Part 11, Electronic Records; Electronic Signatures; Update On Implementation; P. Motise 8/00
21 CFR Part 11, Electronic Records; Electronic Signatures
Update on Implementation
P. Motise

We’ll Cover
- Part 11 overview
- Program management at FDA
- Public conference outcomes
- Guidance development
- Problems we’re finding
- Parallel mainstream activities
- Resources

Part 11 - What It Is
- Part 11 - substantive rule
  - Records (not computer) reg.
- Minimal standards
- What makes e-recordkeeping
  - Trustworthy
  - Reliable
  - Compatible w/FDA work

Part 11 - What It Means
- Part 11 compliance
  - Permits e-recs/e-sigs in place of paper/h-sigs
    - All FDA program areas
    - Tied to predicate regulations
  - E-submissions
    - Docket 92S-0251

Part 11 - The Approach
- System controls basis (CGMP model)
  - Technical
  - Procedural
  - Administrative
- Controls suggested by industry technical experts

Part 11 - Milestones
- Development History
  - 1990 - Early work
  - 7/21/92 - ANPR
  - 8/31/94 - Proposed Rule
  - 3/20/97 - Final Rule
  - 8/20/97 - Effective Date

Who Does What?
- Assoc. Commissioner For Regulatory Affairs/Office of Enforcement (OE)
  - Regulatory implementation
    - Enforcement/Interpretation
    - Training
    - Industry guidance
    - Centers have input

Who Does What?
- Agency centers
  - E-submissions (e.g., NDAs)
    - What to accept in e-form
    - File formats and media
    - Delivery methods

Who Does What?
- Part 11 Compliance Committee
  - Responsibilities:
    - Advise agency on compliance issues
    - Develop policy/guidance documents
    - Inform units re: committee work

Who Does What?
- Part 11 Compliance Committee
  - Responsibilities:
    - Discuss crosscutting issues
    - Recommend implementation uniformity methods
    - Promote, develop, coordinate FDA/industry training/education

Who Does What?
- Part 11 Compliance Committee
  - Managed by OE
  - Members from
    - All centers
    - Office of Chief Counsel
    - Field

Weaving Part 11 Into Programs
- Compliance programs
  - Per routine revisions/renewals
- New predicate rules
  - E.g., Dietary Supplement CGMPs
- Field training
  - Part 11 & predicate rule courses

Conference Facts
- Co-sponsorship w/PDA
- For all FDA regulated industries
- Held June 19 & 20, 2000
- 900 attendees
- 22 industry speakers

Conference Purpose
- Info exchange on
  - Industry’s experience in implementing part 11 technical provisions
  - Available products/services to enable compliance

Conference Purpose
- Not a tutorial
- Not to debate rule’s merits
- To help FDA develop guidance

Themes That Emerged
- FDA guidance needed ASAP
- Enabling products/services now available; more coming fast
  - Mosaic, not turn-key, solutions
  - Effort/creativity needed
    - XML, Java, Active-X, Source code control tools, native capabilities

Themes That Emerged
- Suppliers listening/can offer needed features
  - Users must speak up/be specific
- Part 11 in mainstream
  - E-commerce; E-government
- People don’t do their homework

Among Likely Topics
- Archiving
- Audit trails
- Certifications
- Validation
- E-copies of e-records for FDA

General Problems
- Legacy e-systems less secure than traditional paper
  - Record integrity principles and practices left behind
- Implementation given to IT alone
- Failure to keep up w/standards and enabling technologies

Poor Network Security
- All users have system admin. privileges
- Network administrator unqualified
- Passwords posted to directory

Poor Password Controls
- E.g., Password = Account Name
- Avoid dumb passwords like:
  “Password”, “Login”, “Bob”, “Boss”, “Goddess”, “Diva”, “Stud”, “Computer”, “Dilbert”, “GOSKINS!”

Validation Problems
- Unvalidatable systems
  - System requirements spec. absent
- Program macros not validated
  - Assay calculations
    - Recall resulted

Validation Problems
- Inadequate change control (configuration management)
  - Remote changes by vendor
  - Interface changes

[Figure labels: Patient B [Info B]; Patient A [Info B]; Patient B [Info B]]
[Figure labels: Results of contamination test. Code 330 = Test equipment failed (3 digit results code field); Code 33 = Tested material is o.k. (2 digit results code field)]

Other Problems
- No audit trail of operator changes to assay reports
- Inability to generate e-copies for FDA
- Batch record lost to overwrite
- Failure to record non-compliant info

PDA Part 11 Task Group
- Preparing e-records technical report
  - Help people comply with part 11
    - Framework document
    - Modules for legacy and new systems
  - Two to three year project
    - Launched 8/99

PDA Part 11 Task Group
- Participants (25 core, 40+ extended)
  - Regulated industry
  - Supplier community
  - FDA
  - Attorneys in e-commerce arena
- Liaison w/other groups

Impetus Directives
- EU D-Sig Directive (12/99)
- White House to agencies (12/99):
  - Issue 100,000 d-certs by end of 2000
  - Promote on-line gov’t services
- OMB to agencies re: Gov. Paperwork Elimination Act (5/2/00)
  - Part 11 named among 9 model regs.

E-SIGN Act
- Echoes part 11 principles/particulars
  - E-records and e-signatures covered
  - Legal acceptance, with conditions
  - Provides for regulatory standards
    - Maintenance and submission records
  - Doesn’t require e-recordkeeping

E-SIGN Act
- Echoes part 11 principles/particulars
  - Technology neutral
  - Similar definitions
    - “Record” if retrievable in perceivable form; tangible media or otherwise
  - Signature to record links
  - Consumer protection preserved

E-SIGN Act
- Echoes part 11 principles/particulars
  - E-record archiving
    - E-form & accessible to parties
    - Migration anticipated (“accurate reflection” of e-record)
    - OK for “originals”

E-SIGN Act
- New concept - E-agent
  “A computer program or an electronic or other automated means used independently to initiate an action or respond to electronic records or performances in whole or in part without review or action by an individual at the time of the action or response.”

E-SIGN Act
- Exemptions include:
  - Wills and family law
  - Court orders
  - Consumer notices
    - Recalls, utility cut-offs

Part 11 Emulators - EPA
- Cross Media Electronic Reports and Recordkeeping Rule (CROMERRR)
  - Same principles and particulars
    - Systems controls approach
  - Public meetings held June/July 2000
  - Proposed rule by end of 2000
  - Final rule by end of 2001; 40 CFR

Part 11 Emulators - EPA
- CROMERRR principles
  - Codify criteria for e-record integrity, authenticity, non-repudiation
  - Trustworthy & reliable records
  - Individual responsibility
  - Agency wide
  - Records and signatures covered

Part 11 Emulators - EPA
- CROMERRR principles
  - Submissions and maintenance records covered
  - Relation to predicate rules
  - Technology neutral
  - No legacy system exemptions

Part 11 Emulators - EPA
- CROMERRR particulars
  - System access controls
  - Audit trails; transaction logs
  - Detect system compromise
  - Archiving (migration anticipated)
    - Content, metadata, audit trails
    - Keep functionality

Part 11 Emulators - EPA
- CROMERRR particulars
  - Time stamps
  - Unique e-sigs
  - E-sig to record binding
  - E-sig manifestations (date/time, meaning)

Part 11 Emulators - EPA
- CROMERRR particulars
  - E-copies for EPA investigators
  - E-sig certifications (per record)
  - E-sig deauthorizations

Part 11 Emulators - EPA
- Submissions
  - PKI via Internet, encrypted
  - EPA gives software and d-certs
    - GSA ACES program
  - F/R notice per program submission
  - EPA to certify state systems

Emerging Trends
- Application Service Providers (ASPs) (a.k.a., Netsourcing)
  - Hosted applications, contract facilities
    - E.g., archiving, security, and database
  - Attn: security, performance, availability

Emerging Trends
- Vendor acquisition of client expertise; strategic alliances
  - Consulting services
    - Better product use in client environment
    - Increased awareness of client needs

Emerging Trends
- State laws enforcing software licensing agreements
  - Uniform Computer Information Transactions Act (UCITA)
    - National Conference of Commissioners on Uniform State Laws

Emerging Trends
- UCITA
  - VA, 1st to enact -- effective 7/2001
  - “Automatic restraint” (in code)
    - “Disable” or “repossess” program if terms not met
    - No liability for restraint use harm

Emerging Trends
- UCITA
  - Use limits (time/number) possible
  - User bears risk of loss for elect. delivered copy

Emerging Trends
- Peer to peer distributed computing
  - Shared computational power
    - Encryption hackers
  - Search and share files (Internet wide)
    - No central repository
      - Napster for music files
      - Gnutella for non-music files

[Figure labels: 1 PC, 10 PCs, 100 PCs, 10^n PCs]

FDA Internet Sites
- http://www.fda.gov/ora/compliance_ref/part11
- http://www.fda.gov/dockets
  - 6/2000 Conference - 00N-0358
  - E-submissions docket 92S-0251
- http://www.fda.gov/cber/summaries.htm

Other Internet Sites
- http://pw1.netcom.com/~jlboet/esiglinks.htm [John L. Boettcher]
- http://www.21CFRPart11.com (NuGenisis Technologies)
- http://www.pda.org (PDA)
- http://www.fcw.com (Federal Computer Week)

We Covered
- Part 11 overview
- Program management at FDA
- Public conference outcomes
- Guidance development
- Problems we’re finding
- Parallel mainstream activities
- Resources

White House on E-SIGN Act
“Record retention serves an important public purpose by allowing agencies to monitor for compliance, protect taxpayers from fraud and abuse, and enforce the law.” …

White House on E-SIGN Act
“The act requires that agencies allow most records to be retained electronically, but government may establish standards for electronic records to ensure that compliance with laws can be determined, taxpayers can be protected, and agency mission can be accomplished.”

Paul J. Motise
Consumer Safety Officer
Office of Enforcement, HFC-240
Office of the Associate Commissioner for Regulatory Affairs
5600 Fishers Lane
Rockville, MD 20857
Phone: 301 827-0383 Fax: 301 827-0343
E-mail: [email protected]