Title 21 Code of Federal Regulations, Part 11

Introduction

Title 21 CFR Part 11 is the part to the Code of Federal Regulations (“CFR”) which is established by the Food and Drug Administration (“FDA”) which provides requirements for electronic records and electronic signatures. The purpose of this part is to ensure that electronic records and electronic signatures can be trusted in a typically similar manner as paper records and ink signatures (“wet signatures”).

It is pertinent to note that Life science organizations and device manufacturers that are regulated by the FDA are essentially required to follow the CFR as provided under Title 21 Part 11.

Free Guide: A must-read primer to get started with e-Signatures

Electronic Records

An electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system. As mentioned above, the purpose of Part 11 is to ensure that electronic records and electronic signatures can be trusted as much as paper records and ink signatures. Hence, all the electronic records that are subject to and used for regulated purposes are subject to Part 11.

When electronic records are signed, the system records the following items as part of the electronic signing process:

• Date and time stamp
• User ID and full name of the signer(s)
• Reason for signature, out of a pre-configured list of possible reasons
• Optionally, an additional comment by the signer at run-time
• PC/node, where the signature was made

According to subpart B which deals with electronic provisions, the Organizations using electronic records must establish and document procedures and controls that ensure the following qualities in their electronic records:

• Authenticity
• Integrity
• Confidentiality (when appropriate)
• Irrefutability (i.e., no way to deny that a record is genuine)

In documented procedures and controls the following mechanisms must be addressed:

1. computer systems validation (CSV),
2. record rendering,
3. document storage and record retention
4. system access
5. audit trails
6. workflows
7. authority checks
8. device checks
9. personnel qualifications
10. personnel accountability
11. document control

Above mentioned mechanisms would apply to the “Closed” category of system. Systems that fall into the category of “Open” (as defined in Subpart A) require additional procedures/controls. The above-mentioned mechanism would still apply in addition to whatever makes more sense given the risks and available options to ensure the same level of record qualities.

Electronic signatures must include the printed name of the signer, the date and time of the signature, and the meaning of the signature. Electronic signatures must be forever linked to their respective records.

Requirements related to electronic records under 21 CFR Part 11:

For regulated records that are not submitted to the FDA, an organization can use electronic instead of (or in addition to) paper, as long as it can prove that its electronic records comply with Part 11. For regulated records that are submitted to the FDA, an organization can use electronic records instead of paper records as long as the following two conditions are met:

1. It can prove that its electronic records comply with Part 11.
2. The FDA is capable of accepting those types of records electronically.

All the electronic records that are used for regulated purposes which apply to all FDA program areas are subject to Part 11 and were intended to permit the widest possible use of electronic technology, compatible with the FDA’s responsibility to protect public health.

Moreover, the term “Part 11” applies to records and signatures in electronic form that are created, modified, maintained, archived, retrieved, transmitted or submitted, under any records requirements set forth by the FDA regulations/predicate rules.

Note: The types of e-records that the FDA accepts are listed in public docket No. 92S-0251.

Download the Whitepaper: Security: The Quintessential Element of Digital Signature Solutions

Electronic Signatures

The FDA allows the use of electronic signatures instead of pen and ink signatures (also known as “wet signatures”) in order to facilitate conducting of the business digitally. A compliant electronic signature must include the following:

• The printed name of the signer
• The date and time the signature was executed
• A unique user ID
• Digital adopted signature
• The meaning of the signature (labelled “signing reason”)

Other requirements for electronic signatures:

The requirements as listed under subpart C on electronic signatures are as follows:

• Uniqueness: Each electronic signature must be unique to one individual and not reused by, or reassigned to, anyone else. [Subsection 11.10(a)]
• Verified identity: The identity of the individual must be verified before establishing, assigning, certifying or otherwise sanctioning the individual’s electronic signature, or any element of such electronic signature. [Subsection 11.10(b)]
• Intention to be legally binding: Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be legally binding equivalent of traditional handwritten signatures. [Subsection 11.10(c)]
• Additional certification: Persons using electronic signatures must, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer’s handwritten signature. [Subsection 11.10(c)(2)]
• Distinct identification code: Electronic signatures that are not based upon biometrics must employ at least two distinct identification components such as an identification code and password. [Subsection 11.20 (a)(1)]
• Execution using at least one signing component: When an individual executes a series of signings during a single-continuous period of controlled system access, the first signing must be executed using all electronic signature components. Subsequent signings must be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. [Subsection 11.20(a)(1)(i)]
• Execution of one or more signings: When an individual executes one or more signings not performed during a single period of controlled system access, each signing must be executed using all of the electronic signature components. [Subsection 11.20(a)(1)(ii)]
• Ensure distinct identification code: The uniqueness of each combined identification code and password must be maintained such that no two individuals have the same combination of identification code and password. [Subsection 11.30(a)]
• Check on identification code: Identification code and password issuances must be periodically checked, recalled, or revised (e.g., to cover such events as password aging). [Subsection 11.30(b)]
• Loss management procedure: Loss management procedures must be followed to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information. The system must issue temporary or permanent replacements using suitable, rigorous controls. [Subsection 11.30(c)]
• Transaction safeguards: The system must use transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use. [Subsection 11.30(d)]
• Periodic testing procedure: A procedure must be in place for initial and periodic testing of devices such as tokens or cards that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. [Subsection 11.30(e)]

Conclusion

As discussed above, the regulations in Title 21 of CFR, Part 11 set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper, there are various obligations that are required to have complied under Title 21 of CFR, Part 11. This part particularly provides for various regulations that apply to electronic records and electronic signatures as required by the FDA. The regulation made electronic records and signatures as valid as paper records and handwritten signatures. Part 11 does not mandate the use of electronic systems. Rather, it specifies the requirements for companies that choose to use digitized systems in their compliance efforts.

Certinal is a wholly owned subsidiary of Zycus, the pioneer in Cognitive Procurement. A familiar name and market leader with years of experience in managing critical contracts & agreements, Zycus boasts of over Fortune 1000 enterprise clients and deployments of procurement and sourcing suite of products. Digital Signing has always been a focus area for Zycus. Thus Certinal was born with the stated goal of offering a best-in-class Digital Transaction Management solution that will be easy-to-use, 100% secure to deploy, and legally compliant around the world. We stand committed to providing a one-stop solution to large enterprise customers, compliant with various security standards and conforming to different regional regulations.

Disclaimer: Certinal is making available the information and materials in this article for informational purposes only and is meant to help companies understand eSignature’s application in a legal framework. Laws change rapidly and Certinal makes every reasonable effort to keep the content of this article current, hence Certinal makes no claims or representations that the information contained in this article is true, accurate, correct, or current. The law is different from jurisdiction to jurisdiction, and even similar laws may be interpreted differently in different courts or in different places. Since these factors differ according to individuals and businesses, Certinal is not liable for any consequence of any action taken by any third party relying on material/ information provided under this article. The contents hereof should not be construed as legal advice in any manner whatsoever. In cases you require any assistance; you must seek independent legal advice.