PAGES: 8 CATEGORY: Project Management POSTED ON: 11/1/2011
Easy Signature is free digital signature software that allows signing of any file type. It is customized for workflow and internal company documentation. This document describes how Easy Signature responds to FDA 21 CFR Part 11.
Easy Signature 21 CFR Part 11 Supplement

Version 1.0
Date: 2011-11-01

Introduction

Title 21 CFR Part 11 of the Code of Federal Regulations; Electronic Records; Electronic Signatures sets out the requirements for the creation, modification, maintenance, archival, retrieval, and transmittal of electronic records and also the use of electronic signatures when complying with the Federal Food, Drug and Cosmetic Act or any other Food and Drug Administration (FDA) regulation.

Easy Signature is free digital signature software that enables electronic signing of any type of file. This document presents the technical elements of Easy Signature for each of the summary requirements set out in 21 CFR Part 11.

Notice: It is not possible for any vendor to offer a turnkey 'FDA 21 CFR Part 11 compliant system'. 'FDA 21 CFR Part 11' requires both procedural controls (i.e. notification, training, SOPs, administration) and administrative controls to be put in place. It is the responsibility of the user to implement the procedural and administrative controls. To discuss and get more information, please contact us at www.easysoft.nu.

Free digital signature software – Easy Signature, www.easysoft.nu

Subpart B – Electronic Records

11.10 Controls for Closed Systems

11.10(a)
Section requirements: Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Easy Signature technical response: Easy Signature has been designed, developed and tested according to the Easy Soft documented Product Development lifecycle. Easy Signature uses proven, cryptographically safe PKI technology to ensure digital hierarchical trust and validity of the record.

11.10(b)
Section requirements: The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the FDA.
Easy Signature technical response: It is possible to print a signed record with Easy Signature in a readable and electronic form. All the cryptographic details, such as public keys and audit trace, are available and can be reviewed electronically and in paper form.

11.10(c)
Section requirements: Protection of records to enable the accurate and ready retrieval throughout the records retention period.
Easy Signature technical response: Easy Signature does not provide a specific medium or means to store records. Digital signatures are basically files that can be stored anywhere. It is the responsibility of the user to ensure protection of records (e.g. access rights in network, periodic backup, etc.). Easy Signature does, however, provide AES encryption that can be used for additional protection by the end-user.

11.10(d)
Section requirements: Limiting system access to authorized individuals.
Easy Signature technical response: Easy Signature protects the digital signature itself by a private password and a private digital signature file. However, Easy Signature is only a free digital signature tool and does not provide a specific medium or functionality to store records (see 11.10(c)).

11.10(e)
Section requirements: Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period of at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Easy Signature technical response: Easy Signature uses proven, cryptographically safe PKI technology to ensure digital hierarchical trust and validity of the record. It is not possible to obscure signed files. All the audit trail and digital hierarchical trust is recorded in the signed digital file and can be reviewed and copied.
Notice that the current Easy Signature software version does not provide the technical element of date and time stamp synchronization (with external servers) and relies on local computer time. We recommend that you use free time synchronization software tools in combination with Easy Signature in your document signature procedures. Make sure that the time zone is also clearly documented in the signature.

11.10(f)
Section requirements: Use of operational system checks to enforce permitted sequencing of steps in a process, as appropriate.
Easy Signature technical response: Easy Signature has a simple workflow capability and can be implemented to ensure that actions are performed in a sequence of steps in a process. The end user must, however, describe these processes in documentation and procedures.

11.10(g)
Section requirements: Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Easy Signature technical response: The Easy Signature security model ensures that users with a private unique digital signature file (*.SIG) issued by the "Signature Issuer Responsible" (SIR) can sign files. The digital hierarchical trust is fully maintained. Furthermore, the private unique digital signature file (*.SIG) is protected by a password. The end-user can easily introduce an authority check by defining the "Signature Issuer Responsible" (SIR) and obtaining a certificate from Easy Signature.
Notice that Easy Signature is only a free digital signature tool and does not provide a specific medium or means to store records. Protecting files (e.g. on a shared network) from the public is the responsibility of the end-user.

11.10(h)
Section requirements: Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
Easy Signature technical response: Easy Signature is free electronic signature software only. It does not provide means to determine the validity of the source of data input or operational instruction (e.g. correct document title or project ID) other than ensuring that the digital signature procedure is correct and safe.

11.10(i)
Section requirements: Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
Easy Signature technical response: End-user responsibility.

11.10(j)
Section requirements: The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
Easy Signature technical response: The user must develop policies and procedures governing accountability (using the Easy Signature PKI security model). However, a full audit trail details transactions in the system, where any altered or invalid records would be evident through inconsistencies with the digital signature hierarchical trace and audit trail. (For record storage, see 11.10(c).)

11.10(k)(1)
Section requirements: Use of appropriate controls over systems documentation including: Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
Easy Signature technical response: End-user responsibility.

11.10(k)(2)
Section requirements: Use of appropriate controls over systems documentation including: Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
Easy Signature technical response: End-user responsibility.

Subpart B – Electronic Records

11.30 Controls for Open Systems

11.30
Section requirements: Controls for Open Systems.
Easy Signature technical response: Does not apply. Easy Signature is a closed system for intra security.

Subpart B – Electronic Records

11.50 Signature Manifestations

11.50(a)(1-3)
Section requirements: Signed electronic records shall contain information associated with the signing that clearly indicates all the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
Easy Signature technical response: Easy Signature allows the user to define items 1 (including a scanned signature), 2 and 3 in a digital signature file. All of this information is digitally signed and cannot be altered after a digital signature.

11.50(b)
Section requirements: The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
Easy Signature technical response: It is possible to print a digital signature that contains all the information in (a)(1-3) along with cryptographic public keys.

11.70 Signature/Record Linking

11.70
Section requirements: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
Easy Signature technical response: Easy Signature uses SHA512 hashing of the electronic record. This, along with the information in 11.50(a)(1-3), is digitally signed, and there are no ordinary means to remove or copy signatures from/to records.

Subpart C – Electronic Signatures

11.100 Electronic Signature Components and Control

11.100(a)
Section requirements: Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
Easy Signature technical response: Each private signature file (*.SIG) has a unique public/private key and is fully traceable according to PKI practice. This key is private and protected by a personal private password that cannot be altered or reused or reassigned to anyone else.

Subpart C – Electronic Signatures

11.200 General Requirements

11.200(a)(1)
Section requirements: Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password.
Easy Signature technical response: Easy Signature uses a combination of a private signature file (*.SIG) and an associated password.

11.200(a)(1)(i)
Section requirements: When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
Easy Signature technical response: The private signature file (*.SIG) and a password are required for each signing. By design, the password and private signature file are re-authenticated for every signature event performed.

11.200(a)(1)(ii)
Section requirements: When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
Easy Signature technical response: See 11.200(a)(1)(i).

11.200(a)(2)
Section requirements: Electronic signatures that are not based upon biometrics shall: Be used only by their genuine owners.
Easy Signature technical response: It is beyond the scope of Easy Signature to ensure that users do not provide others with access to their private signature file and password.

11.200(a)(3)
Section requirements: Electronic signatures that are not based upon biometrics shall: Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
Easy Signature technical response: For the digital signature to be breached in this manner, it would require the collaboration of the "Signature Issuer Responsible" (SIR) and the end user. Notice that the breach can be traced back to the SIR and uniquely identified, since every private signature (*.SIG) file is digitally unique.

11.200(b)
Section requirements: Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
Easy Signature technical response: Not applicable. Easy Signature does not use biometrics.

Subpart C – Electronic Signatures

11.300 Controls for Identification Codes/Passwords

11.300(a)
Section requirements: Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
Easy Signature technical response: Every private signature (*.SIG) file is digitally unique and protected by a password.

11.300(b)
Section requirements: Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
Easy Signature technical response: The private signature file (*.SIG) contains a unique public and private cryptographic key that is valid for a fixed period of time defined by the certificate issued to the "Signature Issuer Responsible" (SIR). The private signature file shall be kept safe by the end-user during this time and is also password protected for additional safety.

11.300(c)
Section requirements: Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
Easy Signature technical response: If the private signature (*.SIG) file is lost or stolen, a new unique private signature (*.SIG) file can be generated. The end-user can make a record of the event, and all signatures done with the previous private signature (*.SIG) file can be traced in time.

11.300(d)
Section requirements: Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
Easy Signature technical response: See 11.300(c). Not applicable if related to a device.

11.300(e)
Section requirements: Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Easy Signature technical response: See 11.300(c). Not applicable if related to a device.