The Dotted Line: 3 Essential Requirements of Electronic Signatures Under CFR 21 Part 11

NOTE: I am not an attorney. You should always consult an attorney and your Regulatory Department for advice on regulatory compliance. This information is based on my experience as an IT professional implementing electronic signature systems for Biotech and Life Sciences companies.

Biotech and Life Science IT departments and managed IT services companies must implement electronic signature systems that comply with the CFR 21 Part 11 regulation. This regulation is designed to, amongst other things, ensure the FDA can trust the validity of an electronic signature on a document that is part of a regulatory filing.

Put in the language of the CFR 21 Part 11 regulation, this means that records and signatures are considered “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.” Let’s look at 3 components of the electronic signature that go toward meeting this requirement:

  1. It was signed by the person whose signature appears: In Adobe Acrobat, for example, you can create a self-signed electronic signature. The problem is that there is no independent verification that the signature is actually from the purported signer. You don’t need a password to create or use such an electronic signature, and you can create an electronic signature for any name.

    So, just signing using Adobe Acrobat’s built-in electronic signatures is not enough. The electronic signature solution must have some sort of identity verification. The system can use biometrics to uniquely identify the user, or two distinct identifiers such as a user ID and password. And the regulation specifies that the signature must be unique to a single user – no sharing or reusing of accounts. The regulation also specifies procedural controls to protect the validity of the signature and the ability to deauthorize lost or stolen passwords.

  2. The electronic signature was signed at the time and date it says it was signed: The time and date a document was signed is a key part of the information the FDA may rely on to approve a drug, so the FDA must be able to trust that the time/date stamp in the signature is correct. If your electronic signature program takes the time and date from your computer clock, the computer must have its clock synchronized to a recognized standard clock. The time and date or time zone should not just be set locally by the user (who could easily change it). That is why CFR 21 Part 11-compliant electronic signature systems reference an external time source that the signer cannot alter or affect.
  3. The document was not altered after the electronic signature was applied: Document Management and Quality Management Systems (such as Montrium or Veeva Vault QMS) have audit trails built in so that the FDA can know whether the electronic signature belongs to the version of the document they are working with. Outside electronic signature solutions similarly have to "lock" the document and cryptographically sign it so that any change to the document will invalidate the signature.
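
To make points 2 and 3 concrete, here is an added example (not code from DocuSign, Adobe Sign or any other product named in this article) of a signing service that binds the signer, a service-supplied timestamp and the document digest under one Ed25519 signature. The `Manifest` fields, the `jdoe` account and the sample record are assumptions made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the signed statement (hypothetical field names).
type Manifest struct {
	SignerID  string `json:"signer_id"`  // unique account, verified at login
	SignedAt  string `json:"signed_at"`  // service clock, never the signer's PC
	DocSHA256 string `json:"doc_sha256"` // digest of the exact bytes signed
}

// Sign binds signer, time and document digest under the service's private key.
func Sign(priv ed25519.PrivateKey, signer string, at time.Time, doc []byte) (Manifest, []byte) {
	m := Manifest{signer, at.UTC().Format(time.RFC3339), fmt.Sprintf("%x", sha256.Sum256(doc))}
	payload, _ := json.Marshal(m)
	return m, ed25519.Sign(priv, payload)
}

// Verify needs only the public key; it returns nil when nothing was altered.
func Verify(pub ed25519.PublicKey, m Manifest, sig, doc []byte) error {
	payload, _ := json.Marshal(m)
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("manifest altered or not signed by this key")
	}
	if m.DocSHA256 != fmt.Sprintf("%x", sha256.Sum256(doc)) {
		return errors.New("document changed after signing")
	}
	return nil
}

// Demo signs a constructed record, then checks three cases:
// untouched, document edited, signing time backdated.
func Demo() (intact, edited, backdated error) {
	pub, priv, _ := ed25519.GenerateKey(nil)         // nil selects crypto/rand
	doc := []byte("Batch record 0042: assay passed") // constructed sample
	m, sig := Sign(priv, "jdoe", time.Date(2024, 1, 15, 14, 30, 0, 0, time.UTC), doc)
	intact = Verify(pub, m, sig, doc)
	edited = Verify(pub, m, sig, []byte("Batch record 0042: assay failed"))
	m.SignedAt = "2024-01-01T09:00:00Z" // backdating attempt
	backdated = Verify(pub, m, sig, doc)
	return
}

func main() { fmt.Println(Demo()) }
```

Because the timestamp sits inside the signed payload, changing it breaks the signature just as editing the document does, and a reviewer can check both with only the public key.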

Popular Electronic Signature Systems: DocuSign and Adobe Sign (formerly EchoSign) are 2 of the leading cloud-based products Biotech and Life Science companies use for CFR 21 Part 11 compliant signatures. Some Biotech IT systems, such as Quality Management Systems that require compliant electronic signatures, will embed a version of one of these products in their systems rather than develop their own. While cloud-based solutions such as these are widely used, there are alternatives such as solutions that use USB tokens with embedded certificates.

No such thing as a compliant solution: One last note – no electronic signature system by itself is “CFR 21 part 11 compliant”. That is because there are processes and controls you, the Biotech or Life Science company, must follow in order to be compliant. The electronic signature system needs to have certain characteristics to enable you to be CFR 21 part 11 compliant. But if you don’t put the proper controls in place you will not be compliant no matter what system you use.

An experienced Biotech and Life Sciences managed IT services firm like GizmoFish will be able to help you select and implement a CFR 21 part 11-compliant electronic signature system that will withstand regulatory scrutiny.

GizmoFish is a Boston-based Managed Service Provider dedicated to meeting the unique and evolving needs of clients across all industries. If you need IT assistance that understands the unique characteristics of the Biotech and Life Science industries, contact us at 617-965-6800. We keep your business healthy, so that you can keep your customers healthy.