What is 21 CFR Part 11 Compliance Certification?

In Title 21 of the Code of Federal Regulations, Part 11 (21 cfr part 11), the U.S. Food and Drug Administration (FDA) established compliance requirements for electronic records and electronic signatures. This regulation aims to allow organizations to use electronic technology as broadly as possible while ensuring the integrity and security of electronic records and electronic signatures, thereby supporting the FDA's responsibility to protect public health.

Docusign eSignature is widely used by pharmaceutical and medical device companies to meet multiple compliance requirements, including 21 CFR Part 11.

This article will focus on summarizing the contents of Subpart C of 21 CFR Part 11, which specifically sets forth the requirements for the use of electronic signatures.

What is 21 CFR Part 11?

Title 21 of the Code of Federal Regulations, Part 11 (Title 21 CFR Part 11) is the U.S. FDA's regulatory code for electronic records and electronic signatures. It is a part of Title 21 of the Code of Federal Regulations.

This regulation applies to all records in electronic form that are created, modified, maintained, archived, retrieved, transmitted, or submitted, provided these records fall under the scope of FDA regulations or related statutory requirements.

Who Needs to Comply with 21 CFR Part 11?

Organizations required to comply with 21 CFR Part 11 are typically those regulated by the FDA or engaged in activities related to FDA-regulated products. Common industries include:

• Pharmaceutical companies

• Biotechnology companies

• Medical device manufacturers

• Contract Research Organizations (CRO)

• Contract Manufacturing Organizations (CMO)

• Clinical laboratories

• Food and beverage production enterprises

• Cosmetics manufacturers

Although not all business activities within these industries are regulated by the FDA, many common operations do require compliance with Part 11 requirements, while also demanding that the tools utilized possess compliance capabilities.

21 CFR Part 11 Requirements for Electronic Signatures

The FDA allows companies to use electronic signatures instead of traditional handwritten signatures on paper documents, thereby enabling the digital operation of business. To meet regulatory requirements, an electronic signature must include the following information:

• Printed name of the signer

• Date and time of execution

• Unique user ID

• Digitized form of the signature

• Meaning of the signature (i.e., the "reason for signing")

Furthermore, the FDA has issued a guidance document titled "Part 11, Electronic Records; Electronic Signatures — Scope and Application", which further clarifies the scope and requirements for applying electronic records and electronic signatures.

Other Compliance Requirements for Electronic Signatures

According to Subpart C of 21 CFR Part 11, electronic signatures must also satisfy the following conditions:

• Each electronic signature must be unique to one individual and must not be reused by, or reassigned to, anyone else. (11.100(a))

• Before establishing, assigning, certifying, or otherwise sanctioning an individual's electronic signature, the organization must verify the identity of the signer. (11.100(b))

• Persons using electronic signatures shall, prior to or at the time of such use, certify to the FDA that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (11.100(c))

• The FDA may request organizations to provide additional certification or testimony confirming that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature. (11.100(c.2))

• Electronic signatures not based upon biometrics must employ at least two distinct identification components (such as an identification code and password). (11.200(a)(1))

• When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing must use all electronic signature components; subsequent signings may use a single signature component that can only be executed by that individual. (11.200(a)(1)(i))

• When an individual executes signings not performed during a single, continuous period of controlled system access, each signing must use all electronic signature components. (11.200(a)(1)(ii))

• Each combination of an identification code and password must maintain uniqueness and cannot be reused. (11.300(a))

• Identification codes and passwords must be periodically checked, recalled, or revised (e.g., handling password expirations). (11.300(b))

• Loss management procedures must be established to electronically deauthorize lost, stolen, or potentially compromised tokens, cards, etc., and to issue temporary or permanent replacements using strict, rigorous controls. (11.300(c))

• The system must possess transaction security mechanisms to prevent unauthorized use of passwords or identification codes, and to immediately detect and report attempts at unauthorized use. (11.300(d))

• Procedures must be established to periodically test devices used to generate identification codes or passwords (such as tokens or cards) to ensure they function properly and have not been altered. (11.300(e))

Docusign's 21 CFR Part 11 Compliance Module

Docusign provides a dedicated Part 11 module for life sciences industry clients to help them meet 21 CFR Part 11 compliance requirements. This module includes the following features:

• Pre-configured account settings: Simplifies system configuration to align with regulatory standards.

• Signature-level credential validation: Ensures signer identity verification complies with regulations.

• Signature reason capturing: Records the purpose of the signature during each signing event.

Signature formatting/display: Automatically displays the signer's printed name, date/time, and reason for signing.