21 CFR Pt. 11 Compliance with Electronic Signatures
In 21 CFR Part 11, the Food and Drug Administration (FDA) establishes its requirements for electronic records and signatures. The regulation is intended to permit the widest possible use of the technology, while ensuring the integrity and security of electronic records and signatures, ultimately supporting the Food and Drug Administration’s responsibility to protect the public health.
DocuSign eSignature is used by pharmaceutical and medical device companies to meet a range of compliance requirements, including those set forth in the Code of Federal Regulations Title 21 Part 11.
We have a complete guide to CFR Part 11 and electronic signatures with examples of how eSignature satisfies the requirements.
Here we’ll summarize subpart C of CFR Title 21 Part 11, which outlines requirements related to the use of electronic signatures.
What is 21 CFR Part 11?
Title 21 CFR Part 11 establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures. It is a portion of Title 21 of the Code of Federal Regulations.
Part 11 of the code applies to records in electronic form that are created, modified, maintained, archived, retrieved, transmitted or submitted, under any records requirements set forth by FDA regulations or predicate rules.
Who is required to be compliant with 21 CFR Part 11?
Organizations that are subject to 21 CFR Part 11 are those regulated by the FDA and/or engage in activities related to FDA-regulated products. They typically include the following industries:
- Pharmaceutical companies
- Biotechnology companies
- Medical device manufacturers
- Contract research organizations (CROs)
- Contract manufacturing organizations (CMOs)
- Clinical laboratories
- Food and beverage manufacturers
- Cosmetics manufacturers
Although not all activities within these industries are regulated, it’s likely that some common activities do require compliance, and that the tools they use be compatible with requirements.
What does 21 CFR Part 11 require for electronic signatures?
The FDA allows electronic signatures to be used in place of pen and ink signatures on paper documents so that business can be conducted digitally. In order to be compliant electronic signatures must include:
- The printed name of the signer
- The date and time the signature was executed
- A unique user ID
- Digital adopted signature
- The meaning of the signature (labeled “signing reason”)
The FDA also issued a guidance paper “Part 11, Electronic Records; Electronic Signatures — Scope and Application” to provide further clarification on electronic records and electronic signatures.
What are the other requirements for electronic signatures?
Below are the requirements as outlined in subpart C on electronic signatures:
- Each electronic signature must be unique to one individual and not reused by, or reassigned to, anyone else. Subsection 11.100(a)
- The identity of the individual must be verified before establishing, assigning, certifying or otherwise sanctioning the individual’s electronic signature, or any element of such electronic signature. Subsection 11.100(b)
- Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be legally binding equivalent of traditional handwritten signatures. Subsection 11.100(c)
- Persons using electronic signatures must, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer’s handwritten signature. Subsection 11.100(c.2)
- Electronic signatures that are not based upon biometrics must employ at least two distinct identification components, such as an identification code and password. Subsection 11.200 (a)(1)
- When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing must be executed using all electronic signature components. Subsequent signings must be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. Subsection 11.200 (a)(1)(i)
- When an individual executes one or more signings not performed during a single period of controlled system access, each signing must be executed using all of the electronic signature components. Subsection 11.200 (a)(1)(ii)
- The uniqueness of each combined identification code and password must be maintained such that no two individuals have the same combination of identification code and password. Subsection 11.300(a)
- Identification code and password issuances must be periodically checked, recalled or revised (e.g., to cover such events as password aging). Subsection 11.300(b)
- Loss management procedures must be followed to electronically deauthorize lost, stolen, missing or otherwise potentially compromised tokens, cards and other devices that bear or generate identification code or password information. The system must issue temporary or permanent replacements using suitable, rigorous controls. Subsection 11.300(c)
- The system must use transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use. Subsection 11.300(d)
- A procedure must be in place for initial and periodic testing of devices such as tokens or cards that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. Subsection 11.300(e)
DocuSign’s modules for 21 CFR Part 11 compliance
The DocuSign Part 11 module is a product enhancement available for DocuSign’s life science customers who may be impacted by the requirements in 21 CFR Part 11. It features capabilities designed for documents and approvals regulated by 21 CFR Part 11, including:
- Prepackaged account configuration
- Signature-level credentialing
- Signature-level meaning (signing reason)
- Signature manifestation (printed name, date/time and signing reason)
For more examples of how DocuSign solutions help businesses stay compliant, read our complete guide to CFR Part 11 and electronic signatures.