21 CFR Pt. 11 Compliance with Electronic Signatures
In 21 CFR Part 11, the Food and Drug Administration (FDA) establishes its requirements for electronic records and signatures. These regulations, which apply to all FDA program areas, were intended to permit the widest possible use of electronic technology, compatible with FDA's responsibility to protect the public health.
The DocuSign Agreement Cloud is used by pharmaceutical and medical device companies to meet a range of compliance requirements, including those set forth in the Code of Federal Regulations Title 21 Part 11.
We have a complete guide to CFR Part 11 and electronic signatures with examples of how DocuSign solutions satisfy requirements.
Here we’ll summarize subpart C of CFR Title 21 Part 11, which outlines requirements related to the use of electronic signatures.
What is 21 CFR Part 11?
Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration regulations on electronic records and electronic signatures.
The term “Part 11” applies to records in electronic form that are created, modified, maintained, archived, retrieved, transmitted or submitted, under any records requirements set forth by the FDA regulations/predicate rules.
Life science organizations and device manufacturers regulated by the FDA are required to follow the Code of Federal Regulations Title 21 Part 11.
The FDA also issued a guidance paper “Part 11, Electronic Records; Electronic Signatures — Scope and Application” to provide further clarification on electronic records and electronic signatures.
What does 21 CFR Part 11 require related to electronic signatures?
The FDA allows electronic signatures to be used in place of pen-and-ink signatures on paper documents so that business can be conducted digitally. In order to be compliant, electronic signatures must include:
- The printed name of the signer
- The date and time the signature was executed
- A unique user ID
- An adopted digital signature
- The meaning of the signature (labeled “signing reason”)
What are the other requirements for electronic signatures?
Below are the requirements as outlined in subpart C on electronic signatures:
Each electronic signature must be unique to one individual and not reused by, or reassigned to, anyone else. Subsection 11.100(a)
The identity of the individual must be verified before establishing, assigning, certifying or otherwise sanctioning the individual’s electronic signature, or any element of such electronic signature. Subsection 11.100(b)
Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. Subsection 11.100(c)
Persons using electronic signatures must, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer’s handwritten signature. Subsection 11.100(c)(2)
Electronic signatures that are not based upon biometrics must employ at least two distinct identification components, such as an identification code and password. Subsection 11.200(a)(1)
When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing must be executed using all electronic signature components. Subsequent signings must be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. Subsection 11.200(a)(1)(i)
When an individual executes one or more signings not performed during a single period of controlled system access, each signing must be executed using all of the electronic signature components. Subsection 11.200(a)(1)(ii)
The uniqueness of each combined identification code and password must be maintained such that no two individuals have the same combination of identification code and password. Subsection 11.300(a)
Identification code and password issuances must be periodically checked, recalled or revised (e.g., to cover such events as password aging). Subsection 11.300(b)
Loss management procedures must be followed to electronically deauthorize lost, stolen, missing or otherwise potentially compromised tokens, cards and other devices that bear or generate identification code or password information. The system must issue temporary or permanent replacements using suitable, rigorous controls. Subsection 11.300(c)
The system must use transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use. Subsection 11.300(d)
A procedure must be in place for initial and periodic testing of devices such as tokens or cards that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. Subsection 11.300(e)
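The following is an added example, not DocuSign's code, showing how a signing service can enforce the Subpart C controls above: it assumes the two signature components of 11.200(a)(1) are a user ID and a password, represents a "continuous period of controlled system access" as a session token issued at the first signing, records the manifestation items listed earlier (printed name, date/time, user ID, signing reason), and reports rejected attempts as 11.300(d) requires.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

class SigningService:
    def __init__(self):
        self._users = {}     # user_id -> (salt, password_hash, printed_name)
        self._sessions = {}  # session token -> user_id during controlled access
        self.manifest = []   # executed signatures with the manifestation items
        self.alerts = []     # rejected attempts to report (11.300(d))

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, printed_name, password):
        # 11.100(a) / 11.300(a): an ID, hence the ID/password pair, belongs to one person.
        if user_id in self._users:
            raise ValueError(f"user ID {user_id!r} is already assigned")
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._hash(salt, password), printed_name)

    def _verify(self, user_id, password):
        rec = self._users.get(user_id)
        if rec is None:
            return False
        return hmac.compare_digest(self._hash(rec[0], password), rec[1])

    def sign(self, document, reason, password, user_id=None, session=None):
        # 11.200(a)(1)(i): inside a session the ID is already bound, so only the secret
        # component is re-entered; (ii): with no session, all components are required.
        if session is not None:
            user_id = self._sessions.get(session)  # None if the session has ended
        if user_id is None or not self._verify(user_id, password):
            self.alerts.append({"document": document, "user_id": user_id,
                                "time": datetime.now(timezone.utc).isoformat()})
            raise PermissionError("signature components rejected; attempt reported")
        if session is None:  # first signing of a new controlled-access period
            session = secrets.token_urlsafe(16)
            self._sessions[session] = user_id
        record = {"printed_name": self._users[user_id][2], "user_id": user_id,
                  "signed_at": datetime.now(timezone.utc).isoformat(),
                  "document": document, "reason": reason}
        self.manifest.append(record)
        return record, session

    def end_session(self, session):
        self._sessions.pop(session, None)  # later signings need all components again
```

The constructed user and documents below exist only to exercise the policy; a real deployment would persist the manifest and alerts to a tamper-evident audit trail.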
DocuSign’s Life Sciences Modules for Part 11
The good news is that modern cloud technologies are not only easier to use and implement but can be far simpler to validate. Life sciences leaders can make technology investments that support their current workflow and set them up for future growth—while choosing tools that meet requirements for regulatory compliance.
The DocuSign Part 11 module is a product enhancement available to DocuSign’s life science customers. It includes additional security and controls, resulting in a different signing experience relative to non-regulated use cases.
The DocuSign Life Sciences Modules contain capabilities designed for documents and approvals regulated by 21 CFR Part 11, including:
- Prepackaged account configuration
- Signature-level credentialing
- Signature-level meaning (signing reason)
- Signature manifestation (printed name, date/time and signing reason)