of the
authorized signatures affixed to electronic records. The requirements
apply to all small (and large) entities in all industry sectors
regulated by FDA.
The agency believes that because the rule is flexible and reflects
contemporary standards, firms should have no difficulty in putting in
place the needed systems and controls. However, to assist firms in
meeting the provisions of this rule, FDA may hold public meetings and
publish more detailed guidance. Firms may contact FDA's Industry and
Small Business Liaison Staff, HF-50, at 5600 Fishers Lane, Rockville,
MD 20857 (301-827-3430) for more information.
[[Page 13464]]
3. Professional skills required
If a firm elects electronic recordkeeping and submissions, it must
take steps to ensure that all persons involved in developing,
maintaining, and using electronic records and electronic signature
systems have the education, training, and experience to perform the
tasks involved. The level of training and experience that will be
required depends on the tasks that the person performs. For example, an
individual whose sole involvement with electronic records is infrequent
might only need sufficient training to understand and use the required
procedures. On the other hand, an individual involved in developing an
electronic record system for a firm wishing to convert from a paper
recordkeeping system would probably need more education or training in
computer systems and software design and implementation. In addition,
FDA expects that such a person would also have specific on-the-job
training and experience related to the particular type of records kept
by that firm.
The relevant education, training, and experience of each individual
involved in developing, maintaining, or using electronic records/
submissions must be documented. However, no specific examinations or
credentials for these individuals are required by the rule.
D. Minimizing the Burden on Small Entities
This rule includes several conditions that an electronic record or
signature must meet in order to be acceptable as an alternative to a
paper record or handwritten signature. These conditions are necessary
to permit the agency to protect and promote the public health. For
example, FDA must retain the ability to audit records to detect
unauthorized modifications, simple errors, and to deter falsification.
Whereas there are many scientific techniques to show changes in paper
records (e.g., analysis of the paper, signs of erasures, and
handwriting analysis), these methods do not apply to electronic
records. For electronic records and submissions to have the same
integrity as paper records, they must be developed, maintained, and
used under circumstances that make it difficult for them to be
inappropriately modified. Without these assurances, FDA's objective of
enabling electronic records and signatures to have standing equal to
paper records and handwritten signatures, and to satisfy the
requirements of existing statutes and regulations, cannot be met.
Within these constraints, FDA has attempted to select alternatives
that provide as much flexibility as practicable without endangering the
integrity of the electronic records. The agency decided not to make the
required extent and stringency of controls dependent on the type of
record or transactions, so that firms can decide for themselves what
level of controls are worthwhile in each case. For example, FDA chose
to give firms maximum flexibility in determining: (1) The circumstances
under which management would have to be notified of security problems,
(2) the means by which firms achieve the required link between an
electronic signature and an electronic record, (3) the circumstances
under which extra security and authentication measures are warranted in
open systems, (4) when to use operational system checks to ensure
proper event sequencing, and (5) when to use terminal checks to ensure
that data and instructions originate from a valid source.
Numerous other specific considerations were addressed in the public
comments to the proposed rule. A summary of the issues raised by those
comments, the agency's assessment of these issues, and any changes made
in the proposed rule as a result of these comments is presented earlier
in this preamble.
FDA rejected alternatives for limiting potentially acceptable
electronic submissions to a particular category, and for issuing
different electronic submissions standards for small and large
entities. The former alternative would unnecessarily limit the
potential benefits of this rule; whereas the latter alternative would
threaten the integrity of electronic records and submissions from small
entities.
As discussed previously in this preamble, FDA rejected comments
that suggested a total of 17 additional more stringent controls that
might be more expensive to implement. These include: (1) Examination
and certification of individuals who perform certain important tasks,
(2) exclusive use of cryptographic methods to link electronic
signatures to electronic records, (3) controls for each possible
combination of a two factored authentication method, (4) controls for
each different type of identification card, and (5) recording in audit
trails the reason why records were changed.
List of Subjects in 21 CFR Part 11
Administrative practice and procedure, Electronic records,
Electronic signatures, Reporting and recordkeeping requirements.
Therefore, under the Federal Food, Drug, and Cosmetic Act, the
Public Health Service Act, and under authority delegated to the
Commissioner of Food and Drugs, Title 21, Chapter I of the Code of
Federal Regulations is amended by adding part 11 to read as follows:
PART 11--ELECTRONIC RECORDS; ELECTRONIC SIGNATURES
Subpart A--General Provisions
Sec.
11.1 Scope.
11.2 Implementation.
11.3 Definitions.
Subpart B--Electronic Records
11.10 Controls for closed systems.
11.30 Controls for open systems.
11.50 Signature manifestations.
11.70 Signature/record linking.
Subpart C--Electronic Signatures
11.100 General requirements.
11.200 Electronic signature components and controls.
11.300 Controls for identification codes/passwords.
Authority: Secs. 201-903 of the Federal Food, Drug, and Cosmetic
Act (21 U.S.C. 321-393); sec. 351 of the Public Health Service Act
(42 U.S.C. 262).
Subpart A--General Provisions
Sec. 11.1 Scope.
(a) The regulations in this part set forth the criteria under which
the agency considers electronic records, electronic signatures, and
handwritten signatures executed to electronic records to be
trustworthy, reliable, and generally equivalent to paper records and
handwritten signatures executed on paper.
(b) This part applies to records in electronic form that are
created, modified, maintained, archived, retrieved, or transmitted,
under any records requirements set forth in agency regulations. This
part also applies to electronic records submitted to the agency under
requirements of the Federal Food, Drug, and Cosmetic Act and the Public
Health Service Act, even if such records are not specifically
identified in agency regulations. However, this part does not apply to
paper records that are, or have been, transmitted by electronic means.
(c) Where electronic signatures and their associated electronic
records meet the requirements of this part, the agency will consider
the electronic signatures to be equivalent to full handwritten
signatures, initials, and other general signings as required by agency
regulations, unless specifically excepted by regulation(s) effective on
or after
[[Page 13465]]
August 20, 1997.
(d) Electronic records that meet the requirements of this part may
be used in lieu of paper records, in accordance with Sec. 11.2, unless
paper records are specifically required.
(e) Computer systems (including hardware and software), controls,
and attendant documentation maintained under this part shall be readily
available for, and subject to, FDA inspection.
Sec. 11.2 Implementation.
(a) For records required to be maintained but not submitted to the
agency, persons may use electronic records in lieu of paper records or
electronic signatures in lieu of traditional signatures, in whole or in
part, provided that the requirements of this part are met.
(b) For records submitted to the agency, persons may use electronic
records in lieu of paper records or electronic signatures in lieu of
traditional signatures, in whole or in part, provided that:
(1) The requirements of this part are met; and
(2) The document or parts of a document to be submitted have been
identified in public docket No. 92S-0251 as being the type of
submission the agency accepts in electronic form. This docket will
identify specifically what types of documents or parts of documents are
acceptable for submission in electronic form without paper records and
the agency receiving unit(s) (e.g., specific center, office, division,
branch) to which such submissions may be made. Documents to agency
receiving unit(s) not specified in the public docket will not be
considered as official if they are submitted in electronic form; paper
forms of such documents will be considered as official and must
accompany any electronic records. Persons are expected to consult with
the intended agency receiving unit for details on how (e.g., method of
transmission, media, file formats, and technical protocols) and whether
to proceed with the electronic submission.
Sec. 11.3 Definitions.
(a) The definitions and interpretations of terms contained in
section 201 of the act apply to those terms when used in this part.
(b) The following definitions of terms also apply to this part:
(1) Act means the Federal Food, Drug, and Cosmetic Act (secs. 201-
903 (21 U.S.C. 321-393)).
(2) Agency means the Food and Drug Administration.
(3) Biometrics means a method of verifying an individual's identity
based on measurement of the individual's physical feature(s) or
repeatable action(s) where those features and/or actions are both
unique to that individual and measurable.
(4) Closed system means an environment in which system access is
controlled by persons who are responsible for the content of electronic
records that are on the system.
(5) Digital signature means an electronic signature based upon
cryptographic methods of originator authentication, computed by using a
set of rules and a set of parameters such that the identity of the
signer and the integrity of the data can be verified.
(6) Electronic record means any combination of text, graphics,
data, audio, pictorial, or other information representation in digital
form that is created, modified, maintained, archived, retrieved, or
distributed by a computer system.
(7) Electronic signature means a computer data compilation of any
symbol or series of symbols executed, adopted, or authorized by an
individual to be the legally binding equivalent of the individual's
handwritten signature.
(8) Handwritten signature means the scripted name or legal mark of
an individual handwritten by that individual and executed or adopted
with the present intention to authenticate a writing in a permanent
form. The act of signing with a writing or marking instrument such as a
pen or stylus is preserved. The scripted name or legal mark, while
conventionally applied to paper, may also be applied to other devices
that capture the name or mark.
(9) Open system means an environment in which system access is not
controlled by persons who are responsible for the content of electronic
records that are on the system.
Subpart B--Electronic Records
Sec. 11.10 Controls for closed systems.
Persons who use closed systems to create, modify, maintain, or
transmit electronic records shall employ procedures and controls
designed to ensure the authenticity, integrity, and, when appropriate,
the confidentiality of electronic records, and to ensure that the
signer cannot readily repudiate the signed record as not genuine. Such
procedures and controls shall include the following:
(a) Validation of systems to ensure accuracy, reliability,
consistent intended performance, and the ability to discern invalid or
altered records.
(b) The ability to generate accurate and complete copies of records
in both human readable and electronic form suitable for inspection,
review, and copying by the agency. Persons should contact the agency if
there are any questions regarding the ability of the agency to perform
such review and copying of the electronic records.
(c) Protection of records to enable their accurate and ready
retrieval throughout the records retention period.
(d) Limiting system access to authorized individuals.
(e) Use of secure, computer-generated, time-stamped audit trails to
independently record the date and time of operator entries and actions
that create, modify, or delete electronic records. Record changes shall
not obscure previously recorded information. Such audit trail
documentation shall be retained for a period at least as long as that
required for the subject electronic records and shall be available for
agency review and copying.
(f) Use of operational system checks to enforce permitted
sequencing of steps and events, as appropriate.
(g) Use of authority checks to ensure that only authorized
individuals can use the system, electronically sign a record, access
the operation or computer system input or output device, alter a
record, or perform the operation at hand.
(h) Use of device (e.g., terminal) checks to determine, as
appropriate, the validity of the source of data input or operational
instruction.
(i) Determination that persons who develop, maintain, or use
electronic record/electronic signature systems have the education,
training, and experience to perform their assigned tasks.
(j) The establishment of, and adherence to, written policies that
hold individuals accountable and responsible for actions initiated
under their electronic signatures, in order to deter record and
signature falsification.
(k) Use of appropriate controls over systems documentation
including:
(1) Adequate controls over the distribution of, access to, and use
of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit
trail that documents time-sequenced development and modification of
systems documentation.
Sec. 11.30 Controls for open systems.
Persons who use open systems to create, modify, maintain, or
transmit electronic records shall employ procedures and controls
designed to
[[Page 13466]]
ensure the authenticity, integrity, and, as appropriate, the
confidentiality of electronic records from the point of their creation
to the point of their receipt. Such procedures and controls shall
include those identified in Sec. 11.10, as appropriate, and additional
measures such as document encryption and use of appropriate digital
signature standards to ensure, as necessary under the circumstances,
record authenticity, integrity, and confidentiality.
Sec. 11.50 Signature manifestations.
(a) Signed electronic records shall contain information associated
with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or
authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3)
of this section shall be subject to the same controls as for electronic
records and shall be included as part of any human readable form of the
electronic record (such as electronic display or printout).
Sec. 11.70 Signature/record linking.
Electronic signatures and handwritten signatures executed to
electronic records shall be linked to their respective electronic
records to ensure that the signatures cannot be excised, copied, or
otherwise transferred to falsify an electronic record by ordinary
means.
Subpart C--Electronic Signatures
Sec. 11.100 General requirements.
(a) Each electronic signature shall be unique to one individual and
shall not be reused by, or reassigned to, anyone else.
(b) Before an organization establishes, assigns, certifies, or
otherwise sanctions an individual's electronic signature, or any
element of such electronic signature, the organization shall verify the
identity of the individual.
(c) Persons using electronic signatures shall, prior to or at the
time of such use, certify to the agency that the electronic signatures
in their system, used on or after August 20, 1997, are intended to be
the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed
with a traditional handwritten signature, to the Office of Regional
Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
(2) Persons using electronic signatures shall, upon agency request,
provide additional certification or testimony that a specific
electronic signature is the legally binding equivalent of the signer's
handwritten signature.
Sec. 11.200 Electronic signature components and controls.
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as
an identification code and password.
(i) When an individual executes a series of signings during a
single, continuous period of controlled system access, the first
signing shall be executed using all electronic signature components;
subsequent signings shall be executed using at least one electronic
signature component that is only executable by, and designed to be used
only by, the individual.
(ii) When an individual executes one or more signings not performed
during a single, continuous period of controlled system access, each
signing shall be executed using all of the electronic signature
components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an
individual's electronic signature by anyone other than its genuine
owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed
to ensure that they cannot be used by anyone other than their genuine
owners.
Sec. 11.300 Controls for identification codes/passwords.
Persons who use electronic signatures based upon use of
identification codes in combination with passwords shall employ
controls to ensure their security and integrity. Such controls shall
include:
(a) Maintaining the uniqueness of each combined identification code
and password, such that no two individuals have the same combination of
identification code and password.
(b) Ensuring that identification code and password issuances are
periodically checked, recalled, or revised (e.g., to cover such events
as password aging).
(c) Following loss management procedures to electronically
deauthorize lost, stolen, missing, or otherwise potentially compromised
tokens, cards, and other devices that bear or generate identification
code or password information, and to issue temporary or permanent
replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of
passwords and/or identification codes, and to detect and report in an
immediate and urgent manner any attempts at their unauthorized use to
the system security unit, and, as appropriate, to organizational
management.
(e) Initial and periodic testing of devices, such as tokens or
cards, that bear or generate identification code or password
information to ensure that they function properly and have not been
altered in an unauthorized manner.
Dated: March 11, 1997.
William B. Schultz,
Deputy Commissioner for Policy.
[FR Doc. 97-6833 Filed 3-20-97; 8:45 am]
BILLING CODE 4160-01-F
