Clarification for 21 CFR Part 11.100 - General Requirements

[Pmarszal]

I have been reviewing 21 CFR 11 requirements and feel stumped by section 11.100 - General Requirements

(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
____________________________________________________

I am confused about 11.100 (C) and (1). When is the certification required to be submitted? Upon agency request or during the implementation of electronic signatures?

 

[mihzago]

At the time of implementation.

The agency will also ask for such a letter (if you don't have one on file) when you set up an account for electronic gateway with the agency, for example eMDR.

 

[Pmarszal]

How would I go about figuring out if this document is on file with the agency?

 

[Pmarszal]

We are only internally going to be using electronic signatures in our QMS and not to the agency? Is this document still required to be submitted?

 

[mihzago]

Your QMS documentation may still be viewed by the agency, for example, during an inspection. Generally, if your use of electronic signatures falls under the Part 11 then the letter is required.

The point I was trying to make is that the FDA does not actively ask or enforce these letters for internal QMS systems; maybe during an inspection of document control (anyone heard of a company getting dinged for not having a letter?).
FDA will however, as I said earlier, ask for the letter before you set-up an account to transfer data to them.

 

[Dobby1979]

Hi Guys.

Whilst we are on the subject of electronic signatures, how does everyone implement / meet this clause?

Sec. 11.200 Electronic signature components and controls.
(1) Employ at least two distinct identification components such as an identification code and password.

Do you count logging on to your PC / laptop as one component and then entering a password when signing is a second component? What tools do you use?

 

[Pmarszal]

Our current software uses a username and password before logging into the QMS. (We are running a closed system)

 

[Dobby1979]

Thanks for the reply Pmarszal. So you log into your QMS and then just open a document and click sign. Am sure there are more steps but you get my trail of thought!

Have you been audited on your electronic signature? I worry that wouldn't be enough and that you should be password prompted etc. at time of signing.

 

[Pmarszal]

Our QMS system requires a user name and password at the time of entering the system, it then requires a password at the time of signing.

 

[Dobby1979]

OK, thanks. That makes more sense then.

We currently have users sent an email (from a site that you log in to via a user name and password) but they can just click on the link, hit sign on the document and away they go. I am working with the software tool company to have a password prompting you after they hit sign. This would then make things compliant