FDA Issues Guidance on Electronic Signatures Time Stamps

Date: Nov 02, 2001

On March 20, 2002, FDA announced the availability of a draft guidance for industry, entitled “21 CFR Part 11; Electronic Records; Electronic Signatures Time Stamps” (67 Fed. Reg. 12999).  The draft guidance, developed by FDA's Office of Enforcement, focuses on time stamps applied by computer systems and identifies key principles and practices regarding time stamps.  This guidance supplements the regulation published by FDA in the Federal Register of March 20, 1997 (62 Fed. Reg. 13430), and incorporated into the Code of Federal Regulations at 21 CFR § 11, which provided criteria under which the agency considers electronic records and electronic signatures to be trustworthy, reliable and generally equivalent to paper records and handwritten signatures executed on paper.

This new guidance applies to all electronic records and electronic signatures used (created, modified, maintained, archived, retrieved or transmitted) under the records and signature requirements of the Federal Food, Drug, and Cosmetic Act, the Public Health Service Act, and FDA regulations.  Under 21 CFR § 11.10, “Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.”  Among these procedures and controls expressly mentioned in the regulation are the “[u]se of secure, computer generated time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.” [emphasis added] (Section 11.10(e)), and the requirement that “signed electronic records contain information associated with the signing that clearly indicates […] [t]he date and time when the signature was executed [...]” [emphasis added] (Section 11.50(a)(2)).  FDA's draft guidance provides five basic principles and practices to be followed regarding the use of those time-stamped audit trails, also known as 'time stamps.'  The five principles follow:

    • Time Stamp Accuracy

Under this first principle, procedures and controls must be implemented to ensure that time stamps are accurate and reliable.  To that end, computers, whether working on a network or independently, should be synchronized to a recognized standard clock.

    • Systems Clock Security

Procedures, such as unannounced checks of computer clocks, must be established to detect and deter inappropriate changes to those clocks.

    • Time Zones

Time stamps should contain a reference to a specific time zone and appear in human-readable form.  Alternatively, systems documentation should be readily available (e.g., through a code appearing on the stamp) to clearly explain what time zone references apply, as well as zone acronyms and other naming conventions.

It is worth noting that, in this regard, FDA reconsidered its position.  In the preamble to the final rule for 21 CFR § 11, the agency had advised that the signer's local time is the one that should be recorded, without the need to reference any specific time zone.

    • Expression of Date and Time

System documentation should define how date and time are expressed to avoid any source of confusion, e.g., 24 versus 12 hour time recording, or date order conventions (month/day/year versus day/month/year).

    • Precision of Date and Time Expressions

Audit trail and signature time stamps should be precise to the hour and minute; date expressions should include the year, month and numerical day of the month.

The draft guidance suggests that time stamps can be helpful in implementing other procedures required under different sections of Part 11, such as limiting system access to authorized individuals (Section 11.10(d)), ensuring proper sequencing of events (Section 11.10(f)), or documenting the time-sequenced development and modification of systems documentation (Section 11.10(k)(2)).

Although the requirements of 21 CFR § 11, and thus the present guidance, are not directly applicable to bulk manufacturers of APIs or excipients, per se, they provide useful insight into how FDA is likely to interpret the guidance in the Q7A International Conference on Harmonization (ICH) Document, which FDA adopted last year.  The Q7A requirement for electronic records is that “[a]ll documents related to the manufacture of intermediates or APIs should be prepared, reviewed, approved, and distributed according to written procedures.  Such documents can be in paper or electronic form,” (emphasis added) and more specifically, that “[i]f electronic signatures are used on documents, they should be authenticated and secure.”  ICH Q7A GMP Guidance for API, Part VI.A (6.1).

Comments on the draft guidance will be accepted by the Dockets Management Branch until June 18, 2002.  A copy of the Federal Register Notice can be found at:  http://www.fda.gov/OHRMS/DOCKETS/98fr/032002b.htm while a copy of the draft guidance can be found at:  http://www.fda.gov/OHRMS/DOCKETS/98fr/00d-1542_gdl0001.pdf

In addition, the draft guidance and other useful documents and resources to consider in developing a CGMP compliance program can be found on this website, at: CGMP Compliance: Making it Happen in a Chemical Facility A CGMP Bibliography