The 21 CFR
What is 21 CFR?
It is the section of the Code of Federal Regulations of the Food and Drug Administration (FDA) on electronic records and electronic signatures in the United States.
Part 11 of the 21 CFR, as it is commonly referred, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable and equivalent to paper records.
In what areas apply?
In practical terms it applies to those actors operating in the United States, as:
- Manufacturers of drugs and medical devices
- Manufacturers of biotechnology
- Developers of biological products
- Research groups
Is it necessary to be enforced?
Yes, the FDA conducts regular audits of companies with a presence in the U.S. market, as dictated by the Federal Food, Drug and Cosmetic Act and the Public Health Service.
How can an electronic signature solution to help in its fulfillment?
By signing a document electronically, provides a range of evidence that guarantee the basic principles of traceability, auditing, integrity and non repudiation of documents generated in an electronic environment.
The solution is a combination of the application of electronic signatures and digital certificates suitable for the purpose at hand, which is to meet the 21 CFR. For this purpose we set ClickSign of isigma, plus Corporate Certificates of Natural Person (Spanish), from Firmaprofesional (Spanish). Other Corporate Qualified Certificates, for instance, collegiate, would also be valid.
ClickSign is a product of isigma, design to perform electronic signatures in desktop computer.
ClickSign, along with a Corporate Certificate Natural Person in Secure Signature Creation Device generates qualified electronic signatures under Spanish law, specifically Law 59/2003 of 19 December on Electronic Signature (LFE -Spanish-).
It necessary to recall that “The electronic signature will have on data in electronic form the same value as a handwritten signature on paper,” according to Article 3.4 of the Act.
ClickSign apply electronic signatures to documents created with other applications, whether office automation, document management, graphics, etc. (PDF, Word, XML, images, video, audio, …), staying away from the production of documents prior to signature.
An important part of ensuring the reliability of the system are the digital certificates used. In this case certificates from Certification Authority (hereinafter AC) Firmaprofesional, that complies with Spanish legislation on electronic certification and therefore the EU Directive 1999/93/EC, are to be used.
The document that describes how the AC Firmaprofesional operates and has been approved by the MINETUR (Ministry of Industry, Energy and Tourism, former Ministry of Industry, Tourism and Trade -MITyC-) is the Certification Practices Statement (CPS.) The certificate profile and special conditions are set out in the Certificate Policy (CP -Spanish-).
Alignment of the solution with the requirements of 21 CFR
Given the scope of ClickSign and Firmaprofesional certificates, alignment with 21CFR focuses on the following sections of the standard:
|Sec. 11.50 Signature manifestations.
|(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
The best way to ensure this is to ensure that the signed document itself contains this information, particularly the limitations imposed by paragraph (b).
It is recalled that the certificates provided by Firmaprofesional contain the signer information (name, ID number) and signature embedded in PDF includes information on the date and time of signature, from the signer’s computer.
Notwithstanding the foregoing, and as additional technical measure that provides greater legal guarantees, we recommend the use of Firmaprofesional Time-Stamping (Spanish) service, which supports ClickSign.
|Sec. 11.70 Signature/record linking.
|Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
ClickSign performes PDF- embedded signatures, among other formats. In this way the signature is linked with the signed document from an information standpoint.
On the other hand, the signature is based on asymmetric or public key cryptography, so technically it ensures the link between signature and signer’s identity and document signed by the very nature of the algorithm.
The signature algorithm used is sha1WithRsaEncryption, a standardized algorithm and accepted by the community that guarantees non-falsification or manipulation of data.
|Sec. 11.100 General requirements.
|(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual`s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations, 12420 Parklawn Drive, RM 3007 Rockville, MD 20857.
(a) The1.024-bit RSA keypair used to produce electronic signatures is generated in the card itself or secure-signature creation device (SSCD), one of whose functions is to ensure “that data used for signature generation can occur only once and their secrecy is reasonably assured” as required in Article 24.3.a of LFE
(b)Firmaprofesional verifies the identity of each signer to whom issues a certificate in accordance with the requirements of Article 12.a) of the LFE (“To check the identity and personal circumstances of applicants under the provisions of the following article. “.) For details, refer to the Certificate Policy (Spanish).
(c) By the very definition of electronic signature (LFE, Article 3.4), the electronic signature generated by ClickSign and Firmaprofesional certificates has recognized functional equivalence to a handwritten signature.
|Sec. 11.200 Electronic signature components and controls.
|(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
(1) The solution is based on asymmetric cryptography, with a private key (signature creation data) stored on a smart card and it is necessary to enter a PIN (activation data) to use it, so one uses two authentication mechanisms, namely:
- something that I have (the card)
- something you know (the PIN)
(i) The electronic signature is made in the chip of the card, so if you retire it, you could not continue to produce electronic signatures.
(ii) After removing the card, if you re-enter and you want to sign again, you must enter yourPIN again.
(2) Guaranteed by the two authentication mechanisms explained above.
(3) The card is locked to the third incorrect PIN attempt. The procedures for issuance of Firmaprofesional ensure that a single person can not issue a certificate on behalf of another.
|Sec. 11.300 Controls for identification codes/passwords.
|Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Being a solution based on asymmetric cryptography, public key infrastructure(PKI)-digital certificates, and smart cards, not using personal identification codes, this section does not apply.
Taking into account the requirements of 21CFR and the functional scope of the product ClickSign, and certificates issued by the CA Firmaprofesional, the proposed solution meets the requirements specified in the regulations.
If you liked this entry, or you think may be helpful to others, please share it via the buttons you’ll find below.