Electronic Signatures in FDA-Regulated Industries
Background and Historical Context
On March 20, 1997, the FDA published the final rule for 21 CFR Part 11, “Electronic Records; Electronic Signatures” (hereinafter referred to as “Part 11”), which became effective on August 20, 1997. What is not widely known is that Part 11 was created in response to requests from the pharmaceutical industry. As drug manufacturing processes and quality testing became increasingly computerized in the early 1990s, companies found themselves printing records on paper solely to obtain handwritten signatures—a practice that seemed impractical and inefficient. Recognizing this burden, the pharmaceutical and biotechnology industries approached the FDA as early as 1991 to request requirements that would enable paperless operations, specifically allowing the use of electronic signatures. This led to an Advance Notice of Proposed Rulemaking (ANPRM) in February 1992, followed by a proposed rule in August 1994, before the final rule was published in 1997.
Consequently, Part 11 has its origins in a focus on electronic signatures, though its scope encompasses the broader management of electronic records. The regulation was designed to permit the use of electronic records and signatures as equivalents to paper records and handwritten signatures, provided they meet specific requirements for trustworthiness, reliability, and integrity.
Essential Requirements for Electronic Signatures
Electronic signatures must satisfy two fundamental requirements to ensure their credibility and legal validity:
1) Authentication of Identity (Identity Assurance)
Electronic signatures must ensure that the person signing is indeed who they claim to be. To achieve this, Part 11 requires the use of at least two distinct identification components, such as a user ID and password (§11.300). It is critical to understand that password entry is required at the time of each signature event, not merely at system login. A common misconception is that entering a password at login satisfies the authentication requirement for subsequent signature actions. However, if a user logs into a system and then leaves their workstation unattended, another person could impersonate them and fraudulently execute signatures. Therefore, Part 11 mandates that users re-enter their credentials—specifically their password—each time they execute an electronic signature.
The only exception to this rule occurs during a single, continuous period of controlled system access where an individual executes multiple signings in succession. In such cases, the first signing must use all electronic signature components (user ID and password), while subsequent signings within that controlled session may use at least one component (typically the password). This provision balances security with operational efficiency.
Lax password management undermines the integrity of electronic signatures. Additionally, the practice of sharing passwords with others to allow proxy signing is prohibited. Such behavior is referred to as “impersonation” or “spoofing.” Unlike handwritten signatures, electronic signatures do not leave distinctive marks such as handwriting characteristics, making impersonation virtually impossible to detect during inspections. To mitigate this risk, the FDA requires organizations to provide comprehensive training to all individuals authorized to execute electronic signatures, emphasizing the importance of password confidentiality and the serious consequences of violations. Furthermore, Part 11 requires that persons using electronic signatures must certify to the FDA that their electronic signature is the legally binding equivalent of their handwritten signature (§11.100(c)). This certification, often called a “Letter of Non-Repudiation,” must be submitted to the FDA and serves as a formal acknowledgment of accountability.
2) Non-Repudiation and Record Integrity
Once an electronic signature has been applied to an electronic record, the record must become unalterable (read-only). If any modification is made to a signed electronic record, the electronic signature must be invalidated or the system must generate a new audit trail entry that captures the change. This ensures that the signed record remains trustworthy and that any alterations are traceable.
While handwritten signatures are accompanied by a date, electronic signatures must include a date and time stamp down to the minute (§11.50). This precise time-stamping establishes a clear chronological relationship between the electronic record and the signature, thereby preventing post-signature tampering. The timestamp also ensures that the sequence of actions—record creation, modification, review, and approval—is unambiguous and auditable.
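The two requirements just described (two identification components with the password re-entered at every signing, the single-session exception, a timestamp to the minute, and a signed record that either becomes read-only or whose alteration is caught and logged) can be seen working together in a small model. The following Python is an added, illustrative example written for this article; it is not code from the FDA, from any vendor system, or from the regulation itself. The user "jdoe", the passphrase, the batch record fields, the use of PBKDF2 for password storage, the SHA-256 content digest, and the session token used to represent a "single, continuous period of controlled system access" are all this example's own assumptions, chosen to show the control logic rather than to prescribe a design.

```python
"""Illustrative model of Part 11 style signature controls; not an FDA reference implementation."""
import hashlib, hmac, json, os, secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000  # assumption for this example; tune to your own password policy


@dataclass
class Record:
    content: dict
    signatures: list = field(default_factory=list)
    audit_trail: list = field(default_factory=list)  # append-only; never edited in place


def digest(content: dict) -> str:
    """Canonical hash of the record content; any edit to the content changes it."""
    canonical = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class SignatureSystem:
    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._users = {}     # user id -> (salt, PBKDF2 hash)
        self._sessions = {}  # session token -> user id (one continuous controlled session)

    def enrol(self, user_id, password):
        salt = os.urandom(16)
        self._users[user_id] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))

    def _check_password(self, user_id, password):
        if user_id not in self._users:
            raise PermissionError("unknown user")
        salt, stored = self._users[user_id]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(stored, candidate):
            raise PermissionError("password does not match")

    def _stamp(self):
        return self._clock().strftime("%Y-%m-%dT%H:%MZ")  # date and time to the minute

    def _apply(self, record, user_id, meaning):
        ts = self._stamp()
        record.signatures.append({"signer": user_id, "meaning": meaning, "signed_at": ts,
                                  "digest": digest(record.content)})
        record.audit_trail.append({"at": ts, "who": user_id, "event": f"signed: {meaning}"})

    def sign(self, record, user_id, password, meaning):
        """First signing: both components (user ID and password). Opens a controlled session."""
        self._check_password(user_id, password)
        self._apply(record, user_id, meaning)
        token = secrets.token_hex(16)
        self._sessions[token] = user_id
        return token

    def sign_in_session(self, token, record, password, meaning):
        """Later signings in the same continuous session: one component (the password)."""
        user_id = self._sessions.get(token)
        if user_id is None:
            raise PermissionError("no active controlled session")
        self._check_password(user_id, password)  # the password is still re-entered at every signing
        self._apply(record, user_id, meaning)

    def end_session(self, token):
        self._sessions.pop(token, None)

    def modify(self, record, user_id, password, key, value):
        """Edit signed content: the edit is logged and earlier signatures stop verifying."""
        self._check_password(user_id, password)
        old = record.content.get(key)
        record.content[key] = value
        record.audit_trail.append({"at": self._stamp(), "who": user_id,
                                   "event": f"changed {key}: {old!r} -> {value!r}"})

    @staticmethod
    def verify(record):
        """One flag per signature: True only while the content matches what was signed."""
        now = digest(record.content)
        return [sig["digest"] == now for sig in record.signatures]


def demo():
    """Constructed walk-through with a fixed clock so the results are reproducible."""
    fixed = lambda: datetime(2024, 10, 1, 9, 30, 45, tzinfo=timezone.utc)
    system = SignatureSystem(clock=fixed)
    system.enrol("jdoe", "example-passphrase")                 # constructed user and password
    rec = Record({"batch": "B-001", "assay_result": "pass"})   # constructed batch record
    token = system.sign(rec, "jdoe", "example-passphrase", "approved")
    system.sign_in_session(token, rec, "example-passphrase", "released")
    out = {"stamp": rec.signatures[0]["signed_at"], "before": SignatureSystem.verify(rec)}
    try:
        system.sign_in_session(token, rec, "wrong-password", "released")
        out["wrong_password_rejected"] = False
    except PermissionError:
        out["wrong_password_rejected"] = True
    system.end_session(token)
    system.modify(rec, "jdoe", "example-passphrase", "assay_result", "fail")
    out["after"] = SignatureSystem.verify(rec)
    out["audit_entries"] = len(rec.audit_trail)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the control behaviour the text asks for: the first signature carries a minute-resolution timestamp, the second signing in the same session needs only the password (but still needs it), a wrong password is refused even inside an open session, and once `assay_result` is changed the two earlier signatures no longer verify while the audit trail keeps the who/when/what of the change. A production system would additionally lock the content of a signed record so that `modify` is a controlled, authorized path rather than an open method.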
Scope of Part 11 and Risk-Based Application
The 2003 Guidance: A Shift Toward Risk-Based Compliance
Many organizations have implemented overly stringent controls in their interpretation of Part 11 requirements, applying them uniformly to all electronic records regardless of their impact on product quality or patient safety. However, it is important to recognize that the FDA’s expectations have evolved since the regulation’s initial publication.
In September 2003, the FDA issued guidance titled “Part 11, Electronic Records; Electronic Signatures – Scope and Application.” This guidance significantly clarified the scope of Part 11 and introduced a risk-based approach to compliance. The 2003 guidance stated that the FDA would exercise enforcement discretion for certain Part 11 requirements and focus its inspection efforts on electronic records that are critical to product quality and patient safety. Specifically, the FDA emphasized that Part 11’s most stringent requirements apply primarily to records required by predicate rules (regulations other than Part 11, such as current Good Manufacturing Practice or cGMP regulations under 21 CFR Part 211) and to records submitted to the FDA.
Under this risk-based approach, the FDA indicated that strict Part 11 compliance is particularly critical for approval signatures on records that directly impact product quality, safety, or regulatory submissions. Examples include:
- Manufacturing batch records documenting critical process parameters and in-process controls
- Quality control testing records, including analytical test results and certificates of analysis
- Batch release decisions and disposition records
- Validation protocols and reports
- Stability study records
- Adverse event reports and complaint files
- Records submitted to the FDA in support of applications (e.g., New Drug Applications, Biologics License Applications, Investigational New Device Exemptions)
In contrast, the 2003 guidance suggests that signatures by record creators or reviewers (as opposed to approvers) may not require the same level of Part 11 rigor, provided that other controls ensure data integrity. For instance, Standard Operating Procedures (SOPs), training records, and certain administrative documents may not necessitate full Part 11 compliance if their impact on product quality and patient safety is low. While it is certainly desirable and best practice to apply Part 11 controls broadly, an organization that applies identical, maximal controls to every electronic record—including those with minimal regulatory impact—may be engaging in over-engineering and incurring unnecessary costs.
Avoiding Over-Compliance: The Importance of Risk Assessment
The concept of “over-compliance” or “excessive quality” refers to the application of rigorous controls to records that do not warrant such scrutiny from a risk perspective. The FDA itself has acknowledged that not all electronic records require the same degree of validation and control. In the preamble to the 2003 guidance, the FDA noted that it does not intend to burden industry with requirements that do not significantly contribute to product quality or public health protection.
A risk-based approach involves assessing each electronic system and record type based on its potential impact on:
- Product quality and consistency
- Patient safety
- Data integrity and traceability
- Regulatory compliance
Records that directly affect these areas should be subject to full Part 11 controls, including validation, audit trails, electronic signature requirements, and robust security measures. Conversely, records with lower impact may be managed with simpler controls, provided that the organization can justify its approach and demonstrate that data integrity is maintained.
Adopting a risk-based approach allows organizations to allocate resources more efficiently, focusing efforts on systems and records that truly matter while avoiding excessive costs associated with over-validation. This approach aligns with the FDA’s broader regulatory philosophy, as articulated in initiatives such as the 2002 “Pharmaceutical cGMPs for the 21st Century – A Risk-Based Approach” and the more recent emphasis on Computer Software Assurance (CSA) as an alternative to traditional Computer System Validation (CSV).
Recent Regulatory Developments
The 2024 Guidance on Clinical Investigations
On October 1, 2024, the FDA finalized its guidance titled “Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers.” This guidance provides updated recommendations for sponsors, clinical investigators, institutional review boards (IRBs), and contract research organizations (CROs) on the use of electronic systems in clinical trials. Key highlights include:
- Clarification of Part 11 applicability to real-world data sources, such as electronic health records (EHRs) and wearable devices. The FDA indicated that Part 11 does not apply to these external data sources until the data are incorporated into the sponsor’s or CRO’s own electronic systems.
- Emphasis on a risk-based approach to system validation, encouraging organizations to tailor validation activities to the complexity and criticality of the system.
- Recommendations for electronic signature use in clinical investigations, including the submission of letters of non-repudiation to certify that electronic signatures are legally binding.
- Guidance on agreements between regulated entities and information technology service providers, stressing the importance of defining roles and responsibilities for data integrity and Part 11 compliance.
This 2024 guidance reflects the FDA’s recognition of technological advancements and the increasing use of digital health technologies in clinical research. It reinforces the principle that Part 11 compliance should be proportionate to risk and that organizations should focus on ensuring the reliability and integrity of electronic data rather than applying a one-size-fits-all approach.
Data Integrity and the Evolution of FDA Expectations
In recent years, the FDA has placed increasing emphasis on data integrity across all aspects of GxP (Good Practice) activities. Warning letters and inspection observations have frequently cited data integrity deficiencies, many of which stem from inadequate electronic record controls. Common issues include:
- Lack of audit trails or incomplete audit trail functionality
- Shared user accounts or passwords, leading to accountability gaps
- Inadequate controls to prevent data deletion or modification without documentation
- Failure to validate computerized systems, resulting in unreliable data
- Insufficient training on electronic record and signature requirements
These data integrity issues often trace back to fundamental Part 11 principles, such as system validation, audit trails, user authentication, and record retention. The FDA has made it clear that data integrity is not solely an IT responsibility but rather a quality culture issue that must be embraced by everyone in the organization who creates, reviews, or approves GxP records.
In 2018, the FDA issued guidance titled “Data Integrity and Compliance with cGMP,” which underscores the importance of ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available). These principles apply to both paper and electronic records and serve as a foundation for ensuring that data are trustworthy and defensible.
Computer Software Assurance (CSA): A Modern Approach to Validation
In response to industry concerns about the burden and cost of traditional computer system validation, the FDA released draft guidance on Computer Software Assurance (CSA) in 2022. CSA represents a paradigm shift from exhaustive documentation and testing to a more streamlined, risk-based approach that emphasizes critical thinking and focuses validation efforts on the aspects of software that pose the greatest risk to product quality and patient safety.
Key tenets of CSA include:
- Leveraging existing documentation from software vendors (e.g., user manuals, release notes) rather than creating redundant documentation
- Focusing testing on critical functionality and user workflows rather than testing every feature
- Applying a risk-based approach to determine the extent of validation activities
- Emphasizing the importance of a quality culture and critical thinking over prescriptive checklists
While CSA is still in draft form and primarily addresses software validation rather than Part 11 specifically, its principles are fully compatible with the risk-based philosophy articulated in the 2003 Part 11 guidance. Organizations that adopt CSA methods can achieve robust Part 11 compliance while reducing validation costs and timelines.
International Regulatory Context
Comparison with EU GMP Annex 11
While Part 11 is a U.S. regulation, many of its principles align with international standards for electronic records and signatures. In the European Union, electronic records in the pharmaceutical industry are governed by EU GMP Annex 11, “Computerised Systems,” which was revised in 2011. Annex 11 shares common goals with Part 11, including ensuring data integrity, reliability, and traceability. However, there are some differences in emphasis:
| Aspect | 21 CFR Part 11 (FDA) | EU GMP Annex 11 |
|---|---|---|
| Legal Status | Federal regulation with force of law | Guidance document (part of EU GMP) |
| System Validation | Required; detailed specifications in §11.10 | Required; emphasis on risk assessment and lifecycle approach |
| Audit Trails | Detailed requirements in §11.10(e) | Required; emphasis on review of audit trails |
| Electronic Signatures | Prescriptive requirements (§11.50, §11.200, §11.300) | Less prescriptive; focuses on ensuring authenticity and integrity |
| Risk-Based Approach | Introduced via 2003 guidance | Explicitly emphasized throughout the document |
| Periodic Review | Not explicitly required in regulation | Requires periodic review of systems (Clause 11) |
Both Part 11 and Annex 11 recognize the importance of system validation, audit trails, access controls, and data backup. Organizations operating in both the U.S. and EU markets often design their electronic systems to comply with both sets of requirements, adopting the more stringent standard where differences exist.
PIC/S Good Practice Guides
The Pharmaceutical Inspection Co-operation Scheme (PIC/S) has published Good Practice Guides on data management and integrity that are widely adopted by regulatory authorities around the world. These guides reinforce principles similar to those in Part 11 and Annex 11, including the ALCOA+ principles and the importance of a quality culture. As regulatory harmonization continues, organizations should stay informed of global expectations for electronic records and data integrity.
Practical Recommendations for Compliance
Building a Compliant Electronic Signature Program
To implement a robust and compliant electronic signature program, organizations should consider the following best practices:
- Conduct a Risk Assessment: Identify which electronic records and signatures fall under Part 11 and assess their impact on product quality and patient safety. Prioritize compliance efforts accordingly.
- Implement Strong User Authentication: Ensure that electronic signature systems require at least two distinct identification components (e.g., user ID and password) and that passwords are entered at the time of each signature event, not merely at login.
- Provide Comprehensive Training: Train all users authorized to execute electronic signatures on Part 11 requirements, the importance of password confidentiality, and the consequences of violations. Require users to sign certifications or letters of non-repudiation.
- Establish Audit Trails: Implement audit trail functionality that captures who signed, when the signature occurred, and what action was taken. Ensure that audit trails are secure, computer-generated, and time-stamped.
- Ensure Record Integrity: Configure systems so that signed records become read-only or so that any modifications invalidate the signature or generate a new audit trail entry.
- Validate Electronic Systems: Validate electronic record and signature systems to demonstrate that they perform as intended and maintain data integrity throughout their lifecycle. Apply a risk-based approach to the extent of validation activities.
- Maintain Documentation: Document policies, procedures, and validation activities related to electronic records and signatures. Ensure that documentation is readily available for FDA inspection.
- Foster a Quality Culture: Emphasize that data integrity and Part 11 compliance are not solely IT responsibilities but are the responsibility of every individual who creates, reviews, or approves GxP records.
Avoiding Common Pitfalls
Organizations should be aware of common pitfalls that can lead to non-compliance:
- Shared User Accounts: Allowing multiple users to share a single user ID undermines accountability and violates Part 11 requirements for unique electronic signatures.
- Inadequate Audit Trails: Audit trails that do not capture all relevant actions, that can be disabled by users, or that are not regularly reviewed are insufficient.
- Weak Password Policies: Password policies that allow simple, easily guessed passwords or that do not enforce regular password changes increase the risk of unauthorized access.
- Lack of Training: Failing to train users on Part 11 requirements and the importance of data integrity can lead to inadvertent violations.
- Over-Reliance on Vendors: While software vendors can provide tools and documentation to support Part 11 compliance, the ultimate responsibility for compliance rests with the regulated organization. Organizations must validate vendor-supplied systems and ensure that their use aligns with Part 11 requirements.
Conclusion
21 CFR Part 11 remains a cornerstone regulation for ensuring the integrity, authenticity, and reliability of electronic records and signatures in FDA-regulated industries. Since its publication in 1997, the regulation has evolved through FDA guidance documents that emphasize a risk-based approach to compliance. The 2003 guidance clarified the scope of Part 11 and encouraged organizations to focus their efforts on records that directly impact product quality and patient safety, while the 2024 guidance on clinical investigations addresses emerging technologies and reinforces the importance of proportionate, risk-based controls.
Organizations should avoid the trap of over-compliance, which can lead to excessive costs and diversion of resources away from truly critical areas. Instead, they should conduct thorough risk assessments to determine where Part 11 controls are most needed and implement validation and data integrity measures that are commensurate with the level of risk. By adopting a risk-based approach, investing in robust training programs, and fostering a culture of data integrity, organizations can achieve compliance with Part 11 while optimizing their use of technology to improve efficiency, quality, and ultimately, patient safety.
As technology continues to advance—with the increasing adoption of cloud computing, artificial intelligence, mobile health applications, and real-time data analytics—the principles underlying Part 11 will remain essential. The regulation’s focus on ensuring that electronic records and signatures are trustworthy, attributable, and defensible will continue to serve as a foundation for regulatory compliance in the digital age. Organizations that stay abreast of the latest FDA guidance, embrace risk-based validation methodologies such as Computer Software Assurance, and maintain a steadfast commitment to data integrity will be well-positioned to navigate the evolving regulatory landscape.