FDA inspections and electronic signatures

[pkost]

For those of you that have undergone an FDA inspection where you use electronic signatures, what did they look at? how in depth was the review? How knowledgable was the inspector?

We are planning on implementing electronic signatures, but I'm wondering how tight I should make my belt and braces. I was consdiering setting up my on internal PKI and issueing key pairs to individuals, however I have many questions:

- Do the inspectors care whether you have an intermediate CA, or can all keys be issued off the Root?​

- Do they care about the Root CA being isolated from the network?​

- Do they require a seperate authoratative time server for when documents are signed?​

- Do they care about certificate revocation lists and the insecurities they bring vs OSCP​

Do the inspectors even understand the terminology above?

 

[yodon]

In the inspections I've been involved with, Part 11 compliance never came up.

You're talking at a considerably higher level than required. Generally, to apply e-signatures, signing into the application (username/password) is sufficient. Of course, if your risk profile indicates you need a higher level, you should take it there. But for most, I think the username/password (and all the ancillary stuff like password aging, password strength, time-outs, etc.) should suffice. As far as I know, they're still practicing enforcement discretion. If you show an utter lack of control, they may get after you.

 

[pkost]

Thanks for this, it seems like the risk for us to implement this is low. If anyone else has some experience to share it would be appreciated