21 CFR Part 11 - Ehealthinformation.ca

federal registerThursdayMarch 20, 1997Part IIDepartment ofHealth and HumanServicesFood and Drug Administration21 CFR Part 11Electronic Records; Electronic Signatures;Final RuleElectronic Submissions; Establishment ofPublic Docket; Notice13429

13430 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and RegulationsDEPARTMENT OF HEALTH ANDHUMAN SERVICESFood and Drug Administration21 CFR Part 11[Docket No. 92N–0251]RIN 0910–AA29Electronic Records; ElectronicSignaturesAGENCY: Food and Drug Administration,HHS.ACTION: Final rule.SUMMARY: The Food and DrugAdministration (FDA) is issuingregulations that provide criteria foracceptance by FDA, under certaincircumstances, of electronic records,electronic signatures, and handwrittensignatures executed to electronicrecords as equivalent to paper recordsand handwritten signatures executed onpaper. These regulations, which applyto all FDA program areas, are intendedto permit the widest possible use ofelectronic technology, compatible withFDA’s responsibility to promote andprotect public health. The use ofelectronic records as well as theirsubmission to FDA is voluntary.Elsewhere in this issue of the FederalRegister, FDA is publishing a documentproviding information concerningsubmissions that the agency is preparedto accept electronically .DATES: Effective August 20, 1997.Submit written comments on theinformation collection provisions of thisfinal rule by May 19, 1997.ADDRESSES: Submit written commentson the information collection provisionsof this final rule to the DocketsManagement Branch (HFA–305), Foodand Drug Administration, 12420Parklawn Dr., rm. 1–23, Rockville, MD20857.The final rule is also availableelectronically via Internet: http://www.fda.gov.FOR FURTHER INFORMATION CONTACT:Paul J. Motise, Center for DrugEvaluation and Research (HFD–325), Food and DrugAdministration, 7520 Standish Pl.,Rockville, MD 20855, 301–594–1089. E-mail address via Internet:Motise@CDER.FDA.GOV, orTom M. Chin, Division of CompliancePolicy (HFC–230), Food and DrugAdministration, 5600 Fishers Lane,Rockville, MD 20857, 301–827–0410. E-mail address via Internet:TChin@FDAEM.SSW.DHHS.GOVSUPPLEMENTARY INFORMATION:I. BackgroundIn 1991, members of thepharmaceutical industry met with theagency to determine how they couldaccommodate paperless record systemsunder the current good manufacturingpractice (CGMP) regulations in parts 210and 211 (21 CFR parts 210 and 211).FDA created a Task Force on ElectronicIdentification/Signatures to develop auniform approach by which the agencycould accept electronic signatures andrecords in all program areas. In aFebruary 24, 1992, report, a task forcesubgroup, the Electronic Identification/Signature Working Group,recommended publication of anadvance notice of proposed rulemaking(ANPRM) to obtain public comment onthe issues involved.In the Federal Register of July 21,1992 (57 FR 32185), FDA published theANPRM, which stated that the agencywas considering the use of electronicidentification/signatures, and requestedcomments on a number of related topicsand concerns. FDA received 53comments on the ANPRM. In theFederal Register of August 31, 1994 (59FR 45160), the agency published aproposed rule that incorporated many ofthe comments to the ANPRM, andrequested that comments on theproposed regulation be submitted byNovember 29, 1994. A completediscussion of the options considered byFDA and other background informationon the agency’s policy on electronicrecords and electronic signatures can befound in the ANPRM and the proposedrule.FDA received 49 comments on theproposed rule. The commentersrepresented a broad spectrum ofinterested parties: Human andveterinary pharmaceutical companies aswell as biological products, medicaldevice, and food interest groups,including 11 trade associations, 25manufacturers, and 1 Federal agency.II. Highlights of the Final RuleThe final rule provides criteria underwhich FDA will consider electronicrecords to be equivalent to paperrecords, and electronic signaturesequivalent to traditional handwrittensignatures. Part 11 (21 CFR part 11)applies to any paper records required bystatute or agency regulations andsupersedes any existing paper recordrequirements by providing thatelectronic records may be used in lieuof paper records. Electronic signatureswhich meet the requirements of the rulewill be considered to be equivalent tofull handwritten signatures, initials, andother general signings required byagency regulations.Section 11.2 provides that recordsmay be maintained in electronic formand electronic signatures may be usedin lieu of traditional signatures. Recordsand signatures submitted to the agencymay be presented in an electronic formprovided the requirements of part 11 aremet and the records have beenidentified in a public docket as the typeof submission the agency accepts in anelectronic form. Unless records areidentified in this docket as appropriatefor electronic submission, only paperrecords will be regarded as officialsubmissions.Section 11.3 defines terms used inpart 11, including the terms: Biometrics,closed system, open system, digitalsignature, electronic record, electronicsignature, and handwritten signature.Section 11.10 describes controls forclosed systems, systems to which accessis controlled by persons responsible forthe content of electronic records on thatsystem. These controls includemeasures designed to ensure theintegrity of system operations andinformation stored in the system. Suchmeasures include: (1) Validation; (2) theability to generate accurate andcomplete copies of records; (3) archivalprotection of records; (4) use ofcomputer-generated, time-stamped audittrails; (5) use of appropriate controlsover systems documentation; and (6) adetermination that persons whodevelop, maintain, or use electronicrecords and signature systems have theeducation, training, and experience toperform their assigned tasks.Section 11.10 also addresses thesecurity of closed systems and requiresthat: (1) System access be limited toauthorized individuals; (2) operationalsystem checks be used to enforcepermitted sequencing of steps andevents as appropriate; (3) authoritychecks be used to ensure that onlyauthorized individuals can use thesystem, electronically sign a record,access the operation or computer systeminput or output device, alter a record, orperform operations; (4) device (e.g.,terminal) checks be used to determinethe validity of the source of data inputor operation instruction; and (5) writtenpolicies be established and adhered toholding individuals accountable andresponsible for actions initiated undertheir electronic signatures, so as to deterrecord and signature falsification.Section 11.30 sets forth controls foropen systems, including the controlsrequired for closed systems in § 11.10and additional measures such asdocument encryption and use ofappropriate digital signature standards

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13431to ensure record authenticity, integrity,and confidentiality.Section 11.50 requires signaturemanifestations to contain informationassociated with the signing of electronicrecords. This information must includethe printed name of the signer, the dateand time when the signature wasexecuted, and the meaning (such asreview, approval, responsibility, andauthorship) associated with thesignature. In addition, this informationis subject to the same controls as forelectronic records and must be includedin any human readable forms of theelectronic record (such as electronicdisplay or printout).Under § 11.70, electronic signaturesand handwritten signatures executed toelectronic records must be linked totheir respective records so thatsignatures cannot be excised, copied, orotherwise transferred to falsify anelectronic record by ordinary means.Under the general requirements forelectronic signatures, at § 11.100, eachelectronic signature must be unique toone individual and must not be reusedby, or reassigned to, anyone else. Beforean organization establishes, assigns,certifies, or otherwise sanctions anindividual’s electronic signature, theorganization shall verify the identity ofthe individual.Section 11.200 provides thatelectronic signatures not based onbiometrics must employ at least twodistinct identification components suchas an identification code and password.In addition, when an individualexecutes a series of signings during asingle period of controlled systemaccess, the first signing must beexecuted using all electronic signaturecomponents and the subsequentsignings must be executed using at leastone component designed to be usedonly by that individual. When anindividual executes one or moresignings not performed during a singleperiod of controlled system access, eachsigning must be executed using all ofthe electronic signature components.Electronic signatures not based onbiometrics are also required to be usedonly by their genuine owners andadministered and executed to ensurethat attempted use of an individual’selectronic signature by anyone elserequires the collaboration of two ormore individuals. This would make itmore difficult for anyone to forge anelectronic signature. Electronicsignatures based upon biometrics mustbe designed to ensure that suchsignatures cannot be used by anyoneother than the genuine owners.Under § 11.300, electronic signaturesbased upon use of identification codesin combination with passwords mustemploy controls to ensure security andintegrity. The controls must include thefollowing provisions: (1) Theuniqueness of each combinedidentification code and password mustbe maintained in such a way that no twoindividuals have the same combinationof identification code and password; (2)persons using identification codes and/or passwords must ensure that they areperiodically recalled or revised; (3) lossmanagement procedures must befollowed to deauthorize lost, stolen,missing, or otherwise potentiallycompromised tokens, cards, and otherdevices that bear or generateidentification codes or passwordinformation; (4) transaction safeguardsmust be used to prevent unauthorizeduse of passwords and/or identificationcodes, and to detect and report anyattempt to misuse such codes; (5)devices that bear or generateidentification codes or passwordinformation, such as tokens or cards,must be tested initially and periodicallyto ensure that they function properlyand have not been altered in anunauthorized manner.III. Comments on the Proposed RuleA. General Comments1. Many comments expressed generalsupport for the proposed rule. Notingthat the proposal’s regulatory approachincorporated several suggestionssubmitted by industry in comments onthe ANPRM, a number of commentsstated that the proposal is a goodexample of agency and industrycooperation in resolving technicalissues.Several comments also noted thatboth industry and the agency can realizesignificant benefits by using electronicrecords and electronic signatures, suchas increasing the speed of informationexchange, cost savings from the reducedneed for storage space, reduced errors,data integration/trending, productimprovement, manufacturing processstreamlining, improved process control,reduced vulnerability of electronicsignatures to fraud and abuse, and jobcreation in industries involved inelectronic record and electronicsignature technologies.One comment noted that, when part11 controls are satisfied, electronicsignatures and electronic records haveadvantages over paper systems,advantages that include: (1) Havingautomated databases that enable moreadvanced searches of information, thusobviating the need for manual searchesof paper records; (2) permittinginformation to be viewed from multipleperspectives; (3) permittingdetermination of trends, patterns, andbehaviors; and (4) avoiding initial andsubsequent document misfiling thatmay result from human error.There were several comments on thegeneral scope and effect of proposedpart 11. These comments noted that thefinal regulations will be viewed as astandard by other Government agencies,and may strongly influence thedirection of electronic record andelectronic signature technologies. Onecomment said that FDA’s position onelectronic signatures/electronic recordsis one of the most pressing issues for thepharmaceutical industry and has asignificant impact on the industry’sfuture competitiveness. Anothercomment said that the rule constitutesan important milestone along theNation’s information superhighway.FDA believes that the extensiveindustry input and collaboration thatwent into formulating the final rule isrepresentative of a productivepartnership that will facilitate the use ofadvanced technologies. The agencyacknowledges the potential benefits tobe gained by electronic record/electronic signature systems. Theagency expects that the magnitude ofthese benefits should significantlyoutweigh the costs of making thesesystems, through compliance with part11, reliable, trustworthy, andcompatible with FDA’s responsibility topromote and protect public health. Theagency is aware of the potential impactof the rule, especially regarding theneed to accommodate and encouragenew technologies while maintaining theagency’s ability to carry out its mandateto protect public health. The agency isalso aware that other Federal agenciesshare the same concerns and areaddressing the same issues as FDA; theagency has held informal discussionswith other Federal agencies andparticipated in several interagencygroups on electronic records/electronicsignatures and information technologyissues. FDA looks forward toexchanging information and experiencewith other agencies for mutual benefitand to promote a consistent Federalpolicy on electronic records andsignatures. The agency also notes thatbenefits, such as the ones listed by thecomments, will help to offset anysystem modification costs that personsmay incur to achieve compliance withpart 11.B. Regulations Versus Guidelines2. Several comments addressedwhether the agency’s policy onelectronic signatures and electronicrecords should be issued as a regulation

13432 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationsor recommended in a guideline. Mostcomments supported a regulation, citingthe need for a practical and workableapproach for criteria to ensure thatrecords can be stored in electronic formand are reliable, trustworthy, secure,accurate, confidential, and authentic.One comment specifically supported asingle regulation covering all FDAregulatedproducts to ensure consistentrequirements across all product lines.Two comments asserted that the agencyshould only issue guidelines or ‘‘makethe regulations voluntary.’’ One of thesecomments said that by issuingregulations, the agency is shifting fromcreating tools to enhancecommunication (technological quality)to creating tools for enforcement(compliance quality).The agency remains convinced, asexpressed in the preamble to theproposed rule (59 FR 45160 at 45165),that a policy statement, inspectionguide, or other guidance would be aninappropriate means for enunciating acomprehensive policy on electronicsignatures and records. FDA hasconcluded that regulations are necessaryto establish uniform, enforceable,baseline standards for acceptingelectronic signatures and records. Theagency believes, however, thatsupplemental guidance documentswould be useful to address controls ingreater detail than would be appropriatefor regulations. Accordingly, the agencyanticipates issuing supplementalguidance as needed and will afford allinterested parties the opportunity tocomment on the guidance documents.The need for regulations isunderscored by several opinionsexpressed in the comments. Forexample, one comment asserted that itshould be acceptable for supervisors toremove the signatures of theirsubordinates from signed records andreplace them with their own signatures.Although the agency does not object tothe use of a supervisor’s signature toendorse or confirm a subordinate’sactions, removal of an original signatureis an action the agency views asfalsification. Several comments alsoargued that an electronic signatureshould consist of only a password, thatpasswords need not be unique, that it isacceptable for people to use passwordsassociated with their personal lives (likethe names of their children or theirpets), and that passwords need only bechanged every 2 years. FDA believesthat such procedures would greatlyincrease the possibility that a passwordcould be compromised and the chancethat any resulting impersonation and/orfalsification would continue for a longtime. Therefore, an enforceableregulation describing the acceptablecharacteristics of an electronic signatureappears necessary.C. Flexibility and Specificity3. Several comments addressed theflexibility and specificity of theproposed rule. The commentscontended that agency acceptance ofelectronic records systems should not bebased on any particular technology, butrather on the adequacy of the systemcontrols under which they are createdand managed. Some comments claimedthat the proposed rule was overlyprescriptive and that it should notspecify the mechanisms to be used, butrather only require owners/users todesign appropriate safeguards andvalidate them to reasonably ensureelectronic signature integrity andauthenticity. One comment commendedthe agency for giving industry thefreedom to choose from a variety ofelectronic signature technologies, whileanother urged that the final rule be morespecific in detailing softwarerequirements for electronic records andelectronic notebooks in research andtesting laboratories.The agency believes that theprovisions of the final rule afford firmsconsiderable flexibility while providinga baseline level of confidence thatrecords maintained in accordance withthe rule will be of high integrity. Forexample, the regulation permits a widevariety of existing and emergingelectronic signature technologies, fromuse of identification codes inconjunction with manually enteredpasswords to more sophisticatedbiometric systems that may necessitateadditional hardware and software.While requiring electronic signatures tobe linked to their respective electronicrecords, the final rule affords flexibilityin achieving that link through use of anyappropriate means, including use ofdigital signatures and secure relationaldatabase references. The final ruleaccepts a wide variety of electronicrecord technologies, including thosebased on optical storage devices. Inaddition, as discussed in comment 40 ofthis document, the final rule does notestablish numerical standards for levelsof security or validation, thus offeringfirms flexibility in determining whatlevels are appropriate for theirsituations. Furthermore, while requiringoperational checks, authority checks,and periodic testing of identifyingdevices, persons have the flexibility ofconducting those controls by anysuitable method. When the final rulecalls for a certain control, such asperiodic testing of identification tokens,persons have the option of determiningthe frequency.D. Controls for Electronic SystemsCompared with Paper Systems4. Two comments stated that anycontrols that do not apply to paperbaseddocument systems andhandwritten signatures should notapply to electronic record and signaturesystems unless those controls areneeded to address an identified uniquerisk associated with electronic recordsystems. One comment expressedconcern that FDA was establishing amuch higher standard for electronicsignatures than necessary.In attempting to establish minimumcriteria to make electronic signaturesand electronic records trustworthy andreliable and compatible with FDA’sresponsibility to promote and protectpublic health (e.g., by hastening theavailability of new safe and effectivemedical products and ensuring thesafety of foods), the agency hasattempted to draw analogies tohandwritten signatures and paperrecords wherever possible. In doing so,FDA has found that the analogy doesnot always hold because of thedifferences between paper andelectronic systems. The agency believessome of those differences necessitatecontrols that will be unique toelectronic technology and that must beaddressed on their own merits and notevaluated on the basis of theirequivalence to controls governing paperdocuments.The agency found that some of thecomments served to illustrate thedifferences between paper andelectronic record technologies and theneed to address controls that may notgenerally be found in paper recordsystems. For example, several commentspointed out that electronic records builtupon information databases, unlikepaper records, are actually transientviews or representations of informationthat is dispersed in various parts of thedatabase. (The agency notes that thedatabases themselves may begeographically dispersed but linked bynetworks.) The same software thatgenerates representations of databaseinformation on a screen can alsomisrepresent that information,depending upon how the software iswritten (e.g., how a query is prepared).In addition, database elements caneasily be changed at any time tomisrepresent information, withoutevidence that a change was made, andin a manner that destroys the originalinformation. Finally, more people havepotential access to electronic record

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13433systems than may have access to paperrecords.Therefore, controls are needed toensure that representations of databaseinformation have been generated in amanner that does not distort data orhide noncompliant or otherwise badinformation, and that database elementsthemselves have not been altered so asto distort truth or falsify a record. Suchcontrols include: (1) Using timestampedaudit trails of informationwritten to the database, where suchaudit trails are executed objectively andautomatically rather than by the personentering the information, and (2)limiting access to the database searchsoftware. Absent effective controls, it isvery easy to falsify electronic records torender them indistinguishable fromoriginal, true records.The traditional paper record, incomparison, is generally a durableunitized representation that is fixed intime and space. Information is recordeddirectly in a manner that does notrequire an intermediate means ofinterpretation. When an incorrect entryis made, the customary method ofcorrecting FDA-related records is tocross out the original entry in a mannerthat does not obscure the prior data.Although paper records may befalsified, it is relatively difficult (incomparison to falsification of electronicrecords) to do so in a nondetectablemanner. In the case of paper recordsthat have been falsified, a body ofevidence exists that can help prove thatthe records had been changed;comparable methods to detectfalsification of electronic records haveyet to be fully developed.In addition, there are significanttechnological differences betweentraditional handwritten signatures(recorded on paper) and electronicsignatures that also require controlsunique to electronic technologies. Forexample, the traditional handwrittensignature cannot be readilycompromised by being ‘‘loaned’’ or‘‘lost,’’ whereas an electronic signaturebased on a password in combinationwith an identification code can becompromised by being ‘‘loaned’’ or‘‘lost.’’ By contrast, if one personattempts to write the handwrittensignature of another person, thefalsification would be difficult toexecute and a long-standing body ofinvestigational techniques would beavailable to detect the falsification. Onthe other hand, many electronicsignatures are relatively easy to falsifyand methods of falsification almostimpossible to detect.Accordingly, although the agency hasattempted to keep controls for electronicrecord and electronic signaturesanalogous to traditional paper systems,it finds it necessary to establish certaincontrols specifically for electronicsystems.E. FDA Certification of ElectronicSignature Systems5. One comment requested FDAcertification of what it described as alow-cost, biometric-based electronicsignature system, one which usesdynamic signature verification with aparameter code recorded on magneticstripe cards.The agency does not anticipate theneed to certify individual electronicsignature products. Use of anyelectronic signature system thatcomplies with the provisions of part 11would form the basis for agencyacceptance of the system regardless ofwhat particular technology or brand isused. This approach is consistent withFDA’s policy in a variety of programareas. The agency, for example, does notcertify manufacturing equipment usedto make drugs, medical devices, or food.F. Biometric Electronic Signatures6. One comment addressed theagency’s statement in the proposed rule(59 FR 45160 at 45168) that the ownerof a biometric/behavioral link could notlose or give it away. The commentstated that it was possible for an ownerto ‘‘lend’’ the link for a file to beopened, as a collaborative fraudulentgesture, or to unwittingly assist afraudulent colleague in an ‘‘emergency,’’a situation, the comment said, that wasnot unknown in the computer industry.The agency acknowledges that suchfraudulent activity is possible and thatpeople determined to falsify recordsmay find a means to do so despitewhatever technology or preventivemeasures are in place. The controls inpart 11 are intended to deter suchactions, make it difficult to executefalsification by mishap or casualmisdeed, and to help detect suchalterations when they occur (see § 11.10(introductory paragraph and especially§§ 11.10(j) and 11.200(b)).G. Personnel Integrity7. A few comments addressed the roleof individual honesty and trust inensuring that electronic records arereliable, trustworthy, and authentic.One comment noted that firms must relyin large measure upon the integrity oftheir employees. Another said thatsubpart C of part 11, ElectronicSignatures, appears to have been writtenwith the belief that pharmaceuticalmanufacturers have an incentive tofalsify electronic signatures. Onecomment expressed concern aboutpossible signature falsification when anemployee leaves a company to workelsewhere and the employee uses theelectronic signature illegally.The agency agrees that the integrity ofany electronic signature/electronicrecord system depends heavily upon thehonesty of employees and that mostpersons are not motivated to falsifyrecords. However, the agency’sexperience with various types of recordsand signature falsification demonstratesthat some people do falsify informationunder certain circumstances. Amongthose circumstances are situations inwhich falsifications can be executedwith ease and have little likelihood ofdetection. Part 11 is intended tominimize the opportunities for readilyexecuting falsifications and to maximizethe chances of detecting falsifications.Concerning signature falsification byformer employees, the agency wouldexpect that upon the departure of anemployee, the assigned electronicsignature would be ‘‘retired’’ to preventthe former employee from falsely usingthe signature.H. Security of Industry ElectronicRecords Submitted to FDA8. Several comments expressedconcern about the security andconfidentiality of electronic recordssubmitted to FDA. One suggested thatsubmissions be limited to such readonlyformats as CD–ROM with raw datafor statistical manipulation providedseparately on floppy diskette. Onecomment suggested that in light of theproposed rule, the agency should reviewits own internal security procedures.Another addressed electronic recordsthat may be disclosed under theFreedom of Information Act andexpressed concern regarding agencydeletion of trade secrets. One commentanticipated FDA’s use of open systemsto access industry records (such asmedical device production and controlrecords) and suggested that such accessshould be restricted to closed systems.The agency is well aware of its legalobligation to maintain theconfidentiality of trade secretinformation in its possession, and iscommitted to meet that obligationregardless of the form (paper orelectronic) a record takes. Theprocedures used to ensureconfidentiality are consistent with theprovisions of part 11. FDA is alsoexamining other controls, such as use ofdigital signatures, to ensure submissionintegrity. To permit legitimate changesto be made, the agency does not believethat it is necessary to restrictsubmissions to those maintained in

13434 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationsread-only formats in all cases; eachagency receiving unit retains theflexibility to determine whatever formatis most suitable. Those intending tosubmit material are expected to consultwith the appropriate agency receivingunit to determine the acceptableformats.Although FDA access to electronicrecords on open systems maintained byfirms is not anticipated in the nearfuture, the agency believes it would beinappropriate to rule out such aprocedure. Such access can be avaluable inspection tool and canenhance efficiencies by reducing thetime investigators may need to be onsite. The agency believes it is importantto develop appropriate procedures andsecurity measures in cooperation withindustry to ensure that such access doesnot jeopardize data confidentiality orintegrity.I. Effective Date/Grandfathering9. Several comments addressed theproposed effective date of the final rule,90 days after publication in the FederalRegister, and suggested potentialexemptions (grandfathering) for systemsnow in use. Two comments requestedan expedited effective date for the finalrule. One comment requested aneffective date at least 18 months afterpublication of the final rule to permitfirms to modify and validate theirsystems. One comment expressedconcern about how the rule, in general,will affect current systems, andsuggested that the agency permit firmsto continue to use existing electronicrecord systems that otherwise conformto good manufacturing or laboratorypractices until these firms make majormodifications to those systems or until5 years have elapsed, whichever comesfirst. Several other comments requestedgrandfathering for specific sections ofthe proposed rule.The agency has carefully consideredthe comments and suggestions regardingthe final rule’s effective date and hasconcluded that the effective date shouldbe 5 months after date of publication inthe Federal Register. The agency wishesto accommodate firms that are preparednow to comply with part 11 or will beprepared soon, so as to encourage andfoster new technologies in a manner thatensures that electronic record andelectronic signature systems are reliable,trustworthy, and compatible with FDA’sresponsibility to promote and protectpublic health. The agency believes thatfirms that have consulted with FDAbefore adopting new electronic recordand electronic signature technologies(especially technologies that mayimpact on the ability of the agency toconduct its work effectively) will needto make few, if any, changes to systemsused to maintain records required byFDA.The agency believes that theprovisions of part 11 represent minimalstandards and that a general exemptionfor existing systems that do not meetthese provisions would be inappropriateand not in the public interest becausesuch systems are likely to generateelectronic records and electronicsignatures that are unreliable,untrustworthy, and not compatible withFDA’s responsibility to promote andprotect public health. Such anexemption might, for example, meanthat a firm could: (1) Deny FDAinspectional access to electronic recordsystems, (2) permit unauthorized accessto those systems, (3) permit individualsto share identification codes andpasswords, (4) permit systems to gounvalidated, and (5) permit records tobe falsified in many ways and in amanner that goes undetected.The agency emphasizes that theseregulations do not require, but ratherpermit, the use of electronic records andsignatures. Firms not confident thattheir electronic systems meet theminimal requirements of theseregulations are free to continue to usetraditional signatures and paperdocuments to meet recordkeepingrequirements.J. Comments by Electronic Mail (e-mail)and Electronic Distribution of FDADocuments10. One comment specifically notedthat the agency has accepted commentsby e-mail and that this provides anadditional avenue for publicparticipation in the rulemaking process.Another comment encouraged FDA toexpand the use of electronic media toprovide information by such opensystems as bulletin boards.The agency intends to explore furtherthe possibility of continuing to acceptpublic comments by e-mail and otherelectronic means. For this currentexperiment, the agency received onlyone comment by e-mail. The commentthat addressed this issue was, itself,transmitted in a letter. The agencyrecognizes the benefits of distributinginformation electronically, hasexpanded that activity, and intends tocontinue that expansion. Although onlyone e-mail comment was received, theagency does not attribute that lownumber to a lack of ability to send e-mail because the agency received e-mailfrom 198 persons who requested the textof the proposed rule, including requestsfrom people outside the United States.K. Submissions by Facsimile (Fax)11. One comment said that part 11should include a provision for FDAacceptance of submissions by fax, suchas import form FDA 2877. The commentnoted that the U.S. Customs Serviceaccepts fax signatures on its documents,and claimed that FDA’s insistence onhard copies of form FDA 2877 is animpediment to imports.The agency advises that part 11permits the unit that handles importform FDA 2877 to accept that record inelectronic form when it is preparedlogistically to do so. As noted in thediscussion on § 11.1(b) in comment 21of this document, the agency recognizesthat faxes can be in paper or electronicform, based on the capabilities of thesender and recipient.L. Blood Bank Issues12. Two comments addressed bloodbank issues in the context of electronicrecords and electronic signatures andsaid the agency should clarify that part11 would permit electroniccrossmatching by a central blood centerfor individual hospitals. One commentstated that remote blood center andtransfusion facilities should bepermitted to rely on electronicallycommunicated information, such asauthorization for labeling/issuing unitsof blood, and that the electronicsignature of the supervisor in the centraltesting facility releasing the product forlabeling and issuance should besufficient because the proposed ruleguards against security and integrityproblems.One comment questioned whether,under part 11, electronic signatureswould meet the signature requirementsfor the release of units of blood, and ifthere would be instances where a fullsignature would be required instead ofa technician’s identification. Anothercomment asserted that it is important toclarify how the term ‘‘batch’’ will beinterpreted under part 11, and suggestedthat the term used in relation to bloodproducts refers to a series of units ofblood having undergone commonmanufacturing processes and recordedon the same computerized document.The comment contrasted this to FDA’scurrent view that each unit of blood beconsidered a batch.The agency advises that part 11permits release records now in paperform to be in electronic form andtraditional handwritten signatures to beelectronic signatures. Under part 11, thename of the technician must appear inthe record display or printout to clearlyidentify the technician. The appearanceof the technician’s identification code

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13435alone would not be sufficient. Theagency also advises that the definitionof a ‘‘batch’’ for blood or other productsis not affected by part 11, whichaddresses the trustworthiness andreliability of electronic records andelectronic signatures, regardless of howa batch, which is the subject of thoserecords and signatures, is defined.M. Regulatory Flexibility Analysis13. One comment said that, becausepart 11 will significantly impact asubstantial number of small businesses,even though the impact would bebeneficial, FDA is required to perform aregulatory flexibility analysis andshould publish such an analysis in theFederal Register before a final rule isissued.The comment states that thelegislative history of the RegulatoryFlexibility Act is clear that, ‘‘significanteconomic impact,’’ as it appears at 5U.S.C. 605(b) is neutral with respect towhether such impact is beneficial oradverse.Contrary to the comment’s assertion,the legislative history is not dispositiveof this matter. It is well established thatthe task of statutory construction mustbegin with the actual language of thestatute. (See Bailey v. United States, 116S. Ct. 595, 597 (1996).) A statutory termmust not be construed in isolation; aprovision that may seem ambiguous inisolation is often clarified by theremainder of the statute. (See Dept. OfRevenue of Oregon v. ACF Industries,114 S. Ct. 843, 850 (1994).) Moreover, itis a fundamental canon of statutoryconstruction that identical terms withinthe same statute must bear the samemeaning. (See Reno v. Koray, 115 S. Ct.2021, 2026 (1995).)In addition to appearing in 5 U.S.C.605(b), the term ‘‘significant economicimpact’’ appears elsewhere in thestatute. The legislation is premisedupon the congressional finding thatalternative regulatory approaches maybe available which ‘‘minimize thesignificant economic impact’’ of rules (5U.S.C. 601 note). In addition, an initialregulatory flexibility analysis mustdescribe significant regulatoryalternatives that ‘‘minimize anysignificant economic impact’’ (5 U.S.C.603(c)). Similarly, a final regulatoryflexibility analysis must include adescription of the steps the agency hastaken to ‘‘minimize any significanteconomic impact’’ (5 U.S.C. 604(a)(5)).The term appeared as one of theelements of a final regulatory flexibilityanalysis, as originally enacted in 1980.(See Pub. L. No. 96–354, 3(a), 94 Stat.1164, 1167 (1980) (formerly codified at5 U.S.C. 604(a)(3)).) In addition, whenCongress amended the elements of afinal regulatory flexibility analysis in1996, it re-enacted the term, as set forthabove. (See Pub. L. 104–121, 241(b), 110Stat. 857, 865 (1996) (codified at 5U.S.C.604(a)(5)).)Unless the purpose of the statute wasintended to increase the economicburden of regulations by minimizingpositive or beneficial effects,‘‘significant economic impact’’ cannotinclude such effects. Because it isbeyond dispute that the purpose of thestatute is not increasing economicburdens, the plain meaning of‘‘significant economic impact’’ is clearand necessarily excludes beneficial orpositive effects of regulations. Evenwhere there are some limited contraryindications in the statute’s legislativehistory, it is inappropriate to resort tolegislative history to cloud a statutorytext that is clear on its face. (See Ratzlaffv. United States, 114 S. Ct. 655, 662(1994).) Therefore, the agency concludesthat a final regulatory flexibility analysisis not required for this regulation or anyregulation for which there is nosignificant adverse economic impact onsmall entities. Notwithstanding theseconclusions, FDA has nonethelessconsidered the impact of the rule onsmall entities. (See section XVI. of thisdocument.)N. Terminology14. One comment addressed theagency’s use of the word ‘‘ensure’’throughout the rule and argued that theagency should use the word ‘‘assure’’rather than ‘‘ensure’’ because ‘‘ensure’’means ‘‘to guarantee or make certain’’whereas ‘‘assure’’ means ‘‘to makeconfident.’’ The comment added that‘‘assure’’ is also more consistent withterminology in other regulations.The agency wishes to emphasize thatit does not intend the word ‘‘ensure’’ torepresent a guarantee. The agencyprefers to use the word ‘‘ensure’’because it means to make certain.O. General Comments Regarding thePrescription Drug Marketing Act of 1987(PDMA)15. Three comments addressed theuse of handwritten signatures that arerecorded electronically (SRE’s) underpart 11 and PDMA. One firm describedits delivery information acquisitiondevice and noted its use of time stampsto record when signatures are executed.The comments requested clarificationthat SRE’s would be acceptable underthe PDMA regulations. One commentassumed that subpart C of part 11(Electronic Signatures) would not applyto SRE’s, noting that it was not practicalunder PDMA (given the large number ofphysicians who may be eligible toreceive drug product samples) to usesuch alternatives as identification codescombined with passwords.The agency advises that part 11applies to handwritten signaturesrecorded electronically and that suchsignatures and their correspondingelectronic records will be acceptable forpurposes of meeting PDMA’srequirements when the provisions ofpart 11 are met. Although subpart C ofpart 11 does not apply to handwrittensignatures recorded electronically, theagency advises that controls related toelectronic records (subpart B), and thegeneral provisions of subpart A, doapply to electronic records in thecontext of PDMA. The agencyemphasizes, however, that part 11 doesnot restrict PDMA signings to SRE’s,and that organizations retain the optionof using electronic signatures inconformance with part 11. Furthermore,the agency believes that the number ofpeople in a given population ororganization should not be viewed as aninsurmountable obstacle to use ofelectronic signatures. The agency isaware, for example, of efforts by theAmerican Society of Testing andMaterials to develop standards forelectronic medical records in whichdigital signatures could theoretically beused on a large scale.P. Comments on the Unique Nature ofPasswords16. Several comments noted, bothgenerally and with regard to§§ 11.100(a), 11.200(a), and 11.300, thatthe password in an electronic signaturethat is composed of a combination ofpassword and identification code is not,and need not be, unique. Twocomments added that passwords may beknown to system security administratorswho assist people who forget passwordsand requested that the rule acknowledgethat passwords need not be unique. Onecomment said that the rule shoulddescribe how uniqueness is to bedetermined.The agency acknowledges that whenan electronic signature consists of acombined identification code andpassword, the password need not beunique. It is possible that two personsin the same organization may have thesame password. However, the agencybelieves that where good passwordpractices are implemented, suchcoincidence would be highly unlikely.As discussed in section XIII. of thisdocument in the context of commentson proposed § 11.300, records are lesstrustworthy and reliable if it is relativelyeasy for someone to deduce or execute,by chance, a person’s electronic

13436 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationssignature where the identification codeof the signature is not confidential andthe password is easily guessed.The agency does not believe thatrevising proposed § 11.100(a) isnecessary because what must remainunique is the electronic signature,which, in the case addressed by thecomments, consists not of the passwordalone, but rather the password incombination with an identificationcode. If the combination is unique, thenthe electronic signature is unique.The agency does not believe that it isnecessary to describe in the regulationsthe various ways of determininguniqueness or achieving compliancewith the requirement. Organizationsthereby maintain implementationflexibility.The agency believes that most systemadministrators or security managerswould not need to know passwords tohelp people who have forgotten theirown. This is because mostadministrators or managers have globalcomputer account privileges to resolvesuch problems.IV. Scope (§ 11.1)17. One comment suggested adding anew paragraph to proposed § 11.1 thatwould exempt computer recordmaintenance software installed beforethe effective date of the final rule, andthat would exempt electronic recordsmaintained before that date. Thecomment argued that such exemptionswere needed for economic andconstitutional reasons because makingchanges to existing systems would becostly and because the imposition ofadditional requirements after the factcould be regarded as an ex post factorule. The comment said firms have beenusing electronic systems that havedemonstrated reliability and security formany years before the agency’spublication of the ANPRM, and that theabsence of FDA’s objections ininspectional form FDA 483 wasevidence of the agency’s acceptance ofthe system.As discussed in section III.I. of thisdocument, the agency is opposed to‘‘grandfathering’’ existing systemsbecause such exemptions mayperpetuate environments that provideopportunities for record falsificationand impair FDA’s ability to protect andpromote public health. However, theagency wishes to avoid any confusionregarding the application of theprovisions of part 11 to systems andelectronic records in place before therule’s effective date. Importantdistinctions need to be made relative toan electronic record’s creation,modification, and maintenance becausevarious portions of part 11 addressmatters relating to these actions. Thoseprovisions apply depending upon whena given electronic record is created,modified, or maintained.Electronic records created before theeffective date of this rule are notcovered by part 11 provisions that relateto aspects of the record’s creation, suchas the signing of the electronic record.Those records would not, therefore,need to be altered retroactively.Regarding records that were first createdbefore the effective date, part 11provisions relating to modification ofrecords, such as audit trails for recordchanges and the requirement thatoriginal entries not be obscured, wouldapply only to those modifications madeon or after the rule’s effective date, notto modifications made earlier. Likewise,maintenance provisions of part 11, suchas measures to ensure that electronicrecords can be retrieved throughouttheir retention periods, apply toelectronic records that are beingmaintained on or after the rule’seffective date. The hardware andsoftware, as well as operationalprocedures used on or after the rule’seffective date, to create, modify, ormaintain electronic records mustcomply with the provisions of part 11.The agency does not agree with anysuggestion that FDA endorsement oracceptance of an electronic recordsystem can be inferred from the absenceof objections in an inspection report.Before this rulemaking, FDA did nothave established criteria by which itcould determine the reliability andtrustworthiness of electronic recordsand electronic signatures and could notsanction electronic alternatives whenregulations called for signatures. Aprimary reason for issuing part 11 is todevelop and codify such criteria. FDAwill assess the acceptability ofelectronic records and electronicsignatures created prior to the effectivedate of part 11 on a case-by-case basis.18. One comment suggested thatproposed § 11.1 exempt production ofmedical devices and in vitro diagnosticproducts on the grounds that the subjectwas already adequately addressed in themedical device CGMP regulationscurrently in effect in § 820.195 (21 CFR820.195), and that additional regulationswould be confusing and would limitcompliance.The agency believes that part 11complements, and is supportive of, themedical device CGMP regulations andthe new medical device quality systemregulation, as well as other regulations,and that compliance with one does notconfound compliance with others.Before publication of the ANPRM, theagency determined that existingregulations, including the medicaldevice CGMP regulations, did notadequately address electronic recordsand electronic signatures. Thatdetermination was reinforced in thecomments to the ANPRM, whichfocused on the need to identify whatmakes electronic records reliable,trustworthy, and compatible with FDA’sresponsibility to promote and protectpublic health. For example, theprovision cited by the comment,§ 820.195, states ‘‘When automated dataprocessing is used for manufacturing orquality assurance purposes, adequatechecks shall be designed andimplemented to prevent inaccurate dataoutput, input, and programming errors.’’This section does not address the manyissues addressed by part 11, such aselectronic signatures, recordfalsification, or FDA access to electronicrecords. The relationship between thequality system regulation and part 11 isdiscussed at various points in thepreamble to the quality systemregulation.19. One comment asserted that forpurposes of PDMA, the scope ofproposed part 11 should be limited torequire only those controls for assessingsignatures in paper-based systemsbecause physicians’ handwrittensignatures are executed to electronicrecords. The comment further assertedthat, because drug manufacturers’representatives carry computers intophysicians’ offices (where thephysicians then sign sample requestsand receipts), only closed systemcontrols should be needed.The agency believes that, for purposesof PDMA, controls needed for electronicrecords bearing handwritten signaturesare no different from controls needed forthe same kinds of records and signaturesused elsewhere, and that proposed§ 11.1 need not make any suchdistinction.In addition, the agency disagrees withthe implication that all PDMAelectronic records are, in fact, handledwithin closed systems. Theclassification of a system as open orclosed in a particular situation dependson what is done in that situation. Forexample, the agency agrees that a closedsystem exists where a drug producer’srepresentative (the person responsiblefor the content of the electronic record)has control over access to the electronicrecord system by virtue of possessingthe portable computer and controllingwho may use the computer to signelectronic records. However, should thefirm’s representative transfer copies ofthose records to a public online servicethat stores them for the drug firm’s

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13437subsequent retrieval, the agencyconsiders such transfer and storage to bewithin an open system because access tothe system holding the records iscontrolled by the online service, whichis not responsible for the record’scontent. Activities in the first examplewould be subject to closed systemcontrols and activities in the secondexample would be subject to opensystem controls.20. One comment urged that proposed§ 11.1 contain a clear statement of whatprecedence certain provisions of part 11have over other regulations.The agency believes that suchstatements are found in § 11.1(c):Where electronic signatures and theirassociated records meet the requirements ofthis part, the agency will consider theelectronic signatures to be equivalent to fullhandwritten signatures, initials, and othergeneral signings as required under agencyregulations unless specifically excepted byregulations * * *.and § 11.1(d) (‘‘Electronic records thatmeet the requirements of this part maybe used in lieu of paper records, inaccordance with § 11.2, unless paperrecords are specifically required.’’).These provisions clearly address theprecedence of part 11 and theequivalence of electronic records andelectronic signatures.To further clarify the scope of therule, FDA has revised § 11.1 to apply toelectronic records submitted to theagency under requirements of theFederal Food, Drug, and Cosmetic Act(the act) and the Public Health ServiceAct (the PHS Act). This clarifies thepoint that submissions required by thesestatutes, but not specifically mentionedin the Code of Federal Regulations(CFR), are subject to part 11.21. Proposed § 11.1(b) stated that theregulations would apply to records inelectronic form that are created,modified, maintained, or transmitted,under any records requirements setforth in Chapter I of Title 21. Onecomment suggested that the word‘‘transmitted’’ be deleted from proposed§ 11.1(b) because the wording wouldinappropriately apply to paperdocuments that are transmitted by fax.The comment noted that if the recordsare in machine readable form before orafter transmission, they would still becovered by the revised wording.The agency does not intend part 11 toapply to paper records even if suchrecords are transmitted or received byfax. The agency notes that the recordstransmitted by fax may be in electronicform at the sender, the recipient, orboth. Part 11 would apply whenever therecord is in electronic form. To remedythe problem noted by the comment, theagency has added a sentence to § 11.1(b)stating that part 11 does not apply topaper records that are, or have been,transmitted by electronic means.22. One comment asked whetherpaper records created by computerwould be subject to proposed part 11.The comment cited, as an example, thesituation in which a computer systemcollects toxicology data that are printedout and maintained as ‘‘raw data.’’Part 11 is intended to apply tosystems that create and maintainelectronic records under FDA’srequirements in Chapter I of Title 21,even though some of those electronicrecords may be printed on paper atcertain times. The key to determiningpart 11 applicability, under § 11.1(b), isthe nature of the system used to create,modify, and maintain records, as well asthe nature of the records themselves.Part 11 is not intended to apply tocomputer systems that are merelyincidental to the creation of paperrecords that are subsequentlymaintained in traditional paper-basedsystems. In such cases, the computersystems would function essentially likemanual typewriters or pens and anysignatures would be traditionalhandwritten signatures. Record storageand retrieval would be of the traditional‘‘file cabinet’’ variety. More importantly,overall reliability, trustworthiness, andFDA’s ability to access the recordswould derive primarily from wellestablishedand generally acceptedprocedures and controls for paperrecords. For example, if a person wereto use word processing software togenerate a paper submission to FDA,part 11 would not apply to the computersystem used to generate the submission,even though, technically speaking, anelectronic record was initially createdand then printed on paper.When records intended to meetregulatory requirements are inelectronic form, part 11 would apply toall the relevant aspects of managingthose records (including their creation,signing, modification, storage, access,and retrieval). Thus, the software andhardware used to create records that areretained in electronic form for purposesof meeting the regulations would besubject to part 11.Regarding the comment about ‘‘rawdata,’’ the agency notes that specificrequirements in existing regulationsmay affect the particular records atissue, regardless of the form suchrecords take. For example, ‘‘raw data,’’in the context of the good laboratorypractices regulations (21 CFR part 58),include computer printouts fromautomated instruments as well as thesame data recorded on magnetic media.In addition, regulations that cover dataacquisition systems generally includerequirements intended to ensure thetrustworthiness and reliability of thecollected data.23. Several comments on proposed§ 11.1(b) suggested that the phrase ‘‘orarchived and retrieved’’ be added toparagraph (b) to reflect more accuratelya record’s lifecycle.The agency intended that recordarchiving and retrieval would be part ofrecord maintenance, and thereforealready covered by § 11.1(b). However,for added clarity, the agency has revised§ 11.1(b) to add ‘‘archived andretrieved.’’24. One comment suggested that, indescribing what electronic records arewithin the scope of part 11, proposed§ 11.1(b) should be revised bysubstituting ‘‘processed’’ for ‘‘modified’’and ‘‘communicated’’ for ‘‘transmitted’’because ‘‘communicated’’ reflects thefact that the information was dispatchedand also received. The comment alsosuggested substituting ‘‘retained’’ for‘‘maintained,’’ or adding the word‘‘retained,’’ because ‘‘maintain’’ doesnot necessarily convey the retentionrequirement.The agency disagrees. The word‘‘modified’’ better describes the agency’sintent regarding changes to a record; theword ‘‘processed’’ does not necessarilyinfer a change to a record. FDA believes‘‘transmitted’’ is preferable to‘‘communicated’’ because‘‘communicated’’ might infer thatcontrols to ensure integrity andauthenticity hinge on whether theintended recipient actually received therecord. Also, as discussed in comment22 of this document, the agency intendsfor the term ‘‘maintain’’ to includerecords retention.25. Two comments suggested thatproposed § 11.1(b) explicitly state thatpart 11 supersedes all references tohandwritten signatures in 21 CFR parts211 through 226 that pertain to a drug,and in 21 CFR parts 600 through 680that pertain to biological products forhuman use. The comments stated thatthe revision should clarify coverage andpermit blood centers and transfusionservices to take full advantage ofelectronic systems that provide processcontrols.The agency does not agree that therevision is necessary because, under§ 11.1(b) and (c), part 11 permitselectronic records or submissions underall FDA regulations in Chapter I of Title21 unless specifically excepted byfuture regulations.26. Several comments expressedconcern that the proposed rule hadinappropriately been expanded in scope

13438 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationsfrom the ANPRM to address electronicrecords as well as electronic signatures.One comment argued that the scope ofpart 11 should be restricted only tothose records that are currently requiredto be signed, witnessed, or initialed, andthat the agency should not requireelectronic records to contain electronicsignatures where the correspondingpaper records are not required to besigned.The agency disagrees with theassertion that part 11 should addressonly electronic signatures and notelectronic records for several reasons.First, based on comments on theANPRM, the agency is convinced thatthe reliability and trustworthiness ofelectronic signatures depend in largemeasure on the reliability andtrustworthiness of the underlyingelectronic records. Second, the agencyhas concluded that electronic records,like paper records, need to betrustworthy, reliable, and compatiblewith FDA’s responsibility to promoteand protect public health regardless ofwhether they are signed. In addition,records falsification is an issue withrespect to both signed and unsignedrecords. Therefore, the agencyconcludes that although the ANPRMfocused primarily on electronicsignatures, expansion of the subject toelectronic records in the proposed rulewas fully justified.The agency stresses that part 11 doesnot require that any given electronicrecord be signed at all. The requirementthat any record bear a signature iscontained in the regulation thatmandates the basic record itself. Whererecords are signed, however, by virtue ofmeeting a signature requirement orotherwise, part 11 addresses controlsand procedures intended to help ensurethe reliability and trustworthiness ofthose signatures.27. Three comments asked if therewere any regulations, including CGMPregulations, that might be excepted frompart 11 and requested that the agencyidentify such regulations.FDA, at this time, has not identifiedany current regulations that arespecifically excepted from part 11.However, the agency believes it isprudent to provide for such exceptionsshould they become necessary in thefuture. It is possible that, as the agency’sexperience with part 11 increases,certain records may need to be limitedto paper if there are problems with theelectronic versions of such records.28. One comment requestedclarification of the meaning of the term‘‘general signings’’ in proposed § 11.1(c),and said that the distinction between‘‘full handwritten’’ signatures and‘‘initials’’ is unnecessary becausehandwritten includes initials in allcommon definitions of handwrittensignature. The comment also suggestedchanging the term ‘‘equivalent’’ to ‘‘atleast equivalent’’ because electronicsignatures are not precise equivalents ofhandwritten signatures and computerbasedsignatures have the potential ofbeing more secure.The agency advises that currentregulations that require records to besigned express those requirements indifferent ways depending upon theagency’s intent and expectations. Someregulations expressly state that recordsmust be signed using ‘‘full handwritten’’signatures, whereas other regulationsstate that records must be ‘‘signed orinitialed;’’ still other regulationsimplicitly call for some kind of signingby virtue of requiring record approvalsor endorsements. This last broadcategory is addressed by the term‘‘general signings’’ in § 11.1(c).Where the language is explicit in theregulations, the means of meeting therequirement are correspondinglyprecise. Therefore, where a regulationstates that a signature must be recordedas ‘‘full handwritten,’’ the use of initialsis not an acceptable substitute.Furthermore, under part 11, for anelectronic signature to be acceptable inplace of any of these signings, theagency only needs to consider them asequivalent; electronic signatures neednot be superior to those other signingsto be acceptable.29. Several comments requestedclarification of which FDA records arerequired to be in paper form, and urgedthe agency to allow and promote the useof electronic records in all cases. Onecomment suggested that proposed§ 11.1(d) be revised to read, in part,‘‘* * * unless the use of electronicrecords is specifically prohibited.’’The agency intends to permit the useof electronic records required to bemaintained but not submitted to theagency (as noted in § 11.2(a)) providedthat the requirements of part 11 are metand paper records are not specificallyrequired. The agency also wishes toencourage electronic submissions, but islimited by logistic and resourceconstraints. The agency is unaware of‘‘maintenance records’’ that arecurrently explicitly required to be inpaper form (explicit mention of paper isgenerally unnecessary because, at thetime most regulations were prepared,only paper-based technologies were inuse) but is providing for that possibilityin the future. For purposes of part 11,the agency will not consider that aregulation requires ‘‘maintenance’’records to be in paper form where theregulation is silent on the form therecord must take. FDA believes that thecomments’ suggested wording does notoffer sufficient advantages to adopt thechange.However, to enable FDA to accept asmany electronic submissions aspossible, the agency is amending§ 11.1(b) to include those submissionsthat the act and the PHS Act specificallyrequire, even though such submissionsmay not be identified in agencyregulations. An example of such recordsis premarket submissions for Class I andClass II medical devices, required bysection 510(k) of the act (21 U.S.C.360(k)).30. Several comments addressedvarious aspects of the proposedrequirement under § 11.1(e) regardingFDA inspection of electronic recordsystems. Several comments objected tothe proposal as being too broad andgoing beyond the agency’s legalinspectional authority. One commentstated that access inferred by suchinspection may include proprietaryfinancial and sales data to which FDAis not entitled. Another commentsuggested adding the word ‘‘authorized’’before ‘‘inspection.’’ Some commentssuggested revising proposed § 11.1(e) tolimit FDA inspection only to theelectronic records and electronicsignatures themselves, thus excludinginspection of hardware and softwareused to manage those records andsignatures. Other comments interpretedproposed § 11.1(e) as requiring them tokeep supplanted or retired hardwareand software to enable FDA inspectionof those outdated systems.The agency advises that FDAinspections under part 11 are subject tothe same legal limitations as FDAinspections under other regulations. Theagency does not believe it is necessaryto restate that limitation by use of thesuggested wording. However, withinthose limitations, it may be necessary toinspect hardware and software used togenerate and maintain electronicrecords to determine if the provisions ofpart 11 are being met. Inspection ofresulting records alone would beinsufficient. For example, the agencymay need to observe the use andmaintenance of tokens or devices thatcontain or generate identificationinformation. Likewise, to assess theadequacy of systems validation, it isgenerally necessary to inspect hardwarethat is being used to determine, amongother things, if it matches the systemdocumentation description of suchhardware. The agency has concludedthat hardware and software used togenerate and maintain electronicrecords and signatures are ‘‘pertinent

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13439equipment’’ within the meaning ofsection 704 of the act (21 U.S.C. 374).The agency does not expect persons tomaintain obsolete and supplantedcomputer systems for the sole purposeof enabling FDA inspection. However,the agency does expect firms tomaintain and have available forinspection documentation relevant tothose systems, in terms of compliancewith part 11, for as long as theelectronic records are required by otherrelevant regulations. Persons shouldalso be mindful of the need to keepappropriate computer systems that arecapable of reading electronic records foras long as those records must beretained. In some instances, this maymean retention of otherwise outdatedand supplanted systems, especiallywhere the old records cannot beconverted to a form readable by thenewer systems. In most cases, however,FDA believes that where electronicrecords are accurately and completelytranscribed from one system to another,it would not be necessary to maintainolder systems.31. One comment requested thatproposed part 11 be revised to giveexamples of electronic records subject toFDA inspection, includingpharmaceutical and medical deviceproduction records, in order to reducethe need for questions.The agency does not believe that it isnecessary to include examples ofrecords it might inspect because theaddition of such examples might raisequestions about the agency’s intent toinspect other records that were notidentified.32. One comment said that theregulation should state that certainsecurity related information, such asprivate keys attendant to cryptographicimplementation, is not intended to besubject to inspection, althoughprocedures related to keeping such keysconfidential can be subject toinspection.The agency would not routinely seekto inspect especially sensitiveinformation, such as passwords orprivate keys, attendant to securitysystems. However, the agency reservesthe right to conduct such inspections,consistent with statutory limitations, toenforce the provisions of the act andrelated statutes. It may be necessary, forexample, in investigating cases ofsuspected fraud, to access anddetermine passwords and private keys,in the same manner as the agency mayobtain specimens of handwrittensignatures (‘‘exemplars’’). Should therebe any reservations about suchinspections, persons may, of course,change their passwords and private keysafter FDA inspection.33. One comment asked how personswere expected to meet the proposedrequirement, under § 11.1(e), thatcomputer systems be readily availablefor inspection when such systemsinclude geographically dispersednetworks. Another comment said FDAinvestigators should not be permitted toaccess industry computer systems aspart of inspections because investigatorswould be untrained users.The agency intends to inspect thoseparts of electronic record or signaturesystems that have a bearing on thetrustworthiness and reliability ofelectronic records and electronicsignatures under part 11. Forgeographically dispersed systems,inspection at a given location wouldextend to operations, procedures, andcontrols at that location, along withinteraction of that local system with thewider network. The agency wouldinspect other locations of the network ina separate but coordinated manner,much the same way the agencycurrently conducts inspections of firmsthat have multiple facilities in differentparts of the country and outside of theUnited States.FDA does not believe it is reasonableto rule out computer system access aspart of an inspection of electronicrecord or signature systems.Historically, FDA investigators observethe actions of establishment employees,and (with the cooperation ofestablishment management) sometimesrequest that those employees performsome of their assigned tasks todetermine the degree of compliancewith established requirements.However, there may be times when FDAinvestigators need to access a systemdirectly. The agency is aware that suchaccess will generally require thecooperation of and, to some degree,instruction by the firms being inspected.As new, complex technologies emerge,FDA will need to develop andimplement new inspectional methods inthe context of those technologies.V. Implementation (§ 11.2)34. Proposed § 11.2(a) stated that for‘‘records required by chapter I of thistitle to be maintained, but not submittedto the agency, persons may useelectronic records/signatures in lieu ofpaper records/conventional signatures,in whole or in part, * * *.’’Two comments requested clarificationof the term ‘‘conventional signatures.’’One comment suggested that the term‘‘traditional signatures’’ be used instead.Another suggested rewording in order toclarify the slash in the phrase ‘‘records/signatures.’’The agency advises that the term‘‘conventional signature’’ meanshandwritten signature. The agencyagrees that the term ‘‘traditionalsignature’’ is preferable, and has revised§ 11.2(a) and (b) accordingly. Theagency has also clarified proposed§ 11.2(a) by replacing the slash with theword ‘‘or.’’35. One comment asked if the term‘‘persons’’ in proposed § 11.2(b) wouldinclude devices because computersystems frequently apply digital timestamps on records automatically,without direct human intervention.The agency advises that the term‘‘persons’’ excludes devices. The agencydoes not consider the application of atime stamp to be the application of asignature.36. Proposed § 11.2(b)(2) providesconditions under which electronicrecords or signatures could be submittedto the agency in lieu of paper. Onecondition is that a document, or part ofa document, must be identified in apublic docket as being the type ofsubmission the agency will accept inelectronic form. Two commentsaddressed the nature of the submissionsto the public docket. One commentasked that the agency provide specifics,such as the mechanism for updating thedocket and the frequency of suchupdates. One comment suggestedmaking the docket available to thepublic by electronic means. Anothercomment suggested that acceptanceprocedures be uniform among agencyunits and that electronic mail be used tohold consultations with the agency. Onecomment encouraged the agency unitsreceiving the submissions to workclosely with regulated industry toensure that no segment of industry isunduly burdened and that agencyguidance is widely accepted.The agency intends to developefficient electronic records acceptanceprocedures that afford receiving unitssufficient flexibility to deal withsubmissions according to theircapabilities. Although agencywideuniformity is a laudable objective, toattain such flexibility it may benecessary to accommodate somedifferences among receiving units. Theagency considers of primaryimportance, however, that all part 11submissions be trustworthy, reliable,and in keeping with FDA regulatoryactivity. The agency expects to workclosely with industry to help ensure thatthe mechanics and logistics of acceptingelectronic submissions do not pose anyundue burdens. However, the agencyexpects persons to consult with the

13440 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationsintended receiving units on thetechnical aspects of the submission,such as media, method of transmission,file format, archiving needs, andtechnical protocols. Such consultationswill ensure that submissions arecompatible with the receiving units’capabilities. The agency has revisedproposed § 11.2(b)(2) to clarify thisexpectation.Regarding the public docket, theagency is not at this time establishing afixed schedule for updating what typesof documents are acceptable forsubmission because the agency expectsthe docket to change and grow at a ratethat cannot be predicted. The agencymay, however, establish a schedule forupdating the docket in the future. Theagency agrees that making the docketavailable electronically is advisable andwill explore this option. Elsewhere inthis issue of the Federal Register, FDAis providing further information on thisdocket.VI. Definitions (§ 11.3)37. One comment questioned theincorporation in proposed § 11.3(a) ofdefinitions under section 201 of the act(21 U.S.C. 321), noting that other FDAregulations (such as 21 CFR parts 807and 820) lack such incorporation, andsuggested that it be deleted.The agency has retained theincorporation by reference to definitionsunder section 201 of the act becausethose definitions are applicable to part11.38. One comment suggested addingthe following definition for the term‘‘digital signature:’’ ‘‘data appended to,or a cryptographic transformation of, adata unit that allows a recipient of thedata unit to prove the source andintegrity of the data unit and protectagainst forgery, e.g., by the recipient.’’The agency agrees that the termdigital signature should be defined andhas added new § 11.3(b)(5) to provide adefinition for digital signature that isconsistent with the Federal InformationProcessing Standard 186, issued May19, 1995, and effective December 1,1995, by the U.S. Department ofCommerce, National Institute ofStandards and Technology (NIST).Generally, a digital signature is ‘‘anelectronic signature based uponcryptographic methods of originatorauthentication, computed by using a setof rules and a set of parameters suchthat the identity of the signer and theintegrity of the data can be verified.’’FDA advises that the set of rules andparameters is established in each digitalsignature standard.39. Several comments suggestedvarious modifications of the proposeddefinition of biometric/behavioral links,and suggested revisions that wouldexclude typing a password oridentification code which, thecomments noted, is a repeatable action.The comments suggested that actions beunique and measurable to meet theintent of a biometric method.The agency agrees that the proposeddefinition of biometric/behavioral linksshould be revised to clarify the agency’sintent that repetitive actions alone, suchas typing an identification code andpassword, are not considered to bebiometric in nature. Because commentsalso indicated that it would bepreferable to simplify the term, theagency is changing the term ‘‘biometric/behavioral link’’ to ‘‘biometrics.’’Accordingly, § 11.3(b)(3) defines theterm ‘‘biometrics’’ to mean ‘‘a method ofverifying an individual’s identity basedon measurement of the individual’sphysical feature(s) or repeatableaction(s) where those features and/oractions are both unique to thatindividual and measurable.’’40. One comment said that the agencyshould identify what biometric methodsare acceptable to verify a person’sidentity and what validation acceptancecriteria the agency has used todetermine that biometric technologiesare superior to other methods, such asuse of identification codes andpasswords.The agency believes that there is awide variety of acceptable technologies,regardless of whether they are based onbiometrics, and regardless of theparticular type of biometric mechanismthat may be used. Under part 11,electronic signatures that employ atleast two distinct identificationcomponents such as identification codesand passwords, and electronicsignatures based on biometrics areequally acceptable substitutes fortraditional handwritten signatures.Furthermore, all electronic recordsystems are subject to the samerequirements of subpart B of part 11regardless of the electronic signaturetechnology being used. These provisionsinclude requirements for validation.Regarding the comment’s suggestionthat FDA apply quantitative acceptancecriteria, the agency is not seeking to setspecific numerical standards orstatistical performance criteria indetermining the threshold ofacceptability for any type of technology.If such standards were to be set forbiometrics-based electronic signatures,similar numerical performance andreliability requirements would have tobe applied to other technologies as well.The agency advises, however, that thedifferences between system controls forbiometrics-based electronic signaturesand other electronic signatures are aresult of the premise that biometricsbasedelectronic signatures, by theirnature, are less prone to becompromised than other methods suchas identification codes and passwords.Should it become evident thatadditional controls are warranted forbiometrics-based electronic signatures,the agency will propose to revise part 11accordingly.41. Proposed § 11.3(b)(4) defined aclosed system as an environment inwhich there is communication amongmultiple persons, and where systemaccess is restricted to people who arepart of the organization that operates thesystem.Many comments requestedclarification of the term ‘‘organization’’and stated that the rule should accountfor persons who, though not strictlyemployees of the operating organization,are nonetheless obligated to it in somemanner, or who would otherwise begranted system access by the operatingorganization. As examples of suchpersons, the comments cited outsidecontractors, suppliers, temporaryemployees, and consultants. Thecomments suggested a variety ofalternative wording, including a changeof emphasis from organizationalmembership to organizational controlover system access. One commentrequested clarification of whether therule intends to address specificdisciplines within a company.Based on the comments, the agencyhas revised the proposed definition ofclosed system to state ‘‘an environmentin which system access is controlled bypersons who are responsible for thecontent of electronic records that are onthe system.’’ The agency agrees that themost important factor in classifying asystem as closed or open is whether thepersons responsible for the content ofthe electronic records control access tothe system containing those records. Asystem is closed if access is controlledby persons responsible for the content ofthe records. If those persons do notcontrol such access, then the system isopen because the records may be read,modified, or compromised by others tothe possible detriment of the personsresponsible for record content. Hence,those responsible for the records wouldneed to take appropriate additionalmeasures in an open system to protectthose records from being read, modified,destroyed, or otherwise compromisedby unauthorized and potentiallyunknown parties. The agency does notbelieve it is necessary to codify the basisor criteria for authorizing system access,such as existence of a fiduciary

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13441responsibility or contractualrelationship. By being silent on suchcriteria, the rule affords maximumflexibility to organizations by permittingthem to determine those criteria forthemselves.42. Concerning the proposeddefinition of closed system, onecomment suggested adding the words‘‘or devices’’ after ‘‘persons’’ becausecommunications may involvenonhuman entities.The agency does not believe it isnecessary to adopt the suggestedrevision because the primary intent ofthe regulation is to addresscommunication among humans, notdevices.43. One comment suggested defininga closed system in terms of functionalcharacteristics that include physicalaccess control, having professionallywritten and approved procedures withemployees and supervisors trained tofollow them, conducting investigationswhen abnormalities may have occurred,and being under legal obligation to theorganization responsible for operatingthe system.The agency agrees that the functionalcharacteristics cited by the comment areappropriate for a closed system, but hasdecided that it is unnecessary to includethem in the definition. The functionalcharacteristics themselves, however,such as physical access controls, areexpressed as requirements elsewhere inpart 11.44. Two comments said that theagency should regard as closed a systemin which dial-in access via public phonelines is permitted, but where access isauthorized by, and under the control of,the organization that operates thesystem.The agency advises that dial-in accessover public phone lines could beconsidered part of a closed systemwhere access to the system that holdsthe electronic records is under thecontrol of the persons responsible forthe content of those records. The agencycautions, however, that, where anorganization’s electronic records arestored on systems operated by thirdparties, such as commercial onlineservices, access would be under controlof the third parties and the agencywould regard such a system as beingopen. The agency also cautions that, bypermitting access to its systems bypublic phone lines, organizations losethe added security that results fromrestricting physical access to computerterminal and other input devices. Insuch cases, the agency believes firmswould be prudent to implementadditional security measures above andbeyond those controls that theorganization would use if the accessdevice was within its facility andcommensurate with the potentialconsequences of such unauthorizedaccess. Such additional controls mightinclude, for example, use of inputdevice checks, caller identificationchecks (phone caller identification), callbacks, and security cards.45. Proposed § 11.3(b)(5) definedelectronic record as a document orwriting comprised of any combinationof text, graphic representation, data,audio information, or video information,that is created, modified, maintained, ortransmitted in digital form by acomputer or related system. Manycomments suggested revising theproposed definition to reflect moreaccurately the nature of electronicrecords and how they differ from paperrecords. Some comments suggesteddistinguishing between machinereadable records and paper recordscreated by machine. Some commentsnoted that the term ‘‘document orwriting’’ is inappropriate for electronicrecords because electronic records couldbe any combination of pieces ofinformation assembled (sometimes on atransient basis) from manynoncontiguous places, and because theterm does not accurately describe suchelectronic information as raw data orvoice mail. Two comments suggestedthat the agency adopt definitions ofelectronic record that were established,respectively, by the United NationsCommission on International Trade Law(UNCITRAL) Working Group onElectronic Data Interchange, and theAmerican National Standards Institute/Institute of Electrical and ElectronicEngineers Software Engineering (ANSI/IEEE) Standard (729–1983).The agency agrees with the suggestedrevisions and has revised the definitionof ‘‘electronic record’’ to emphasize thisunique nature and to clarify that theagency does not regard a paper recordto be an electronic record simplybecause it was created by a computersystem. The agency has removed‘‘document or writing’’ from thisdefinition and elsewhere in part 11 forthe sake of clarity, simplicity, andconsistency.However, the agency believes it ispreferable to adapt or modify the words‘‘document’’ and ‘‘writing’’ to electronictechnologies rather than discard thementirely from the lexicon of computertechnology. The agency is aware that theterms ‘‘document’’ and ‘‘electronicdocument’’ are used in contexts thatclearly do not intend to describe paper.Therefore, the agency considers theterms ‘‘electronic record’’ and‘‘electronic document’’ to be generallysynonymous and may use the terms‘‘writing,’’ ‘‘electronic document,’’ or‘‘document’’ in other publications todescribe records in electronic form. Theagency believes that such usage is aprudent conservation of language and isconsistent with the use of other termsand expressions that have roots in oldertechnologies, but have nonetheless beenadapted to newer technologies. Suchterms include telephone ‘‘dialing,’’internal combustion engine ‘‘horsepower,’’ electric light luminanceexpressed as ‘‘foot candles,’’ and (morerelevant to computer technology)execution of a ‘‘carriage return.’’Accordingly, the agency has revisedthe definition of electronic record tomean ‘‘any combination of text,graphics, data, audio, pictorial, or otherinformation representation in digitalform that is created, modified,maintained, archived, retrieved, ordistributed by a computer system.’’46. Proposed § 11.3(b)(6) defined anelectronic signature as the entry in theform of a magnetic impulse or otherform of computer data compilation ofany symbol or series of symbols,executed, adopted or authorized by aperson to be the legally bindingequivalent of the person’s handwrittensignature. One comment supported thedefinition as proposed, noting itsconsistency with dictionary definitions(Random House Dictionary of theEnglish Language, Unabridged Ed. 1983,and American Heritage Dictionary,1982). Several other comments,however, suggested revisions. Onecomment suggested replacing‘‘electronic signature’’ with ‘‘computerbased signature,’’ ‘‘authentication,’’ or‘‘computer based authentication’’because ‘‘electronic signature’’ isimprecise and lacks clear andrecognized meaning in the informationsecurity and legal professions. Thecomment suggested a definition closerto the UNCITRAL draft definition:(1) [a] method used to identify theoriginator of the data message and to indicatethe originator’s approval of the informationcontained therein; and (2) that method is asreliable as was appropriate for the purposefor which the data message was generated orcommunicated, in the light of allcircumstances, including any agreementbetween the originator and the addressee ofthe data message.One comment suggested replacing‘‘electronic signature’’ with ‘‘electronicidentification’’ or ‘‘electronicauthorization’’ because the termsinclude many types of technologies thatare not easily distinguishable andbecause the preamble to the proposedrule gave a rationale for using‘‘electronic signature’’ that was too‘‘esoteric for practical consideration.’’

13442 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and RegulationsThe agency disagrees that ‘‘electronicsignature’’ as proposed should bereplaced with other terms anddefinitions. As noted in the preamble tothe proposed rule, the agency believesthat it is vital to retain the word‘‘signature’’ to maintain the equivalenceand significance of various electronictechnologies with the traditionalhandwritten signature. By not using theword ‘‘signature,’’ people may treat theelectronic alternatives as less important,less binding, and less in need ofcontrols to prevent falsification. Theagency also believes that use of theword signature provides a logical bridgebetween paper and electronictechnologies that facilitates the generaltransition from paper to electronicenvironments. The term helps peoplecomply with current FDA regulationsthat specifically call for signatures. Nordoes the agency agree that thisreasoning is beyond the reach ofpractical consideration.The agency declines to accept thesuggested UNCITRAL definitionbecause it is too narrow in context inthat there is not always a specifiedmessage addressee for electronic recordsrequired by FDA regulations (e.g., abatch production record does not havea specific ‘‘addressee’’).47. Concerning the proposeddefinition of ‘‘electronic signature,’’other comments suggested deletion ofthe term ‘‘magnetic impulse’’ to renderthe term media neutral and thus allowfor such alternatives as an optical disk.Comments also suggested that the term‘‘entry’’ was unclear and recommendedits deletion. Two comments suggestedrevisions that would classify symbols asan electronic signature only when theyare committed to permanent storagebecause not every computer entry is asignature and processing to permanentstorage must occur to indicatecompletion of processing.The agency advises that the proposaldid not limit electronic signaturerecordings to ‘‘magnetic impulse’’because the proposed definition added,‘‘or other form of computer data * * *.’’However, in keeping with the agency’sintent to accept a broad range oftechnologies, the terms ‘‘magneticimpulse’’ and ‘‘entry’’ have beenremoved from the proposed definition.The agency believes that recording ofcomputer data to ‘‘permanent’’ storage isnot a necessary or warranted qualifierbecause it is not relevant to the conceptof equivalence to a handwrittensignature. In addition, use of thequalifier regarding permanent storagecould impede detection of falsifiedrecords if, for example, the signedfalsified record was deleted after apredetermined period (thus, technicallynot recorded to ‘‘permanent’’ storage).An individual could disavow asignature because the record had ceasedto exist.For consistency with the proposeddefinition of handwritten signature, andto clarify that electronic signatures arethose of individual human beings, andnot those of organizations (as includedin the act’s definition of ‘‘person’’), FDAis changing ‘‘person’’ to ‘‘individual’’ inthe final rule.Accordingly, § 11.3(b)(7) defineselectronic signature as a computer datacompilation of any symbol or series ofsymbols executed, adopted, orauthorized by an individual to be thelegally binding equivalent of theindividual’s handwritten signature.48. Proposed § 11.3(b)(7)(redesignated § 11.3(b)(8) in the finalrule) defined ‘‘handwritten signature’’as the name of an individual,handwritten in script by that individual,executed or adopted with the presentintention to authenticate a writing in apermanent form. The act of signing witha writing or marking instrument such asa pen or stylus is preserved. Theproposed definition also stated that thescripted name, while conventionallyapplied to paper, may also be applied toother devices which capture the writtenname.Many comments addressed thisproposed definition. Two commentssuggested that it be deleted on thegrounds it is redundant and that, whenhandwritten signatures are recordedelectronically, the result fits thedefinition of electronic signature.The agency disagrees that thedefinition of handwritten signatureshould be deleted. In stating the criteriaunder which electronic signatures maybe used in place of traditionalhandwritten signatures, the agencybelieves it is necessary to definehandwritten signature. In addition, theagency believes that it is necessary todistinguish handwritten signatures fromelectronic signatures because, withhandwritten signatures, the traditionalact of signing one’s name is preserved.Although the handwritten signaturerecorded electronically and electronicsignatures, as defined in part 11, mayboth ultimately result in magneticimpulses or other forms ofcomputerized symbol representations,the means of achieving those recordingsand, more importantly, the controlsneeded to ensure their reliability andtrustworthiness are quite different. Inaddition, the agency believes that adefinition for handwritten signature iswarranted to accommodate persons whowish to implement record systems thatare combinations of paper andelectronic technologies.49. Several comments suggestedreplacing the reference to ‘‘scriptedname’’ in the proposed definition ofhandwritten signature with ‘‘legalmark’’ so as to accommodateindividuals who are physically unableto write their names in script. Thecomments asserted that the term ‘‘legalmark’’ would bring the definition tocloser agreement with generallyrecognized legal interpretations ofsignature.The agency agrees and has added theterm ‘‘legal mark’’ to the definition ofhandwritten signature.50. One comment recommended thatthe regulation state that, when thehandwritten signature is not the resultof the act of signing with a writing ormarking instrument, but is applied toanother device that captures the writtenname, a system should verify that theowner of the signature has authorizedthe use of the handwritten signature.The agency declines to accept thiscomment because, if the act of signingor marking is not preserved, the type ofsignature would not be considered ahandwritten signature. The commentappears to be referring to instances inwhich one person authorizes someoneelse to use his or her stamp or device.The agency views this as inappropriatewhen the signed record does not clearlyshow that the stamp owner did notactually execute the signature. Asdiscussed elsewhere in this preamble,the agency believes that where oneperson authorizes another to sign adocument on his or her behalf, thesecond person must sign his or her ownname (not the name of the first person)along with some notation that, in doingso, he or she is acting in the capacity,or on behalf, of the first person.51. One comment suggested thatwhere handwritten signatures arecaptured by devices, there should be aregister of manually written signaturesto enable comparison for authenticityand the register also include the typednames of individuals.The agency agrees that the practice ofestablishing a signature register hasmerit, but does not believe that it isnecessary, in light of other part 11controls. As noted elsewhere in thispreamble (in the discussion of proposed§ 11.50), the agency agrees that humanreadable displays of electronic recordsmust display the name of the signer.52. Several comments suggestedvarious editorial changes to theproposed definition of handwrittensignature including: (1) Changing theword ‘‘also’’ in the last sentence to‘‘alternatively,’’ (2) clarifying the

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13443difference between the words‘‘individual’’ and ‘‘person,’’ (3) deletingthe words ‘‘in a permanent form,’’ and(4) changing ‘‘preserved’’ to‘‘permitted.’’ One comment asserted thatthe last sentence of the proposeddefinition was unnecessary.The agency has revised the definitionof handwritten signature to clarify itsintent and to keep the regulation asflexible as possible. The agency believesthat the last sentence of the proposeddefinition is needed to address devicesthat capture handwritten signatures.The agency is not adopting thesuggestion that the word ‘‘preserved’’ bechanged to ‘‘permitted’’ because‘‘preserved’’ more accurately states theagency’s intent and is a qualifier to helpdistinguish handwritten signatures fromothers. The agency advises that theword ‘‘individual’’ is used, rather than‘‘person,’’ because the act’s definition ofperson extends beyond individualhuman beings to companies andpartnerships. The agency has retainedthe term ‘‘permanent’’ to discourage theuse of pencils, but recognizes that‘‘permanent’’ does not mean eternal.53. One comment asked whether asignature that is first handwritten andthen captured electronically (e.g., byscanning) is an electronic signature or ahandwritten signature, and asked how ahandwritten signature capturedelectronically (e.g., by using a stylussensingpad device) that is affixed to apaper copy of an electronic recordwould be classified.FDA advises that when the act ofsigning with a stylus, for example, ispreserved, even when applied to anelectronic device, the result is ahandwritten signature. The subsequentprintout of the signature on paperwould not change the classification ofthe original method used to execute thesignature.54. One comment asserted that ahandwritten signature recordedelectronically should be considered tobe an electronic signature, based on themedium used to capture the signature.The comment argued that the wordsignature should be limited to papertechnology.The agency disagrees and believes itis important to classify a signature ashandwritten based upon the preservedaction of signing with a stylus or otherwriting instrument.55. One comment asked if thedefinition of handwritten signatureencompasses handwritten initials.The agency advises that, as revised,the definition of handwritten signatureincludes handwritten initials if theinitials constitute the legal markexecuted or adopted with the presentintention to authenticate a writing in apermanent form, and where the methodof recording such initials involves theact of writing with a pen or stylus.56. Proposed § 11.3(b)(8)(redesignated as § 11.3(b)(9) in the finalrule) defined an open system as anenvironment in which there iselectronic communication amongmultiple persons, where system accessextends to people who are not part ofthe organization that operates thesystem.Several comments suggested that, forsimplicity, the agency define ‘‘opensystem’’ as any system that does notmeet the definition of a closed system.One comment suggested that thedefinition be deleted on the grounds itis redundant, and that it is theresponsibility of individual firms to takeappropriate steps to ensure the validityand security of applications andinformation, regardless of whethersystems are open or closed. Othercomments suggested definitions of‘‘open system’’ that were opposite towhat they suggested for a closed system.The agency has revised the definitionof open system to mean ‘‘anenvironment in which system access isnot controlled by persons who areresponsible for the content of electronicrecords that are on the system.’’ Theagency believes that, for clarity, thedefinition should stand on its ownrather than as any system that is notclosed. The agency rejects thesuggestion that the term need not bedefined at all because FDA believes thatcontrols for open systems merit distinctprovisions in part 11 and defining theterm is basic to understanding whichrequirements apply to a given system.The agency agrees that companies havethe responsibility to take steps to ensurethe validity and security of theirapplications and information. However,FDA finds it necessary to establish part11 as minimal requirements to helpensure that those steps are, in fact,acceptable.VII. Electronic Records—Controls forClosed Systems (§ 11.10)The introductory paragraph ofproposed § 11.10 states that:Closed systems used to create, modify,maintain, or transmit electronic records shallemploy procedures and controls designed toensure the authenticity, integrity, andconfidentiality of electronic records, and toensure that the signer cannot readilyrepudiate the signed record as notgenuine. * * *The rest of the section lists specificprocedures and controls.57. One comment expressed fullsupport for the list of proposed controls,calling them generally appropriate andstated that the agency is correctlyaccommodating the fluid nature ofvarious electronic record and electronicsignature technologies. Anothercomment, however, suggested thatcontrols should not be implemented atthe time electronic records are firstcreated, but rather only after adocument is accepted by a company.The agency disagrees with thissuggestion. To ignore such controls at astage before official acceptance riskscompromising the record. For example,if ‘‘preacceptance’’ records are signed bytechnical personnel, it is vital to ensurethe integrity of their electronicsignatures to prevent record alteration.The need for such integrity is no lessimportant at preacceptance stages thanat later stages when managers officiallyaccept the records. The possibility existsthat some might seek to disavow, oravoid FDA examination of, pertinentrecords by declaring they had not beenformally ‘‘accepted.’’ In addition, FDAroutinely can and does inspect evolvingpaper documents (e.g., standardoperating procedures and validationprotocols) even though they have yet toreceive a firm’s final acceptance.58. One comment said proposed§ 11.10 contained insufficientrequirements for firms to conductperiodic inspection and monitoring oftheir own systems and procedures toensure compliance with the regulations.The comment also called for a clearidentification of the personnel in a firmwho would be responsible for systemimplementation, operation, changecontrol, and monitoring.The agency does not believe it isnecessary at this time to codify a selfauditingrequirement, as suggested bythe comment. Rather, the agencyintends to afford organizationsflexibility in establishing their owninternal mechanisms to ensurecompliance with part 11. Self-audits,however, may be considered as ageneral control, within the context ofthe introductory paragraph of § 11.10.The agency encourages firms to conductsuch audits periodically as part of anoverall approach to ensure compliancewith FDA regulations generally.Likewise, the agency does not believe itis necessary or practical to codify whichindividuals in an organization should beresponsible for compliance with variousprovisions of part 11. However, ultimateresponsibility for part 11 will generallyrest with persons responsible forelectronic record content, just asresponsibility for compliance withpaper record requirements generally lieswith those responsible for the record’scontent.

13444 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations59. Several comments interpretedproposed § 11.10 as applying allprocedures and controls to closedsystems and suggested revising it topermit firms to apply only thoseprocedures and controls they deemnecessary for their own operations,because some requirements areexcessive in some cases.The agency advises that, where agiven procedure or control is notintended to apply in all cases, thelanguage of the rule so indicates.Specifically, use of operational checks(§ 11.10(f)) and device checks(§ 11.10(h)) is not required in all cases.The remaining requirements do apply inall cases and are, in the agency’sopinion, the minimum needed to ensurethe trustworthiness and reliability ofelectronic record systems. In addition,certain controls that firms deemadequate for their routine internaloperations might nonetheless leaverecords vulnerable to manipulation and,thus, may be incompatible with FDA’sresponsibility to protect public health.The suggested revision wouldeffectively permit firms to implementvarious controls selectively and possiblyshield records from FDA, employunqualified personnel, or permitemployees to evade responsibility forfraudulent use of their electronicsignatures.The agency believes that the controlsin § 11.10 are vital, and notes thatalmost all of them were suggested bycomments on the ANPRM. The agencybelieves the wording of the regulationnonetheless permits firms maximumflexibility in how to meet thoserequirements.60. Two comments suggested that theword ‘‘confidentiality’’ in theintroductory paragraph of proposed§ 11.10 be deleted because it isunnecessary and inappropriate. Thecomments stated that firms shoulddetermine if certain records need to beconfidential, and that as long as recordscould not be altered or deleted withoutappropriate authority, it would notmatter whether they could read therecords.The agency agrees that not all recordsrequired by FDA need to be keptconfidential within a closed system andhas revised the reference in theintroductory paragraph of § 11.10 tostate ‘‘* * * and, when appropriate, theconfidentiality of electronic records.’’The agency believes, however that theneed for retaining the confidentiality ofcertain records is not diminishedbecause viewers cannot change them. Itmay be prudent for persons to carefullyassess the need for recordconfidentiality. (See, e.g., 21 CFR1002.42, Confidentiality of recordsfurnished by dealers and distributors,with respect to certain radiologicalhealth products.) In addition, FDA’sobligation to retain the confidentiality ofinformation it receives in somesubmissions hinges on the degree towhich the submitter maintainsconfidentiality, even within its ownorganization. (See, e.g., 21 CFR 720.8(b)with respect to cosmetic ingredientinformation in voluntary filings ofcosmetic product ingredient andcosmetic raw material compositionstatements.)61. One comment asked if theprocedures and controls required byproposed § 11.10 were to be built intosoftware or if they could exist in writtenform.The agency expects that, by theirnature, some procedures and controls,such as use of time-stamped audit trailsand operational checks, will be builtinto hardware and software. Others,such as validation and determination ofpersonnel qualifications, may beimplemented in any appropriate mannerregardless of whether the mechanismsare driven by, or are external to,software or hardware. To clarify thisintent, the agency has revised theintroductory paragraph of proposed§ 11.10 to read, in part, ‘‘Persons whouse closed systems to create, modify* * *.’’ Likewise, for clarity andconsistency, the agency is introducingthe same phrase, ‘‘persons who use* * *’’ in §§ 11.30 and 11.300.62. One comment contended that thedistinction between open and closedsystems should not be predominantbecause a $100,000 transaction in aclosed system should not have fewercontrols than a $1 transaction in anopen system.The agency believes that, within part11, firms have the flexibility they needto adjust the extent and stringency ofcontrols based on any factors theychoose, including the economic value ofthe transaction. The agency does notbelieve it is necessary to modify part 11at this time so as to add economiccriteria.63. One comment suggested that thereference to repudiation in theintroductory paragraph of § 11.10should be deleted because repudiationcan occur at any time in legalproceedings. Another comment, notingthat the proposed rule appeared toaddress only nonrepudiation of a signer,said the rule should addressnonrepudiation of record ‘‘genuineness’’or extend to nonrepudiation ofsubmission, delivery, and receipt. Thecomment stated that some firms providenonrepudiation services that canprevent someone from successfullyclaiming that a record has been altered.In response to the first comment, theagency does not agree that the referenceto repudiation should be deletedbecause reducing the likelihood thatsomeone can readily repudiate anelectronic signature as not his or herown, or that the signed record had beenaltered, is vital to the agency’s basicacceptance of electronic signatures. Theagency is aware that the need to detersuch repudiation has been addressed inmany forums and publications thatdiscuss electronic signatures. Absentadequate controls, FDA believes somepeople would be more likely torepudiate an electronically-signedrecord because of the relative ease withwhich electronic records may be alteredand the ease with which one individualcould impersonate another. The agencynotes, however, that the rule does notcall for nonrepudiation as an absoluteguarantee, but requires that the signercannot ‘‘readily’’ repudiate thesignature.In response to the second comment,the agency agrees that it is alsoimportant to establish nonrepudiation ofsubmission, delivery, and receipt ofelectronic records, but advises that, forpurposes of § 11.10, the agency’s intentis to limit nonrepudiation to thegenuineness of the signer’s record. Inother words, an individual should notbe able to readily say that: (1) He or shedid not, in fact, sign the record; (2) agiven electronic record containing theindividual’s signature was not, in fact,the record that the person signed; or (3)the originally signed electronic recordhad been altered after having beensigned.64. Proposed § 11.10(a) states thatcontrols for closed systems are toinclude the validation of systems toensure accuracy, reliability, consistentintended performance, and the ability toconclusively discern invalid or alteredrecords.Many comments objected to thisproposed requirement because the word‘‘conclusively’’ inferred anunreasonably high and unattainablestandard, one which is not applied topaper records.The agency intends to apply the samevalidation concepts and standards toelectronic record and electronicsignature systems as it does to papersystems. As such, FDA does not intendthe word ‘‘conclusively’’ to suggest anunattainable absolute and has, therefore,deleted the word from the final rule.65. One comment suggestedqualifying the proposed validationrequirement in § 11.10(a) to state thatvalidation be performed ‘‘where

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13445necessary’’ and argued that validation ofcommercially available software is notnecessary because such software hasalready been thoroughly validated. Thecomment acknowledged that validationmay be required for applicationprograms written by manufacturers andothers for special needs.The agency disagrees with thecomment’s claim that all commercialsoftware has been validated. The agencybelieves that commercial availability isno guarantee that software hasundergone ‘‘thorough validation’’ and isunaware of any regulatory entity thathas jurisdiction over general purposesoftware producers. The agency notesthat, in general, commercial softwarepackages are accompanied not bystatements of suitability or compliancewith established standards, but ratherby disclaimers as to their fitness for use.The agency is aware of the complex andsometimes controversial issues invalidating commercial software.However, the need to validate suchsoftware is not diminished by the factthat it was not written by those who willuse the software.In the future, the agency may provideguidance on validation of commercialsoftware used in electronic recordsystems. FDA has addressed the matterof software validation in general in suchdocuments as the ‘‘Draft Guideline forthe Validation of Blood EstablishmentComputer Systems,’’ which is availablefrom the Manufacturers Assistance andCommunications Staff, Center forBiologics Evaluation and Research(HFM–42), Food and DrugAdministration, 1401 Rockville Pike,Rockville, MD 20852–1448, 301–594–2000. This guideline is also available bysending e-mail to the following Internetaddress:CBERINFO@A1.CBER.FDA.GOV). Forthe purposes of part 11, however, theagency believes it is vital to retain thevalidation requirement.66. One comment requested anexplanation of what was meant by thephrase ‘‘consistent intended’’ inproposed § 11.10(a) and why‘‘consistent performance’’ was not usedinstead. The comment suggested thatthe rule should distinguish consistentintended performance from wellrecognizedservice ‘‘availability.’’The agency advises that the phrase‘‘consistent intended performance’’relates to the general principle ofvalidation that planned and expectedperformance is based uponpredetermined design specifications(hence, ‘‘intended’’). This concept is inaccord with the agency’s 1987‘‘Guideline on General Principles ofProcess Validation,’’ which is availablefrom the Division of Manufacturing andProduct Quality, Center for DrugEvaluation and Research (HFD–320),Food and Drug Administration, 7520Standish Pl., Rockville, MD 20855, 301–594–0093). This guideline definesvalidation as establishing documentedevidence that provides a high degree ofassurance that a specific process willconsistently produce a product meetingits predetermined specifications andquality attributes. The agency believesthat the comment’s concepts areaccommodated by this definition to theextent that system ‘‘availability’’ may beone of the predetermined specificationsor quality attributes.67. One comment said the rule shouldindicate whether validation of systemsdoes, or should, require any certificationor accreditation.The agency believes that althoughcertification or accreditation may be apart of validation of some systems, suchcertification or accreditation is notnecessary in all cases, outside of thecontext of any such approvals within anorganization itself. Therefore, part 11 issilent on the matter.68. One comment said the rule shouldclarify whether system validationshould be capable of discerning theabsence of electronic records, in light ofagency concerns about falsification. Thecomment added that the agency’sconcerns regarding invalid or alteredrecords can be mitigated by use ofcryptographically enhanced methods,including secure time and datestamping.The agency does not believe that it isnecessary at this time to include anexplicit requirement that systems becapable of detecting the absence ofrecords. The agency advises that therequirement in § 11.10(e) for audit trailsof operator actions would cover thoseactions intended to delete records.Thus, the agency would expect firms todocument such deletions, and wouldexpect the audit trail mechanisms to beincluded in the validation of theelectronic records system.69. Proposed § 11.10(b) states thatcontrols for closed systems mustinclude the ability to generate truecopies of records in both humanreadable and electronic form suitable forinspection, review, and copying by theagency, and that if there were anyquestions regarding the ability of theagency to perform such review andcopying, persons should contact theagency.Several comments objected to therequirement for ‘‘true’’ copies ofelectronic records. The commentsasserted that information in an originalrecord (as may be contained in adatabase) may be presented in a copy ina different format that may be moreusable. The comments concluded that,to generate precise ‘‘true’’ copies ofelectronic records, firms may have toretain the hardware and software thathad been used to create those records inthe first place (even when suchhardware and software had beenreplaced by newer systems). Thecomments pointed out that firms mayhave to provide FDA with theapplication logic for ‘‘true’’ copies, andthat this may violate copyrightprovisions. One comment illustrated thedifference between ‘‘true’’ copies andother equally reliable, but not exact,copies of electronic records by notingthat pages from FDA’s paperpublications (such as the CFR and theCompliance Policy Guidance Manual)look quite different from electroniccopies posted to FDA’s bulletin board.The comments suggested differentwording that would effectively requireaccurate and complete copies, but notnecessarily ‘‘true’’ copies.The agency agrees that providingexact copies of electronic records in thestrictest meaning of the word ‘‘true’’may not always be feasible. The agencynonetheless believes it is vital thatcopies of electronic records provided toFDA be accurate and complete.Accordingly, in § 11.10(b), ‘‘true’’ hasbeen replaced with ‘‘accurate andcomplete.’’ The agency expects that thisrevision should obviate the potentialproblems noted in the comments. Therevision should also reduce the costs ofproviding copies by making clear thatfirms need not maintain obsoleteequipment in order to make copies thatare ‘‘true’’ with respect to format andcomputer system.70. Many comments objected to theproposed requirement that systems becapable of generating electronic copiesof electronic records for FDA inspectionand copying, although they generallyagreed that it was appropriate to provideFDA with readable paper copies.Alternative wording was suggested thatwould make providing electronic copiesoptional, such that persons couldprovide FDA with nothing but papercopies if they so wished. The commentsargued that providing FDA withelectronic copies was unnecessary,unjustified, not practical consideringthe different types of computer systemsthat may be in use, and would unfairlylimit firms in their selection ofhardware and software if they couldonly use systems that matched FDA’scapabilities (capabilities which, it wasargued, would not be uniformthroughout the United States). Onecomment suggested that the rule specify

13446 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationsa particular format, such as ASCII, forelectronic copies to FDA.The agency disagrees with theassertion that FDA need only beprovided with paper copies of electronicrecords. To operate effectively, theagency must function on the sametechnological plane as the industries itregulates. Just as firms realizeefficiencies and benefits in the use ofelectronic records, FDA should be ableto conduct audits efficiently andthoroughly using the same technology.For example, where firms performcomputerized trend analyses ofelectronic records to improve theirprocesses, FDA should be able to usecomputerized methods to auditelectronic records (on site and off, asnecessary) to detect trends,inconsistencies, and potential problemareas. If FDA is restricted to reviewingonly paper copies of those records, theresults would severely impede itsoperations. Inspections would takelonger to complete, resulting in delaysin approvals of new medical products,and expenditure of additional resourcesboth by FDA (in performing theinspections and transcribing paperrecords to electronic format) and by theinspected firms, which would generatethe paper copies and respond toquestions during the resultinglengthened inspections.The agency believes that it also maybe necessary to require that personsfurnish certain electronic copies ofelectronic records to FDA because papercopies may not be accurate andcomplete if they lack certain audit trail(metadata) information. Suchinformation may have a direct bearingon record trustworthiness andreliability. These data could includeinformation, for example, on whencertain items of electronic mail weresent and received.The agency notes that people who usedifferent computer systems routinelyprovide each other with electroniccopies of electronic records, and thereare many current and developing toolsto enable such sharing. For example, ata basic level, records may be created in,or transferred to, the ASCII format.Many different commercial programshave the capability to import from, andexport to, electronic records havingdifferent formats. Firms use electronicdata interchange (commonly known asEDI) and agreed upon transaction setformats to enable them to exchangecopies of electronic records effectively.Third parties are also developingportable document formats to enableconversion among several diverseformats.Concerning the ability of FDA tohandle different formats of electronicrecords, based upon the emergence offormat conversion tools such as thosementioned above, the agency’sexperience with electronic submissionssuch as computer assisted new drugapplications (commonly known asCANDA’s), and the agency’s plannedSubmissions Management and ReviewTracking System (commonly known asSMART), FDA is confident that it canwork with firms to minimize anyformatting difficulties. In addition,substitution of the words ‘‘accurate andcomplete’’ for ‘‘true,’’ as discussed incomment 69, should make it easier forfirms to provide FDA with electroniccopies of their electronic records. FDAdoes not believe it is necessary tospecify any particular format in part 11because it prefers, at this time, to affordindustry and the agency more flexibilityin deciding which formats meet thecapabilities of all parties. Accordingly,the agency has revised proposed§ 11.10(b) to read:The ability to generate accurate andcomplete copies of records in both humanreadable and electronic form suitable forinspection, review, and copying by theagency. Persons should contact the agency ifthere are any questions regarding the abilityof the agency to perform such review andcopying of the electronic records.71. Proposed § 11.10(c) states thatprocedures and controls for closedsystems must include the protection ofrecords to enable their accurate andready retrieval throughout the recordsretention period.One firm commented that, because itreplaces systems often (about every 3years), it may have to retain supplantedsystems to meet these requirements.Another comment suggested that therule be modified to require recordsretention only for as long as ‘‘legallymandated.’’The agency notes that, as discussed incomment 70 of this document, personswould not necessarily have to retainsupplanted hardware and softwaresystems provided they implementedconversion capabilities when switchingto replacement technologies. The agencydoes not believe it is necessary to addthe qualifier ‘‘legally mandated’’because the retention period for a givenrecord will generally be established bythe regulation that requires the record.Where the regulations do not specify agiven time, the agency would expectfirms to establish their own retentionperiods. Regardless of the basis for theretention period, FDA believes that therequirement that a given electronicrecord be protected to permit it to beaccurately and readily retrieved for aslong as it is kept is reasonable andnecessary.72. Proposed § 11.10(e) would requirethe use of time-stamped audit trails todocument record changes, all write-tofileoperations, and to independentlyrecord the date and time of operatorentries and actions. Record changesmust not obscure previously recordedinformation and such audit traildocumentation must be retained for aperiod at least as long as required for thesubject electronic documents and mustbe available for agency review andcopying.Many comments objected to theproposed requirement that all write-tofileoperations be documented in theaudit trail because it is unnecessary todocument all such operations. Thecomments said that this would requireaudit trails for such automatedrecordings as those made to internalbuffers, data swap files, or temporaryfiles created by word processingprograms. The comments suggestedrevising § 11.10(e) to require audit trailsonly for operator entries and actions.Other comments suggested that audittrails should cover: (1) Operator datainputs but not actions, (2) only operatorchanges to records, (3) only criticalwrite-to-file information, (4) operatorchanges as well as all actions, (5) onlynew entries, (6) only systems where datacan be altered, (7) only informationrecorded by humans, (8) informationrecorded by both humans and devices,and (9) only entries made uponadoption of the records as official. Onecomment said audit trails should not berequired for data acquisition systems,while another comment said audit trailsare critical for data acquisition systems.It is the agency’s intent that the audittrail provide a record of essentially whodid what, wrote what, and when. Thewrite-to-file operations referenced in theproposed rule were not intended tocover the kind of ‘‘background’’nonhuman recordings the commentsidentified.The agency considers such operatoractions as activating a manufacturingsequence or turning off an alarm towarrant the same audit trail coverage asoperator data entries in order todocument a thorough history of eventsand those responsible for such events.Although FDA acknowledges that notevery operator ‘‘action,’’ such asswitching among screen displays, needbe covered by audit trails, the agency isconcerned that revising the rule to coveronly ‘‘critical’’ operations would resultin excluding much information andactions that are necessary to documentevents thoroughly.

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13447The agency believes that, in general,the kinds of operator actions that needto be covered by an audit trail are thoseimportant enough to memorialize in theelectronic record itself. These areactions which, for the most part, wouldbe recorded in corresponding paperrecords according to existingrecordkeeping requirements.The agency intends that the audit trailcapture operator actions (e.g., acommand to open a valve) at the timethey occur, and operator information(e.g., data entry) at the time theinformation is saved to the recordingmedia (such as disk or tape), in muchthe same manner as such actions andinformation are memorialized on paper.The audit trail need not capture everykeystroke and mistake that is held in atemporary buffer before thosecommitments. For example, where anoperator records the lot number of aningredient by typing the lot number,followed by the ‘‘return key’’ (wherepressing the return key would cause theinformation to be saved to a disk file),the audit trail need not record every‘‘backspace delete’’ key the operatormay have previously pressed to correcta typing error. Subsequent ‘‘saved’’corrections made after such acommitment, however, must be part ofthe audit trail.At this time, the agency’s primaryconcern relates to the integrity of humanactions. Should the agency’s experiencewith part 11 demonstrate a need torequire audit trails of device operationsand entries, the agency will proposeappropriate revisions to theseregulations. Accordingly, the agency hasrevised proposed § 11.10(e) by removingreference to all write-to-file operationsand clarifying that the audit trail is tocover operator entries and actions thatcreate, modify, or delete electronicrecords.73. A number of commentsquestioned whether proposed § 11.10(e)mandated that the audit trail be part ofthe electronic record itself or be kept asa separate record. Some commentsinterpreted the word ‘‘independently’’as requiring a separate record. Severalcomments focused on the question ofwhether audit trails should be generatedmanually under operator control orautomatically without operator control.One comment suggested a revision thatwould require audit trails to begenerated by computer, because thesystem, not the operator, should recordthe audit trail. Other comments said therule should facilitate date and timerecording by software, not operators,and that the qualifier ‘‘securely’’ beadded to the language describing theaudit trail. One comment, noting thataudit trails require validation andqualification to ensure that time stampsare accurate and independent, suggestedthat audit trails be required only whenoperator actions are witnessed.The agency advises that audit trailinformation may be contained as part ofthe electronic record itself or as aseparate record. FDA does not intend torequire one method over the other. Theword ‘‘independently’’ is intended torequire that the audit trail not be underthe control of the operator and, toprevent ready alteration, that it becreated independently of the operator.To maintain audit trail integrity, theagency believes it is vital that the audittrail be created by the computer systemindependently of operators. The agencybelieves it would defeat the purpose ofaudit trails to permit operators to writeor change them. The agency believesthat, at this time, the source of suchindependent audit trails may effectivelybe within the organization that createsthe electronic record. However, theagency is aware of a situation underwhich time and date stamps areprovided by trusted third parties outsideof the creating organization. These thirdparties provide, in effect, a publicelectronic notary service. FDA willmonitor development of such servicesin light of part 11 to determine if arequirement for such third partyservices should be included in theseregulations. For now, the agencyconsiders the advent of such services asrecognition of the need for strictobjectivity in recording time and datestamps.The agency disagrees with thepremise that only witnessed operatoractions need be covered by audit trailsbecause the opportunities for recordfalsification are not limited to caseswhere operator actions are witnessed.Also, the need for validating audit trailsdoes not diminish the need for theirimplementation.FDA agrees with the suggestion thatthe proposed rule be revised to requirea secure audit trail—a concept inherentin having such a control at all.Accordingly, proposed § 11.10(e) hasbeen revised to require use of ‘‘secure,computer-generated’’ audit trails.74. A few comments objected to therequirement that time be recorded, inaddition to dates, and suggested thattime be recorded only when necessaryand feasible. Other commentsspecifically supported the requirementfor recording time, noting that timestamps make electronic signatures lessvulnerable to fraud and abuse. Thecomments noted that, in any setting,there is a need to identify the date, time,and person responsible for adding to orchanging a value. One of the commentssuggested that the rule require recordingthe reason for making changes toelectronic records. Other commentsimplicitly supported recording time.FDA believes that recording time is acritical element in documenting asequence of events. Within a given daya number of events and operator actionsmay take place, and without recordingtime, documentation of those eventswould be incomplete. For example,without time stamps, it may be nearlyimpossible to determine such importantsequencing as document approvals andrevisions and the addition of ingredientsin drug production. Thus, the elementof time becomes vital to establishing anelectronic record’s trustworthiness andreliability.The agency notes that comments onthe ANPRM frequently identified use ofdate/time stamps as an importantsystem control. Time recording, in theagency’s view, can also be an effectivedeterrent to records falsification. Forexample, event sequence codes alonewould not necessarily document truetime in a series of events, makingfalsification of that sequence easier iftime stamps are not used. The agencybelieves it should be very easy for firmsto implement time stamps because thereis a clock in every computer anddocument management software,electronic mail systems and otherelectronic record/electronicapplications, such as digital signatureprograms, commonly apply date andtime stamps. The agency does notintend that new technologies, such ascryptographic technologies, will beneeded to comply with thisrequirement. The agency believes thatimplementation of time stamps shouldbe feasible in virtually all computersystems because effective computeroperations depend upon internal clockor timing mechanisms and, in theagency’s experience, most computersystems are capable of preciselyrecording such time entries as whenrecords are saved.The agency is implementing the timestamp requirement based on theunderstanding that all currentcomputers, electronic documentsoftware, electronic mail, and relatedelectronic record systems include suchtechnologies. The agency alsounderstands that time stamps areapplied automatically by these systems,meaning firms would not have to installadditional hardware, software, or incuradditional burden to implement thiscontrol. In recognition of this, theagency wishes to clarify that a primaryintent of this provision is to ensure thatpeople take reasonable measures to

13448 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationsensure that those built in time stampsare accurate and that people do not alterthem casually so as to readily maskunauthorized record changes.The agency advises that, although part11 does not specify the time units (e.g.,tenth of a second, or even the second)to be used, the agency expects the unitof time to be meaningful in terms ofdocumenting human actions.The agency does not believe part 11needs to require recording the reason forrecord changes because such arequirement, when needed, is already inplace in existing regulations that pertainto the records themselves.75. One comment stated thatproposed § 11.10(e) should not requirean electronic signature for each write-tofileoperation.The agency advises that § 11.10(e)does not require an electronic signatureas the means of authenticating eachwrite-to-file operation. The agencyexpects the audit trail to document whodid what and when, documentation thatcan be recorded without electronicsignatures themselves.76. Several comments, addressing theproposed requirement that recordchanges not obscure previouslyrecorded information, suggestedrevising proposed § 11.10(e) to applyonly to those entries intended to updateprevious information.The agency disagrees with thesuggested revision because therewording is too narrow. The agencybelieves that some record changes maynot be ‘‘updates’’ but significantmodifications or falsifications disguisedas updates. All changes to existingrecords need to be documented,regardless of the reason, to maintain acomplete and accurate history, todocument individual responsibility, andto enable detection of recordfalsifications.77. Several comments suggestedreplacing the word ‘‘document’’ with‘‘record’’ in the phrase ‘‘Such audittrails shall be retained for a period atleast as long as required for the subjectelectronic documents * * *’’ becausenot all electronic documents areelectronic records and because the worddocument connotes paper.As discussed in section III.D. of thisdocument, the agency equates electronicdocuments with electronic records, butfor consistency, has changed the phraseto read ‘‘Such audit trail documentationshall be retained for a period at least aslong as that required for the subjectelectronic records * * *.’’78. Proposed § 11.10(k)(ii)(§ 11.10(k)(2) in this regulation)addresses electronic audit trails as asystems documentation control. Onecomment noted that this provisionappears to be the same as the audit trailprovision of proposed § 11.10(e) andrequested clarification.The agency wishes to clarify that thekinds of records subject to audit trails inthe two provisions cited by thecomment are different. Section 11.10(e)pertains to those records that arerequired by existing regulations whereas§ 11.10(k)(2) covers the systemdocumentation records regarding overallcontrols (such as access privilege logs,or system operational specificationdiagrams). Accordingly, the firstsentence of § 11.10(e) has been revisedto read ‘‘Use of secure, computergenerated,time-stamped audit trails toindependently record and date the timeof operator entries and actions thatcreate, modify, or delete electronicrecords.’’79. Proposed § 11.10(f) states thatprocedures and controls for closedsystems must include the use ofoperational checks to enforce permittedsequencing of events, as appropriate.Two comments requested clarificationof the agency’s intent regardingoperational checks.The agency advises that the purposeof performing operational checks is toensure that operations (such asmanufacturing production steps andsignings to indicate initiation orcompletion of those steps) are notexecuted outside of the predefined orderestablished by the operatingorganization.80. Several comments suggested that,for clarity, the phrase ‘‘operationalchecks’’ be modified to ‘‘operationalsystem checks.’’The agency agrees that the addedmodifier ‘‘system’’ more accuratelyreflects the agency’s intent thatoperational checks be performed by thecomputer systems and has revisedproposed § 11.10(f) accordingly.81. Several comments suggestedrevising proposed § 11.10(f) to clarifywhat is to be checked. The commentssuggested that ‘‘steps’’ in addition to‘‘events’’ be checked, only critical stepsbe checked, and that ‘‘records’’ also bechecked.The agency intends the word ‘‘event’’to include ‘‘steps’’ such as productionsteps. For clarity, however, the agencyhas revised proposed § 11.10(f) byadding the word ‘‘steps.’’ The agencydoes not, however, agree that onlycritical steps need be subject tooperational checks because a givenspecific step or event may not becritical, yet it may be very importantthat the step be executed at the propertime relative to other steps or events.The agency does not believe it necessaryto add the modifier ‘‘records’’ toproposed § 11.10(f) because creation,deletion, or modification of a record isan event. Should it be necessary tocreate, delete, or modify records in aparticular sequence, operational systemchecks would ensure that the propersequence is followed.82. Proposed § 11.10(g) states thatprocedures and controls for closedsystems must include the use ofauthority checks to ensure that onlyauthorized individuals use the system,electronically sign a record, access theoperation or device, alter a record, orperform the operation at hand.One comment suggested that therequirement for authority checks bequalified with the phrase ‘‘asappropriate,’’ on the basis that it wouldnot be necessary for certain parts of asystem, such as those not affecting anelectronic record. The comment citedpushing an emergency stop button as anexample of an event that would notrequire an authority check. Anothercomment suggested deleting therequirement on the basis that somerecords can be read by all employees inan organization.The agency advises that authoritychecks, and other controls under§ 11.10, are intended to ensure theauthenticity, integrity, andconfidentiality of electronic records,and to ensure that signers cannot readilyrepudiate a signed record as notgenuine. Functions outside of thiscontext, such as pressing an emergencystop button, would not be covered.However, even in this example, theagency finds it doubtful that a firmwould permit anyone, such as a strangerfrom outside the organization, to entera facility and press the stop button atwill regardless of the existence of anemergency. Thus, there would likely besome generalized authority checks builtinto the firm’s operations.The agency believes that feworganizations freely permit anyone fromwithin or without the operation to usetheir computer system, electronicallysign a record, access workstations, alterrecords, or perform operations. It islikely that authority checks shape theactivities of almost every organization.The nature, scope, and mechanism ofperforming such checks is up to theoperating organization. FDA believes,however, that performing such checks isone of the most fundamental measuresto ensure the integrity andtrustworthiness of electronic records.Proposed § 11.10(g) does not precludeall employees from being permitted toread certain electronic records.However, the fact that some records maybe read by all employees would not

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13449justify deleting the requirement forauthority checks entirely. The agencybelieves it is highly unlikely that all ofa firm’s employees would haveauthority to read, write, and sign all ofits electronic records.83. One comment said authoritychecks are appropriate for documentaccess but not system access, andsuggested that the phrase ‘‘access theoperation or device’’ be deleted. Thecomment added, with respect toauthority checks on signing records, thatin many organizations, more than oneindividual has the authority to signdocuments required under FDAregulations and that such authorityshould be vested with the individual asdesignated by the operatingorganization. Another comment saidproposed § 11.10(g) should explicitlyrequire access authority checks andsuggested that the phrase ‘‘use thesystem’’ be changed to ‘‘access and usethe system.’’ The comment also askedfor clarification of the term ‘‘device.’’The agency disagrees that authoritychecks should not be required forsystem access because, as discussed incomment 82 of this document, it isunlikely that a firm would permit anyunauthorized individuals to access itscomputer systems. System accesscontrol is a basic security functionbecause system integrity may beimpeached even if the electronic recordsthemselves are not directly accessed.For example, someone could access asystem and change passwordrequirements or otherwise overrideimportant security measures, enablingindividuals to alter electronic records orread information that they were notauthorized to see. The agency does notbelieve it necessary to add the qualifier‘‘access and’’ because § 11.10(d) alreadyrequires that system access be limited toauthorized individuals. The agencyintends the word ‘‘device’’ to mean acomputer system input or output deviceand has revised proposed § 11.10(g) toclarify this point.Concerning signature authority, FDAadvises that the requirement forauthority checks in no way limitsorganizations in authorizing individualsto sign multiple records. Firms may useany appropriate mechanism toimplement such checks. Organizationsdo not have to embed a list ofauthorized signers in every record toperform authority checks. For example,a record may be linked to an authoritycode that identifies the title ororganizational unit of people who maysign the record. Thus, employees whohave that corresponding code, or belongto that unit, would be able to sign therecord. Another way to implementcontrols would be to link a list ofauthorized records to a givenindividual, so that the system wouldpermit the individual to sign onlyrecords in that list.84. Two comments addressedauthority checks within the context ofPDMA and suggested that such checksnot be required for drug sample receiptrecords. The comments said thatdifferent individuals may be authorizedto accept drug samples at a physician’soffice, and that the large number ofphysicians who would potentiallyqualify to receive samples would be toogreat to institute authority checks.The agency advises that authoritychecks need not be automated and thatin the context of PDMA such checkswould be as valid for electronic recordsas they are for paper sample requestsbecause only licensed practitioners ortheir designees may accept delivery ofdrug samples. The agency, therefore,acknowledges that many individualsmay legally accept samples and, thus,have the authority to sign electronicreceipts. However, authority checks forelectronic receipts could nonetheless beperformed by sample manufacturerrepresentatives by using the sameprocedures as the representatives use forpaper receipts. Accordingly, the agencydisagrees with the comment thatproposed § 11.10(g) should not apply toPDMA sample receipts.The agency also advises that underPDMA, authority checks would beparticularly important in the case ofdrug sample request records becauseonly licensed practitioners may requestdrug samples.Accordingly, proposed § 11.10(g) hasbeen revised to read: ‘‘Use of authoritychecks to ensure that only authorizedindividuals can use the system,electronically sign a record, access theoperation or computer system input oroutput device, alter a record, or performthe operation at hand.’’85. Proposed § 11.10(h) states thatprocedures and controls for closedsystems must include the use of device(e.g., terminal) location checks todetermine, as appropriate, the validityof the source of data input oroperational instruction. Severalcomments objected to this proposedrequirement and suggested its deletionbecause it is: (1) Unnecessary (becausethe data source is always known byvirtue of system design and validation);(2) problematic with respect to mobiledevices, such as those connected bymodem; (3) too much of a ‘‘how to;’’ (4)not explicit enough to tell firms what todo; (5) unnecessary in the case ofPDMA; and (6) technically challenging.One comment stated that a device’sidentification, in addition to location,may be important and suggested that theproposed rule be revised to requiredevice identification as well.FDA advises that, by use of the term‘‘as appropriate,’’ it does not intend torequire device checks in all cases. Theagency believes that these checks arewarranted where only certain deviceshave been selected as legitimate sourcesof data input or commands. In suchcases, the device checks would be usedto determine if the data or commandsource was authorized. In a network, forexample, it may be necessary forsecurity reasons to limit issuance ofcritical commands to only oneauthorized workstation. The devicecheck would typically interrogate thesource of the command to ensure thatonly the authorized workstation, andnot some other device, was, in fact,issuing the command.The same approach applies for remotesources connected by modem, to theextent that device identityinterrogations could be madeautomatically regardless of where theportable devices were located. To clarifythis concept, the agency has removedthe word ‘‘location’’ from proposed§ 11.10(h). Device checks would benecessary under PDMA when the sourceof commands or data is relevant toestablishing authenticity, such as whenlicensed practitioners order drugsamples directly from the manufactureror authorized distributor without theintermediary of a sales representative.Device checks may also be useful tofirms in documenting and identifyingwhich sales representatives aretransmitting drug sample requests fromlicensed practitioners.FDA believes that, althoughvalidation may demonstrate that a giventerminal or workstation is technicallycapable of sending information from onepoint to another, validation alone wouldnot be expected to address whether ornot such device is authorized to do so.86. Proposed § 11.10(i) states thatprocedures and controls for closedsystems must include confirmation thatpersons who develop, maintain, or useelectronic record or signature systemshave the education, training, andexperience to perform their assignedtasks.Several comments objected to theword ‘‘confirmation’’ because it isredundant with, or more restrictivethan, existing regulations, and suggestedalternate wording, such as ‘‘evidence.’’Two comments interpreted theproposed wording as requiring thatchecks of personnel qualifications beperformed automatically by computersystems that perform database type

13450 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationsmatches between functions andpersonnel training records.The agency advises that, althoughthere may be some overlap in proposed§ 11.10(i) and other regulationsregarding the need for personnel to beproperly qualified for their duties, part11 is specific to functions regardingelectronic records, an issue that otherregulations may or may not adequatelyaddress. Therefore, the agency isretaining the requirement.The agency does not intend to requirethat the check of personnelqualifications be performedautomatically by a computer systemitself (although such automation isdesirable). The agency has revised theintroductory paragraph of § 11.10, asdiscussed in section VII. of thisdocument, to clarify this point. Theagency agrees that another word shouldbe used in place of ‘‘confirmation,’’ andfor clarity has selected ‘‘determination.’’87. One comment suggested that theword ‘‘training’’ be deleted because ithas the same meaning as ‘‘education’’and ‘‘experience,’’ and objected to theimplied requirement for records ofemployee training. Another commentargued that applying this provision tosystem developers was irrelevant solong as systems perform as required andhave been appropriately validated. Thecomment suggested revising proposed§ 11.10(i) to require employees to betrained only ‘‘as necessary.’’ Onecomment, noting that training andexperience are very important,suggested expanding proposed § 11.10(i)to require appropriate examination andcertification of persons who performcertain high-risk, high-trust functionsand tasks.The agency regards this requirementas fundamental to the proper operationof a facility. Personnel entrusted withimportant functions must havesufficient training to do their jobs. InFDA’s view, formal education (e.g.,academic studies) and general industryexperience would not necessarilyprepare someone to begin specific,highly technical tasks at a given firm.Some degree of on-the-job trainingwould be customary and expected. Theagency believes that documentation ofsuch training is also customary and notunreasonable.The agency also disagrees with theassertion that personnel qualificationsof system developers are irrelevant. Thequalifications of personnel who developsystems are relevant to the expectedperformance of the systems they buildand their ability to explain and supportthese systems. Validation does notlessen the need for personnel to havethe education, training, and experienceto do their jobs properly. Indeed, it ishighly unlikely that poorly qualifieddevelopers would be capable ofproducing a system that could bevalidated. The agency advises that,although the intent of proposed§ 11.10(i) is to address qualifications ofthose personnel who develop systemswithin an organization, rather thanexternal ‘‘vendors’’ per se, it isnonetheless vital that vendor personnelare likewise qualified to do their work.The agency agrees that periodicexamination or certification ofpersonnel who perform certain criticaltasks is desirable. However, the agencydoes not believe that at this time aspecific requirement for suchexamination and certification isnecessary.88. Proposed § 11.10(j) states thatprocedures and controls for closedsystems must include the establishmentof, and adherence to, written policiesthat hold individuals accountable andliable for actions initiated under theirelectronic signatures, so as to deterrecord and signature falsification.Several comments suggested changingthe word ‘‘liable’’ to ‘‘responsible’’because the word ‘‘responsible’’ isbroader, more widely understood byemployees, more positive and inclusiveof elements of honesty and trust, andmore supportive of a broad range ofdisciplinary measures. One commentargued that the requirement would notdeter record or signature falsificationbecause employee honesty and integritycannot be regulated.The agency agrees because, althoughthe words ‘‘responsible’’ and ‘‘liable’’are generally synonymous,‘‘responsible’’ is preferable because it ismore positive and supportive of a broadrange of disciplinary measures. Theremay be a general perception thatelectronic records and electronicsignatures (particularly identificationcodes and passwords) are lesssignificant and formal than traditionalpaper records and handwrittensignatures. Individuals may thereforenot fully equate the seriousness ofelectronic record falsification withpaper record falsification. Employeesneed to understand the gravity andconsequences of signature or recordfalsification. Although FDA agrees thatemployee honesty cannot be ensured byrequiring it in a regulation, the presenceof strong accountability andresponsibility policies is necessary toensure that employees understand theimportance of maintaining the integrityof electronic records and signatures.89. Several comments expressedconcern regarding employee liability foractions taken under their electronicsignatures in the event that suchsignatures are compromised, andrequested ‘‘reasonable exceptions.’’ Thecomments suggested revising proposed§ 11.10(j) to hold people accountableonly where there has been intentionalfalsification or corruption of electronicdata.The agency considers the compromiseof electronic signatures to be a veryserious matter, one that shouldprecipitate an appropriate investigationinto any causative weaknesses in anorganization’s security controls. Theagency nonetheless recognizes thatwhere such compromises occur throughno fault or knowledge of individualemployees, there would be reasonablelimits on the extent to whichdisciplinary action would be taken.However, to maintain emphasis on theseriousness of such security breechesand deter the deliberate fabrication of‘‘mistakes,’’ the agency believes § 11.10should not provide for exceptions thatmay lessen the import of such afabrication.90. One comment said the agencyshould consider the need for criminallaw reform because current computercrime laws do not address signatureswhen unauthorized access or computeruse is not an issue. Another commentargued that proposed § 11.10(j) shouldbe expanded beyond ‘‘individual’’accountability to include businessentities.The agency will consider the need forrecommending legislative initiatives toaddress electronic signature falsificationin light of the experience it gains withthis regulation. The agency does notbelieve it necessary to address businessentity accountability specifically in§ 11.10 because the emphasis is onactions and accountability ofindividuals, and because individuals,rather than business entities, applysignatures.91. One comment suggested thatproposed § 11.10(j) should be deletedbecause it is unnecessary becauseindividuals are presumably heldaccountable for actions taken undertheir authority, and because, in someorganizations, individuals frequentlydelegate authority to sign their names.As discussed in comments 88 to 90 ofthis document, the agency hasconcluded that this section is necessary.Furthermore it does not limit delegationof authority as described in thecomment. However, where oneindividual signs his or her name onbehalf of someone else, the signatureapplied should be that of the delegatee,with some notation of that fact, and notthe name of the delegator. This is the

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13451same procedure commonly used onpaper documents, noted as ‘‘X for Y.’’92. Proposed § 11.10(k) states thatprocedures and controls for closedsystems must include the use ofappropriate systems documentationcontrols, including: (1) Adequatecontrols over the distribution, access to,and use of documentation for systemoperation and maintenance; and (2)records revision and change controlprocedures to maintain an electronicaudit trail that documents timesequenceddevelopment andmodification of records. Severalcomments requested clarification of thetype of documents covered by proposed§ 11.10(k). One comment noted that thissection failed to address controls forrecord retention. Some commentssuggested limiting the scope of systemsdocumentation to application andconfigurable software, or only tosoftware that could compromise systemsecurity or integrity. Other commentssuggested that this section should bedeleted because some documentationneeds wide distribution within anorganization, and that it is an onerousburden to control user manuals.The agency advises that § 11.10(k) isintended to apply to systemsdocumentation, namely, recordsdescribing how a system operates and ismaintained, including standardoperating procedures. The agencybelieves that adequate controls oversuch documentation are necessary forvarious reasons. For example, it isimportant for employees to have correctand updated versions of standardoperating and maintenance procedures.If this documentation is not current,errors in procedures and/ormaintenance are more likely to occur.Part 11 does not limit an organization’sdiscretion as to how widely or narrowlyany document is to be distributed, andFDA expects that certain documentswill, in fact, be widely disseminated.However, some highly sensitivedocumentation, such as instructions onhow to modify system security features,would not routinely be widelydistributed. Hence, it is important tocontrol distribution of, access to, anduse of such documentation.Although the agency agrees that themost critical types of system documentswould be those directly affecting systemsecurity and integrity, FDA does notagree that control over systemdocumentation should only extend tosecurity related software or toapplication or configurable software.Documentation that relates to operatingsystems, for example, may also have animpact on security and day-to-dayoperations. The agency does not agreethat it is an onerous burden to controldocumentation that relates to effectiveoperation and security of electronicrecords systems. Failure to control suchdocumentation, as discussed above,could permit and foster recordsfalsification by making the enablinginstructions for these acts readilyavailable to any individual.93. Concerning the proposedrequirement for adequate controls overdocumentation for system operation andmaintenance, one comment suggestedthat it be deleted because it is under thecontrol of system vendors, rather thanoperating organizations. Severalcomments suggested that the proposedprovision be deleted because itduplicates § 11.10(e) with respect toaudit trails. Some comments alsoobjected to maintaining the changecontrol procedures in electronic formand suggested deleting the word‘‘electronic’’ from ‘‘electronic audittrails.’’The agency advises that this section isintended to apply to systemsdocumentation that can be changed byindividuals within an organization. Ifsystems documentation can only bechanged by a vendor, this provisiondoes not apply to the vendor’scustomers. The agency acknowledgesthat systems documentation may be inpaper or electronic form. Where thedocumentation is in paper form, anaudit trail of revisions need not be inelectronic form. Where systemsdocumentation is in electronic form,however, the agency intends to requirethe audit trail also be in electronic form,in accordance with § 11.10(e). Theagency acknowledges that, in light ofthe comments, the proposed rule maynot have been clear enough regardingaudit trails addressed in § 11.10(k)compared to audit trails addressed in§ 11.10(e) and has revised the final ruleto clarify this matter.The agency does not agree, however,that the audit trail provisions of§ 11.10(e) and (k), as revised, areentirely duplicative. Section 11.10(e)applies to electronic records in general(including systems documentation);§ 11.10(k) applies exclusively to systemsdocumentation, regardless of whethersuch documentation is in paper orelectronic form.As revised, § 11.10(k) now reads asfollows:(k) Use of appropriate controls oversystems documentation including:(1) Adequate controls over the distributionof, access to, and use of documentation forsystem operation and maintenance.(2) Revision and change control proceduresto maintain an audit trail that documentstime-sequenced development andmodification of systems documentation.VIII. Electronic Records—Controls forOpen Systems (§ 11.30)Proposed § 11.30 states that: ‘‘Opensystems used to create, modify,maintain, or transmit electronic recordsshall employ procedures and controlsdesigned to ensure the authenticity,integrity and confidentiality ofelectronic records from the point oftheir creation to the point of theirreceipt.’’ In addition, § 11.30 states:* * * Such procedures and controls shallinclude those identified in § 11.10, asappropriate, and such additional measures asdocument encryption and use of establisheddigital signature standards acceptable to theagency, to ensure, as necessary under thecircumstances, record authenticity, integrity,and confidentiality.94. One comment suggested that thereference to digital signature standardsbe deleted because the agency shouldnot be setting standards and should notdictate how to ensure recordauthenticity, integrity, andconfidentiality. Other commentsrequested clarification of the agency’sexpectations with regard to digitalsignatures: (1) The kinds that would beacceptable, (2) the mechanism forannouncing which standards wereacceptable (and whether that meantFDA would be certifying particularsoftware), and (3) a definition of digitalsignature. One comment asserted thatFDA should accept internationalstandards for digital signatures. Somecomments also requested a definition ofencryption. One comment encouragedthe agency to further define opensystems.The agency advises that § 11.30requires additional controls, beyondthose identified in § 11.10, as neededunder the circumstances, to ensurerecord authenticity, integrity, andconfidentiality for open systems. Use ofdigital signatures is one measure thatmay be used, but is not specificallyrequired. The agency wants to ensurethat the digital signature standard usedis, in fact, appropriate. Development ofdigital signature standards is a complexundertaking, one FDA does not expectto be performed by individual firms onan ad hoc basis, and one FDA does notnow seek to perform.The agency is nonetheless concernedthat such standards be robust andsecure. Currently, the agency is aware oftwo such standards, the RSA (Rivest-Shamir-Adleman), and NIST’s DigitalSignature Standard (DSS). The DSSbecame Federal Information ProcessingStandard (FIPS) 186 on December 1,1994. These standards are incorporatedin different software programs. Theagency does not seek to certify orotherwise approve of such programs,

13452 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationsbut expects people who use suchprograms to ensure that they are suitablefor their intended use. FDA is awarethat NIST provides certificationsregarding mathematical conformance tothe DSS core algorithms, but does notformally evaluate the broader programsthat contain those algorithms. Theagency has revised the final rule toclarify its intent that firms retain theflexibility to use any appropriate digitalsignature as an additional systemcontrol for open systems. FDA is alsoincluding a definition of digitalsignature under § 11.3(b)(5).The agency does not believe itnecessary to codify the term‘‘encryption’’ because, unlike the termdigital signature, it has been in generaluse for many years and is generallyunderstood to mean the transforming ofa writing into a secret code or cipher.The agency is aware that there areseveral commercially available softwareprograms that implement both digitalsignatures and encryption.95. Two comments noted that use ofdigital signatures and encryption is notnecessary in the context of PDMA,where access to an electronic record islimited once it is signed and stored. Oneof the comments suggested thatproposed § 11.30 be revised to clarifythis point.As discussed in comment 94 of thisdocument, use of digital signatures andencryption would be an option whenextra measures are necessary under thecircumstances. In the case of PDMArecords, such measures may bewarranted in certain circumstances, andunnecessary in others. For example, ifelectronic records were to betransmitted by a firm’s representative byway of a public online service to acentral location, additional measureswould be necessary. On the other hand,where the representative’s records arehand delivered to that location, ortransferred by direct connectionbetween the representative and thecentral location, such additionalmeasures to ensure record authenticity,confidentiality, and integrity may not benecessary. The agency does not believethat it is practical to revise § 11.30 toelaborate on every possible situation inwhich additional measures would orwould not be needed.96. One comment addressedencryption of submissions to FDA andasked if people making thosesubmissions would have to give theagency the appropriate ‘‘keys’’ and, ifso, how the agency would protect thesecurity of such information.The agency intends to developappropriate procedures regarding theexchange of ‘‘keys’’ attendant to use ofencryption and digital signatures, andwill protect those keys that must remainconfidential, in the same manner as theagency currently protects trade secrets.Where the agency and a submitter agreeto use a system that calls for theexchange of secret keys, FDA will workwith submitters to achieve mutuallyagreeable procedures. The agency notes,however, that not all encryption anddigital signature systems require thatenabling keys be secret.97. One comment noted that proposed§ 11.30 does not mention availabilityand nonrepudiation and requestedclarification of the term ‘‘point ofreceipt.’’ The comment noted that,where an electronic record is received ata person’s electronic mailbox (whichresides on an open system), additionalmeasures may be needed when therecord is transferred to the person’s ownlocal computer because such additionaltransfer entails additional security risks.The comment suggested wording thatwould extend open system controls tothe point where records are ultimatelyretained.The agency agrees that, in thesituation described by the comment,movement of the electronic record froman electronic mailbox to a person’s localcomputer may necessitate open systemcontrols. However, situations may varyconsiderably as to the ultimate point ofreceipt, and FDA believes proposed§ 11.30 offers greater flexibility indetermining open system controls thanrevisions suggested by the comment.The agency advises that the concept ofnonrepudiation is part of recordauthenticity and integrity, as alreadycovered by § 11.10(c). Therefore, FDA isnot revising § 11.30 as suggested.IX. Electronic Records—SignatureManifestations (§ 11.50)Proposed § 11.50 requires thatelectronic records that are electronicallysigned must display in clear text theprinted name of the signer, and the dateand time when the electronic signaturewas executed. This section also requiresthat electronic records clearly indicatethe meaning (such as review, approval,responsibility, and authorship)associated with their attendantsignatures.98. Several comments suggested thatthe information required underproposed § 11.50 need not be containedin the electronic records themselves, butonly in the human readable format(screen displays and printouts) of suchrecords. The comments explained thatthe records themselves need onlycontain links, such as signature attributecodes, to such information to producethe displays of information required.The comments noted, for example, that,where electronic signatures consist of anidentification code in combination witha password, the combined code andpassword itself would not be part of thedisplay. Some comments suggested thatproposed § 11.50 be revised to clarifywhat items are to be displayed.The agency agrees and has revisedproposed § 11.50 accordingly. Theintent of this section is to require thathuman readable forms of signedelectronic records, such as computerscreen displays and printouts bear: (1)The printed name of the signer (at thetime the record is signed as well aswhenever the record is read byhumans); (2) the date and time ofsigning; and (3) the meaning of thesignature. The agency believes thatrevised § 11.50 will afford persons theflexibility they need to implement thedisplay of information appropriate fortheir own electronic records systems,consistent with other system controls inpart 11, to ensure record integrity andprevent falsification.99. One comment stated that thecontrols in proposed § 11.50 would notprotect against inaccurate entries.FDA advises that the purpose of thissection is not to protect againstinaccurate entries, but to provideunambiguous documentation of thesigner, when the signature wasexecuted, and the signature’s meaning.The agency believes that such a recordis necessary to document individualresponsibility and actions.In a paper environment, the printedname of the individual is generallypresent in the signed record, frequentlypart of a traditional ‘‘signature block.’’In an electronic environment, theperson’s name may not be apparent,especially where the signature is basedon identification codes combined withpasswords. In addition, the meaning ofa signature is generally apparent in apaper record by virtue of the context ofthe record or, more often, explicitphrases such as ‘‘approved by,’’‘‘reviewed by,’’ and ‘‘performed by.’’Thus, the agency believes that for cleardocumentation purposes it is necessaryto carry such meanings into theelectronic record environment.100. One comment suggested thatproposed § 11.50 should apply only tothose records that are required to besigned, and that the display of the dateand time should be performed in asecure manner.The agency intends that this sectionapply to all signed electronic recordsregardless of whether other regulationsrequire them to be signed. The agencybelieves that if it is important enoughthat a record be signed, human readable

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13453displays of such records must includethe printed name of the signer, the dateand time of signing, and the meaning ofthe signature. Such information iscrucial to the agency’s ability to protectpublic health. For example, a messagefrom a firm’s management to employeesinstructing them on a particular courseof action may be critical in litigation.This requirement will help ensure cleardocumentation and deter falsificationregardless of whether the signature iselectronic or handwritten.The agency agrees that the display ofinformation should be carried out in asecure manner that preserves theintegrity of that information. Theagency, however, does not believe it isnecessary at this time to revise § 11.50to add specific security measuresbecause other requirements of part 11have the effect of ensuring appropriatesecurity.Because signing information isimportant regardless of the type ofsignature used, the agency has revised§ 11.50 to cover all types of signings.101. Several comments objected to therequirement in proposed § 11.50(a) thatthe time of signing be displayed inaddition to the date on the grounds thatsuch information is: (1) Unnecessary, (2)costly to implement, (3) needed in theelectronic record for auditing purposes,but not needed in the display of therecord, and (4) only needed in criticalapplications. Some comments assertedthat recording time should be optional.One comment asked whether the timeshould be local to the signer or to acentral network when electronic recordsystems cross different time zones.The agency believes that it is vital torecord the time when a signature isapplied. Documenting the time when asignature was applied can be critical todemonstrating that a given record was,or was not, falsified. Regarding systemsthat may span different time zones, theagency advises that the signer’s localtime is the one to be recorded.102. One comment assumed that aperson’s user identification code couldbe displayed instead of the user’sprinted name, along with the date andtime of signing.This assumption is incorrect. Theagency intends that the printed name ofthe signer be displayed for purposes ofunambiguous documentation and toemphasize the importance of the act ofsigning to the signer. The agencybelieves that because an identificationcode is not an actual name, it would notbe a satisfactory substitute.103. One comment suggested that theword ‘‘printed’’ in the phrase ‘‘printedname’’ be deleted because the word wassuperfluous. The comment also statedthat the rule should state when the cleartext must be created or displayedbecause some computer systems, in thecontext of electronic data interchangetransactions, append digital signaturesto records before, or in connection with,communication of the record.The agency disagrees that the word‘‘printed’’ is superfluous because theintent of this section is to show thename of the person in an unambiguousmanner that can be read by anyone. Theagency believes that requiring theprinted name of the signer instead ofcodes or other manifestations, moreeffectively provides clarity.The agency has revised this section toclarify the point at which the signer’sinformation must be displayed, namely,as part of any human readable form ofthe electronic record. The revision, inthe agency’s view, addresses thecomment’s concern regarding theapplication of digital signatures. Theagency advises that under § 11.50, anytime after an electronic record has beensigned, individuals who see the humanreadable form of the record will be ableto immediately tell who signed therecord, when it was signed, and whatthe signature meant. This includes thesigner who, as with a traditionalsignature to paper, will be able toreview the signature instantly.104. One comment asked if theoperator would have to see the meaningof the signature, or if the informationhad to be stored on the physicalelectronic record.As discussed in comment 100 of thisdocument, the information required by§ 11.50(b) must be displayed in thehuman readable format of the electronicrecord. Persons may elect to store thatinformation directly within theelectronic record itself, or in logicallyassociated records, as long as suchinformation is displayed any time aperson reads the record.105. One comment noted thatproposed § 11.50(b) could be interpretedto require lengthy explanations of thesignatures and the credentials of thesigners. The comment also stated thatthis information would more naturallybe contained in standard operatingprocedures, manuals, or accompanyingliterature than in the electronic recordsthemselves.The agency believes that the commentmisinterprets the intent of thisprovision. Recording the meaning of thesignature does not infer that the signer’scredentials or other lengthyexplanations be part of that meaning.The statement must merely show whatis meant by the act of signing (e.g.,review, approval, responsibility,authorship).106. One comment noted that themeaning of a signature may be includedin a (digital signature) public keycertificate and asked if this would beacceptable. The comment also notedthat the certificate might be easilyaccessible by a record recipient fromeither a recognized database or one thatmight be part of, or associated with, theelectronic record itself. The commentfurther suggested that FDA wouldbenefit from participating in developingrules of practice regarding certificatebasedpublic key cryptography andinfrastructure with the InformationSecurity Committee, Section of Scienceand Technology, of the American BarAssociation (ABA).The intent of this provision is toclearly discern the meaning of thesignature when the electronic record isdisplayed in human readable form. Theagency does not expect such meaning tobe contained in or displayed by a publickey certificate because the public key isgenerally a fixed value associated withan individual. The certificate is used bythe recipient to authenticate a digitalsignature that may have differentmeanings, depending upon the recordbeing signed. FDA acknowledges that itis possible for someone to establishdifferent public keys, each of whichmay indicate a different signaturemeaning. Part 11 would not prohibitmultiple ‘‘meaning’’ keys provided themeaning of the signature itself was stillclear in the display of the record, afeature that could conceivably beimplemented by software.Regarding work of the ABA and otherstandard-setting organizations, theagency welcomes an open dialog withsuch organizations, for the mutualbenefit of all parties, to establish andfacilitate the use of electronic record/electronic signature technologies. FDA’sparticipation in any such activitieswould be in accordance with theagency’s policy on standards stated inthe Federal Register of October 11, 1995(60 FR 53078).Revised § 11.50, signaturemanifestations, reads as follows:(a) Signed electronic records shall containinformation associated with the signing thatclearly indicates all of the following:(1) The printed name of the signer;(2) The date and time when the signaturewas executed; and(3) The meaning (such as review, approval,responsibility, or authorship) associated withthe signature.(b) The items identified in paragraphs(a)(1), (a)(2), and (a)(3) of this section shallbe subject to the same controls as forelectronic records and shall be included aspart of any human readable form of theelectronic record (such as electronic displayor printout).

13454 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and RegulationsX. Electronic Records—Signature/Record Linking (§ 11.70)107. Proposed § 11.70 states thatelectronic signatures and handwrittensignatures executed to electronicrecords must be verifiably bound totheir respective records to ensure thatsignatures could not be excised, copied,or otherwise transferred to falsifyanother electronic record.Many comments objected to thisprovision as too prescriptive,unnecessary, unattainable, andexcessive in comparison to paper-basedrecords. Some comments asserted thatthe objectives of the section could beattained through appropriate proceduraland administrative controls. Thecomments also suggested that objectivesof the provision could be met byappropriate software (i.e., logical) linksbetween the electronic signatures andelectronic records, and that such linksare common in systems that useidentification codes in combinationwith passwords. One firm expressed fullsupport for the provision, and notedthat its system implements such afeature and that signature-to-recordbinding is similar to the record-lockingprovision of the proposed PDMAregulations.The agency did not intend to mandateuse of any particular technology by useof the word ‘‘binding.’’ FDA recognizesthat, because it is relatively easy to copyan electronic signature to anotherelectronic record and thus compromiseor falsify that record, a technology basedlink is necessary. The agency does notbelieve that procedural oradministrative controls alone aresufficient to ensure that objectivebecause such controls could be moreeasily circumvented than astraightforward technology basedapproach. In addition, when electronicrecords are transferred from one party toanother, the procedural controls used bythe sender and recipient may bedifferent. This could result in recordfalsification by signature transfer.The agency agrees that the word‘‘link’’ would offer persons greaterflexibility in implementing the intent ofthis provision and in associating thenames of individuals with theiridentification codes/passwords withoutactually recording the passwordsthemselves in electronic records. Theagency has revised proposed § 11.70 tostate that signatures shall be linked totheir electronic records.108. Several comments argued thatproposed § 11.70 requires absoluteprotection of electronic records fromfalsification, an objective that isunrealistic to the extent that determinedindividuals could falsify records.The agency acknowledges that,despite elaborate system controls,certain determined individuals may finda way to defeat antifalsificationmeasures. FDA will pursue such illegalactivities as vigorously as it doesfalsification of paper records. Forpurposes of part 11, the agency’s intentis to require measures that preventelectronic records falsification byordinary means. Therefore, FDA hasrevised § 11.70 by adding the phrase ‘‘byordinary means’’ at the end of thissection.109. Several comments suggestedchanging the phrase ‘‘another electronicrecord’’ to ‘‘an electronic record’’ toclarify that the antifalsificationprovision applies to the current recordas well as any other record.The agency agrees and has revised§ 11.70 accordingly.110. Two comments argued thatsignature-to-record binding isunnecessary, in the context of PDMA,beyond the point of record creation (i.e.,when records are transmitted to a pointof receipt). The comments asserted thatpersons who might be in a position toseparate a signature from a record (forpurposes of falsification) are individualsresponsible for record integrity and thusunlikely to falsify records. Thecomments also stated that signature-torecordbinding is produced by softwarecoding at the time the record is signed,and suggested that proposed § 11.70clarify that binding would be necessaryonly up to the point of actualtransmission of the electronic record toa central point of receipt.The agency disagrees with thecomment’s premise that the need forbinding to prevent falsification dependson the disposition of people to falsifyrecords. The agency believes thatreliance on individual tendencies isinsufficient insurance againstfalsification. The agency also notes thatin the traditional paper record, thesignature remains bound to itscorresponding record regardless ofwhere the record may go.111. One comment suggested thatproposed § 11.70 be deleted because itappears to require that all records bekept on inalterable media. The commentalso suggested that the phrase‘‘otherwise transferred’’ be deleted onthe basis that it should be permissiblefor copies of handwritten signatures(recorded electronically) to be madewhen used, in addition to anotherunique individual identificationmechanism.The agency advises that neither§ 11.70, nor other sections in part 11,requires that records be kept oninalterable media. What is required isthat whenever revisions to a record aremade, the original entries must not beobscured. In addition, this section doesnot prohibit copies of handwrittensignatures recorded electronically frombeing made for legitimate reasons thatdo not relate to record falsification.Section 11.70 merely states that suchcopies must not be made that falsifyelectronic records.112. One comment suggested thatproposed § 11.70 be revised to requireapplication of response cryptographicmethods because only those methodscould be used to comply with theregulation. The comment noted that, forcertificate based public keycryptographic methods, the agencyshould address verifiable bindingbetween the signer’s name and publickey as well as binding between digitalsignatures and electronic records. Thecomment also suggested that theregulation should reference electronicsignatures in the context of secure timeand date stamping.The agency intends to permitmaximum flexibility in howorganizations achieve the linking calledfor in § 11.70, and, as discussed above,has revised the regulation accordingly.Therefore, FDA does not believe thatcryptographic and digital signaturemethods would be the only ways oflinking an electronic signature to anelectronic document. In fact, one firmcommented that its system binds aperson’s handwritten signature to anelectronic record. The agency agreesthat use of digital signaturesaccomplishes the same objectivebecause, if a digital signature were to becopied from one record to another, thesecond record would fail the digitalsignature verification procedure.Furthermore, FDA notes that concernsregarding binding a person’s name withthe person’s public key would beaddressed in the context of § 11.100(b)because an organization must establishan individual’s identity before assigningor certifying an electronic signature (orany of the electronic signaturecomponents).113. Two comments requestedclarification of the types of technologiesthat could be used to meet therequirements of proposed § 11.70.As discussed in comment 107 of thisdocument, the agency is affordingpersons maximum flexibility in usingany appropriate method to linkelectronic signatures to their respectiveelectronic records to prevent recordfalsification. Use of digital signatures isone such method, as is use of softwarelocks to prevent sections of codes

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13455representing signatures from beingcopied or removed. Because this is anarea of developing technology, it islikely that other linking methods willemerge.XI. Electronic Signatures—GeneralRequirements (§ 11.100)Proposed § 11.100(a) states that eachelectronic signature must be unique toone individual and not be reused orreassigned to anyone else.114. One comment asserted thatseveral people should be permitted toshare a common identification code andpassword where access control islimited to inquiry only.Part 11 does not prohibit theestablishment of a common groupidentification code/password for readonly access purposes. However, suchcommonly shared codes and passwordswould not be regarded, and must not beused, as electronic signatures. Sharedaccess to a common database maynonetheless be implemented by grantingappropriate common record accessprivileges to groups of people, each ofwhom has a unique electronic signature.115. Several comments said proposed§ 11.100(a) should permit identificationcodes to be reused and reassigned fromone employee to another, as long as anaudit trail exists to associate anidentification code with a givenindividual at any one time, and differentpasswords are used. Several commentssaid the section should indicate if theagency intends to restrict authoritydelegation by the nonreassignment ornonreuse provision, or by the provisionin § 11.200(a)(2) requiring electronicsignatures to be used only by theirgenuine owners. The commentsquestioned whether reuse meansrestricting one noncryptographic basedsignature to only one record and arguedthat passwords need not be unique if thecombined identification code andpassword are unique to one individual.One comment recommended caution inusing the term ‘‘ownership’’ because ofpossible confusion with intellectualproperty rights or ownership of thecomputer systems themselves.The agency advises that, where anelectronic signature consists of thecombined identification code andpassword, § 11.100 would not prohibitthe reassignment of the identificationcode provided the combinedidentification code and passwordremain unique to prevent recordfalsification. The agency believes thatsuch reassignments are inadvisable,however, to the extent that they mightbe combined with an easily guessedpassword, thus increasing the chancesthat an individual might assume asignature belonging to someone else.The agency also advises that wherepeople can read identification codes(e.g., printed numbers and letters thatare typed at a keyboard or read from acard), the risks of someone obtainingthat information as part of a falsificationeffort would be greatly increased ascompared to an identification code thatis not in human readable form (one thatis, for example, encoded on a ‘‘securecard’’ or other device).Regarding the delegation of authorityto use electronic signatures, FDA doesnot intend to restrict the ability of oneindividual to sign a record or otherwiseact on behalf of another individual.However, the applied electronicsignature must be the assignee’s and therecord should clearly indicate thecapacity in which the person is acting(e.g., on behalf of, or under the authorityof, someone else). This is analogous totraditional paper records andhandwritten signatures when person‘‘A’’ signs his or her own name underthe signature block of person ‘‘B,’’ withappropriate explanatory notations suchas ‘‘for’’ or ‘‘as representative of’’ personB. In such cases, person A does notsimply sign the name of person B. Theagency expects the same procedure to beused for electronic records andelectronic signatures.The agency intends the term ‘‘reuse’’to refer to an electronic signature usedby a different person. The agency doesnot regard as ‘‘reuse’’ the replicateapplication of a noncryptographic basedelectronic signature (such as anidentification code and password) todifferent electronic records. For clarity,FDA has revised the phrase ‘‘not bereused or reassigned to’’ to state ‘‘not bereused by, or reassigned to,’’ in§ 11.100(a).The reference in § 11.200(a) toownership is made in the context of anindividual owning or being assigned aparticular electronic signature that noother individual may use. FDA believesthis is clear and that concerns regardingownership in the context of intellectualproperty rights or hardware aremisplaced.116. One comment suggested thatproposed § 11.100(a) shouldaccommodate electronic signaturesassigned to organizations rather thanindividuals.The agency advises that, for purposesof part 11, electronic signatures arethose of individual human beings andnot organizations. For example, FDAdoes not regard a corporate seal as anindividual’s signature. Humans mayrepresent and obligate organizations bysigning records, however. Forclarification, the agency is substitutingthe word ‘‘individual’’ for ‘‘person’’ inthe definition of electronic signature(§ 11.3(b)(7)) because the broaderdefinition of person within the actincludes organizations.117. Proposed § 11.100(b) states that,before an electronic signature isassigned to a person, the identity of theindividual must be verified by theassigning authority.Two comments noted that wherepeople use identification codes incombination with passwords only theidentification code portion of theelectronic signature is assigned, not thepassword. Another comment arguedthat the word ‘‘assigned’’ isinappropriate in the context ofelectronic signatures based upon publickey cryptography because theappropriate authority certifies the bindbetween the individual’s public key andidentity, and not the electronicsignature itself.The agency acknowledges that, forcertain types of electronic signatures,the authorizing or certifyingorganization issues or approves only aportion of what eventually becomes anindividual’s electronic signature. FDAwishes to accommodate a broad varietyof electronic signatures and is thereforerevising § 11.100(b) to require that anorganization verify the identity of anindividual before it establishes, assigns,certifies, or otherwise sanctions anindividual’s electronic signature or anyelement of such electronic signature.118. One comment suggested that theword ‘‘verified’’ in proposed § 11.100(b)be changed to ‘‘confirmed.’’ Othercomments addressed the method ofverifying a person’s identity andsuggested that the section specifyacceptable verification methods,including high level proceduresregarding the relative strength of thatverification, and the need for personalappearances or supportingdocumentation such as birth certificates.Two comments said the verificationprovision should be deleted becausenormal internal controls are adequate,and that it was impractical formultinational companies whoseemployees are globally dispersed.The agency does not believe that thereis a sufficient difference between‘‘verified’’ and ‘‘confirmed’’ to warrant achange in this section. Both wordsindicate that organizations substantiatea person’s identity to preventimpersonations when an electronicsignature, or any of its elements, isbeing established or certified. Theagency disagrees with the assertion thatthis requirement is unnecessary.Without verifying someone’s identity atthe outset of establishing or certifying

13456 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationsan individual’s electronic signature, or aportion thereof, an imposter mighteasily access and compromise manyrecords. Moreover, an imposter couldcontinue this activity for a prolongedperiod of time despite other systemcontrols, with potentially seriousconsequences.The agency does not believe that thesize of an organization, or globaldispersion of its employees, is reason toabandon this vital control. Suchdispersion may, in fact, make it easierfor an impostor to pose as someone elsein the absence of such verification.Further, the agency does not accept theimplication that multinational firmswould not verify the identity of theiremployees as part of other routineprocedures, such as when individualsare first hired.In addition, in cases where anorganization is widely dispersed andelectronic signatures are established orcertified centrally, § 11.100(b) does notprohibit organizations from having theirlocal units perform the verification andrelaying this information to the centralauthority. Similarly, local units mayconduct the electronic signatureassignment or certification.FDA does not believe it is necessaryat this time to specify methods ofidentity verification and expects thatorganizations will consider risksattendant to sanctioning an erroneouslyassigned electronic signature.119. Proposed § 11.100(c) states thatpersons using electronic signatures mustcertify to the agency that their electronicsignature system guarantees theauthenticity, validity, and bindingnature of any electronic signature.Persons utilizing electronic signatureswould, upon agency request, provideadditional certification or testimony thata specific electronic signature isauthentic, valid, and binding. Suchcertification would be submitted to theFDA district office in which territory theelectronic signature system is in use.Many comments objected to theproposed requirement that personsprovide FDA with certificationregarding their electronic signaturesystems. The comments asserted thatthe requirement was: (1)Unprecedented, (2) unrealistic, (3)unnecessary, (4) contradictory to theprinciples and intent of systemvalidation, (5) too burdensome for FDAto manage logistically, (6) apparentlyintended only to simplify FDAlitigation, (7) impossible to meetregarding ‘‘guarantees’’ of authenticity,and (8) an apparent substitute for FDAinspections.FDA agrees in part with thesecomments. This final rule reduces thescope and burden of certification to astatement of intent that electronicsignatures are the legally bindingequivalent of handwritten signatures.As noted previously, the agencybelieves it is important, within thecontext of its health protectionactivities, to ensure that persons whoimplement electronic signatures fullyequate the legally binding nature ofelectronic signatures with thetraditional handwritten paper-basedsignatures. The agency is concerned thatindividuals might disavow an electronicsignature as something completelydifferent from a traditional handwrittensignature. Such contention could resultin confusion and possibly extensivelitigation.Moreover, a limited certification asprovided in this final rule is consistentwith other legal, regulatory, andcommercial practices. For example,electronic data exchange trading partneragreements are often written on paperand signed with traditional handwrittensignatures to establish that certainelectronic identifiers are recognized asequivalent to traditional handwrittensignatures.FDA does not expect electronicsignature systems to be guaranteedfoolproof. The agency does not intend,under § 11.100(c), to establish arequirement that is unattainable.Certification of an electronic signaturesystem as the legally binding equivalentof a traditional handwritten signature isseparate and distinct from systemvalidation. This provision is notintended as a substitute for FDAinspection and such inspection alonemay not be able to determine in aconclusive manner an organization’sintent regarding electronic signatureequivalency.The agency has revised proposed§ 11.100(c) to clarify its intent. Theagency wishes to emphasize that thefinal rule dramatically curtails whatFDA had proposed and is essential forthe agency to be able to protect andpromote the public health because FDAmust be able to hold people to thecommitments they make under theirelectronic signatures. The certificationin the final rule is merely a statement ofintent that electronic signatures are thelegally binding equivalent of traditionalhandwritten signatures.120. Several comments questioned theprocedures necessary for submitting thecertification to FDA, including: (1) Thescheduling of the certification; (2)whether to submit certificates for eachindividual or for each electronicsignature; (3) the meaning of ‘‘territory’’in the context of wide area networks; (4)whether such certificates could besubmitted electronically; and (5)whether organizations, after submittinga certificate, had to wait for a responsefrom FDA before implementing theirelectronic signature systems. Twocomments suggested revising proposed§ 11.100(c) to require that allcertifications be submitted to FDA onlyupon agency request. One commentsuggested changing ‘‘should’’ to ‘‘shall’’in the last sentence of § 11.100(c) if theagency’s intent is to require certificatesto be submitted to the respective FDAdistrict office.The agency intends that certificates besubmitted once, in the form of a paperletter, bearing a traditional handwrittensignature, at the time an organizationfirst establishes an electronic signaturesystem after the effective date of part 11,or, where such systems have been usedbefore the effective date, uponcontinued use of the electronicsignature system.A separate certification is not neededfor each electronic signature, althoughcertification of a particular electronicsignature is to be submitted if theagency requests it. The agency does notintend to establish certification as areview and approval function. Inaddition, organizations need not awaitFDA’s response before puttingelectronic signature systems into effect,or before continuing to use an existingsystem.A single certification may be stated inbroad terms that encompass electronicsignatures of all current and futureemployees, thus obviating the need forsubsequent certifications submitted on apreestablished schedule.To further simplify the process and tominimize the number of certificationsthat persons would have to provide, theagency has revised § 11.100(c) to permitsubmission of a single certification thatcovers all electronic signatures used byan organization. The revised rule alsosimplifies the process by providing asingle agency receiving unit. The finalrule instructs persons to sendcertifications to FDA’s Office ofRegional Operations (HFC–100), 5600Fishers Lane, Rockville, MD 20857.Persons outside the United States maysend their certifications to the sameoffice.The agency offers, as guidance, anexample of an acceptable § 11.100(c)certification:Pursuant to Section 11.100 of Title 21 ofthe Code of Federal Regulations, this is tocertify that [name of organization] intendsthat all electronic signatures executed by ouremployees, agents, or representatives, locatedanywhere in the world, are the legallybinding equivalent of traditional handwrittensignatures.

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13457The agency has revised § 11.100 toclarify where and when certificates areto be submitted.The agency does not agree that theinitial certification be provided onlyupon agency request because FDAbelieves it is vital to have suchcertificates, as a matter of record, inadvance of any possible litigation. Thiswould clearly establish the intent oforganizations to equate the legallybinding nature of electronic signatureswith traditional handwritten signatures.In addition, the agency believes thathaving the certification on file ahead oftime will have the beneficial effect ofreinforcing the gravity of electronicsignatures by putting an organization’semployees on notice that theorganization has gone on record withFDA as equating electronic signatureswith handwritten signatures.121. One comment suggested thatproposed § 11.100(c) be revised toexclude from certification instances inwhich the purported signer claims thathe or she did not create or authorize thesignature.The agency declines to make thisrevision because a provision fornonrepudiation is already contained in§ 11.10.As a result of the considerationsdiscussed in comments 119 and 120 ofthis document, the agency has revisedproposed § 11.100(c) to state that:(c) Persons using electronic signaturesshall, prior to or at the time of such use,certify to the agency that the electronicsignatures in their system, used on or afterAugust 20, 1997, are intended to be thelegally binding equivalent of traditionalhandwritten signatures.(1) The certification shall be submitted inpaper form and signed with a traditionalhandwritten signature to the Office ofRegional Operations (HFC–100), 5600 FishersLane, Rockville, MD 20857.(2) Persons using electronic signaturesshall, upon agency request, provideadditional certification or testimony that aspecific electronic signature is the legallybinding equivalent of the signer’shandwritten signature.XII. Electronic Signature Componentsand Controls (§ 11.200)122. Proposed § 11.200 sets forthrequirements for electronic signatureidentification mechanisms and controls.Two comments suggested that the term‘‘identification code’’ should be defined.Several comments suggested that theterm ‘‘identification mechanisms’’should be changed to ‘‘identificationcomponents’’ because each componentof an electronic signature need not beexecuted by a different mechanism.The agency believes that the term‘‘identification code’’ is sufficientlybroad and generally understood anddoes not need to be defined in theseregulations. FDA agrees that the word‘‘component’’ more accurately reflectsthe agency’s intent than the word‘‘mechanism,’’ and has substituted‘‘component’’ for ‘‘mechanism’’ inrevised § 11.200. The agency has alsorevised the section heading to read‘‘Electronic signature components andcontrols’’ to be consistent with thewording of the section.123. Proposed § 11.200(a) states thatelectronic signatures not based uponbiometric/behavioral links must: (1)Employ at least two distinctidentification mechanisms (such as anidentification code and password), eachof which is contemporaneouslyexecuted at each signing; (2) be usedonly by their genuine owners; and (3) beadministered and executed to ensurethat attempted use of an individual’selectronic signature by anyone otherthan its genuine owner requirescollaboration of two or moreindividuals.Two comments said that proposed§ 11.200(a) should acknowledge thatpasswords may be known not only totheir genuine owners, but also to systemadministrators in case people forgettheir passwords.The agency does not believe thatsystem administrators would routinelyneed to know an individual’s passwordbecause they would have sufficientprivileges to assist those individualswho forget passwords.124. Several comments argued thatthe agency should accept a singlepassword alone as an electronicsignature because: (1) Combining thepassword with an identification codeadds little security, (2) administrativecontrols and passwords are sufficient,(3) authorized access is more difficultwhen two components are needed, (4)people would not want to gainunauthorized entry into amanufacturing environment, and (5)changing current systems that use onlya password would be costly.The comments generally addressedthe need for two components inelectronic signatures within the contextof the requirement that all componentsbe used each time an electronicsignature is executed. Several commentssuggested that, for purposes of systemaccess, individuals should enter both auser identification code and password,but that, for subsequent signings duringone period of access, a single element(such as a password) known only to,and usable by, the individual should besufficient.The agency believes that it is veryimportant to distinguish between those(nonbiometric) electronic signatures thatare executed repetitively during asingle, continuous controlled period oftime (access session or logged-onperiod) and those that are not. Theagency is concerned, from statementsmade in comments, that people mightuse passwords that are not alwaysunique and are frequently words thatare easily associated with an individual.Accordingly, where nonbiometricelectronic signatures are not executedrepetitively during a single, continuouscontrolled period, it would be extremelybad practice to use a password alone asan electronic signature. The agencybelieves that using a password alone insuch cases would clearly increase thelikelihood that one individual, bychance or deduction, could enter apassword that belonged to someone elseand thereby easily and readilyimpersonate that individual. This actioncould falsify electronic records.The agency acknowledges that thereare some situations involving repetitivesignings in which it may not benecessary for an individual to executeeach component of a nonbiometricelectronic signature for every signing.The agency is persuaded by thecomments that such situations generallyinvolve certain conditions. For example,an individual performs an initial systemaccess or ‘‘log on,’’ which is effectivelythe first signing, by executing allcomponents of the electronic signature(typically both an identification codeand a password). The individual thenperforms subsequent signings byexecuting at least one component of theelectronic signature, under controlledconditions that prevent another personfrom impersonating the legitimatesigner. The agency’s concern here is thepossibility that, if the person leaves theworkstation, someone else could accessthe workstation (or other computerdevice used to execute the signing) andimpersonate the legitimate signer byentering an identification code orpassword.The agency believes that, in suchsituations, it is vital to have stringentcontrols in place to prevent theimpersonation. Such controls include:(1) Requiring an individual to remain inclose proximity to the workstationthroughout the signing session; (2) useof automatic inactivity disconnectmeasures that would ‘‘de-log’’ the firstindividual if no entries or actions weretaken within a fixed short timeframe;and (3) requiring that the singlecomponent needed for subsequentsignings be known to, and usable onlyby, the authorized individual.The agency’s objective in acceptingthe execution of fewer than all thecomponents of a nonbiometric

13458 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationselectronic signature for repetitivesignings is to make it impractical tofalsify records. The agency believes thatthis would be attained by complyingwith all of the following procedureswhere nonbiometric electronicsignatures are executed more than onceduring a single, continuous controlledsession: (1) All electronic signaturecomponents are executed for the firstsigning; (2) at least one electronicsignature component is executed at eachsubsequent signing; (3) the electronicsignature component executed after theinitial signing is only used by itsgenuine owner, and is designed toensure it can only be used by itsgenuine owner; and (4) the electronicsignatures are administered andexecuted to ensure that their attempteduse by anyone other than their genuineowners requires collaboration of two ormore individuals. Items 1 and 4 arealready incorporated in proposed§ 11.200(a). FDA has included items 2and 3 in final § 11.200(a).The agency cautions, however, that ifits experience with enforcement of part11 demonstrates that these controls areinsufficient to deter falsifications, FDAmay propose more stringent controls.125. One comment asserted that, if theagency intends the term ‘‘identificationcode’’ to mean the typical useridentification, it should not characterizethe term as a distinct mechanismbecause such codes do not necessarilyexhibit security attributes. The commentalso suggested that proposed § 11.200(a)address the appropriate application ofeach possible combination of a twofactorauthentication method.The agency acknowledges that theidentification code alone does notexhibit security attributes. Securityderives from the totality of systemcontrols used to prevent falsification.However, uniqueness of theidentification code when combinedwith another electronic signaturecomponent, which may not be unique(such as a password), makes thecombination unique and therebyenables a legitimate electronic signature.FDA does not now believe it necessaryto address, in § 11.200(a), theapplication of all possible combinationsof multifactored authenticationmethods.126. One comment requestedclarification of ‘‘each signing,’’ notingthat a laboratory employee may enter agroup of test results under one signing.The agency advises that each signingmeans each time an individual executesa signature. Particular requirementsregarding what records need to besigned derive from other regulations,not part 11. For example, in the case ofa laboratory employee who performs anumber of analytical tests, within thecontext of drug CGMP regulations, it ispermissible for one signature to indicatethe performance of a group of tests (21CFR 211.194(a)(7)). A separate signing isnot required in this context for eachseparate test as long as the recordclearly shows that the single signaturemeans the signer performed all the tests.127. One comment suggested that theproposed requirement, thatcollaboration of at least two individualsis needed to prevent attempts atelectronic signature falsification, bedeleted because a responsible personshould be allowed to override theelectronic signature of a subordinate.Several comments addressed the phrase‘‘attempted use’’ and suggested that it bedeleted or changed to ‘‘unauthorizeduse.’’ The comments said that willfulbreaking or circumvention of anysecurity measure does not require twoor more people to execute, and that thecentral question is whethercollaboration is required to use theelectronic signature.The agency advises that the intent ofthe collaboration provision is to requirethat the components of a nonbiometricelectronic signature cannot be used byone individual without the priorknowledge of a second individual. Onetype of situation the agency seeks toprevent is the use of a component suchas a card or token that a person mayleave unattended. If an individual mustcollaborate with another individual bydisclosing a password, the risks ofbetrayal and disclosure are greatlyincreased and this helps to deter suchactions. Because the agency is notcondoning such actions, § 11.200(a)(2)requires that electronic signatures beused only by the genuine owner. Theagency disagrees with the commentsthat the term ‘‘attempted use’’ should bechanged to ‘‘unauthorized uses,’’because ‘‘unauthorized uses’’ couldinfer that use of someone else’selectronic signature is acceptable if it isauthorized.Regarding electronic signature‘‘overrides,’’ the agency would consideras falsification the act of substituting thesignature of a supervisor for that of asubordinate. The electronic signature ofthe subordinate must remain inviolatefor purposes of authentication anddocumentation. Although supervisorsmay overrule the actions of their staff,the electronic signatures of thesubordinates must remain a permanentpart of the record, and the supervisor’sown electronic signature must appearseparately. The agency believes thatsuch an approach is fully consistentwith procedures for paper records.As a result of the revisions noted incomments 123 to 127 of this document,§ 11.200(a) now reads as follows:(a) Electronic signatures that are not basedupon biometrics shall:(1) Employ at least two distinctidentification components such as anidentification code and password.(i) When an individual executes a series ofsignings during a single, continuous periodof controlled system access, the first signingshall be executed using all electronicsignature components; subsequent signingsshall be executed using at least one electronicsignature component that is only executableby, and designed to be used only by, theindividual.(ii) When an individual executes one ormore signings not performed during a single,continuous period of controlled systemaccess, each signing shall be executed usingall of the electronic signature components.(2) Be used only by their genuine owners;and(3) Be administered and executed to ensurethat attempted use of an individual’selectronic signature by anyone other than itsgenuine owner requires collaboration of twoor more individuals.128. Proposed § 11.200(b) states thatelectronic signatures based uponbiometric/behavioral links be designedto ensure that they could not be used byanyone other than their genuine owners.One comment suggested that theagency make available, by publicworkshop or other means, anyinformation it has regarding existingbiometric systems so that industry canprovide proper input. Another commentasserted that proposed § 11.200(b)placed too great an emphasis onbiometrics, did not establish particularlevels of assurance for biometrics, anddid not provide for systems usingmixtures of biometric and nonbiometricelectronic signatures. The commentrecommended revising the phrase‘‘designed to ensure they cannot beused’’ to read ‘‘provide assurances thatprevent their execution.’’The agency’s experience withbiometric electronic signatures iscontained in the administrative recordfor this rulemaking, under docket no.92N–0251, and includesrecommendations from publiccomments to the ANPRM and theproposed rule. The agency has alsogathered, and continues to gather,additional information from literaturereviews, general press reports, meetings,and the agency’s experience with thistechnology. Interested persons have hadextensive opportunity for input andcomment regarding biometrics in part11. In addition, interested persons maycontinue to contact the agency at anytime regarding biometrics or any otherrelevant technologies. The agency notes

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13459that the rule does not require the use ofbiometric-based electronic signatures.As the agency’s experience withbiometric electronic signaturesincreases, FDA will consider holding orparticipating in public workshops if thatapproach would be helpful to thosewishing to adopt such technologies tocomply with part 11.The agency does not believe thatproposed § 11.200(b) places too muchemphasis on biometric electronicsignatures. As discussed above, theregulation makes a clear distinctionbetween electronic signatures that areand are not based on biometrics, buttreats their acceptance equally.The agency recognizes the inherentsecurity advantages of biometrics,however, in that record falsification ismore difficult to perform. Systemcontrols needed to make biometricbasedelectronic signatures reliable andtrustworthy are thus different in certainrespects from controls needed to makenonbiometric electronic signaturesreliable and trustworthy. Therequirements in part 11 reflect thosedifferences.The agency does not believe that it isnecessary at this time to set numericalsecurity assurance standards that anysystem would have to meet.The regulation does not prohibitindividuals from using combinations ofbiometric and nonbiometric-basedelectronic signatures. However, whencombinations are used, FDA advisesthat requirements for each element inthe combination would also apply. Forexample, if passwords are used incombination with biometrics, then thebenefits of using passwords would onlybe realized, in the agency’s view, byadhering to controls that ensurepassword integrity (see § 11.300).In addition, the agency believes thatthe phrase ‘‘designed to ensure that theycannot be used’’ more accurately reflectsthe agency’s intent than the suggestedalternate wording, and is moreconsistent with the concept of systemsvalidation. Under such validation,falsification preventive attributes wouldbe designed into the biometric systems.To be consistent with the reviseddefinition of biometrics in § 11.3(b)(3),the agency has revised § 11.200(b) toread, ‘‘Electronic signatures based uponbiometrics shall be designed to ensurethat they cannot be used by anyoneother than their genuine owners.’’XIII. Electronic Signatures—Controlsfor Identification Codes/Passwords(§ 11.300)The introductory paragraph ofproposed § 11.300 states that electronicsignatures based upon use ofidentification codes in combinationwith passwords must employ controls toensure their security and integrity.To clarify the intent of this provision,the agency has added the words‘‘[p]ersons who use’’ to the firstsentence of § 11.300. This change isconsistent with §§ 11.10 and 11.30. Theintroductory paragraph now reads,‘‘Persons who use electronic signaturesbased upon use of identification codesin combination with passwords shallemploy controls to ensure their securityand integrity. Such controls shallinclude: * * *.’’129. One comment suggested deletionof the phrase ‘‘in combination withpasswords’’ from the first sentence ofthis section.The agency disagrees with thesuggested revision because the change isinconsistent with FDA’s intent toaddress controls for electronicsignatures based on combinations ofidentification codes and passwords, andwould, in effect, permit a singlecomponent nonbiometric-basedelectronic signature.130. Proposed § 11.300(a) states thatcontrols for identification codes/passwords must include maintainingthe uniqueness of each issuance ofidentification code and password.One comment alleged that mostpasswords are commonly used words,such as a child’s name, a State, city,street, month, holiday, or date, that aresignificant to the person who creates thepassword. Another stated that the ruleshould explain uniqueness anddistinguish between issuance and usebecause identification code/passwordcombinations generally do not changefor each use.FDA does not intend to require thatindividuals use a completely differentidentification code/passwordcombination each time they execute anelectronic signature. For reasonsexplained in the response to comment16, what is required to be unique is eachcombined password and identificationcode and FDA has revised the wordingof § 11.300(a) to clarify this provision.The agency is aware, however, ofidentification devices that generate newpasswords on a continuous basis insynchronization with a ‘‘host’’computer. This results in uniquepasswords for each system access. Thus,it is possible in theory to generate aunique nonbiometric electronicsignature for each signing.The agency cautions against usingpasswords that are common wordseasily associated with their originatorsbecause such a practice would make itrelatively easy for someone toimpersonate someone else by guessingthe password and combining it with anunsecured (or even commonly known)identification code.131. Proposed § 11.300(b) states thatcontrols for identification codes/passwords must ensure that code/password issuances are periodicallychecked, recalled, or revised.Several comments objected to thisproposed requirement because: (1) It isunnecessary, (2) it excessivelyprescribes ‘‘how to,’’ (3) it duplicatesthe requirements in § 11.300(c), and (4)it is administratively impractical forlarger organizations. However, thecomments said individuals should beencouraged to change their passwordsperiodically. Several commentssuggested that proposed § 11.300(b)include a clarifying example such as ‘‘tocover events such as password aging.’’One comment said that the sectionshould indicate who is to perform theperiodic checking, recalling, or revising.The agency disagrees with theobjections to this provision. FDA doesnot view the provision as a ‘‘how to’’because organizations have fullflexibility in determining the frequencyand methods of checking, recalling, orrevising their code/password issuances.The agency does not believe that thisparagraph duplicates the regulation in§ 11.300(c) because paragraph (c)specifically addresses followup to lossesof electronic signature issuances,whereas § 11.300(b) addresses periodicissuance changes to ensure against theirhaving been unknowinglycompromised. This provision would bemet by ensuring that people changetheir passwords periodically.FDA disagrees that this system controlis unnecessary or impractical in largeorganizations because the presence ofmore people may increase theopportunities for compromisingidentification codes/passwords. Theagency is confident that largerorganizations will be fully capable ofhandling periodic issuance checks,revisions, or recalls.FDA agrees with the comments thatsuggested a clarifying example and hasrevised § 11.300(b) to include passwordaging as such an example. The agencycautions, however, that the exampleshould not be taken to mean thatpassword expiration would be the onlyrationale for revising, recalling, andchecking issuances. If, for example,identification codes and passwords havebeen copied or compromised, theyshould be changed.FDA does not believe it necessary atthis time to specify who in anorganization is to carry out this systemcontrol, although the agency expects

13460 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationsthat units that issue electronicsignatures would likely have this duty.132. Proposed § 11.300(c) states thatcontrols for identification codes/passwords must include the followingof loss management procedures toelectronically deauthorize lost tokens,cards, etc., and to issue temporary orpermanent replacements using suitable,rigorous controls for substitutes.One comment suggested that thissection be deleted because it excessivelyprescribes ‘‘how to.’’ Another commentargued that the proposal was notdetailed enough and should distinguishamong fundamental types of cards (e.g.,magstripe, integrated circuit, andoptical) and include separate sectionsthat address their respective use. Twocomments questioned why the proposalcalled for ‘‘rigorous controls’’ in thissection as opposed to other sections.One of the comments recommended thatthis section should also apply to cardsor devices that are stolen as well as lost.The agency believes that therequirement that organizations instituteloss management procedures is neithertoo detailed nor too general.Organizations retain full flexibility inestablishing the details of suchprocedures. The agency does not believeit necessary at this time to offer specificprovisions relating to different types ofcards or tokens. Organizations that usesuch devices retain full flexibility toestablish appropriate controls for theiroperations. To clarify the agency’s broadintent to cover all types of devices thatcontain or generate identification codeor password information, FDA hasrevised § 11.300(c) to replace ‘‘etc.’’with ‘‘and other devices that bear orgenerate identification code or passwordinformation.’’The agency agrees that § 11.300(c)should cover loss managementprocedures regardless of how devicesbecome potentially compromised, andhas revised this section by adding, afterthe word ‘‘lost,’’ the phrase ‘‘stolen,missing, or otherwise potentiallycompromised.’’ FDA uses the term‘‘rigorous’’ because devicedisappearance may be the result ofinadequate controls over the issuanceand management of the original cards ordevices, thus necessitating morestringent measures to prevent problemrecurrence. For example, personneltraining on device safekeeping mayneed to be strengthened.133. Proposed § 11.300(d) states thatcontrols for identification codes/passwords must include the use oftransaction safeguards to preventunauthorized use of passwords and/oridentification codes, and, detecting andreporting to the system security unit andorganizational management in anemergent manner any attempts at theirunauthorized use.Several comments suggested that theterm ‘‘emergent’’ in proposed§ 11.300(d) be replaced with ‘‘timely’’ todescribe reports regarding attemptedunauthorized use of identificationcodes/passwords because: (1) A timelyreport would be sufficient, (2)technology to report emergently is notavailable, and (3) timely is a morerecognizable and common term.FDA agrees in part. The agencyconsiders attempts at unauthorized useof identification codes and passwords tobe extremely serious because suchattempts signal potential electronicsignature and electronic recordfalsification, data corruption, or worse—consequences that could also ultimatelybe very costly to organizations. In FDA’sview, the significance of such attemptsrequires the immediate and urgentattention of appropriate securitypersonnel in the same manner thatindividuals would respond to a firealarm. To clarify its intent with a morewidely recognized term, the agency isreplacing ‘‘emergent’’ with ‘‘immediateand urgent’’ in the final rule. Theagency believes that the sametechnology that accepts or rejects anidentification code and password can beused to relay to security personnel anappropriate message regardingattempted misuse.134. One comment suggested that theword ‘‘any’’ be deleted from the phrase‘‘any attempts’’ in proposed § 11.300(d)because it is excessive. Anothercomment, noting that the question ofattempts to enter a system or access afile by unauthorized personnel is veryserious, urged the agency to substitute‘‘all’’ for ‘‘any.’’ This comment addedthat there are devices on the market thatcan be used by unauthorizedindividuals to locate personalidentification codes and passwords.The agency believes the word ‘‘any’’is sufficiently broad to cover allattempts at misuse of identificationcodes and passwords, and rejects thesuggestion to delete the word. If theword ‘‘any’’ were deleted, laxity couldresult from any inference that personsare less likely to be caught in anessentially permissive, nonvigilantsystem. FDA is aware of the ‘‘sniffing’’devices referred to by one comment andcautions persons to establish suitablecountermeasures against them.135. One comment suggested thatproposed § 11.300(d) be deleted becauseit is impractical, especially when simpletyping errors are made. Anothersuggested that this section pertain toaccess to electronic records, not just thesystem, on the basis that simple miskeysmay be typed when accessing a system.As discussed in comments 133 and134 of this document, the agencybelieves this provision is necessary andreasonable. The agency’s securityconcerns extend to system as well asrecord access. Once having gainedunauthorized system access, anindividual could conceivably alterpasswords to mask further intrusion andmisdeeds. If this section were removed,falsifications would be more probable tothe extent that some establishmentswould not alert security personnel.However, the agency advises that asimple typing error may not indicate anunauthorized use attempt, although apattern of such errors, especially inshort succession, or such an apparenterror executed when the individual who‘‘owns’’ that identification code orpassword is deceased, absent, orotherwise known to be unavailable,could signal a security problem thatshould not be ignored. FDA notes thatthis section offers organizationsmaximum latitude in deciding whatthey perceive to be attempts atunauthorized use.136. One comment suggestedsubstituting the phrase ‘‘electronicsignature’’ for ‘‘passwords and/oridentification codes.’’The agency disagrees with thiscomment because the net effect of therevision might be to ignore attemptedmisuse of important elements of anelectronic signature such as a‘‘password’’ attack on a system.137. Several comments argued that:(1) It is not necessary to report misuseattempts simultaneously to managementwhen reporting to the appropriatesecurity unit, (2) security units wouldrespond to management in accordancewith their established procedures andlines of authority, and (3) managementwould not always be involved.The agency agrees that not everymisuse attempt would have to bereported simultaneously to anorganization’s management if thesecurity unit that was alerted respondedappropriately. FDA notes, however, thatsome apparent security breeches couldbe serious enough to warrantmanagement’s immediate and urgentattention. The agency has revisedproposed § 11.300(d) to giveorganizations maximum flexibility inestablishing criteria for managementnotification. Accordingly, § 11.300(d)now states that controls foridentification codes/passwords mustinclude:Use of transaction safeguards to preventunauthorized use of passwords and/oridentification codes, and to detect and report

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13461in an immediate and urgent manner anyattempts at their unauthorized use to thesystem security unit, and, as appropriate, toorganizational management.138. Proposed § 11.300(e) states thatcontrols for identification codes/passwords must include initial andperiodic testing of devices, such astokens or cards, bearing identifyinginformation, for proper function.Many comments objected to thisproposed device testing requirement asunnecessary because it is part of systemvalidation and because devices areaccess fail-safe in that nonworkingdevices would deny rather than permitsystem access. The comments suggestedrevising this section to require thatfailed devices deny user access. Onecomment stated that § 11.300(e) isunclear on the meaning of ‘‘identifyinginformation’’ and that the phrase‘‘tokens or cards’’ is redundant becausecards are a form of tokens.FDA wishes to clarify the reason forthis proposed requirement, and toemphasize that proper devicefunctioning includes, in addition tosystem access, the correctness of theidentifying information and securityperformance attributes. Testing forsystem access alone could fail to discernsignificant unauthorized devicealterations. If, for example, a device hasbeen modified to change the identifyinginformation, system access may still beallowed, which would enable someoneto assume the identity of anotherperson. In addition, devices may havebeen changed to grant individualsadditional system privileges and actionauthorizations beyond those granted bythe organization. Of lesser significancewould be simple wear and tear on suchdevices, which result in reducedperformance. For instance, a bar codemay not be read with the sameconsistent accuracy as intended if thecode becomes marred, stained, orotherwise disfigured. Access may begranted, but only after many morescannings than desired. The agencyexpects that device testing would detectsuch defects.Because validation of electronicsignature systems would not coverunauthorized device modifications, orsubsequent wear and tear, validationwould not obviate the need for periodictesting.The agency notes that § 11.300(e) doesnot limit the types of devicesorganizations may use. In addition, notall tokens may be cards, and identifyinginformation is intended to includeidentification codes and passwords.Therefore, FDA has revised proposed§ 11.300(e) to clarify the agency’s intentand to be consistent with § 11.300(c).Revised § 11.300(e) requires initial andperiodic testing of devices, such astokens or cards, that bear or generateidentification code or passwordinformation to ensure that they functionproperly and have not been altered in anunauthorized manner.XIV. Paperwork Reduction Act of 1995This final rule contains informationcollection provisions that are subject toreview by the Office of Management andBudget (OMB) under the PaperworkReduction Act of 1995 (44 U.S.C. 3501–3520). Therefore, in accordance with 5CFR 1320, the title, description, anddescription of respondents of thecollection of information requirementsare shown below with an estimate of theannual reporting and recordkeepingburdens. Included in the estimate is thetime for reviewing instructions,searching existing data sources,gathering and maintaining the dataneeded, and completing and reviewingthe collection of information.Most of the burden created by theinformation collection provision of thisfinal rule will be a one-time burdenassociated with the creation of standardoperating procedures, validation, andcertification. The agency anticipates theuse of electronic media willsubstantially reduce the paperworkburden associated with maintainingFDA-required records.Title: Electronic records; Electronicsignatures.Description: FDA is issuingregulations that provide criteria foracceptance of electronic records,electronic signatures, and handwrittensignatures executed to electronicrecords as equivalent to paper records.Rules apply to any FDA recordsrequirements unless specific restrictionsare issued in the future. Recordsrequired to be submitted to FDA may besubmitted electronically, provided theagency has stated its ability to acceptthe records electronically in an agencyestablished public docket.Description of Respondents:Businesses and other for-profitorganizations, state or localgovernments, Federal agencies, andnonprofit institutions.Although the August 31, 1994,proposed rule (59 FR 45160) provided a90-day comment period under thePaperwork Reduction Act of 1980, FDAis providing an additional opportunityfor public comment under thePaperwork Reduction Act of 1995,which was enacted after the expirationof the comment period and applies tothis final rule. Therefore, FDA nowinvites comments on: (1) Whether theproposed collection of information isnecessary for the proper performance ofFDA’s functions, including whether theinformation will have practical utility;(2) the accuracy of FDA’s estimate of theburden of the proposed collection ofinformation, including the validity ofthe methodology and assumptions used;(3) ways to enhance the quality, utility,and clarity of the information to becollected; and (4) ways to minimize theburden of the collection of informationon respondents, including through theuse of automated collection techniques,when appropriate, and other forms ofinformation technology. Individuals andorganizations may submit comments onthe information collection provisions ofthis final rule by May 19, 1997.Comments should be directed to theDockets Management Branch (addressabove).At the close of the 60-day commentperiod, FDA will review the commentsreceived, revise the informationcollection provisions as necessary, andsubmit these provisions to OMB forreview and approval. FDA will publisha notice in the Federal Register whenthe information collection provisionsare submitted to OMB, and anopportunity for public comment to OMBwill be provided at that time. Prior tothe effective date of this final rule, FDAwill publish a notice in the FederalRegister of OMB’s decision to approve,modify, or disapprove the informationcollection provisions. An agency maynot conduct or sponsor, and a person isnot required to respond to, a collectionof information unless it displays acurrently valid OMB control number.TABLE 1.—ESTIMATED ANNUAL RECORDKEEPING BURDEN21 CFR SectionAnnual No. ofRecordkeepersHours perRecordkeeperTotal Hours11.10 50 40 2,00011.30 50 40 2,00011.50 50 40 2,000

13462 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and RegulationsTABLE 1.—ESTIMATED ANNUAL RECORDKEEPING BURDEN—Continued21 CFR SectionAnnual No. ofRecordkeepersHours perRecordkeeperTotal Hours11.300 50 40 2,000Total annual burden hours 8,000TABLE 2.—ESTIMATED ANNUAL REPORTING BURDEN21 CFR SectionAnnual No. ofRespondentsHours perResponseTotal BurdenHours11.100 1,000 1 1,000Total annual burden hours 1,000XV. Environmental ImpactThe agency has determined under 21CFR 25.24(a)(8) that this action is of atype that does not individually orcumulatively have a significant effect onthe human environment. Therefore,neither an environmental assessmentnor an environmental impact statementis required.XVI. Analysis of ImpactsFDA has examined the impacts of thefinal rule under Executive Order 12866,under the Regulatory Flexibility Act (5U.S.C. 601–612), and under theUnfunded Mandates Reform Act (Pub.L. 104–4). Executive Order 12866directs agencies to assess all costs andbenefits of available regulatoryalternatives and, when regulation isnecessary, to select regulatoryapproaches that maximize net benefits(including potential economic,environmental, public health and safety,and other advantages; and distributiveimpacts and equity). Unless an agencycertifies that a rule will not have asignificant economic impact on asubstantial number of small entities, theRegulatory Flexibility Act requires ananalysis of regulatory options thatwould minimize any significant impactof a rule on small entities. TheUnfunded Mandates Reform Actrequires that agencies prepare anassessment of anticipated costs andbenefits before proposing any rule thatmay result in an annual expenditure byState, local and tribal governments, inthe aggregate, or by the private sector, of$100 million (adjusted annually forinflation).The agency believes that this finalrule is consistent with the regulatoryphilosophy and principles identified inthe Executive Order. This rule permitspersons to maintain any FDA requiredrecord or report in electronic format. Italso permits FDA to accept electronicrecords, electronic signatures, andhandwritten signatures executed toelectronic records as equivalent to paperrecords and handwritten signaturesexecuted on paper. The rule applies toany paper records required by statute oragency regulations. The rule wassubstantially influenced by comments tothe ANPRM and the proposed rule. Theprovisions of this rule permit the use ofelectronic technology under conditionsthat the agency believes are necessary toensure the integrity of electronicsystems, records, and signatures, andthe ability of the agency to protect andpromote the public health.This rule is a significant regulatoryaction as defined by the Executive Orderand is subject to review under theExecutive Order. This rule does notimpose any mandates on State, local, ortribal governments, nor is it a significantregulatory action under the UnfundedMandates Reform Act.The activities regulated by this ruleare voluntary; no entity is required bythis rule to maintain or submit recordselectronically if it does not wish to doso. Presumably, no firm (or otherregulated entity) will implementelectronic recordkeeping unless thebenefits to that firm are expected toexceed any costs (including capital andmaintenance costs). Thus, the industrywill incur no net costs as a result of thisrule.Based on the fact that the activitiesregulated by this rule are entirelyvoluntary and will not have any netadverse effects on small entities, theCommissioner of Food and Drugscertifies that this rule will not have asignificant economic impact on asubstantial number of small entities.Therefore, under the RegulatoryFlexibility Act, no further regulatoryflexibility analysis is required.Although no further analysis isrequired, in developing this rule, FDAhas considered the impact of the rule onsmall entities. The agency has alsoconsidered various regulatory options tomaximize the net benefits of the rule tosmall entities without compromising theintegrity of electronic systems, records,and signatures, or the agency’s ability toprotect and promote the public health.The following analysis briefly examinesthe potential impact of this rule onsmall businesses and other smallentities, and describes the measures thatFDA incorporated in this final rule toreduce the costs of applying electronicrecord/signature systems consistentwith the objectives of the rule. Thisanalysis includes each of the elementsrequired for a final regulatory flexibilityanalysis under 5 U.S.C. 604(a).A. ObjectivesThe purpose of this rule is to permitthe use of a technology that was notcontemplated when most existing FDAregulations were written, withoutundermining in any way the integrity ofrecords and reports or the ability of FDAto carry out its statutory healthprotection mandate. The rule willpermit regulated industry and FDA tooperate with greater flexibility, in waysthat will improve both the efficiencyand the speed of industry’s operationsand the regulatory process. At the sametime, it ensures that individuals willassign the same level of importance toaffixing an electronic signature, and therecords to which that signature attests,as they currently do to a handwrittensignature.B. Small Entities AffectedThis rule potentially affects all largeand small entities that are required byany statute administered by FDA, or anyFDA regulation, to keep records or makereports or other submissions to FDA,including small businesses, nonprofitorganizations, and small governmententities. Because the rule affects such abroad range of industries, no datacurrently exist to estimate precisely thetotal number of small entities that willpotentially benefit from the rule, but thenumber is substantial. For example,within the medical devices industryalone, the Small Business

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13463Administration (SBA) estimates thatover 3,221 firms are small businesses(i.e., have fewer than 500 employees).SBA also estimates that 504pharmaceutical firms are smallbusinesses with fewer than 500employees. Of the approximately 2,204registered blood and plasmaestablishments that are neithergovernment-owned nor part of theAmerican Red Cross, most are nonprofitestablishments that are not nationallydominant and thus may be smallentities as defined by the RegulatoryFlexibility Act.Not all submissions will immediatelybe acceptable electronically, even if thesubmission and the electronic recordconform to the criteria set forth in thisrule. A particular required submissionwill be acceptable in electronic formonly after it has been identified to thiseffect in public docket 92S–0251. (Theagency unit that can receive thatelectronic submission will also beidentified in the docket.) Thus, althoughall small entities subject to FDAregulations are potentially affected bythis rule, the rule will actually onlybenefit those that: (1) Are required tosubmit records or other documents thathave been identified in the publicdocket as acceptable if submittedelectronically, and (2) choose thismethod of submission, instead oftraditional paper record submissions.The potential range of submissionsincludes such records as new drugapplications, medical device premarketnotifications, food additive petitions,and medicated feed applications. These,and all other required submissions, willbe considered by FDA as candidates foroptional electronic format.Although the benefits of makingelectronic submissions to FDA will bephased in over time, as the agencyaccepts more submissions in electronicform, firms can, upon the rule’s effectivedate, immediately benefit from usingelectronic records/signatures for recordsthey are required to keep, but notsubmit to FDA. Such records include,but are not limited to: Pharmaceuticaland medical device batch productionrecords, complaint records, and foodprocessing records.Some small entities will be affectedby this rule even if they are not amongthe industries regulated by FDA.Because it will increase the marketdemand for certain types of software(e.g., document management, signature,and encryption software) and services(e.g., digital notaries and digitalsignature certification authorities), thisrule will benefit some small firmsengaged in developing and providingthose products and services.C. Description of the ImpactFor any paper record that an entity isrequired to keep under existing statutesor FDA regulations, FDA will nowaccept an electronic record instead of apaper one, as long as the electronicrecord conforms to the requirements ofthis rule. FDA will also consider anelectronic signature to be equivalent toa handwritten signature if it meets therequirements of this rule. Thus, entitiesregulated by FDA may, if they choose,submit required records andauthorizations to the agencyelectronically once those records havebeen listed in the docket as acceptablein electronic form. This action isvoluntary; paper records andhandwritten signatures are still fullyacceptable. No entity will be required tochange the way it is currently allowedto submit paper records to the agency.1. Benefits and costsFor any firm choosing to convert toelectronic recordkeeping, the directbenefits are expected to include:(1) Improved ability for the firm toanalyze trends, problems, etc.,enhancing internal evaluation andquality control;(2) Reduced data entry errors, due toautomated checks;(3) Reduced costs of storage space;(4) Reduced shipping costs for datatransmission to FDA; and(5) More efficient FDA reviews andapprovals of FDA-regulated products.No small entity will be required toconvert to electronic submissions.Furthermore, it is expected that noindividual firm, or other entity, willchoose the electronic option unless thatfirm finds that the benefits to the firmfrom conversion will exceed anyconversion costs.There may be some small entities thatcurrently submit records on paper, butarchive records electronically. Theseentities will need to ensure that theirexisting electronic systems conform tothe requirements for electronicrecordkeeping described in this rule.Once they have done so, however, theymay also take advantage of all the otherbenefits of electronic recordkeeping.Therefore, no individual small entity isexpected to experience direct costs thatexceed benefits as a result of this rule.Furthermore, because almost all of therule’s provisions reflect contemporarysecurity measures and controls thatrespondents to the ANPRM identified,most firms should have to make few, ifany, modifications to their systems.For entities that do choose electronicrecordkeeping, the magnitude of thecosts associated with doing so willdepend on several factors, such as thelevel of appropriate computer hardwareand software already in place in a givenfirm, the types of conformingtechnologies selected, and the size anddispersion of the firm. For example,biometric signature technologies may bemore expensive than nonbiometrictechnologies; firms that choose theformer technology may encounterrelatively higher costs. Large,geographically dispersed firms mayneed some institutional securityprocedures that smaller firms, withfewer persons in more geographicallyconcentrated areas, may not need. Firmsthat require wholesale technologyreplacements in order to adoptelectronic record/signature technologymay face much higher costs than thosethat require only minor modifications(e.g., because they already have similartechnology for internal security andquality control purposes). Among thefirms that must undertake majorchanges to implement electronicrecordkeeping, costs will be lower forthose able to undertake these changessimultaneously with other plannedcomputer and security upgrades. Newfirms entering the market may have aslight advantage in implementingtechnologies that conform with thisrule, because the technologies andassociated procedures can be put inplace as part of the general startup.2. Compliance requirementsIf a small entity chooses to keepelectronic records and/or makeelectronic submissions, it must do so inways that conform to the requirementsfor electronic records and electronicsignatures set forth in this rule. Theserequirements, described previously insection II. of this document, involvemeasures designed to ensure theintegrity of system operations, ofinformation stored in the system, and ofthe authorized signatures affixed toelectronic records. The requirementsapply to all small (and large) entities inall industry sectors regulated by FDA.The agency believes that because therule is flexible and reflectscontemporary standards, firms shouldhave no difficulty in putting in place theneeded systems and controls. However,to assist firms in meeting the provisionsof this rule, FDA may hold publicmeetings and publish more detailedguidance. Firms may contact FDA’sIndustry and Small Business LiaisonStaff, HF–50, at 5600 Fishers Lane,Rockville, MD 20857 (301–827–3430)for more information.

13464 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations3. Professional skills requiredIf a firm elects electronicrecordkeeping and submissions, it musttake steps to ensure that all personsinvolved in developing, maintaining,and using electronic records andelectronic signature systems have theeducation, training, and experience toperform the tasks involved. The level oftraining and experience that will berequired depends on the tasks that theperson performs. For example, anindividual whose sole involvement withelectronic records is infrequent mightonly need sufficient training tounderstand and use the requiredprocedures. On the other hand, anindividual involved in developing anelectronic record system for a firmwishing to convert from a paperrecordkeeping system would probablyneed more education or training incomputer systems and software designand implementation. In addition, FDAexpects that such a person would alsohave specific on-the-job training andexperience related to the particular typeof records kept by that firm.The relevant education, training, andexperience of each individual involvedin developing, maintaining, or usingelectronic records/submissions must bedocumented. However, no specificexaminations or credentials for theseindividuals are required by the rule.D. Minimizing the Burden on SmallEntitiesThis rule includes several conditionsthat an electronic record or signaturemust meet in order to be acceptable asan alternative to a paper record orhandwritten signature. These conditionsare necessary to permit the agency toprotect and promote the public health.For example, FDA must retain theability to audit records to detectunauthorized modifications, simpleerrors, and to deter falsification.Whereas there are many scientifictechniques to show changes in paperrecords (e.g., analysis of the paper, signsof erasures, and handwriting analysis),these methods do not apply toelectronic records. For electronicrecords and submissions to have thesame integrity as paper records, theymust be developed, maintained, andused under circumstances that make itdifficult for them to be inappropriatelymodified. Without these assurances,FDA’s objective of enabling electronicrecords and signatures to have standingequal to paper records and handwrittensignatures, and to satisfy therequirements of existing statutes andregulations, cannot be met.Within these constraints, FDA hasattempted to select alternatives thatprovide as much flexibility aspracticable without endangering theintegrity of the electronic records. Theagency decided not to make the requiredextent and stringency of controlsdependent on the type of record ortransactions, so that firms can decide forthemselves what level of controls areworthwhile in each case. For example,FDA chose to give firms maximumflexibility in determining: (1) Thecircumstances under whichmanagement would have to be notifiedof security problems, (2) the means bywhich firms achieve the required linkbetween an electronic signature and anelectronic record, (3) the circumstancesunder which extra security andauthentication measures are warrantedin open systems, (4) when to useoperational system checks to ensureproper event sequencing, and (5) whento use terminal checks to ensure thatdata and instructions originate from avalid source.Numerous other specificconsiderations were addressed in thepublic comments to the proposed rule.A summary of the issues raised by thosecomments, the agency’s assessment ofthese issues, and any changes made inthe proposed rule as a result of thesecomments is presented earlier in thispreamble.FDA rejected alternatives for limitingpotentially acceptable electronicsubmissions to a particular category,and for issuing different electronicsubmissions standards for small andlarge entities. The former alternativewould unnecessarily limit the potentialbenefits of this rule; whereas the latteralternative would threaten the integrityof electronic records and submissionsfrom small entities.As discussed previously in thispreamble, FDA rejected comments thatsuggested a total of 17 additional morestringent controls that might be moreexpensive to implement. These include:(1) Examination and certification ofindividuals who perform certainimportant tasks, (2) exclusive use ofcryptographic methods to linkelectronic signatures to electronicrecords, (3) controls for each possiblecombination of a two factoredauthentication method, (4) controls foreach different type of identificationcard, and (5) recording in audit trails thereason why records were changed.List of Subjects in 21 CFR Part 11Administrative practice andprocedure, Electronic records,Electronic signatures, Reporting andrecordkeeping requirements.Therefore, under the Federal Food,Drug, and Cosmetic Act, the PublicHealth Service Act, and under authoritydelegated to the Commissioner of Foodand Drugs, Title 21, Chapter I of theCode of Federal Regulations is amendedby adding part 11 to read as follows:PART 11—ELECTRONIC RECORDS;ELECTRONIC SIGNATURESSubpart A—General ProvisionsSec.11.1 Scope.11.2 Implementation.11.3 Definitions.Subpart B—Electronic Records11.10 Controls for closed systems.11.30 Controls for open systems.11.50 Signature manifestations.11.70 Signature/record linking.Subpart C—Electronic Signatures11.100 General requirements.11.200 Electronic signature componentsand controls.11.300 Controls for identification codes/passwords.Authority: Secs. 201–903 of the FederalFood, Drug, and Cosmetic Act (21 U.S.C.321–393); sec. 351 of the Public HealthService Act (42 U.S.C. 262).Subpart A—General Provisions§ 11.1 Scope.(a) The regulations in this part setforth the criteria under which theagency considers electronic records,electronic signatures, and handwrittensignatures executed to electronicrecords to be trustworthy, reliable, andgenerally equivalent to paper recordsand handwritten signatures executed onpaper.(b) This part applies to records inelectronic form that are created,modified, maintained, archived,retrieved, or transmitted, under anyrecords requirements set forth in agencyregulations. This part also applies toelectronic records submitted to theagency under requirements of theFederal Food, Drug, and Cosmetic Actand the Public Health Service Act, evenif such records are not specificallyidentified in agency regulations.However, this part does not apply topaper records that are, or have been,transmitted by electronic means.(c) Where electronic signatures andtheir associated electronic records meetthe requirements of this part, the agencywill consider the electronic signaturesto be equivalent to full handwrittensignatures, initials, and other generalsignings as required by agencyregulations, unless specifically exceptedby regulation(s) effective on or after

Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulations13465August 20, 1997.(d) Electronic records that meet therequirements of this part may be used inlieu of paper records, in accordancewith § 11.2, unless paper records arespecifically required.(e) Computer systems (includinghardware and software), controls, andattendant documentation maintainedunder this part shall be readily availablefor, and subject to, FDA inspection.§ 11.2 Implementation.(a) For records required to bemaintained but not submitted to theagency, persons may use electronicrecords in lieu of paper records orelectronic signatures in lieu oftraditional signatures, in whole or inpart, provided that the requirements ofthis part are met.(b) For records submitted to theagency, persons may use electronicrecords in lieu of paper records orelectronic signatures in lieu oftraditional signatures, in whole or inpart, provided that:(1) The requirements of this part aremet; and(2) The document or parts of adocument to be submitted have beenidentified in public docket No. 92S–0251 as being the type of submission theagency accepts in electronic form. Thisdocket will identify specifically whattypes of documents or parts ofdocuments are acceptable forsubmission in electronic form withoutpaper records and the agency receivingunit(s) (e.g., specific center, office,division, branch) to which suchsubmissions may be made. Documentsto agency receiving unit(s) not specifiedin the public docket will not beconsidered as official if they aresubmitted in electronic form; paperforms of such documents will beconsidered as official and mustaccompany any electronic records.Persons are expected to consult with theintended agency receiving unit fordetails on how (e.g., method oftransmission, media, file formats, andtechnical protocols) and whether toproceed with the electronic submission.§ 11.3 Definitions.(a) The definitions and interpretationsof terms contained in section 201 of theact apply to those terms when used inthis part.(b) The following definitions of termsalso apply to this part:(1) Act means the Federal Food, Drug,and Cosmetic Act (secs. 201–903 (21U.S.C. 321–393)).(2) Agency means the Food and DrugAdministration.(3) Biometrics means a method ofverifying an individual’s identity basedon measurement of the individual’sphysical feature(s) or repeatableaction(s) where those features and/oractions are both unique to thatindividual and measurable.(4) Closed system means anenvironment in which system access iscontrolled by persons who areresponsible for the content of electronicrecords that are on the system.(5) Digital signature means anelectronic signature based uponcryptographic methods of originatorauthentication, computed by using a setof rules and a set of parameters suchthat the identity of the signer and theintegrity of the data can be verified.(6) Electronic record means anycombination of text, graphics, data,audio, pictorial, or other informationrepresentation in digital form that iscreated, modified, maintained, archived,retrieved, or distributed by a computersystem.(7) Electronic signature means acomputer data compilation of anysymbol or series of symbols executed,adopted, or authorized by an individualto be the legally binding equivalent ofthe individual’s handwritten signature.(8) Handwritten signature means thescripted name or legal mark of anindividual handwritten by thatindividual and executed or adoptedwith the present intention toauthenticate a writing in a permanentform. The act of signing with a writingor marking instrument such as a pen orstylus is preserved. The scripted nameor legal mark, while conventionallyapplied to paper, may also be applied toother devices that capture the name ormark.(9) Open system means anenvironment in which system access isnot controlled by persons who areresponsible for the content of electronicrecords that are on the system.Subpart B—Electronic Records§ 11.10 Controls for closed systems.Persons who use closed systems tocreate, modify, maintain, or transmitelectronic records shall employprocedures and controls designed toensure the authenticity, integrity, and,when appropriate, the confidentiality ofelectronic records, and to ensure thatthe signer cannot readily repudiate thesigned record as not genuine. Suchprocedures and controls shall includethe following:(a) Validation of systems to ensureaccuracy, reliability, consistentintended performance, and the ability todiscern invalid or altered records.(b) The ability to generate accurateand complete copies of records in bothhuman readable and electronic formsuitable for inspection, review, andcopying by the agency. Persons shouldcontact the agency if there are anyquestions regarding the ability of theagency to perform such review andcopying of the electronic records.(c) Protection of records to enabletheir accurate and ready retrievalthroughout the records retention period.(d) Limiting system access toauthorized individuals.(e) Use of secure, computer-generated,time-stamped audit trails toindependently record the date and timeof operator entries and actions thatcreate, modify, or delete electronicrecords. Record changes shall notobscure previously recordedinformation. Such audit traildocumentation shall be retained for aperiod at least as long as that requiredfor the subject electronic records andshall be available for agency review andcopying.(f) Use of operational system checks toenforce permitted sequencing of stepsand events, as appropriate.(g) Use of authority checks to ensurethat only authorized individuals can usethe system, electronically sign a record,access the operation or computer systeminput or output device, alter a record, orperform the operation at hand.(h) Use of device (e.g., terminal)checks to determine, as appropriate, thevalidity of the source of data input oroperational instruction.(i) Determination that persons whodevelop, maintain, or use electronicrecord/electronic signature systemshave the education, training, andexperience to perform their assignedtasks.(j) The establishment of, andadherence to, written policies that holdindividuals accountable and responsiblefor actions initiated under theirelectronic signatures, in order to deterrecord and signature falsification.(k) Use of appropriate controls oversystems documentation including:(1) Adequate controls over thedistribution of, access to, and use ofdocumentation for system operation andmaintenance.(2) Revision and change controlprocedures to maintain an audit trailthat documents time-sequenceddevelopment and modification ofsystems documentation.§ 11.30 Controls for open systems.Persons who use open systems tocreate, modify, maintain, or transmitelectronic records shall employprocedures and controls designed to

13466 Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997 / Rules and Regulationsensure the authenticity, integrity, and,as appropriate, the confidentiality ofelectronic records from the point oftheir creation to the point of theirreceipt. Such procedures and controlsshall include those identified in § 11.10,as appropriate, and additional measuressuch as document encryption and use ofappropriate digital signature standardsto ensure, as necessary under thecircumstances, record authenticity,integrity, and confidentiality.§ 11.50 Signature manifestations.(a) Signed electronic records shallcontain information associated with thesigning that clearly indicates all of thefollowing:(1) The printed name of the signer;(2) The date and time when thesignature was executed; and(3) The meaning (such as review,approval, responsibility, or authorship)associated with the signature.(b) The items identified in paragraphs(a)(1), (a)(2), and (a)(3) of this sectionshall be subject to the same controls asfor electronic records and shall beincluded as part of any human readableform of the electronic record (such aselectronic display or printout).§ 11.70 Signature/record linking.Electronic signatures and handwrittensignatures executed to electronicrecords shall be linked to theirrespective electronic records to ensurethat the signatures cannot be excised,copied, or otherwise transferred tofalsify an electronic record by ordinarymeans.Subpart C—Electronic Signatures§ 11.100 General requirements.(a) Each electronic signature shall beunique to one individual and shall notbe reused by, or reassigned to, anyoneelse.(b) Before an organization establishes,assigns, certifies, or otherwise sanctionsan individual’s electronic signature, orany element of such electronicsignature, the organization shall verifythe identity of the individual.(c) Persons using electronic signaturesshall, prior to or at the time of such use,certify to the agency that the electronicsignatures in their system, used on orafter August 20, 1997, are intended to bethe legally binding equivalent oftraditional handwritten signatures.(1) The certification shall besubmitted in paper form and signedwith a traditional handwrittensignature, to the Office of RegionalOperations (HFC–100), 5600 FishersLane, Rockville, MD 20857.(2) Persons using electronic signaturesshall, upon agency request, provideadditional certification or testimony thata specific electronic signature is thelegally binding equivalent of the signer’shandwritten signature.§ 11.200 Electronic signature componentsand controls.(a) Electronic signatures that are notbased upon biometrics shall:(1) Employ at least two distinctidentification components such as anidentification code and password.(i) When an individual executes aseries of signings during a single,continuous period of controlled systemaccess, the first signing shall beexecuted using all electronic signaturecomponents; subsequent signings shallbe executed using at least one electronicsignature component that is onlyexecutable by, and designed to be usedonly by, the individual.(ii) When an individual executes oneor more signings not performed duringa single, continuous period of controlledsystem access, each signing shall beexecuted using all of the electronicsignature components.(2) Be used only by their genuineowners; and(3) Be administered and executed toensure that attempted use of anindividual’s electronic signature byanyone other than its genuine ownerrequires collaboration of two or moreindividuals.(b) Electronic signatures based uponbiometrics shall be designed to ensurethat they cannot be used by anyoneother than their genuine owners.§ 11.300 Controls for identification codes/passwords.Persons who use electronic signaturesbased upon use of identification codesin combination with passwords shallemploy controls to ensure their securityand integrity. Such controls shallinclude:(a) Maintaining the uniqueness ofeach combined identification code andpassword, such that no two individualshave the same combination ofidentification code and password.(b) Ensuring that identification codeand password issuances are periodicallychecked, recalled, or revised (e.g., tocover such events as password aging).(c) Following loss managementprocedures to electronically deauthorizelost, stolen, missing, or otherwisepotentially compromised tokens, cards,and other devices that bear or generateidentification code or passwordinformation, and to issue temporary orpermanent replacements using suitable,rigorous controls.(d) Use of transaction safeguards toprevent unauthorized use of passwordsand/or identification codes, and todetect and report in an immediate andurgent manner any attempts at theirunauthorized use to the system securityunit, and, as appropriate, toorganizational management.(e) Initial and periodic testing ofdevices, such as tokens or cards, thatbear or generate identification code orpassword information to ensure thatthey function properly and have notbeen altered in an unauthorizedmanner.Dated: March 11, 1997.William B. Schultz,Deputy Commissioner for Policy.[FR Doc. 97–6833 Filed 3–20–97; 8:45 am]BILLING CODE 4160–01–F