Signing On for Global Security


Horizons

GUEST COMMENTARY | Laura Robinson 

July 14, 2004 | As life science companies rely more on digital documents and increasingly provide access to these files electronically, meeting the rules governing information security is essential to doing business internationally.

A good start is to compare two documents that govern pharmaceutical industry data in the United States and Europe: the FDA's "Guidance for Industry Regarding Part 11, Electronic Records; Electronic Signatures — Scope and Application"; and the Pharmaceutical Inspection Convention's Pharmaceutical Inspection Cooperation Scheme (PIC/S), "PIC/S Guidance: Good Practices for Computerized Systems in Regulated 'GxP' Environments."

The PIC/S guidance is based on the collaboration of international regulatory agencies, mostly from Europe. It is not an actual regulation, but rather is intended to serve as a reference for investigators and regulated users. Regulations governing medicinal products in the European Union include "Directives for Good Manufacturing Practices (GMP)," which contains "Annex 11: Computerized Systems," basically Part 11's European cousin.

It is clear from both Part 11 and PIC/S that a worldwide approach to meeting security requirements would include risk assessment as a central focus. Decisions regarding the implementation of security measures should be based on a justified and documented risk assessment, as stressed in both of these publications. The Society for Life Sciences Professionals' white paper on a risk-based approach serves as a good reference (see www.ispe.org).

The objective of Annex 11 is to ensure that as computerized systems replace manual systems, product quality does not decrease — which parallels Part 11's objective that electronic records be trustworthy, reliable, and essentially equivalent to paper records. Many of the requirements for Annex 11 can be easily mapped to those for Part 11, generally allowing a company to develop a unified approach to meeting both. However, Annex 11 does not cover electronic signatures.

For electronic signatures, the PIC/S refers to the E.U.'s 99/93/EC Directive on Electronic Signatures. The E.U. developed this directive to pave the way for e-commerce by ensuring that all member states accept e-signatures as legal and establish standards for them. As with all E.U. directives, each member state must implement corresponding national legislation.

The directive makes a distinction between an electronic signature, which can use any authentication method, and an advanced electronic signature, which is created using a qualified digital certificate. Under the directive, an electronic signature cannot be denied legal validity simply because it is electronic, but it can be denied legal validity if the underlying security is deemed insufficient to make it trustworthy. However, an advanced electronic signature receives the same legal value as a handwritten signature. The rules cover specific requirements for advanced electronic signatures, including the contents of the digital certificates and the operations of the certification service providers (CSPs), the organizations that issue the certificates.

How does this compare with Part 11? Under Part 11, electronic signatures are broadly defined and therefore can be based on various authentication technologies. As long as the specific controls are met, electronic signatures would be considered equivalent to those that are handwritten. However, for open systems such as the Internet, the FDA advises that additional measures such as digital signatures (or what the E.U. would call advanced electronic signatures) be taken.

European and U.S. regulations paint only part of the picture. Global life science companies must also meet regulations from other areas, such as Asia. Countries in this region tend to have industrywide regulations, such as Japan's Electronic Signatures and Certification Services Law (2001) and Singapore's Electronic Transactions Act (1998). Most of the Asian laws are based partly on the United Nations Commission on International Trade Law (UNCITRAL) Model of Electronic Commerce and Electronic Signatures; they have specific provisions for establishing the legal validity, enforceability, and admissibility of electronic signatures, and they provide for the licensing and regulation of certificate authorities. Many of these laws draw a distinction similar to the E.U.'s between electronic signatures and advanced electronic signatures.

A comprehensive approach to complying with e-signature regulations globally requires implementing digital signatures that are created with digital certificates and their underlying technology, public key infrastructure (PKI). This would satisfy international regulations for electronic signatures that are considered the legal equivalent of handwritten ones.
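As an added illustration that is not part of the original commentary, the Go program below shows what a certificate-based digital signature, the kind the directive calls an advanced electronic signature, actually binds together: a record, the signer's private key, and a certificate that chains to a trusted certification service provider. The "Constructed CSP Root" and "Constructed Signer" certificates, the signed batch record, and the function names are all constructed for the example; in a real deployment the certificate would be issued by a CSP and the private key held in a smart card or HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer pairs a private key with the certificate issued for it. Both are
// constructed locally here; a CSP would issue the certificate in practice.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newCert issues a certificate for pub, signed with issuerKey. With parent == nil
// the certificate is self-signed, standing in for the CSP's root certificate.
func newCert(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SetupPKI builds a constructed CSP root and one signer certificate issued under it.
// It returns the trust anchors a relying party would hold and the signer's material.
func SetupPKI() (*x509.CertPool, *Signer, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := newCert("Constructed CSP Root", true, &caKey.PublicKey, nil, caKey)
	if err != nil {
		return nil, nil, err
	}
	sigKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sigCert, err := newCert("Constructed Signer", false, &sigKey.PublicKey, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, &Signer{Key: sigKey, Cert: sigCert}, nil
}

// Sign hashes the record with SHA-256 and signs the digest with the signer's key.
func (s *Signer) Sign(record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
}

// Verify performs the two checks a relying party needs: the certificate chains to
// a trusted CSP root, and the signature matches the record under the public key
// that certificate carries. Either failure rejects the signature.
func Verify(roots *x509.CertPool, cert *x509.Certificate, record, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(record)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match record")
	}
	return nil
}

func main() {
	roots, signer, err := SetupPKI()
	if err != nil {
		panic(err)
	}
	record := []byte("batch 0042: released by QA on 2004-07-14") // constructed record
	sig, _ := signer.Sign(record)
	fmt.Println("original record:", Verify(roots, signer.Cert, record, sig))
	fmt.Println("altered record: ", Verify(roots, signer.Cert, []byte("batch 0042: rejected"), sig))
	_, stranger, _ := SetupPKI() // certificate from an issuer the verifier does not trust
	fmt.Println("untrusted cert: ", Verify(roots, stranger.Cert, record, sig))
}
```

The three checks in `main` are the ones that distinguish this from a bare "electronic signature" in the directive's sense: a changed record fails, and a certificate from an issuer outside the verifier's trust anchors fails even though its key is perfectly valid. The certificate contents and issuer requirements the directive places on CSPs map onto the `roots` pool and the certificate fields that `newCert` fills in.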



Laura Robinson is life sciences industry analyst for RSA Security, developer of e-security technologies and products.





