Date: Nov 02, 2001
On March 20, 2002,
FDA announced the availability of a draft guidance for industry, entitled “21
CFR Part 11; Electronic Records; Electronic Signatures Time Stamps” (67 Fed.
Reg. 12999). The draft guidance, developed by FDA's Office of Enforcement,
focuses on time stamps applied by computer systems and identifies key principles
and practices regarding time stamps. This guidance supplements the regulation
published by FDA in the Federal Register of March 20, 1997 (62 Fed. Reg.
13430), and incorporated into the Code of Federal Regulations at 21 CFR § 11,
which provided criteria under which the agency considers electronic records and
electronic signatures to be trustworthy, reliable and generally equivalent to
paper records and handwritten signatures executed on paper.
This new guidance applies to all electronic records and
electronic signatures used (created, modified, maintained, archived, retrieved
or transmitted) under the records and signature requirements of the Federal
Food, Drug, and Cosmetic Act, the Public Health Service Act, and FDA
regulations. Under 21 CFR § 11.10, “Persons who use closed systems to create,
modify, maintain, or transmit electronic records shall employ procedures and
controls designed to ensure the authenticity, integrity, and, when appropriate,
the confidentiality of electronic records, and to ensure that the signer cannot
readily repudiate the signed record as not genuine.” Among these procedures and
controls expressly mentioned in the regulation are the “[u]se of secure,
computer generated time-stamped audit trails to independently record the
date and time of operator entries and actions that create, modify, or
delete electronic records.” [emphasis added] (Section 11.10(e)), and the
requirement that “signed electronic records contain information associated with
the signing that clearly indicates […] [t]he date and time when the
signature was executed [...]” [emphasis added] (Section 11.50(a)(2)). FDA's
draft guidance provides five basic principles and practices to be followed
regarding the use of those time-stamped audit trails, also known as 'time
stamps.' The five principles follow:
As a first principle, procedures and controls must be implemented to ensure that time
stamps are accurate and reliable. To that end, computers, whether working in a
network or independently, should be synchronized to a recognized standard clock.
Procedures, such as unannounced checks of computer clocks, must be established to
detect and deter inappropriate changes to computer clocks.
Time stamps should contain
reference to a specific time zone and appear in human readable form.
Alternatively, systems documentation should be readily available (e.g.,
through a code appearing on the stamp) to clearly explain what time zone
references apply, as well as zone acronyms and other naming conventions.
It is worth noting that, in this
regard, FDA reconsidered its position. In the preamble to the final rule for 21
CFR § 11, the agency had advised that the signer's local time is the one that
should be recorded, without the need to reference any specific time zone.
System documentation should
define how date and time are expressed to avoid any source of confusion, e.g.,
24 versus 12 hour time recording, or date order conventions (month/day/year
Audit trail and signature time
stamps should be precise to the hour and minute; date expressions should include year,
month and numerical day of the month.
The draft guidance suggests that
time stamps can be helpful in implementing other procedures required under
different sections of Part 11, such as limiting system access to authorized
individuals (Section 11.10(d)), ensuring proper sequencing of events (Section
11.10(f)), or documenting the time-sequenced development and modification of
systems documentation (Section 11.10(k)(2)).
Although the requirements of 21
CFR § 11, and thus the present guidance, are not directly applicable to bulk
manufacturers of APIs or excipients, per se, they provide useful insight
into how FDA is likely to interpret the guidance in the Q7A International
Conference on Harmonization (ICH) Document which FDA adopted last year. The Q7A
requirement for electronic records is that “[a]ll documents related to the
manufacture of intermediates or APIs should be prepared, reviewed, approved, and
distributed according to written procedures. Such documents can be in paper or
electronic form,” (Emphasis added) and more specifically, that “[i]f
electronic signatures are used on documents, they should be authenticated and
secure.” ICH Q7A GMP Guidance for API, Part VI.A (6.1).
Comments on the draft guidance will be accepted
by the Dockets Management Branch until June 18, 2002. A copy of the Federal
Register Notice can be found at:
while a copy of the draft guidance
can be found at:
In addition, the draft guidance and other useful
documents and resources to consider in developing a CGMP compliance program, can
be found on this website, at:
CGMP Compliance: Making it Happen in a Chemical Facility
A CGMP Bibliography