Easy Signature 21 CFR Part 11 Supplement

Version 1.0 Date: 2011-11-01

Introduction

Title 21 CFR Part 11 of the Code of Federal Regulations; Electronic Records; Electronic Signatures sets out the requirements for the creation, modification, maintenance, archival, retrieval, and transmittal of electronic records and also the use of electronic signatures when complying with the Federal Food, Drug and Cosmetic Act or any other Food and Drug Administration (FDA) regulation.

Easy Signature is free digital signature software that enables electronic signing of any type of file.

This document presents the technical elements of Easy Signature for each of the summary requirements set out in 21 CFR Part 11.

Notice: It is not possible for any vendor to offer a turnkey 'FDA 21 CFR Part 11 compliant system'. 'FDA 21 CFR Part 11' requires both procedural controls (i.e. notification, training, SOPs, administration) and administrative controls to be put in place. It is the responsibility of the user to implement the procedural and administrative controls.

To discuss and get more information, please contact us at www.easysoft.nu.

Free digital signature software – Easy Signature

Subpart B – Electronic Records

11.10 Controls for Closed Systems

Section

Section Requirements

Easy Signature technical response

11.10(a)

Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

Easy Signature has been designed, developed and tested according to the Easy Soft documented product development lifecycle. Easy Signature uses proven, cryptographically safe PKI technology to ensure digital hierarchical trust and validity of the record.

11.10(b)

The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the FDA.

It is possible to print a signed record with Easy Signature in a readable and electronic form. All the cryptographic details, such as public keys and the audit trace, are available and can be reviewed electronically and in paper form.

11.10(c)

Protection of records to enable the accurate and ready retrieval throughout the records retention period.

Easy Signature does not provide a specific medium or means to store records. Digital signatures are basically files that can be stored anywhere.

It is the responsibility of the user to ensure protection of records (e.g. access rights in the network, periodic backup, etc.).

Easy Signature does however provide AES encryption that can be used for additional protection by the end user.

11.10(d)

Limiting system access to authorized individuals.

Easy Signature protects the digital signature itself with a private password and a private digital signature file. However, Easy Signature is only a free digital signature tool and does not provide a specific medium or functionality to store records (see 11.10(c)).

11.10(e)

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period of at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Easy Signature uses proven, cryptographically safe PKI technology to ensure digital hierarchical trust and validity of the record. It is not possible to obscure signed files. All of the audit trail and digital hierarchical trust is recorded in the signed digital file and can be reviewed and copied.

Notice that the current Easy Signature software version does not provide the technical element of date and time stamp synchronization (with external servers) and relies on the local computer time.

We recommend that you use free time synchronization software tools in combination with Easy Signature in your document signature procedures. Make sure that the time zone is also clearly documented in the signature.

11.10(f)

Use of operational system checks to enforce permitted sequencing of steps in a process, as appropriate.

Easy Signature has a simple workflow capability and can be implemented to ensure that actions are performed in a sequence of steps in a process. It is however necessary that the end user describes these processes in documentation and procedures.

11.10(g)

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

The Easy Signature security model ensures that users with a private unique digital signature file (*.SIG) issued by the "Signature Issuer Responsible" (SIR) can sign files. The digital hierarchical trust is fully maintained. Furthermore, the private unique digital signature file (*.SIG) is protected by a password. The end user can easily introduce authority checks by defining the "Signature Issuer Responsible" (SIR) and obtaining a certificate from Easy Signature.

Notice that Easy Signature is only a free digital signature tool and does not provide a specific medium or means to store records. The protection of files (e.g. shared network, etc.) from the public is the responsibility of the end user.

11.10(h)

Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

Easy Signature is free electronic signature software only. It does not provide means to determine the validity of the source of data input or operational instruction (e.g. correct document title or project ID) other than ensuring that the digital signature procedure is correct and safe. End-user responsibility.

11.10(i)

Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

11.10(j)

The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

The user must develop policies and procedures governing accountability (using the Easy Signature PKI security model). However, a full audit trail details transactions in the system, where any altered or invalid records would be evident through inconsistencies with the digital signature hierarchical trace and audit trail (about record storage, read 11.10(c)).

11.10(k)(1)

Use of appropriate controls over systems documentation including: Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

End-user responsibility.

11.10(k)(2)

Use of appropriate controls over systems documentation including: Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

End-user responsibility.

Subpart B – Electronic Records

11.30 Controls for Open Systems

Section

Section Requirements

Easy Signature technical response

11.30

Controls for Open Systems

Does not apply. Easy Signature is a closed system for intra security.

Subpart B – Electronic Records

11.50 Signature Manifestations

Section

Section Requirements

Easy Signature technical response

11.50(a)(1-3)

Signed electronic records shall contain information associated with the signing that clearly indicates all the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

Easy Signature allows the user to define (1) (including a scanned signature), (2) and (3) in a digital signature file. All of this information is digitally signed and cannot be altered after a digital signature.

11.50(b)

The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

It is possible to print a digital signature that contains all the information in (a)(1-3) along with the cryptographic public keys.

11.70 Signature/Record Linking

Section

Section Requirements

Easy Signature technical response

11.70

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

Easy Signature uses SHA512 hashing of the electronic record. This hash, along with the information in 11.50(a)(1-3), is digitally signed, and there are no ordinary means to remove or copy signatures from/to records.
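The linking described for 11.70, shown as an added example that is not Easy Signature's own code or file format: the SHA512 hash of the record and the three 11.50(a) items are signed together, so a signature moved to another record, or a changed meaning, fails verification. The field names, the sample record and the demo key are assumptions, and HMAC-SHA512 stands in for the PKI private-key signature so that the example runs with the Python standard library only.

```python
import hashlib, hmac, json

# Constructed demo key. HMAC-SHA512 stands in for the signer's private-key
# (PKI) signature so the example runs with the standard library only.
DEMO_KEY = b"constructed-demo-key-not-a-real-SIG-file"

def signed_payload(record: bytes, name: str, signed_at: str, meaning: str) -> bytes:
    """Canonical bytes that get signed: record hash plus the 11.50(a) items."""
    manifest = {
        "record_sha512": hashlib.sha512(record).hexdigest(),
        "signer_name": name,      # 11.50(a)(1)
        "signed_at": signed_at,   # 11.50(a)(2), ISO 8601 with explicit UTC offset
        "meaning": meaning,       # 11.50(a)(3)
    }
    # Sorted keys and fixed separators give one unambiguous encoding.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign(record, name, signed_at, meaning, key=DEMO_KEY):
    payload = signed_payload(record, name, signed_at, meaning)
    return {"name": name, "signed_at": signed_at, "meaning": meaning,
            "sig": hmac.new(key, payload, hashlib.sha512).hexdigest()}

def verify(record, signature, key=DEMO_KEY):
    """Recompute the payload from the record presented and the stated manifest."""
    payload = signed_payload(record, signature["name"],
                             signature["signed_at"], signature["meaning"])
    expected = hmac.new(key, payload, hashlib.sha512).hexdigest()
    return hmac.compare_digest(expected, signature["sig"])

def demo():
    original = b"Batch record 0001: assay result 99.2 %"  # constructed record
    altered = b"Batch record 0001: assay result 99.9 %"
    sig = sign(original, "A. Example", "2011-11-01T09:30:00+01:00", "approval")
    relabelled = dict(sig, meaning="authorship")
    return {
        "original": verify(original, sig),
        "altered_record": verify(altered, sig),
        "transplanted": verify(b"Unrelated record", sig),
        "changed_meaning": verify(original, relabelled),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

The timestamp carries its UTC offset inside the signed data, which is the point of the time zone recommendation under 11.10(e): the signature then covers an unambiguous instant even though the clock is local.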

Subpart C – Electronic Signatures

11.100 Electronic Signature Components and Control

Section

Section Requirements

Easy Signature technical response

11.100(a)

Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

Each private signature file (*.SIG) has a unique public/private key and is fully traceable according to PKI practice. This key is private and protected by a personal private password that cannot be altered or reused or reassigned to anyone else.

Subpart C – Electronic Signatures

11.200 General Requirements

Section

Section Requirements

Easy Signature technical response

11.200(a)(1)

Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password.

Easy Signature uses a combination of a private signature file (*.SIG) and an associated password.

11.200(a)(1)(i)

When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

The private signature file (*.SIG) and a password are required for each signing. By design the password and private signature file are re-authenticated for every signature event performed.

11.200(a)(1)(ii)

When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

See 11.200(a)(1)(i).

11.200(a)(2)

Electronic signatures that are not based upon biometrics shall: Be used only by their genuine owners.

It is beyond the scope of Easy Signature to ensure that users do not provide others with access to their private signature file and password.

11.200(a)(3)

Electronic signatures that are not based upon biometrics shall: Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

For the digital signature to be breached in this manner, it would require the collaboration of the "Signature Issuer Responsible" (SIR) and the end user. Notice that the breach can be traced back to the SIR and uniquely identified, since every private signature (*.SIG) file is digitally unique.

11.200(b)

Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

Not applicable. Easy signature does not use biometrics.

Subpart C – Electronic Signatures

11.300 Controls for Identification Codes/Passwords

Section

Section Requirements

Easy Signature technical response

11.300(a)

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

Every private signature (*.SIG) file is digitally unique and protected by a password.

11.300(b)

Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

The private signature file (*.SIG) contains a unique public and private cryptographic key that is valid for a fixed period of time defined by the certificate issued to the "Signature Issuer Responsible" (SIR). The private signature file shall be kept safe by the end user during this time and is also password protected for additional safety.

11.300(c)

Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable rigorous controls.

If the private signature (*.SIG) file is lost or stolen, a new unique private signature (*.SIG) file can be generated. The end user can make a record of the event, and all signatures made with the previous private signature (*.SIG) file can be traced in time.

11.300(d)

Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

See 11.300(c). Not applicable if related to a device.

11.300(e)

Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

See (11.300(c)). Not applicable if related to a device.
