“What makes an electronic signature vendor 21 CFR Part 11 compliant?”
This is a common question in the pharmaceutical industry, and the answer isn’t always immediately clear. Several e-signature vendors claim to be compliant, but upon closer inspection, that’s not always true.
There are a lot of different parts of the regulation, but we’re going to address the ones that stand out compared to regulations in other industries. These regulations go far beyond the simple requirements set by the ESIGN Act and UETA.
“Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.” —21 CFR Part 11, Subpart B, Sec. 11.10(e)
21 CFR Part 11 requires that an electronically signed record carry a detailed history of the record itself, an audit trail. Its purpose is accountability: at any later point you must be able to reconstruct who did what, when, and what state the record was in. Note the second sentence of the rule: a change never overwrites the earlier version, so the trail is append-only and every prior state stays recoverable.
Every audit trail must log all of the events in the document’s lifecycle, including:
This level of detail protects your company if a signer later claims, “I didn’t sign that.”
“Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.” 21 CFR Part 11, Subpart B, Sec. 11.10
If you think about a hardcopy record on paper, what you see is what you get. If somebody makes a change, it tends to be obvious. In an electronic system without the proper controls, a change could be made to the record and no one would ever know. That’s why Part 11 requires controls that ensure the integrity and authenticity of electronic records; in practice, electronically signed documents are protected by a feature called “tamper evidence.”
With tamper evidence, if someone changes any part of the document (even something as simple as capitalizing a word) there’s proof that tampering took place. The usual mechanism is a digital signature over a cryptographic hash of the document: changing a single byte changes the hash and invalidates the signature. The protection has to cover the whole signing process, not just the finished document. Each signature should seal the document as it stood at that moment, so a change slipped in between the first and second signer is caught as well. SIGNiX offers this level of tamper evidence throughout the signing process.
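The audit-trail and tamper-evidence requirements above are usually met by one mechanism: a cryptographic hash of the record is taken at every event and written into an append-only log whose entries are chained together and authenticated. The Python below is an added example, not SIGNiX’s code or any vendor’s implementation. It uses an HMAC under a service-held key where a real product would use a digital signature (a PKI key the signer cannot recompute); `SERVICE_KEY`, the actor names, timestamps and the batch-record text are all constructed for the illustration. It shows that capitalizing a single word in the signed record, rewriting who signed it, and removing an event from the log all fail verification.

```python
"""Hash-chained, authenticated audit trail for an electronically signed record.

Added example. Assumptions:
- SERVICE_KEY is a secret held only by the e-signature service (in production
  it would live in an HSM/KMS, or be replaced by an asymmetric signing key), so
  a signer or database administrator who edits the record or the log cannot
  recompute a valid MAC.
- Timestamps are supplied by the service clock, never by the client.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

SERVICE_KEY = b"example-service-key-not-for-production"   # constructed
GENESIS = "0" * 64                                         # prev_mac of the first entry


def doc_hash(content: bytes) -> str:
    """SHA-256 of the record bytes: any edit, even a changed capital letter, changes it."""
    return hashlib.sha256(content).hexdigest()


def _canonical(entry: dict) -> bytes:
    # Deterministic serialization so the MAC can be recomputed at verification time.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only log. Entries are never edited or deleted; a correction is a new entry."""

    def __init__(self, key: bytes = SERVICE_KEY):
        self._key = key
        self.entries = []

    def append(self, actor: str, action: str, content: bytes,
               when: Optional[str] = None) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,               # create / modify / sign / delete
            "doc_hash": doc_hash(content),  # state of the record at this event
            "prev_mac": prev,               # links this entry to the one before it
        }
        entry["mac"] = hmac.new(self._key, _canonical(entry), hashlib.sha256).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self, current_content: bytes) -> list:
        """Return a list of findings; an empty list means log and record are intact."""
        findings = []
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, e["mac"]):
                findings.append(f"entry {i}: MAC mismatch (entry was altered)")
            if e["seq"] != i or e["prev_mac"] != expected_prev:
                findings.append(f"entry {i}: chain broken (entry inserted, removed or reordered)")
            expected_prev = e["mac"]
        if self.entries and doc_hash(current_content) != self.entries[-1]["doc_hash"]:
            findings.append("record content differs from the last logged version")
        return findings


def demo() -> dict:
    """Build a small trail and try three kinds of tampering. Sample data is constructed."""
    v1 = b"Batch 0417 release: approved by QA.\n"
    v2 = b"Batch 0417 release: approved by QA. Deviation DR-12 closed.\n"
    trail = AuditTrail()
    trail.append("jdoe", "create", v1, when="2024-03-01T09:00:00+00:00")
    trail.append("jdoe", "modify", v2, when="2024-03-01T09:03:00+00:00")
    trail.append("asmith", "sign", v2, when="2024-03-01T09:05:00+00:00")
    results = {"intact": trail.verify(v2)}

    # 1. Someone capitalizes one word in the signed record.
    results["edited_record"] = trail.verify(v2.replace(b"approved", b"Approved"))

    # 2. Someone rewrites history: changes who signed (MAC no longer matches).
    forged = AuditTrail()
    forged.entries = [dict(e) for e in trail.entries]
    forged.entries[2]["actor"] = "jdoe"
    results["edited_entry"] = forged.verify(v2)

    # 3. Someone removes the "modify" event (chain and sequence numbers break).
    cut = AuditTrail()
    cut.entries = [trail.entries[0], trail.entries[2]]
    results["deleted_entry"] = cut.verify(v2)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'OK'}")
```

One limitation worth knowing: chaining alone does not detect removal of the most recent entries, because a shortened log is still internally consistent. Products close that gap by anchoring the latest MAC or signature outside the log, for example by embedding it in the signed PDF itself or by publishing it to a separate, write-once store.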
“… subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.” —21 CFR Part 11, Subpart C, Sec. 11.200(a)(1)(i)
In some less-regulated industries, the type of electronic signature you use isn’t all that important. Many people use a type of electronic signature that only requires you to click a button to sign a document. While that’s all well and good when it comes to your kid’s field trip permission slip, it doesn’t cut it in the pharmaceutical industry.
The FDA has very specific rules about what counts as a signature. Proving your identity once, when you log in to the system, is not enough; you also have to prove it when you sign. The first signing in a session must use all of your signature components (for example, both user ID and password), and every later signing in the same continuous session must use at least one component that only you can execute, in practice your password. A signature that never leaves the session is invalid once you walk away, so each signing re-prompts for credentials. Simply clicking a button without proving your identity isn’t enough.
“[Must] employ at least two distinct identification components such as an identification code and password.” —21 CFR Part 11, Subpart C, Sec. 11.200(a)(1)
When you do business online, you need to know who you're doing business with, and electronic signatures are no exception. If a signed document is challenged in court, you'll have to prove the signer’s identity. That’s why the FDA requires that a non-biometric electronic signature use at least two distinct identification components, and a user ID plus password is the minimum that satisfies the rule. Common types of authentication include:
A user ID and a password are two components, but they are both “something you know.” Combining components from different categories (something you know, something you have, something you are), a technique called multi-factor authentication, goes beyond the minimum and gives you the strongest evidence against fraud.
Who is responsible for compliance? You might think the electronic signature vendor is responsible, but the regulation applies to the regulated company that creates and maintains the records, so the company that owns the data is ultimately responsible. If a vendor claims to be compliant and isn’t, the vendor isn’t the one the FDA cites; you are.
The good news is that you can build on the vendor’s service to become compliant. How do you do that? You need to do your due diligence when it comes to the vendor. Here are some key questions to ask during your audit of an electronic signature company:
You should also develop a robust service level agreement with the electronic signature vendor that commits them to supporting your 21 CFR Part 11 compliance efforts. You should include topics like:
But compliance isn’t just about which vendor you choose. It’s also about the policies you put in place and how your employees interact with the software. If you don’t address these issues internally, the electronic signature service won’t give you a fully compliant solution. You should consult with a compliance expert to create an electronic signature policy for your company.
Here are the parts of the regulations that can only be completely achieved by a company-wide policy:
With these tips in mind, you can be sure to choose an electronic signature vendor that meets the requirements set by 21 CFR Part 11.