28 Mar 2011

EU Annex 11 - Electronic Signatures



Electronic Signatures


This is a continuation of a review of the update to EU Annex 11 and Chapter 4 (Documentation), which was issued in January 2011 and becomes effective on 30 June 2011.

As stated in the previous article, the EU Annex 11 update does not directly reference Electronic Records; these are covered in the update to EU Chapter 4 (Documentation).

The update to EU Annex 11 does, however, state the following relating to Electronic Signatures.


Electronic records may be signed electronically. Electronic signatures are expected to:

Discussion


EU Annex 11 states that records can be signed electronically. It is not as clear as 21 CFR Part 11 on this point and does not state what controls are required.

Password Controls

The recommendation would be to ensure that technical controls are developed using either biometric technology or a combination of user name and password, and that the controls are validated.

In addition to the technical controls, procedures must be in place to ensure that user access and Electronic Signatures are adequately managed. This includes:

  • Issue of access (user name, passwords)
  • Management of lost passwords
  • De-authorisation of accounts
  • Periodic security review (verification that the controls are working as designed)

21 CFR Part 11 provides a greater level of guidance as to how security controls should be applied to electronic signatures. Following this guidance will ensure compliance with both 21 CFR Part 11 and EU Annex 11.

Sec. 11.200 Electronic signature components and controls.
(a) Electronic signatures that are not based upon biometrics shall:

(1) Employ at least two distinct identification components such as an identification code and password.

(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

(2) Be used only by their genuine owners; and

(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

Record Linking

Another key requirement is that the signature is linked to the record. Design and verification should be available to demonstrate that the signature is inextricably and permanently linked to the record.
a. have the same impact as hand-written signatures within the boundaries of the company,
b. be permanently linked to their respective record,
c. include the time and date that they were applied.

2 comments:

  1. As I read Annex 11, the scope is pharma and vet meds. Can device mfgs ignore the Annex and, if not, why not?
    thanks.

  2. Escobar, you are correct that Annex 11 relates to pharmaceuticals and vet meds. There are other regulations relating to medical devices. This is not one of my areas of expertise.

    However, the principle of making decisions based on documented risk (assessments) is something that the medical device industry has been doing for a number of years.
