Electronic Records and Signatures
Electronic records and electronic signatures are fast becoming a strategic and efficient method of maintaining record-keeping compliance across industry. To comply, the pharmaceutical industry has looked for solutions to the technology sector, which offers a wide range of products and systems. If the industry is looking for an out-of-the-box solution, it will not find one. As the industry implements and uses systems for electronic records and signatures, each company must create and maintain a system that complies with regulations by implementing not only technology, but also procedures and policies. For the remainder of this paper, the term "systems" describes the combination of technology, procedures, and policies. Systems are made up of different components to meet the needs of regulations.
Regulations such as 21 CFR Part 11 and EU Annex 11 comprise many elements that, in some part, create a method of controlling the functions and outputs of the overall system. These elements include, but are not limited to, validation, protection and retention of records, audit trails, restricted access, device checks, training, written procedures, and system documentation.
By implementing internal policies and procedures an organization can:
- Identify, prevent, and detect compliance issues
- Lay out expectations for employee behavior
- Ensure that operations run smoothly
Policies and procedures create a formalized system that helps organizations maintain compliance in all areas of operation. Procedures should outline the overall workflow process and how the organization will use technology as part of the process.
For example, most organizations maintain record retention procedures or processes that outline how the organization protects, stores, and maintains documentation and records. Companies can use technology solutions to retain documentation and ensure that the documentation is readily available and auditable. Without the other components of the system in place, the technology alone would not be sufficient to maintain compliance.
The Nymi CWP Solution
The Nymi Connected Worker Platform (CWP) Solution, as a biometric authentication product, offers improved data integrity, reduces risk of compromised credentials, and improves the user experience. The Nymi CWP Solution enables customers to comply with data storage and retention regulations in a reliable and effective manner and ensure the integrity of e-signatures by replacing passwords or badges that can be compromised.
The FDA noted that “… biometrics-based electronic signatures, by their nature, are less prone to be compromised than other methods such as identification codes and passwords.” [2] When organizations integrate the Nymi CWP Solution with their existing system, the user authenticates to their Nymi Band by using biometrics, which is coupled with administrative applications and enterprise management applications that provide a magnitude improvement in security and data integrity. The FDA set out “11.200 (b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners” [1], and the Nymi CWP Solution ensures that a Nymi Band can only be assigned to one individual.
Nymi CWP Solution Integration
The following figure provides an example of a system solution workflow for e-signatures and electronic records before the introduction of the Nymi CWP Solution, and shows how the Nymi CWP Solution fits into the existing solution.
A manufacturing execution system (MES) prompts users to authenticate themselves through electronic signatures at key steps of the process. For example, an MES typically prompts the user to supply their user ID and password, and then verifies the supplied credentials against a directory system of the organization, for example, Active Directory. When verification completes, the MES generates an electronic record that contains information such as the user identifier, metadata such as a timestamp, and relevant information such as the process step and related parameters. The MES, or a record management system, stores and manages the records. Regulated environments validate the procedure to ensure that the system remains in compliance with the relevant standards.
The Nymi CWP Solution:
- Replaces the user ID and password verification steps in the system solution workflow. When the MES requires authentication, the MES prompts the user for a Nymi Band tap instead of a user ID and password.
- Verifies the authenticity of the Nymi Band and the action cryptographically.
- Assures the authenticity of the identity of the user. A user can only use the Nymi Band for e-signatures after biometric authentication.
The subsequent record generation sequence in the workflow remains the same. The Nymi CWP Solution does not record and maintain records, but seamlessly integrates into the system solutions.
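The record-generation step described above, sketched as an added example (not Nymi or MES vendor code): the authentication result gates record creation, and the record body is built the same way whether the user supplied a password or a band tap. The `auth` dictionary, the field names, the sample values, and the SHA-256 hash chain used to make the audit trail tamper-evident are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor value for the first record in the chain

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def sign_step(trail, auth, step, params, now=None):
    """Append an e-signature record for one process step, or refuse."""
    if not auth.get("verified"):
        raise PermissionError("authentication not verified; no record written")
    body = {
        "user_id": auth["user_id"],        # who signed
        "auth_method": auth["method"],     # password or band tap (assumed labels)
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "step": step,                      # process step being signed
        "params": params,                  # related process parameters
        "prev": trail[-1]["hash"] if trail else GENESIS,
    }
    record = dict(body, hash=_digest(body))
    trail.append(record)
    return record

def verify_trail(trail):
    """Return the index of the first inconsistent record, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev or not hmac.compare_digest(_digest(body), rec["hash"]):
            return i
        prev = rec["hash"]
    return -1

def demo():
    # Constructed sample data: same user, one password sign-off, one band tap.
    trail, t = [], datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    sign_step(trail, {"user_id": "jdoe", "method": "password", "verified": True},
              "weigh", {"mass_g": 12.5}, t)
    sign_step(trail, {"user_id": "jdoe", "method": "band_tap", "verified": True},
              "blend", {"rpm": 40}, t)
    intact = verify_trail(trail)
    trail[0]["params"]["mass_g"] = 21.5  # simulated after-the-fact edit
    return intact, verify_trail(trail)

if __name__ == "__main__":
    print(demo())
```

An unkeyed hash chain only exposes edits when the latest hash is also held somewhere the record store's administrators cannot rewrite; otherwise the whole chain can be recomputed after a change.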
The Nymi CWP Solution:
- Signals the system solution, if integrated appropriately, to record electronic signatures as outlined in 11.50.
- Maintains compliance for 11.10, by:
  - Providing limited system access, triggering the MES to record electronic signatures for audit trails.
  - Ensuring “that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand” [1].
Through the implementation of technology, in addition to policies and procedures, a system can meet regulations and maintain a compliant ecosystem.
[1] Food and Drug Administration. (1997). TITLE 21--FOOD AND DRUGS CHAPTER I--FOOD AND DRUG ADMINISTRATION DEPARTMENT OF HEALTH AND HUMAN SERVICES SUBCHAPTER A--GENERAL, PART 11, ELECTRONIC RECORDS; ELECTRONIC SIGNATURES. Retrieved from https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11
[2] Food and Drug Administration. (1997). 21 CFR Part 11 Electronic Records; Electronic Signatures; Final Rule. (Federal Register / Vol. 62, No. 54 / Docket No. 97-6833). Retrieved from https://www.govinfo.gov/content/pkg/FR-1997-03-20/pdf/97-6833.pdf