Easy Signature 21 CFR Part 11 Supplement
Version 1.0
Date: 2011-11-01
Introduction
Title 21 CFR Part 11 of the Code of Federal Regulations (Electronic Records; Electronic Signatures) sets out the requirements for the creation, modification, maintenance, archival, retrieval, and transmittal of electronic records, and for the use of electronic signatures, when complying with the Federal Food, Drug, and Cosmetic Act or any other Food and Drug Administration (FDA) regulation.
Easy Signature is free digital signature software that enables electronic signing of any type of file.
This document presents the technical elements of Easy Signature against each summary requirement set out in 21 CFR Part 11.
Notice: It is not possible for any vendor to offer a turnkey "FDA 21 CFR Part 11 compliant system". 21 CFR Part 11 requires procedural controls (e.g. notification, training, SOPs, administration) as well as administrative controls to be put in place, and it is the responsibility of the user to implement them.
For further discussion and information please contact us at www.easysoft.nu.
Free digital signature software – Easy Signature www.easysoft.nu
Subpart B – Electronic Records
11.10 Controls for Closed Systems
11.10(a)
Requirement: Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Easy Signature technical response: Easy Signature has been designed, developed and tested according to Easy Soft's documented product development lifecycle. Easy Signature uses proven PKI cryptography to establish a hierarchical chain of trust and to ensure the validity of the record.

11.10(b)
Requirement: The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the FDA.
Easy Signature technical response: A signed record can be printed with Easy Signature in human readable form and is also available in electronic form. All cryptographic details, such as the public keys and the audit trace, are available and can be reviewed both electronically and on paper.

11.10(c)
Requirement: Protection of records to enable their accurate and ready retrieval throughout the records retention period.
Easy Signature technical response: Easy Signature does not provide a specific medium or means to store records. Digital signatures are simply files that can be stored anywhere. It is the responsibility of the user to ensure the protection of records (e.g. network access rights, periodic backups). Easy Signature does, however, provide AES encryption that the end-user can apply for additional protection.

11.10(d)
Requirement: Limiting system access to authorized individuals.
Easy Signature technical response: Easy Signature protects the digital signature itself by a private password and a private digital signature file. However, Easy Signature is only a free digital signature tool and does not provide a specific medium or functionality to store records (see 11.10(c)).
11.10(e)
Requirement: Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Easy Signature technical response: Easy Signature uses proven PKI cryptography to establish a hierarchical chain of trust and to ensure the validity of the record. Signed files cannot be obscured: the entire audit trail and the chain of trust are recorded in the signed digital file and can be reviewed and copied.
Notice that the current Easy Signature version does not synchronize the date and time stamp with external time servers; it relies on the local computer clock. We recommend using a free time synchronization tool together with Easy Signature in your document signature procedures, and making sure that the time zone is also clearly documented in the signature.

11.10(f)
Requirement: Use of operational system checks to enforce permitted sequencing of steps in a process, as appropriate.
Easy Signature technical response: Easy Signature has a simple workflow capability and can be set up to ensure that actions are performed as a sequence of steps in a process. The end user must, however, describe these processes in documentation and procedures.

11.10(g)
Requirement: Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Easy Signature technical response: The Easy Signature security model ensures that only users holding a unique private digital signature file (*.SIG) issued by the "Signature Issuer Responsible" (SIR) can sign files, so the hierarchical chain of trust is fully maintained. The private signature file (*.SIG) is additionally protected by a password. The end-user can easily introduce an authority check by defining the "Signature Issuer Responsible" (SIR) and obtaining a certificate from Easy Signature.
Notice that Easy Signature is only a free digital signature tool and does not provide a specific medium or means to store records. Protecting the files (e.g. on a shared network) from public access is the responsibility of the end-user.
11.10(h)
Requirement: Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
Easy Signature technical response: Easy Signature is free electronic signature software only. It does not provide means to determine the validity of the source of data input or operational instruction (e.g. the correct document title or project ID), other than ensuring that the digital signature procedure itself is correct and safe.

11.10(i)
Requirement: Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
Easy Signature technical response: End-user responsibility.

11.10(j)
Requirement: The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
Easy Signature technical response: The user must develop policies and procedures governing accountability (building on the Easy Signature PKI security model). A full audit trail details the transactions in the system, so any altered or invalid record would be evident through inconsistencies with the digital signature's hierarchical trace and audit trail (regarding record storage, see 11.10(c)).

11.10(k)(1)
Requirement: Use of appropriate controls over systems documentation including: (1) adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
Easy Signature technical response: End-user responsibility.

11.10(k)(2)
Requirement: Use of appropriate controls over systems documentation including: (2) revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
Easy Signature technical response: End-user responsibility.
Subpart B – Electronic Records
11.30 Controls for Open Systems

11.30
Requirement: Controls for open systems.
Easy Signature technical response: Does not apply. Easy Signature is a closed system intended for internal use.
Subpart B – Electronic Records
11.50 Signature Manifestations

11.50(a)(1)-(3)
Requirement: Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) the printed name of the signer; (2) the date and time when the signature was executed; and (3) the meaning (such as review, approval, responsibility, or authorship) associated with the signature.
Easy Signature technical response: Easy Signature allows the user to define items (1) (including a scanned signature), (2) and (3) in the digital signature file. All of this information is digitally signed and cannot be altered after signing.

11.50(b)
Requirement: The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
Easy Signature technical response: A digital signature can be printed containing all the information of (a)(1)-(3) along with the cryptographic public keys.
11.70 Signature/Record Linking

11.70
Requirement: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
Easy Signature technical response: Easy Signature computes a SHA-512 hash of the electronic record; this hash, together with the information of 11.50(a)(1)-(3), is digitally signed, so there are no ordinary means to remove a signature from a record or to copy it to another record.
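The signature/record linking described for 11.70, shown as an added example that is not Easy Signature's own code: the record is hashed with SHA-512, the hash is signed together with the three 11.50(a) items (signer name, date and time with UTC offset, meaning), and the verifier then shows that the signature neither transfers to another record nor survives an edit of the meaning field. The signature scheme (Ed25519 from Go's standard library) and the JSON layout of the manifestation are assumptions made for the example; the document does not state which algorithm or file format Easy Signature uses. The record text, signer name and timestamp are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Manifestation holds the three 11.50(a) items. This layout is an assumption
// made for the example, not Easy Signature's *.SIG format.
type Manifestation struct {
	SignerName string `json:"signer_name"`
	SignedAt   string `json:"signed_at"` // RFC 3339 with UTC offset, so the zone is signed too
	Meaning    string `json:"meaning"`   // review, approval, responsibility, authorship, ...
}

// SignedRecord is a detached signature: SHA-512 of the record, the manifestation,
// the signer's public key and the signature over hash||manifestation.
type SignedRecord struct {
	RecordSHA512 string        `json:"record_sha512"`
	Manifest     Manifestation `json:"manifestation"`
	PublicKey    string        `json:"public_key"`
	Signature    string        `json:"signature"`
}

// NewSigner generates a per-user Ed25519 key pair. It stands in for the private
// signature file; a real tool keeps the private half encrypted under the user's password.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signingInput is the exact byte string that is signed: SHA-512(record) followed by
// the JSON manifestation. One signature over both is what links the signature to
// this record and to this name, time and meaning.
func signingInput(recordHash []byte, m Manifestation) []byte {
	mj, _ := json.Marshal(m) // cannot fail for a struct of plain strings
	return append(append([]byte{}, recordHash...), mj...)
}

// Sign hashes the record and signs hash||manifestation with the user's private key.
func Sign(priv ed25519.PrivateKey, record []byte, m Manifestation) SignedRecord {
	h := sha512.Sum512(record)
	return SignedRecord{
		RecordSHA512: hex.EncodeToString(h[:]),
		Manifest:     m,
		PublicKey:    hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
		Signature:    hex.EncodeToString(ed25519.Sign(priv, signingInput(h[:], m))),
	}
}

// Verify recomputes the hash of the record presented and checks the signature. It
// fails if the record, the manifestation or the signature was altered, or if the
// signature was excised from one record and attached to another.
func Verify(sr SignedRecord, record []byte) bool {
	h := sha512.Sum512(record)
	if hex.EncodeToString(h[:]) != sr.RecordSHA512 {
		return false
	}
	pub, errPub := hex.DecodeString(sr.PublicKey)
	sig, errSig := hex.DecodeString(sr.Signature)
	if errPub != nil || errSig != nil || len(pub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a wrong-size public key, so check first
	}
	return ed25519.Verify(ed25519.PublicKey(pub), signingInput(h[:], sr.Manifest), sig)
}

// Demo signs a constructed record and reports whether (1) the genuine signature
// verifies, (2) the same signature moved onto another record verifies and
// (3) the signature still verifies after the meaning field is edited.
func Demo() (genuine, moved, meaningAltered bool, err error) {
	_, priv, err := NewSigner()
	if err != nil {
		return
	}
	record := []byte("Batch 0815 release report (constructed sample record)")
	// The timestamp comes from the signer's own clock: it is asserted by the signer,
	// not independently attested. The fixed zone keeps the UTC offset in the signed data.
	when := time.Date(2011, 11, 1, 9, 30, 0, 0, time.FixedZone("CET", 3600)).Format(time.RFC3339)
	sr := Sign(priv, record, Manifestation{SignerName: "Jane Doe", SignedAt: when, Meaning: "approval"})
	genuine = Verify(sr, record)
	moved = Verify(sr, []byte("Batch 0816 release report (constructed sample record)"))
	tampered := sr
	tampered.Manifest.Meaning = "authorship"
	meaningAltered = Verify(tampered, record)
	return
}

func main() {
	g, m, a, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v movedToOtherRecord=%v meaningAltered=%v\n", g, m, a) // true false false
}
```

Two points follow directly from the document's own statements. The signed timestamp is whatever the signer's computer clock said at the time (11.10(e)), so it is evidence of what the signer asserted rather than an independent attestation, which is why the recommendation to synchronize clocks and record the time zone matters. And the private key here is held in memory only; Easy Signature keeps it in a password-protected *.SIG file, so the password component of 11.200(a)(1) is not shown.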
Subpart C – Electronic Signatures
11.100 General Requirements

11.100(a)
Requirement: Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
Easy Signature technical response: Each private signature file (*.SIG) has a unique public/private key pair and is fully traceable according to PKI practice. The key is private and protected by a personal password; it cannot be altered, reused by, or reassigned to anyone else.
11.200 Electronic Signature Components and Controls

11.200(a)(1)
Requirement: Electronic signatures that are not based upon biometrics shall: (1) employ at least two distinct identification components such as an identification code and password.
Easy Signature technical response: Easy Signature uses the combination of a private signature file (*.SIG) and an associated password.

11.200(a)(1)(i)
Requirement: When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
Easy Signature technical response: The private signature file (*.SIG) and the password are required for each signing. By design, the password and the private signature file are re-authenticated for every signature event.

11.200(a)(1)(ii)
Requirement: When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
Easy Signature technical response: See 11.200(a)(1)(i).

11.200(a)(2)
Requirement: Electronic signatures that are not based upon biometrics shall: (2) be used only by their genuine owners.
Easy Signature technical response: It is beyond the scope of Easy Signature to ensure that users do not give others access to their private signature file and password.
11.200(a)(3)
Requirement: Electronic signatures that are not based upon biometrics shall: (3) be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
Easy Signature technical response: For a digital signature to be misused in this manner, the collaboration of the "Signature Issuer Responsible" (SIR) and the end user would be required. Notice that such a breach can be traced back to the SIR and uniquely identified, since every private signature file (*.SIG) is digitally unique.

11.200(b)
Requirement: Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
Easy Signature technical response: Not applicable. Easy Signature does not use biometrics.
11.300 Controls for Identification Codes/Passwords

11.300(a)
Requirement: Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (a) maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
Easy Signature technical response: Every private signature file (*.SIG) is digitally unique and protected by a password.

11.300(b)
Requirement: Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
Easy Signature technical response: The private signature file (*.SIG) contains a unique public and private cryptographic key pair that is valid for a fixed period of time defined by the certificate issued to the "Signature Issuer Responsible" (SIR). The end-user shall keep the private signature file safe during this period; it is also password protected for additional safety.
11.300(c)
Requirement: Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable rigorous controls.
Easy Signature technical response: If the private signature file (*.SIG) is lost or stolen, a new unique private signature file (*.SIG) can be generated. The end-user can make a record of the event, and all signatures made with the previous private signature file (*.SIG) can be traced in time.

11.300(d)
Requirement: Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
Easy Signature technical response: See 11.300(c). Not applicable where it relates to a device.

11.300(e)
Requirement: Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Easy Signature technical response: See 11.300(c). Not applicable where it relates to a device.