Correct Understanding of Electronic Signatures under 21 CFR Part 11

Introduction

Title 21 of the Code of Federal Regulations Part 11 (21 CFR Part 11) provides detailed requirements for the use of electronic signatures. Through consultation work in the pharmaceutical and medical device industries, I have observed numerous misunderstandings and confusion regarding electronic signatures. This article aims to clarify these misconceptions and promote accurate understanding.

Common Misconceptions

Misconception 1: Scanned Signature Images

First and foremost, an electronic signature is not a scanned image of a handwritten signature on paper. Most professionals are aware of this fact. A scanned signature is merely a digital image and does not meet the requirements for electronic signatures as defined in 21 CFR Part 11.

Misconception 2: Definition of Electronic Signature

21 CFR Part 11 defines an electronic signature as: “A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.”

It is important to understand that this refers not to all confirmation or approval processes in general, but specifically to acts that carry particular legal binding force.

Scope Where Electronic Signatures Are Required

When digitizing business operations, numerous data confirmation and approval processes are performed. However, not all of these fall under the strict definition of electronic signatures subject to regulation. The FDA does not require all confirmation and approval processes to meet the 21 CFR Part 11 electronic signature requirements.

What Constitutes a Legally Binding Signature

The FDA requires electronic signatures primarily for the following documents and records:

Examples in Non-clinical and Clinical Studies:

  • Study Protocols
  • Study Reports
  • Final approval of these critical documents

Examples in Manufacturing Settings:

  • Batch Manufacturing Records
  • Batch Production Records
  • Deviation Reports
  • Change Control Records
  • Signatures on other GMP-critical documents

In essence, approval activities that demonstrate final responsibility for data submitted to the FDA or subject to inspection are the scope where electronic signatures are truly required. Routine verification work and intermediate approval processes do not necessarily require strict application of 21 CFR Part 11 electronic signature requirements.

Relationship Between Electronic Signatures and Digital Signatures

It is crucial to accurately understand the relationship between “Electronic Signature” and “Digital Signature.”

Accurate Definitions

Electronic Signature: As a regulatory concept, this refers to the electronic representation of approval acts with legal binding force. It is a broad concept defined in 21 CFR Part 11.

Digital Signature: A specific technological means of implementing electronic signatures using cryptographic techniques based on Public Key Infrastructure (PKI).

The Relationship

Digital signatures are a type of electronic signature and represent one of the technological means for implementing electronic signatures. While not all electronic signatures are digital signatures, digital signatures are widely recognized as one of the most secure and reliable implementation methods for meeting electronic signature requirements.

Electronic signatures can be implemented through various methods:

Implementation Method     | Description                               | Security Level
ID/Password Combination   | Uses at least two identification elements | Moderate
Biometric Authentication  | Fingerprint, iris recognition, etc.       | High
Digital Signature (PKI)   | Uses public key cryptography              | Highest

Characteristics of Digital Signatures

Digital signatures provide the following technical features:

  1. Authenticity: Cryptographically proves the identity of the signer
  2. Integrity: Detects data tampering
  3. Non-repudiation: Prevents the signer from denying the signature
  4. Confidentiality: Encrypts data when necessary

These characteristics help mitigate the following risks:

  • Eavesdropping
  • Tampering
  • Impersonation

Regulatory Authority Perspectives and Recent Developments

FDA Guidance

The FDA issued the guidance “Part 11, Electronic Records; Electronic Signatures — Scope and Application” in 2003, recommending a risk-based approach. Furthermore, in October 2024, the FDA issued final guidance on the use of electronic records and systems in clinical investigations, clarifying appropriate use of digital health technologies and electronic signatures.

International Harmonization

Regulations concerning electronic signatures must maintain consistency with the following international standards and guidelines:

  • EU GMP Annex 11: Guidelines on Computerised Systems
  • PIC/S PI 011: Good Practices for Computerised Systems in Regulated GxP Environments
  • ISO/IEC 27001: Information Security Management Systems
  • eIDAS Regulation (EU): Electronic Identification and Trust Services

Key Implementation Points

Electronic Signature Requirements (21 CFR Part 11.50)

Electronic records containing electronic signatures must clearly display the following information:

  • Printed name of the signer
  • Date and time of signature
  • Meaning of the signature (approval, review, responsibility, etc.)

Identification and Security (21 CFR Part 11.200)

Electronic signatures not based on biometrics must employ at least two distinct identification elements. For example:

  • Identification code (User ID)
  • Password
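
The two requirements above can be enforced at the moment of signing. The following is an added example, not code from the regulation, the FDA, or any particular product: a signature is refused unless both identification components check out, and a successful signature yields a manifestation carrying the printed name, date and time, and meaning. The account store, the names `sign_record` and `manifestation_matches`, and the `record_sha256` field are assumptions of this sketch.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

MEANINGS = {"approval", "review", "responsibility"}  # meanings named in the article


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(printed_name: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"printed_name": printed_name, "salt": salt,
            "pw_hash": hash_password(password, salt)}


# Constructed sample account store: identification code -> account.
ACCOUNTS = {"jdoe": make_account("Jane Doe", "constructed-sample-passphrase")}


def sign_record(record: bytes, user_id: str, password: str, meaning: str) -> dict:
    """Execute a signature: verify both components, return the manifestation."""
    if meaning not in MEANINGS:
        raise ValueError("a signature must state its meaning")
    account = ACCOUNTS.get(user_id)
    # Hash even for an unknown ID so both failure cases take the same path.
    salt = account["salt"] if account else bytes(16)
    expected = account["pw_hash"] if account else bytes(32)
    supplied = hash_password(password, salt)
    if account is None or not hmac.compare_digest(supplied, expected):
        raise PermissionError("signature refused")
    return {
        "printed_name": account["printed_name"],
        "signed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "meaning": meaning,
        # Assumption of this example: a content hash ties the manifestation
        # to the exact record. It is not a PKI digital signature.
        "record_sha256": hashlib.sha256(record).hexdigest(),
    }


def manifestation_matches(record: bytes, manifestation: dict) -> bool:
    """True only if the record is byte-identical to what was signed."""
    current = hashlib.sha256(record).hexdigest()
    return hmac.compare_digest(current, manifestation["record_sha256"])
```

The hash only shows that the record has not changed since signing; proving who signed without trusting the application database is what a PKI-based digital signature adds.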

System Validation

Systems using electronic signatures must be properly validated to ensure:

  • Accuracy
  • Reliability
  • Consistent Intended Performance

Conclusion

Accurate understanding of electronic signatures is essential for balancing compliance and efficient business operations. “Electronic signature” is a regulatory concept, and “digital signature” is one of the means of implementing it. It is important to correctly understand the relationship between the two and implement them appropriately using a risk-based approach.

The FDA does not uniformly require strict electronic signature requirements for all confirmation and approval processes but expects appropriate management based on the importance and risk of the data. We recommend building an electronic signature system suitable for your company’s business processes, taking into account the latest regulatory trends and guidance.

References:

  • 21 CFR Part 11: Electronic Records; Electronic Signatures
  • FDA Guidance for Industry: Part 11, Electronic Records; Electronic Signatures — Scope and Application (2003)
  • FDA Guidance: Use of Electronic Records and Electronic Signatures in Clinical Investigations (October 2024)
  • EU GMP Annex 11: Computerised Systems
  • PIC/S PI 011: Good Practices for Computerised Systems in Regulated GxP Environments
