
Understand what FDA 21 CFR Part 11 is in 5 minutes

  • 2018-07-27 17:08
  • Anonymous

FDA 21 CFR part 11

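21 CFR Part 11 is the FDA regulation on electronic records and electronic signatures. It sets out detailed requirements and specifications for the many electronic records and electronic signatures used by pharmaceutical and medical device manufacturers. Peter has not had much exposure to this part either, and translated the original text while studying it, for everyone to exchange views and discuss.
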
Subpart A--General Provisions

Sec. 11.1 Scope.

(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

(b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.

(c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.

(d) Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with 11.2, unless paper records are specifically required.

(e) Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.

(f) This part does not apply to records required to be established or maintained by 1.326 through 1.368 of this chapter. Records that satisfy the requirements of part 1, subpart J of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part.

The translation of (g) through (o) is omitted; they are of little significance to manufacturers.
 


Sec. 11.2 Implementation.

(a) For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met.

(b) For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that:

(1) The requirements of this part are met; and

(2) The document or parts of a document to be submitted have been identified in public docket No. 92S-0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific center, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission.
 
Sec. 11.3 Definitions.

(a) The definitions and interpretations of terms contained in section 201 of the act apply to those terms when used in this part.

(b) The following definitions of terms also apply to this part:

(1) Act means the Federal Food, Drug, and Cosmetic Act (secs. 201-903 (21 U.S.C. 321-393)).

(2) Agency means the Food and Drug Administration.

(3) Biometrics means a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.

(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.

(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.

(8) Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.

(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.
 
Subpart B--Electronic Records



Sec. 11.10 Controls for closed systems.

Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

(d) Limiting system access to authorized individuals.

(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

(k) Use of appropriate controls over systems documentation including:

(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
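
One way to meet the audit trail requirement in 11.10(e), shown as an added example that is not part of the regulation or of the original page: an append-only, time-stamped log in which each change keeps the previous value and each entry is chained to the one before it by hash. The class name, field names and the hash-chain design are assumptions of this sketch; the regulation does not prescribe a mechanism.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(entry: dict) -> str:
    """Hash every field except the entry's own hash, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log: a change adds an entry, it never rewrites one."""

    def __init__(self):
        self.entries = []

    def record(self, operator, action, record_id, old, new, when=None):
        if action not in ("create", "modify", "delete"):
            raise ValueError("unsupported action: " + action)
        entry = {
            "seq": len(self.entries),
            # Defaults to the system clock; `when` exists only so that
            # constructed sample data can be reproduced.
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "operator": operator,
            "action": action,
            "record_id": record_id,
            "old": old,  # previous value stays readable after the change
            "new": new,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def history(self, record_id):
        """Every value the record has held, oldest first."""
        return [e["new"] for e in self.entries if e["record_id"] == record_id]

    def first_bad_entry(self):
        """Return the seq of the first altered or unlinked entry, else None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
                return i
            prev = e["hash"]
        return None
```

The chain only shows tampering to someone who holds a trusted copy of the latest hash, so the head hash should be stored where the people who can edit records cannot reach it.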
 
Sec. 11.30 Controls for open systems.

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
 
Sec. 11.50 Signature manifestations.

(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

(1) The printed name of the signer;

(2) The date and time when the signature was executed; and

(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
 
Sec. 11.70 Signature/record linking.

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
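
The signature manifestation of 11.50 and the linking of 11.70 can be sketched together, as an added example that is not part of the regulation or of the original page: the three 11.50(a) items are bound to a digest of the record, so a signature block copied onto another record, or edited after signing, fails verification. The function names and the per-signer HMAC key are assumptions of this sketch, with HMAC standing in for whatever digital signature scheme a real system uses.

```python
import hashlib
import hmac
import json


def record_digest(record: dict) -> str:
    """Canonical SHA-256 of the record content."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def _mac(key: bytes, fields: dict) -> str:
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_record(record, signer_key, printed_name, signed_at, meaning):
    manifest = {
        "printed_name": printed_name,            # 11.50(a)(1)
        "signed_at": signed_at,                  # 11.50(a)(2)
        "meaning": meaning,                      # 11.50(a)(3)
        "record_sha256": record_digest(record),  # the link to this record
    }
    return dict(manifest, mac=_mac(signer_key, manifest))


def verify_signature(record, signature, signer_key):
    fields = {k: v for k, v in signature.items() if k != "mac"}
    # Any edit to name, time, meaning or the linked digest breaks the MAC.
    if not hmac.compare_digest(signature.get("mac", ""), _mac(signer_key, fields)):
        return "manifest altered"
    # A valid block moved to a different (or edited) record fails here.
    if fields.get("record_sha256") != record_digest(record):
        return "signature not linked to this record"
    return "ok"


def render(record, signature):
    """Human-readable form that carries the three 11.50(a) items (11.50(b))."""
    return "{}\nSigned by {} on {} ({})".format(
        json.dumps(record, sort_keys=True), signature["printed_name"],
        signature["signed_at"], signature["meaning"])
```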
 
Subpart C--Electronic Signatures



Sec. 11.100 General requirements.

(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.

(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.
 
Sec. 11.200 Electronic signature components and controls.

(a) Electronic signatures that are not based upon biometrics shall:

(1) Employ at least two distinct identification components such as an identification code and password.

(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

(2) Be used only by their genuine owners; and

(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
 
Sec. 11.300 Controls for identification codes/passwords.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.