Pharma IT ELECTRONIC RECORDS

Transcription

1 Pharma IT ELECTRONIC RECORDS Excerpted from Pharmaceutical Formulation & Quality (PFQ) magazine, February/March 2008 E-Signatures Set the Standard E-signatures can improve access to documents and information sharing BY MARKUS ROEMER AND PETER BEACH In today s pharmaceutical environment, establishing a framework for the authentication of computer-generated or computer-based information requires familiarity with concepts and skills in both law and information technology. Finding the right implementation approach and technology for a pharmaceutical company and combining these two disciplines is not an easy task. Modern technologies and inventions such as security applications and document management systems offer the possibility of using electronic signatures, the legally binding equivalent of traditional handwritten signatures. In 1999, the European Union (EU) passed the EU Directive for Electronic Signatures and in 2000, President Bill Clinton signed the Electronic Signatures in Global and National Commerce Act (ESIGN). ESIGN made signed electronic contracts and documents as legally binding as paper-based contracts. The general signature laws cover such issues as signing of agreements for sale, global trading, and various civil services, as well as regulations and guidelines for the pharmaceutical industry. Within the pharmaceutical industry, additional regulations exist and have been taken into consideration and harmonized with these laws. It should be noted that electronic signatures, which are distinct from digital signatures, are described in detail later in this article. The biggest advantages of electronic records and signatures are access to documents, information sharing, digital archiving, speed, and the efficiency available to people entering into transactions either internally or externally. These are also the greatest disadvantages. Unfortunately, people still tend to view electronic documents and signatures with suspicion, seeing them as somehow less concrete than handwritten signatures on paper. One key to avoiding this mistrust is correctly planned and executed computer system validation, which allows for greater trust in new technologies. An important part of this planning is setting standards to regulate e-signatures (See E-signatures Defined, p. 45). Signatures with many different meanings and consequences are necessary in normal businesses within the regulatory environment, including the NIKOLAI SOROKIN, JONATHAN BRIZENDINE DREAMSTIME.COM 44 PFQ

2 review and approval of test specifications, the release of master batch and laboratory records, and drug master files. Although many information technology (IT) systems support different types of e-signatures, and although regulations do not forbid them, use of this technology in regulated industry is still limited. The most common reasons for this are the questions they raise: Which regulations and legislation have to be taken into account? Which technical solution can fulfill the requirements both today and on a long-term basis? To what extent is the technical solution accepted officially? Will the existing IT organization and infrastructure be capable of supporting the new technology? Is the technical solution supported over the next five to 10 years or until the retention period of the documents has been exceeded, which can be up to 30 years? Do employees have the awareness and the will to change their methodology (e.g., document handling)? Legal Needs Because different laws affect different agencies and governmental functions, you will need to analyze, define, and interpret or even reinterpret your legal and regulatory needs and connect them to your business processes before deciding which electronic signature application is appropriate for you. Many decision makers and managers wrongly view e-signatures only as a technical solution. Electronic signature laws, regulatory guidance, agency interpretation, the current status of technology, and your own organizational framework, including IT architecture and electronic records management, all have to be taken into account. The interdisciplinary knowledge these hurdles necessitate means working groups are needed to ensure successful implementation. In addition to these concerns, you must consider your IT technology, marketplaces, and company size and structure. An enterprise-wide architecture is a logically consistent set of principles that guide the design and development of an organization s information systems and technology infrastructure. For the EU, the fourth chapter of the EudraLex Signature laws and regulatory guidelines merely provide for the legality of the electronic, digital, or qualified electronic signature, not the specific method or technology. Laws and regulations predicate rules leave it to individuals and companies to determine what method best serves their purposes when implementing an electronic signature. Volume 4 good manufacturing practices (GMP) define general requirements for documentation that apply to technical or procedural solutions. This chapter includes the following statements on signatures and their meanings: Initials of the persons who [execute]; Should be recorded; Should be approved and recorded by authorized personnel; Should be approved in writing by a competent person; and A clear statement of release or rejection (or other status decision) and the dated signature of the designated responsible person. According to the law, should be approved in writing means a handwritten signature or qualified e-signature. For the United States, the 21 CFR Part 210/211 applies to current GMPs. For example, approvals are required for , , and , and an initial or signature is required for In addition, signatures are required for and For good laboratory practices (GLP), there are several regulations to consider, including the Organization for Economic Co-Operation and Development guidelines, the European GLP Directives, or the U.S. FDA 21 CFR Part 58 GLP. The use of e-signatures is allowed but is not described in any further detail within the regulations. There are several signature-related guidelines for good clinical practice (GCP), including the International Conference on Harmonization of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH) guidelines for GCP. These regulations contain approximately the (Continued on p. 46) E-Signatures Defined An e-signature is printed text or declarations in close proximity to the signature space. It indicates an action performed by a signer as part of a process or to confirm a prior signer s actions and/or authority. The basic information elements of the signature metadata, besides the signature itself, generally include: The printed name of the signer (forename and surname); The meaning of the signature (e.g. review refused, approval, checked); and Date and time, including use of coordinated universal time (UTC) and a date format of DD-MM-YYYY versus MM-DD-YYYY. The electronic signature: Is unique to both the document and the signer and binds both of them together; and Ensures the authenticity of the signer. Any changes made to the document after it is signed invalidate the signature, thereby protecting against forgery and information tampering. February/March

3 PHARMA IT Electronic Records (Continued from p. 45) same statements as those found in the GMP, but instead of the word signatures, the phrases approved protocol or approval/favorable opinion are used. There are some differences in signing requirements for protocols and logbooks. For example, GMP requires initials, while GCP asks that they be dated and signed. Required GLP documents like clinical development plans, data management plans, investigator s brochures, or monitoring manuals need to be analyzed individually to determine the appropriate type of electronic signature for each. Parts of the GCP area could also pertain to an electronic submission (e.g., a New Drug Application [NDA]) where electronic signatures should be used. For example, study protocols, active pharmaceutical ingredient drug files, and so on can be issued by subcontractors, with the submission performed by another subcontractor. This situation would require that different companies communicate on different technology platforms. In general, rules for medical devices are based on the European Directive 98/79/EC, several national laws for medical devices, and the U.S. FDA 21 CFR Part 820. The following statements can be found in these documents: approval, including the date and signature of the individual(s); approved design/ quality system/device; or the approval of records such as device master files or device history files. Initial or Signature? Initials and signatures have different goals and risks in the complete production process. Initials are given to confirm an action or task, a usage that has the character of a logbook entry and can also be shown by audit trail functionality. For Figure 1. SOURCE: Table 1. Legislation and regulations governing the legality of an electronic signature United States Electronic Signature in Global and National Commerce Act (ESIGN) United States Digital Signature and Electronic Authentication Law United Kingdom Electronic Communications Act 2000 (chapter 7) European Union EU Directive for Electronic Signatures (1999/93/EC) SOURCE: this purpose, verification of the correct audit trail function (e.g., local time stamps) is required. A signature, which is more important than initials, confirms the execution (control step or examination) and assumes that the expressions signature, approval, dated signature, and dated and signed have identical legal meanings. Also important are regulatory submissions in electronic format using electronic common technical document (ectd) specifications. This field covers electronic submission of applications for human pharmaceutical products and related submissions, including abbreviated NDAs, NDAs, master files, advertising materials, and other materials. According to the ICH M2 electronic common technical document specification and the FDA guidance Providing Regulatory Submissions in Electronic Format, there are, in general, no specific requirements for the use of digital signatures. It is mandatory, however, that the documents be based on electronic records, with PDF files or XML formats preferred. When a CTD is submitted electronically, the entire submission should be in electronic form, with the exception of certain regional forms that currently require written signatures. In general, documents should be generated from electronic source documents and not from scanned material, except when access to the source electronic file is denied or where a signature is required. The XML technology of ectd documenttype definition supplies the overall structure of the submission and provides signature elements. The FDA gives an example of the submission s signature (See Figure 1, below). Signature methods accepted by the FDA include scanned signatures, digital signatures, and flattened digital signatures. A flattened digital signature must include the printed name of the signer, the date and time when the signature was executed, and the reason for the signature. The FDA advises all relevant agencies to consult with an FDA center representative to determine which signature method is required for each type of submission. For electronic submissions, a qualified electronic signature or digital signature should be used; we believe this practice will soon be required by all national agencies. Nonetheless, consult your agency and, if needed, your subcontractors and any other service providers you are working with to discuss potential technology solutions. Signature Legislation In recent years, most countries have adopted legislation recognizing the legality of an electronic signature and deeming it a binding signature (See Table 1, above). U.S. legislation is technology-neutral regarding what constitutes an electronic signature, but many leading industries have already adopted or mandated digital certificates based on public key infrastructure (PKI) so-called digital signatures. U.S. legislation specifically mentions electronic signatures, which means any electronic means of authorizing a transaction. Digital signatures are cryptographically generated fingerprints binding a transaction to an identity. Cryptographic in nature and based on public key technology, they ensure 46 PFQ

4 data cannot be tampered with and provide proof that someone actually signed a particular transaction. The EU s directive basically addresses three categories: Electronic signature (article 5.2) or simple electronic signature; Advanced electronic signature (article 2.2); and Qualified electronic signature (article 5.1) based on a qualified certificate (should be used if any law requires a written form). The EU s qualified electronic signature equates to the U.S. s digital signature. This type of electronic signature has a strong juridical value because it guarantees authentication, integrity, and confidentiality. These signature laws provide a framework for the use of electronic signatures, but they do not demand that electronic signatures replace handwritten ones. Digital signatures, or qualified electronic signatures, are based on asymmetric cryptography and require use of specific PKI schemes. PKI uses two different keys: private and public. The two keys are generated simultaneously and collectively and are known as a key pair. The resulting e-signature is cryptographic. Qualified certificates may only be prepared by so-called certification service providers. Laws regulate the requirements governing these suppliers, but because there is no guarantee of bilateral acceptance, there can be problems. The digital identity certificate is issued by a certificate authority (CA) and a registration authority. The ability to generate a digital signature can be controlled by authentication methods such as a user identification (ID) and password, a smart card and personal identification number (PIN), or biometric tools such as fingerprints and retinal scans. For internal PKI structures, a certification service provider can be used and keys can be transmitted or linked with another PKI by a so-called bridge-ca. The PKI technology offers different variants to choose from, as well as several digital signature standards and guidance documents that already exist. Without the advice of technical experts, it may be difficult to find the right solution. The maintenance efforts and service costs of operating the desired solution should be taken into account, keeping in mind the retention periods of documents, which may be as long as 30 years. Risk-Based Implementation The decision to use electronic signatures should be based on an assessment of legislation, regulations, technologies, and other factors, and should also consider the long term. As members of the pharmaceutical industry, we always want a frozen, stable IT system, a desire that is obviously contrary to the IT industry and its technologies, which are always evolving. Codes and applications believed to be unbreakable years ago are now easy to crack for anyone who has the correct application or Internet address. But PKI technology also continues to evolve, which means upgrades of your implemented system (e.g., electronic records migration). The simplest solution would be to just choose the digital signature (qualified electronic signature) for all electronic signatures. That is, it would be simple if there were no costs for the implementation, organizational effort, operation, and other services, as well as more risks on open systems. For example, some initials are only used internally, within a company, but a The biggest advantages of electronic records and signatures are access to documents, information sharing, digital archiving, speed, and the efficiency available to people entering into transactions either internally or externally. These are also the greatest disadvantages. connection must be applied to the outside PKI center, something that can increase complete operational risk. When choosing the signature type, be sure to take into account the required retention period of the documentation. The validity period of a PKI key pair is normally shorter than typical retention periods; generally, after five years, a given valid electronic signature is invalid. Without a qualified network or IT infrastructure, the implementation of digital signatures on this level is impossible. If this basis is weak, you will have serious problems running a PKI structure. This type of solution requires ex- (Continued on p. 48) A Strategic Approach to Implementing Electronic Signatures Identify and analyze regulatory guidance documents and predicate rules requirements (e.g., submission of common technical specifications, GMP - 21 CFR Part 210/211). Analyze local laws regarding electronic and digital signatures that apply to you and your business areas. Check into consultant agencies that apply to you as well. Analyze existing or planned information technology (IT) infrastructure (e.g., like IT security standards). Create an overall roadmap for IT systems and signature definitions. Create necessary procedures and requirement documents. Verify the correct implementation and operation. February/March

5 tensive validation and procedural controls and should be monitored regularly (refer, for example, to the Information Technology Infrastructure Library standards). Consider also the issue of user authentication on a system, which could be based on: User ID and password (or PIN); Token cards, smart cards; Biometrics; or Any combination of these to increase the level of security. Biometrics ensures a high level of security, because data sets can t be circulated, but biometric solutions have to be tested and verified intensively. Authentication log-in is the process of executing the electronic signature. Electronic signatures based upon ID code and a password are generally wellknown and widely used. It is a signature type for closed systems that do not fulfill the requirements of a qualified electronic signature. Signatures based upon ID code and password and a physical token could be used for open systems, like signatures based on biometrics, but they do not fulfill the requirements of a qualified electronic (digital) signature. The only solution that fulfills the qualified electronic signature requirements is one based on PKI with an external certificate by a CA. Another option involves implementing a PKI structure with internal certificates and then transferring these certificates (bridge-ca) to other internal PKI structures. This transfer can be done under strict control, on demand. In combination with PKI, a more secure alternative could be to store the private key on a smart card. Signature laws and regulatory guidelines merely provide for the legality of the electronic, digital, or qualified electronic signature, not the specific method or technology. Laws and regulations predicate rules leave it to individuals and companies to determine what method best serves their purpose when implementing electronic signatures. Roemer is the director of quality management and senior validation consultant at Systec & Services GmbH and Beach is executive validation manager at PGB Consultants Ltd. Both are members of IT Pharma Validation Europe ( Reach them at roe@systec-services.com or pgb@it-pharma-validation.com.