|2004N-0133 - Part 11 Public Meeting; June 11, 2004|
|FDA Comment Number :||EC3|
|Submitter :||Dr. Larry Leeth||Date & Time:||05/06/2004 07:05:33|
|Organization :||QAD, Inc.|
One area where input was requested related to additional audit trail controls.
Specifically, '3. Should audit trail requirements include safeguards designed and implemented to deter, prevent, and document unauthorized record creation, modification, and deletion?'
A point I offered in a comment on an earlier Part 11 guidance document is that controls specified in sections 11.200 and 11.300 should be moved to cover both electronic records AND electronic signatures.
That is, strong, reliable authentication is a fundamental control for assuring the integrity of electronic records. It seems to be just as relevant to establish reliable attribution for the creation, modification and deletion of records as it is for the 'signature' of specific events identified in the predicate rules.
It would seem desirable to have multi-factor authentication of all users of electronic records covered by the predicate rules. However, properly administered UserID/Password systems are still adequate in most applications. This point may be contingent on a risk management assessment.
Also, with reliable attribution for audit trail records, the need for electronic signatures on many electronic records may be reduced. This is particularly the case where signature requirements in the predicate rules are 'implicit'.
For example, the Quality System regulation, Subpart G - Production and Process Controls, (g)(2) states: '(2) Inspection. Each manufacturer shall conduct periodic inspections in accordance with established procedures to ensure adherence to applicable equipment maintenance schedules. The inspections, including the date and individual(s) conducting the inspections, shall be documented.'
If these inspections are documented in electronic records, the audit trail for the creation/modification of such records should adequately fulfill the requirements of this predicate rule, without requiring an 'electronic signature', assuming the controls as discussed above are in place.
Larry Leeth, PhD CISSP