FDA Home Page | Federal-State | Import Program | Compliance | Inspection | Science | ORA Search

PURPOSE

Persons using electronic signatures/electronic records are required to file certification documents with the Agency, according to the Electronic Records: Electronic Signatures Regulations, 21 C.F.R. Part 11. (By "person", it refers to an individual or an organization with legal rights and duties.) Filing of certification is primarily a one-time requirement for persons wishing to utilize electronic signatures on electronic records in regulated activities and is a declaration that electronic signatures affixed on their electronic records are legally binding equivalents for handwritten signatures. The Office of Regional Operations (ORO) is designated as the administrator of filing and maintenance of the certification information. This FMD is issued to describe how the Office of Regional Operations maintains the certification information and provides the rest of the Agency with access to the information.

BACKGROUND

21 C.F.R. Part 11 requires that a person using electronic records file a certification document with FDA declaring that electronic signatures used on those records are legally binding equivalents to handwritten signatures. District offices and other units of FDA may need to verify that a person using electronic signatures and electronic records in regulated activities has filed such certification document with the Agency as required by the regulation. However, Part 11 does not call for submission of electronic signature use and authenticity information on individuals covered by the certification document. Investigators or reviewers of documents are expected to determine the authenticity of electronic signatures in the same manner that they determine the authenticity of handwritten signatures.

Significant parts of the regulations pertaining to electronic records are:

Electronic records and signatures are generally equivalent to paper records and handwritten signatures, respectively, executed on paper, provided all the requirements of regulations are met.

Each receiving unit (centers, offices, divisions, branches) must have identified, in advance, the types and formats of records it will accept in electronic format in public docket 92S-0251.

The regulation differentiates between closed systems in which system access is controlled by persons responsible for electronic records on the system, and open systems in which system access may not be entirely controlled by those same persons. Both the open and the closed systems must be designed to ensure that the electronic signatures on electronic records are not easily repudiated by the signer. Open systems must have additional measures such as document encryption and use of appropriate digital signature standards to ensure record authenticity, integrity, and confidentiality (since access to the [computer] system is not controlled by the persons that generate [and maintain] the electronic records under the Part 11 provisions).

Electronic signatures executed to electronic records shall be linked to electronic records to ensure they can't be excised, copied, or transferred to alter those electronic records.

Significant parts of the regulations pertaining to electronic signatures are:

They must be unique to the individual - not reusable by or reassignable to anyone else.

Before using electronic signatures, or at the time of use, persons using electronic signatures must certify to the Agency the electronic signatures used in their system on or after August 20, 1997, are intended to be the legally binding equivalent of handwritten signatures.

The above-mentioned certifications must be in paper form and signed with handwritten signatures and submitted to ORO/DEIO (HFC-130).

On request, persons must provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer=s handwritten signature.   Electronic signatures shall use biometrics - based on measurements of physical features (fingerprints, retinal signatures) or repeatable actions (dynamic signature verification combined with parameter code), OR

They shall employ at least two distinct identification components such as identification code and password.

PROCEDURES

ORO=s agency-wide responsibility for certification documents is cited in 21 CFR 11.100(c) which says APersons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures...@, and 21 CFR 11.100(c)(1) AThe certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100).@

These certification documents will be received by and physically stored in ORA/ORO. That office will compile a database of persons and all pertinent certification data. This database will be made accessible to the rest of the Agency by posting its content on ORA INTRANET in two separate tables for ease of search: one sorted alphabetically by names of filing persons and the other by Central File Numbers (CFN's). These tables will be presented on the INTRANET Web Page on the Parklawn network server in HTML format by August 20, 1997. They can be accessed from computers directly connected to any of the ORA's network servers at http://www.ora.fda.gov:8000/esig.html. ORO will update these tables on a periodic basis. For those without access to INTRANET and/or for more up-to-date information, ORO has established an ORO/DEIO contact at 301-827-5629.

Persons wishing to satisfy 21 C.F.R. 11.100 (c) (1) requirement should be directed to file the "letter of certification" with ORA/ORO, HFC-100, at 5600 Fishers Lane, Rockville, MD 20857.

If any of the Agency units needs to obtain an original document or its copy for the purpose of establishing the legal status of respective electonic records/electronic signatures, contact ORO/DEIO at the above-noted number. Any inquiries regarding filing of the certification documents should also be referred to the above office.

DISTRIBUTION:             Regional Food and Drug Directors and District Directors; FDA Headquarters Offices

ISSUED BY:                   ORA/ORO/Division of Emergency and Investigational Operations (HFC-130)

AUTHORITY:                   ORA

PUBLICATION DATE:  2/98

This page was last updated on: 05/21/99.

Return to: Page Top | Inspection Start

	About ORA | Site Map/Index | ORA Search FDA Home Page | Search FDA Site | A-Z Index | Contact FDA | Privacy | Accessibility | HHS Home Page Office of Regulatory Affairs