Title 21 Code of Federal Regulations, Part 11

21 Code of Federal Regulations

Title 21 CFR Part 11 is part of the Code of Federal Regulations (“CFR”), which is established by the Food and Drug Administration (“FDA”) and provides requirements for electronic records and electronic signatures. Code of Federal Regulations Title 21 Part 11 aims to ensure that electronic documents or records and electronic signatures can be trusted as much as paper records and ink signatures (wet signatures).

Life science organizations and device manufacturers that the FDA regulates must follow 21 CFR Part 11.


Electronic Records

An electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system. As mentioned above, the purpose of 21 CFR Part 11 is to ensure that electronic records and electronic signatures can be trusted as much as paper records and ink signatures. Hence, all electronic records used for regulated purposes are subject to 21 CFR Part 11.

When electronic records are signed, the system records the following items as part of the electronic signing process:

  • Date and time stamp 
  • User ID and full name of the signer(s) 
  • Reason for signature, out of a pre-configured list of possible reasons 
  • Optionally, an additional comment by the signer at run-time 
  • PC/node, where the signature was made 

According to Subpart B, which deals with electronic provisions, organizations using electronic records must establish and document procedures and controls that ensure the following qualities in their electronic records:

  • Authenticity 
  • Integrity 
  • Confidentiality (when appropriate) 
  • Irrefutability (i.e., no way to deny that a record is genuine) 

In documented procedures and controls, the following mechanisms must be addressed:

  • Computer Systems Validation (CSV)
  • Record Rendering
  • Document Storage and Record Retention 
  • System Access 
  • Audit Trails 
  • Workflows 
  • Authority Checks 
  • Device Checks 
  • Personnel Qualifications 
  • Personnel Accountability 
  • Document Control 

The mechanisms mentioned above apply to the “Closed” system category. Systems that fall into the “Open” category (as defined in Subpart A) require additional procedures and controls. In either case, the mechanisms should be applied in whatever way makes the most sense given the risks and available options, so that the same level of record qualities is ensured.

Electronic signatures must include the following: 

  • The printed name of the signer. 
  • The date and time of the signature. 
  • The meaning of the signature. 

Digital signatures must be permanently linked to their respective records.

Requirements related to 21 CFR Part 11 with Electronic Signatures

For regulated records not submitted to the FDA, an organization can use electronic records instead of (or in addition to) paper records, as long as it can prove that its electronic records comply with Part 11. For regulated records that are submitted to the FDA, an organization can use electronic records instead of paper records as long as the following two conditions are met:

  • It can prove that its electronic records comply with the Code of Federal Regulations Title 21 Part 11. 
  • The FDA is capable of accepting those types of records electronically. 

Part 11 applies to all electronic records used for regulated purposes across all FDA program areas, and was intended to permit the broadest possible use of electronic technology compatible with the FDA’s responsibility to protect public health.

Moreover, the term “Part 11” applies to records and signatures in electronic form that are created, modified, maintained, archived, retrieved, transmitted or submitted under any records requirements set forth by the FDA regulations/predicate rules. 

Note: The types of e-records the FDA accepts are listed in public docket No. 92S-0251. 


Electronic Signatures 

The FDA allows the use of electronic signatures instead of pen and ink signatures (also known as “wet signatures”) to facilitate conducting business digitally. A compliant electronic signature must include the following:

  • The printed name of the signer 
  • The date and time the signature was executed 
  • A unique user ID 
  • Digital adopted signature 
  • The meaning of the signature (labelled “signing reason”) 

Other requirements for electronic signatures

The requirements, as listed under subpart C on electronic signatures, are as follows: 

  1. Uniqueness: Each electronic signature must be unique to one individual and not reused by, or reassigned to, anyone else. [Subsection 11.10(a)] 
  2. Verified identity: The individual’s identity must be verified before establishing, assigning, certifying or otherwise sanctioning the individual’s electronic signature or any element of such electronic signature. [Subsection 11.10(b)] 
  3. Intention to be legally binding: Persons using electronic signatures shall, before or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. [Subsection 11.10(c)]
  4. Additional certification: Upon agency request, persons using electronic signatures must provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer’s handwritten signature. [Subsection 11.10(c)(2)] 
  5. Distinct identification code: Electronic signatures not based on biometrics must employ at least two distinct identification components, such as an identification code and password. [Subsection 11.20(a)(1)]
  6. Execution using at least one signing component: When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing must be executed using all electronic signature components. Subsequent signings must be executed using at least one electronic signature component that is executable only by, and designed to be used only by, the individual. [Subsection 11.20(a)(1)(i)]
  7. Execution of one or more signings: When an individual executes one or more signings not performed during a single period of controlled system access, each signing must be executed using all electronic signature components. [Subsection 11.20(a)(1)(ii)] 
  8. Ensure distinct identification code: The uniqueness of each combined identification code and password must be maintained such that no two individuals have the same identification code and password combination. [Subsection 11.30(a)] 
  9. Check on identification code: Identification code and password issuances must be periodically checked, recalled, or revised (e.g., to cover such events as password ageing). [Subsection 11.30(b)] 
  10. Loss management procedure: Loss management procedures must be followed to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information. The system must issue temporary or permanent replacements using suitable, rigorous controls. [Subsection 11.30(c)] 
  11. Transaction safeguards: The system must use transaction safeguards to prevent unauthorized use of passwords and identification codes and to detect and report immediately and urgently any attempts at their unauthorized use. [Subsection 11.30(d)] 
  12. Periodic testing procedure: A procedure must be in place for initial and periodic testing of devices such as tokens or cards that bear or generate identification code or password information, to ensure that they function properly and have not been altered in an unauthorized manner. [Subsection 11.30(e)]

Conclusion

As discussed above, the regulations in Title 21 CFR Part 11 set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. Organizations must comply with various obligations under Title 21 CFR Part 11. This part mainly provides the regulations that apply to electronic records and signatures as required by the FDA.

The regulation made electronic records and signatures as valid as paper and handwritten ones. Part 11 does not mandate the use of electronic systems. Instead, it specifies the requirements for companies using digitized systems in their compliance efforts. 

Certinal is a wholly-owned subsidiary of Zycus, the pioneer in Cognitive Procurement. A familiar name and market leader with years of experience managing critical contracts & agreements, Zycus boasts of over Fortune 1000 enterprise clients and deployments of procurement and sourcing suite of products. Digital Signing has always been a focus area for Zycus. 

Thus, Certinal was born to offer a best-in-class Digital Transaction Management solution that will be easy to use, 100% secure to deploy, and legally compliant worldwide. We are committed to providing a one-stop solution to large enterprise customers, complying with various security standards and meeting regional regulations. 


Author
Lokjith is a marketing content writer, and he writes about eSignature technology to raise awareness and help enterprises make informed decisions. Before discovering the SaaS industry, he organized offline marketing campaigns. He has a master’s degree from the Institute of Management Technology, specializing in Marketing.