Electronic Records: Electronic Signature Certification
November 30, 2009
Persons using electronic signatures/electronic records are required to file certification documents with the Agency, according to the Electronic Records: Electronic Signatures Regulations, 21 C.F.R. Part 11. (Here, "person" refers to an individual or an organization with legal rights and duties.) Filing of certification is primarily a one-time requirement for persons wishing to utilize electronic signatures on electronic records in regulated activities and is a declaration that electronic signatures affixed on their electronic records are legally binding equivalents for handwritten signatures. The Office of Regional Operations (ORO) is designated as the administrator of filing and maintenance of the certification information. This FMD is issued to describe how the Office of Regional Operations maintains the certification information and provides the rest of the Agency with access to the information.
21 C.F.R. Part 11 requires that a person using electronic records file a certification document with FDA declaring that electronic signatures used on those records are legally binding equivalents to handwritten signatures. District offices and other units of FDA may need to verify that a person using electronic signatures and electronic records in regulated activities has filed such a certification document with the Agency as required by the regulation. However, Part 11 does not call for submission of electronic signature use and authenticity information on individuals covered by the certification document. Investigators or reviewers of documents are expected to determine the authenticity of electronic signatures in the same manner that they determine the authenticity of handwritten signatures.
Significant parts of the regulations pertaining to electronic records are:
Electronic records and signatures are generally equivalent to paper records and handwritten signatures, respectively, executed on paper, provided all the requirements of regulations are met.
Each receiving unit (centers, offices, divisions, branches) must have identified, in advance, the types and formats of records it will accept in electronic format in public docket 92S-0251.
The regulation differentiates between closed systems in which system access is controlled by persons responsible for electronic records on the system, and open systems in which system access may not be entirely controlled by those same persons. Both the open and the closed systems must be designed to ensure that the electronic signatures on electronic records are not easily repudiated by the signer. Open systems must have additional measures such as document encryption and use of appropriate digital signature standards to ensure record authenticity, integrity, and confidentiality (since access to the [computer] system is not controlled by the persons that generate [and maintain] the electronic records under the Part 11 provisions).
Electronic signatures executed to electronic records shall be linked to electronic records to ensure they can't be excised, copied, or transferred to alter those electronic records.
Significant parts of the regulations pertaining to electronic signatures are:
They must be unique to the individual - not reusable by or reassignable to anyone else.
Before using electronic signatures, or at the time of use, persons using electronic signatures must certify to the Agency that the electronic signatures used in their system on or after August 20, 1997, are intended to be the legally binding equivalent of handwritten signatures.
The above-mentioned certifications must be in paper form and signed with handwritten signatures and submitted to ORO/DEIO (HFC-130).
On request, persons must provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.
Electronic signatures shall use biometrics - based on measurements of physical features (fingerprints, retinal signatures) or repeatable actions (dynamic signature verification combined with parameter code), OR
They shall employ at least two distinct identification components such as identification code and password.
ORO’s agency-wide responsibility for certification documents is cited in 21 CFR 11.100(c), which says that persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. 21 CFR 11.100(c)(1) states that the certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100).
Persons wishing to satisfy the 21 C.F.R. 11.100(c)(1) requirement should be directed to file the "letter of certification" with ORA/ORO, at 12420 Parklawn Drive, Element Building, Rockville, MD 20857.
These certification documents will be received by and maintained in an electronic database in ORA/ORO. If any of the Agency units needs to obtain a copy for the purposes of establishing the legal status of the respective electronic records/electronic signatures, contact the ORO Program Analyst at 301-796-5320. Any inquiries regarding filing of the certification documents should also be referred to the above office.