Electronic Signatures, FDA Part 11 and How to Comply

The FDA 21 CFR Part 11 is a daunting piece of legislation but when viewed as a whole, we can see its goal is quite simple, to legitimize your digital records by giving credence to electronic signatures, audit trails, and digital authority checks.

We’re here to summarize the jargon and arm you with practical options that will leave you FDA 21 compliant. Below we’ve prepared an easy-to-read table on part 11 compliance. If that doesn’t answer all your questions, the rest will.

This is all based on our research and interpretation of the regulations. However, if there is any doubt when comparing this information to your unique needs, then we would suggest consulting a lawyer.

If you are in an industry that deals with FDA regulations, you will be required to prove the authenticity of all your digital records under FDA 21 CFR Part 11. In many cases, an audit will need to be performed to confirm this. Compliance with FDA 21 CFR Part 11 is based upon your organization’s ability to show procedures and controls that ensure:

Authenticity
Integrity
Confidentiality
Irrefutability

When reviewing your compliance, you will notice there are some factors that relate to the software you use, and some factors that relate to the processes and personnel decisions you have in place.

In order to comply with FDA CFR Part 11, you need to make sure your software or your operational systems checks can be traced, verified and audited if need be. This means if your software does not automatically track the whole part of the process, then you must provide a workflow, or operational system check that records and provides the required data.

What the table above is depicting is the autonomous FDA part 11 compliance that is built into our health and safety software. Our software will:

Export reports and documents in PDF format
Safely store data on a Closed cloud
Preserve Audit Trails
Maintain an all-in-one solution, meaning the workflow is always in-sync
Maintain a hierarchy of physical locations and user roles
Stamp eSignatures with a date, time and unique user data

Note: If your system is considered Open, it may require additional procedures and controls. An Open system is one where the user access is not controlled or restricted, or could also refer to a system that utilizes cloud storage that isn’t restricted. For instance, google docs cloud storage could be seen as Open depending on the access, whereas BIS system is closed because it requires administration clearance.

Electronic signatures that are obtained through software systems also need to follow strict record-keeping practices to ensure their accuracy:

eSignatures need to be forever linked to the respective records
They must include a printed name, date and time, and the meaning of the signature
Individuals signing must be confirmed by providing ID, and making sure their signature is unique
Adhere to specific design requirements for biometric (fingerprints) or non-biometric collection methods
Adhere to specific requirements for passwords and passcode-generating devices
And finally, you must inform the FDA prior to using electronic signatures

How do you inform the FDA you’re going to use electronic signatures? Start by sending the FDA a Letter of Non-Repudiation Agreement. Make sure this is consistent with your company’s letterheads and signed with a handwritten signature. Provided your electronic signatures comply with everything above, you should have no problem getting approved.

The Food and Drug Administration (FDA) is responsible for protecting American citizens by ensuring the safety of their food supply, pharmaceutical products, medical supplies, veterinary drugs, cosmetics, and products that emit radiation. (Yes, you read that correctly.)

To respond to the changes in technology and the way that companies are collecting and sharing information about their customers, 21 CFR Part 11 was created. It refers to the authenticity of the electronic records collected and submitted to the FDA and has become one of their most (in)famous regulations.

And it’s confusing. Government regulations do not typically make for light bedtime reading. Is this regulation necessary?

This regulation deals with any submission of forms or information that is required by the FDA, specifically when they are made electronically. This is the heart of the regulation, so let’s go over it again. All digital records that you are required to submit to the FDA for regulatory purposes are subject to Part 11. This would include electronic forms used instead of physical forms, onsite inspections using a mobile device or tablet, and much more.

You could be exempt from FDA 21 CFR Part 11 if you have a paper record and choose to scan and submit the record digitally. Or, if you use a software system to collect your information, and the system provides print outs which are used for submissions. Or finally, if you use legacy software that was implemented prior to August 20, 1997, again you may not be subject to Part 11.