[Federal Register: March 20, 1997 (Volume 62, Number 54)]
[Rules and Regulations]
[Page 13429-13466]

21 CFR Part 11 - Electronic Records; Electronic Signatures; Final Rule; Electronic Submissions; Establishment of Public Docket; Notice

21 CFR Part 11
[Docket No. 92N-0251]
RIN 0910-AA29

Electronic Records; Electronic Signatures

AGENCY: Food and Drug Administration, HHS.

ACTION: Final rule.

SUMMARY: The Food and Drug Administration (FDA) is issuing regulations that provide criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper. These regulations, which apply to all FDA program areas, are intended to permit the widest possible use of electronic technology, compatible with FDA's responsibility to promote and protect public health. The use of electronic records as well as their submission to FDA is voluntary. Elsewhere in this issue of the Federal Register, FDA is publishing a document providing information concerning submissions that the agency is prepared to accept electronically.

DATES: Effective August 20, 1997. Submit written comments on the information collection provisions of this final rule by May 19, 1997.

ADDRESSES: Submit written comments on the information collection provisions of this final rule to the Dockets Management Branch (HFA-305), Food and Drug Administration, 12420 Parklawn Dr., rm. 1-23, Rockville, MD 20857. The final rule is also available electronically via Internet: http://www.fda.gov.

FOR FURTHER INFORMATION CONTACT: Paul J. Motise, Center for Drug Evaluation and Research (HFD-325), Food and Drug Administration, 7520 Standish Pl., Rockville, MD 20855, 301-594-1089. E-mail address via Internet: Motise@CDER.FDA.GOV, or Tom M. Chin, Division of Compliance Policy (HFC-230), Food and Drug Administration, 5600 Fishers Lane, Rockville, MD 20857, 301-827-0410. E-mail address via Internet: TChin@FDAEM.SSW.DHHS.GOV

SUPPLEMENTARY INFORMATION:

I. Background

In 1991, members of the pharmaceutical industry met with the agency to determine how they could accommodate paperless record systems under the current good manufacturing practice (CGMP) regulations in parts 210 and 211 (21 CFR parts 210 and 211). FDA created a Task Force on Electronic Identification/Signatures to develop a uniform approach by which the agency could accept electronic signatures and records in all program areas. In a February 24, 1992, report, a task force subgroup, the Electronic Identification/Signature Working Group, recommended publication of an advance notice of proposed rulemaking (ANPRM) to obtain public comment on the issues involved.
In the Federal Register of July 21, 1992 (57 FR 32185), FDA published the ANPRM, which stated that the agency was considering the use of electronic identification/signatures, and requested comments on a number of related topics and concerns. FDA received 53 comments on the ANPRM. In the Federal Register of August 31, 1994 (59 FR 45160), the agency published a proposed rule that incorporated many of the comments to the ANPRM, and requested that comments on the proposed regulation be submitted by November 29, 1994. A complete discussion of the options considered by FDA and other background information on the agency's policy on electronic records and electronic signatures can be found in the ANPRM and the proposed rule.

FDA received 49 comments on the proposed rule. The commenters represented a broad spectrum of interested parties: human and veterinary pharmaceutical companies as well as biological products, medical device, and food interest groups, including 11 trade associations, 25 manufacturers, and 1 Federal agency.

II. Highlights of the Final Rule

The final rule provides criteria under which FDA will consider electronic records to be equivalent to paper records, and electronic signatures equivalent to traditional handwritten signatures. Part 11 (21 CFR part 11) applies to any paper records required by statute or agency regulations and supersedes any existing paper record requirements by providing that electronic records may be used in lieu of paper records. Electronic signatures which meet the requirements of the rule will be considered to be equivalent to full handwritten signatures, initials, and other general signings required by agency regulations.

Section 11.2 provides that records may be maintained in electronic form and electronic signatures may be used in lieu of traditional signatures. Records and signatures submitted to the agency may be presented in an electronic form provided the requirements of part 11 are met and the records have been identified in a public docket as the type of submission the agency accepts in an electronic form. Unless records are identified in this docket as appropriate for electronic submission, only paper records will be regarded as official submissions.

Section 11.3 defines terms used in part 11, including the terms: biometrics, closed system, open system, digital signature, electronic record, electronic signature, and handwritten signature.

Section 11.10 describes controls for closed systems, systems to which access is controlled by persons responsible for the content of electronic records on that system.
These controls include measures designed to ensure the integrity of system operations and information stored in the system. Such measures include: (1) Validation; (2) the ability to generate accurate and complete copies of records; (3) archival protection of records; (4) use of computer-generated, time-stamped audit trails; (5) use of appropriate controls over systems documentation; and (6) a determination that persons who develop, maintain, or use electronic records and signature systems have the education, training, and experience to perform their assigned tasks.

Section 11.10 also addresses the security of closed systems and requires that: (1) System access be limited to authorized individuals; (2) operational system checks be used to enforce permitted sequencing of steps and events as appropriate; (3) authority checks be used to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform operations; (4) device (e.g., terminal) checks be used to determine the validity of the source of data input or operation instruction; and (5) written policies be established and adhered to holding individuals accountable and responsible for actions initiated under their electronic signatures, so as to deter record and signature falsification.

Section 11.30 sets forth controls for open systems, including the controls required for closed systems in Sec. 11.10 and additional measures such as document encryption and use of appropriate digital signature standards to ensure record authenticity, integrity, and confidentiality.

Section 11.50 requires signature manifestations to contain information associated with the signing of electronic records. This information must include the printed name of the signer, the date and time when the signature was executed, and the meaning (such as review, approval, responsibility, and authorship) associated with the signature. In addition, this information is subject to the same controls as for electronic records and must be included in any human readable forms of the electronic record (such as electronic display or printout).

Under Sec. 11.70, electronic signatures and handwritten signatures executed to electronic records must be linked to their respective records so that signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

Under the general requirements for electronic signatures, at Sec. 11.100, each electronic signature must be unique to one individual and must not be reused by, or reassigned to, anyone else. Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, the organization shall verify the identity of the individual.
Section 11.200 provides that electronic signatures not based on biometrics must employ at least two distinct identification components such as an identification code and password. In addition, when an individual executes a series of signings during a single period of controlled system access, the first signing must be executed using all electronic signature components and the subsequent signings must be executed using at least one component designed to be used only by that individual. When an individual executes one or more signings not performed during a single period of controlled system access, each signing must be executed using all of the electronic signature components.

Electronic signatures not based on biometrics are also required to be used only by their genuine owners and administered and executed to ensure that attempted use of an individual's electronic signature by anyone else requires the collaboration of two or more individuals. This would make it more difficult for anyone to forge an electronic signature. Electronic signatures based upon biometrics must be designed to ensure that such signatures cannot be used by anyone other than the genuine owners.

Under Sec. 11.300, electronic signatures based upon use of identification codes in combination with passwords must employ controls to ensure security and integrity. The controls must include the following provisions: (1) The uniqueness of each combined identification code and password must be maintained in such a way that no two individuals have the same combination of identification code and password; (2) persons using identification codes and/or passwords must ensure that they are periodically recalled or revised; (3) loss management procedures must be followed to deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification codes or password information; (4) transaction safeguards must be used to prevent unauthorized use of passwords and/or identification codes, and to detect and report any attempt to misuse such codes; (5) devices that bear or generate identification codes or password information, such as tokens or cards, must be tested initially and periodically to ensure that they function properly and have not been altered in an unauthorized manner.