Electronic records and electronic signatures are fast becoming a strategic and efficient way to maintain record-keeping compliance across industry. To comply, the pharmaceutical industry has looked to the technology sector, which offers a wide range of products and systems. If the industry is looking for an out-of-the-box solution, it won't find one. As the industry implements and uses systems for electronic records and signatures, each company must create and maintain a system that complies with regulations by implementing not only technology but also procedures and policies. For the remainder of this paper, "system" describes the combination of technology, procedures and policies. Systems are made up of different components in order to meet the needs of regulations.
Regulations such as 21 CFR Part 11 and EU Annex 11 comprise many elements that each play some part in controlling the functions and outputs of the overall system. These elements include, but are not limited to, validation, protection and retention of records, audit trails, restricted access, device checks, training, written procedures and system documentation. By implementing internal policies and procedures, the company can identify, prevent and detect compliance issues, lay out expectations for employee behaviour and ensure that operations run smoothly. Policies and procedures create a formalized system to help organizations maintain compliance in all areas of operation. Procedures should outline the overall workflow process and how technology is used as part of that process. For example, most organizations maintain a procedure describing their record retention policy or process, which sets out how the organization protects, stores and maintains documentation and records. A record retention procedure details how long records are retained and where they are housed, which brings us to technology and the solution it can provide: retaining documentation so that it is readily available and auditable. Without the other components of the system in place, the technology alone would not be sufficient to maintain compliance.
Nymi Enterprise Edition (NEE), as a biometric authentication product, offers improved data integrity, reduces the risk of compromised credentials and can improve the user experience. The NEE solution enables our customers to comply with regulations in a reliable and effective manner by replacing passwords or badges that can be compromised. The FDA noted that “… biometrics-based electronic signatures, by their nature, are less prone to be compromised than other methods such as identification codes and passwords.” [2] The Nymi band is authenticated using biometrics and, coupled with administrative applications and enterprise management applications, provides a magnitude improvement in security and data integrity. The FDA set out “11.200 (b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners” [1], and the NEE ensures that a Nymi band can only be assigned to one individual.
Although the NEE does not record and maintain records, it integrates seamlessly into system solutions such as a Manufacturing Execution System (MES). Through this integration, the NEE signals the system solution, if integrated appropriately, to record electronic signatures as outlined in 11.50. The NEE will maintain compliance for 11.10, such as limited system access, triggering the MES to record electronic signatures for audit trails, and to “ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand” [1]. Through the implementation of technology, in addition to policies and procedures, a system can meet regulations and maintain a compliant ecosystem.
An MES prompts users to authenticate themselves through electronic signatures at key steps of the process. The users are typically prompted for their user ID and password, which are then verified against the organization’s directory system (e.g. Active Directory). Once the user ID and password are verified, an electronic record is generated, which may include the user identifier, metadata such as a timestamp, and relevant information such as the process step and related parameters. These records are then stored and managed, either by the MES itself or by record management systems. In a regulated environment, the above procedure is validated for compliance against the relevant standards.
The Nymi Enterprise Edition (NEE) replaces the user ID and password verification steps in the above procedure. When authentication is required, the MES would prompt the user for a Nymi Band tap instead of user ID and password. The authenticity of the Nymi Band and the action are verified cryptographically, and the identity of the user is also authenticated (since the Nymi Band had to be biometrically authenticated prior to use). The subsequent record generation sequence remains the same.
After the NEE is integrated, the customer may be required to perform an incremental or full validation, to ensure that the system (not just the NEE) remains in compliance with the relevant standards.
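The signing step described above, sketched as an added example (not Nymi's or any MES vendor's code): the MES issues a single-use challenge tied to one process step, verifies the device's response, and only then generates the record. The HMAC challenge-response is a generic stand-in for the product's actual cryptographic verification, and the device table, key and field names are constructed for illustration.

```python
import hashlib, hmac, secrets
from datetime import datetime, timezone

# Constructed enrollment data: each device is assigned to exactly one user.
DEVICES = {"band-01": {"user_id": "jdoe", "name": "Jane Doe",
                       "key": b"constructed-demo-key"}}
_open_challenges = {}  # nonce -> process step it was issued for

def issue_challenge(step):
    """MES side: create a single-use nonce tied to one process step."""
    nonce = secrets.token_hex(16)
    _open_challenges[nonce] = step
    return nonce

def device_respond(key, nonce, step):
    """Device side (stand-in): MAC over the nonce and the action being signed."""
    return hmac.new(key, f"{nonce}|{step}".encode(), hashlib.sha256).hexdigest()

def verify_tap(device_id, nonce, step, response):
    """Return the enrolled signer on success, None on any failure."""
    device = DEVICES.get(device_id)
    issued_for = _open_challenges.pop(nonce, None)  # pop: a nonce works once
    if device is None or issued_for != step:
        return None  # unknown device, replayed nonce, or a different action
    expected = device_respond(device["key"], nonce, step)
    return device if hmac.compare_digest(expected, response) else None

def make_signature_record(signer, step, meaning, params):
    """Record generation is identical whichever authenticator identified the signer."""
    return {
        "user_id": signer["user_id"],
        "printed_name": signer["name"],
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "meaning": meaning,          # e.g. review, approval, authorship
        "process_step": step,
        "parameters": params,
    }

def sign_step(device_id, nonce, step, response, meaning, params):
    signer = verify_tap(device_id, nonce, step, response)
    if signer is None:
        raise PermissionError("authentication failed; no record written")
    return make_signature_record(signer, step, meaning, params)
```

Binding the challenge to the process step means a response captured for one step cannot be presented for another, and consuming the nonce on first use rejects replays.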
[1] Food and Drug Administration. (1997). TITLE 21--FOOD AND DRUGS CHAPTER I--FOOD AND DRUG ADMINISTRATION DEPARTMENT OF HEALTH AND HUMAN SERVICES SUBCHAPTER A--GENERAL, PART 11, ELECTRONIC RECORDS; ELECTRONIC SIGNATURES. Retrieved from https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11
[2] Food and Drug Administration. (1997). 21 CFR Part 11 Electronic Records; Electronic Signatures; Final Rule. (Federal Register / Vol. 62, No. 54 / Docket No. 97-6833). Retrieved from https://www.govinfo.gov/content/pkg/FR-1997-03-20/pdf/97-6833.pdf