

Trusting Your Documents

Learning from the Pharmaceutical Industry About Accountability and Trust in Electronic Documents

Bill Zoellick
November, 2001


The Food and Drug Administration is now enforcing regulations designed to ensure that electronic documents coming from the industries that it regulates are correct and authentic.  The focus is on using electronic signature technologies and good management practices to retain individual accountability throughout the entire lifespan of long-lived, complex documents.  There is much that other companies involved in the creation of complicated, collaboratively authored design documents or long-lived records of manufacturing practices can learn from the FDA initiative.


Between 1857 and 1860 a fugitive slave using the name Hannah Crafts wrote the manuscript for a novel that she called The Bondswoman's Narrative.  She used a quill pen to write the 300 pages and then bound the pages together using sewing thread. The novel, a combination of autobiography and fiction, was never published.  Before the Civil War, publishing the novel could have led to the author's capture and return to the plantation.  After the war the market for writing by slaves had dried up.  So, for 140 years the manuscript remained unpublished and ignored.

This past year Henry Louis Gates Jr., the chairman of the African-American studies department at Harvard University, purchased the manuscript for less than $10,000.  In April of 2002 The Bondswoman's Narrative will be published by Warner Books, featured as the company's most prominent title of the season.

One of the key elements in this story -- a step that made it possible for Warner Books to lavish so much attention on this manuscript -- was the determination that the manuscript is authentic.  Two experts on literary forgeries examined the work and have reported that it is, in fact, a manuscript that was written sometime between 1853 and 1860.  The research into authenticity looked at the content of the writing, including spelling, sentence structure, vocabulary, and historical references.  It also relied on a close look at physical characteristics, such as the author's handwriting, the makeup of the ink, the quality of the paper, the kind of eraser that was used to make corrections, and the kind of thread used to stitch the home-made binding.

I wrote the manuscript for my most recent book, CyberRegs, using an HTML editor.  I prepared and submitted the complete, final manuscript to Addison-Wesley, my publisher, as a Web site available on the Internet. Someone rediscovering my digital manuscript 140 years from now would probably have a much more difficult time establishing authenticity than did Warner Books and Henry Louis Gates Jr.

The problem is that, unless one uses signature and encryption technologies to establish integrity and authenticity, it is harder to be sure that you can trust information coming to you as digital bits instead of atoms making up a photograph or a printed page.  This is not just a problem of historical authentication -- it also applies to anyone who needs confidence in the authenticity and accuracy of digital records and documents in general.  If you receive a signed contract electronically, you want to be sure that what you have got is actually the contract that the other party signed.  If you are monitoring manufacturing processes electronically, you want to know that the electronic logs have not been altered and that you can trace machine performance back to the person responsible for it.  If you receive a research report or design document in electronic form, you want the authors of the report to be able to stand behind the results as they appear on your computer screen.  Establishing such confidence in electronic records can be difficult.

This is precisely the problem confronted by the Food and Drug Administration (FDA) as it attempts to rely on the enormous collections of data, reports, and analysis that are used in approving new drugs and in ensuring that the manufacture of drugs is safe.  In an age of digital records, how can the FDA be sure that data collected five years ago has not been changed, either accidentally, for example through data conversion processes, or intentionally, with a view toward presenting a better result?  Just as important, how can the FDA continue to maintain individual accountability for each clinician reporting on a case in drug trials, for each operator charged with monitoring the quality of the manufacturing process, and for the thousands of other people who, ultimately, are each responsible for drug and food safety?

The FDA first started looking seriously at this question in early 1991, long before use of electronic documents and electronic data collection was routine throughout the industry.  The initial focus was narrow, asking how companies could use electronic signatures to authenticate data and documents.  In 1992 the agency published some proposed rules and asked for comments.  In a striking demonstration of just how much business practices have changed in the last decade, the agency received only 49 comments on the proposed rule.  In the early 1990s, use of electronic records and documents apparently seemed irrelevant to the concerns of most of the thousands of companies involved in the research and manufacture of drugs, medical devices, and food additives.

The agency considered the 49 comments, talked with other agencies, and continued to monitor technology developments.  The people studying the issue broadened their focus a bit to include the processes by which electronic records are created and maintained.  The FDA finally published its Final Rule on Electronic Records and Electronic Signatures, issued as 21 CFR Part 11 and published in the Federal Register on March 20, 1997.  But at that time companies and federal agencies were consumed with preparations for Y2K.  So, the FDA instituted a grace period during which pharmaceutical companies could continue creating and using electronic records without worrying about the new regulations.  That's just what most companies did. They continued doing things such as collecting laboratory data electronically, using Palm Pilots to collect data in clinical trials, and using electronic document management to collect and organize their research, all without giving much thought to the FDA's concern that documents are demonstrably authentic and correct.

In hindsight, this might have been a mistake. At a recent seminar on implementing 21 CFR Part 11, one laboratory director noted that, of the 100 chromatographs that his laboratory has purchased over the past several years, only 3 of them are equipped to keep the kind of signed audit trail information required by the new regulations.  Some industry observers expect that the overall expense and impact of 21 CFR Part 11 on food, drug, and medical device manufacturers will be greater than that of Y2K preparations.  At the same time, there is still little understanding of the overall problem -- many people in the industry still believe that, by keeping the paper records and ignoring all the electronic records, they can meet FDA requirements.  (They are wrong. To use an analogy, keeping the cake and throwing away the recipe will not assure the FDA that the cake is edible.)

Although the principal impact of 21 CFR Part 11 is on companies in the food, drug, and medical device industries, this is also an important story for companies outside those industries.  There are several reasons for this.

The interesting (and difficult) thing that the FDA is trying to do is preserve an audit trail, with individual accountability, throughout the life of very complex, long-lived documents such as new drug applications and manufacturing process records. At a high level it is clear that digital signatures are ideal for this work, since they create a unique binding of some particular content -- data and/or documents -- with an individual's signature key.  But the devil is in the details, as always.  How does a company manage signature keys over the thirty-year life of some documents?  How does one administer passwords for the signatures in a way that provides strong confidence that no one is using someone else's signature?  What is the potential for using biometric signature mechanisms?  How should a company combine digital identification with encryption in a way that both protects information and allows authorized access thirty years from now?  Any industry managing complex manufacturing processes or long collaborative development efforts will find that there is a lot to learn from pharmaceutical companies as they address issues of accountability and confidence in electronic documents.
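The binding of content to an individual's key, and the audit trail built from it, can be sketched as a chain of signed entries; this is an added example, not code from the article or from the FDA rule. It assumes constructed signer names, keys and record text, and an HMAC under a per-person secret stands in for a true public-key signature, which a real system would use so that verifiers never hold signing keys.

```python
import hashlib
import hmac
import json

# Constructed per-person keys (assumption: each stands in for a signer's private key).
KEYS = {"clinician_a": b"constructed-key-a", "operator_b": b"constructed-key-b"}
GENESIS = "0" * 64  # value chained into the first entry


def _signed_bytes(entry):
    # Canonical bytes covering who signed, what they signed, and what came before.
    body = {k: entry[k] for k in ("signer", "content", "prev")}
    return json.dumps(body, sort_keys=True).encode()


def append(trail, signer, content):
    # Each entry commits to the previous entry's signature, forming a chain.
    prev = trail[-1]["sig"] if trail else GENESIS
    entry = {"signer": signer, "content": content, "prev": prev}
    entry["sig"] = hmac.new(KEYS[signer], _signed_bytes(entry), hashlib.sha256).hexdigest()
    trail.append(entry)
    return entry


def verify(trail):
    """Return the index of the first entry that fails, or -1 if the trail is intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        key = KEYS.get(entry["signer"])
        if key is None or entry["prev"] != prev:
            return i  # unknown signer, or an entry was removed or reordered
        expected = hmac.new(key, _signed_bytes(entry), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["sig"]):
            return i  # content or attribution changed after signing
        prev = entry["sig"]
    return -1


def demo():
    trail = []  # constructed sample records
    append(trail, "clinician_a", "case 17: dose 5 mg, no adverse event")
    append(trail, "operator_b", "batch 42: temperature within limits")
    append(trail, "clinician_a", "case 17: follow-up normal")
    altered = [dict(e) for e in trail]
    altered[0]["content"] = "case 17: dose 50 mg, no adverse event"
    reattributed = [dict(e) for e in trail]
    reattributed[1]["signer"] = "clinician_a"
    removed = trail[:1] + trail[2:]
    return verify(trail), verify(altered), verify(reattributed), verify(removed)
```

Verification only shows that a record is unchanged and which key produced it; whether that key was used by the right person, and whether it can still be checked decades later, are the key-management questions raised above.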

The companies regulated by the FDA are working at the frontiers of one of the two key problems facing any company that wishes to be sure that an electronic document really contains the words and data that its creator intended.  The FDA is focusing on complex, long-lived, collaboratively created documents.  But, in most cases, the people creating these documents are known to the companies that rely on the documents and are controlled by those companies.  The digital signatories are employees, contractors, employees of a business partner, or members of some other closed, well-defined group.

The fact that the documents that the FDA is worried about are generally created within closed systems makes it easier to recognize and trust the digital signatures that they contain.  A drug, food, or medical device company can reasonably expect to set up and maintain (through internal means or through outsourcing) its own database of trusted signatures.  Viewed graphically, the FDA and the companies that it regulates are generally working out on the far end of the horizontal axis in the figure below, taking on the problem of long-lived, complex documents, but avoiding the problems associated with open systems, where signatories are not directly controlled.

Not every company that might want to use digital signatures to establish confidence in electronic communications has the luxury of working with groups that it controls.  To take just one example, law firms wanting to send and receive secure, signed communications electronically will typically have to be able to work with signatures from many other people and other companies and will not be able to audit all the systems used to create those signatures.

The work that the FDA and companies regulated by the FDA are doing in the area of creating trustworthy documents, so that document creators are both protected and accountable, will teach us a lot about the practice of trusted communications within the lower right domain in this graph.  Readers who want to follow this work more closely should look at the sites referenced below, as well as relying on periodic communications from us at Fastwater.

As for work on trusted electronic communications in systems that are more open, we will look at those issues in a future Fastwater article.

References on 21 CFR Part 11

 

