FDA 21 CFR-compliant pharmaceutical eSignatures

Posted by Victoria Allen on 31-Jul-2017 09:51:23



In our latest industry-specific blog, we're focusing on how the pharmaceutical industry can ensure FDA 21 CFR part 11 compliance with eSignatures.

Some of the world’s strictest regulations are found in the pharmaceutical industry and companies in this sector will have extensive processes and policies to maintain data security. This applies to every department within an organisation - from robust IT systems, to secure solutions used to approve documentation electronically.

e-Signatures and the Pharmaceutical Industry

Pharmaceutical industry regulations

The pharmaceutical industry's focus on security stems from the fact that:

  • The industry is highly competitive
  • Pharmaceutical documentation falls under 'intellectual property' and must be protected 24/7
  • In the US, the Food and Drug Administration (FDA) is involved in governing pharmaceutical organisations. The FDA regulates everything from new drug programmes to how information is electronically shared.

FDA 21 CFR part 11 and pharmaceutical eSignatures

For the context of eSignatures, the most important standard is FDA 21 CFR part 11. Despite its nondescript name (often abbreviated to 21CFR11), this regulation is extremely important for any companies investing in or managing document management systems and eSignatures in the pharmaceutical industry.

The regulation:

“...applies to records in electronic form that are created, modified, maintained, archived, retrieved or transmitted.”

11.11 also states that compliance occurs when:

  • eSignatures must be unique to each user 
  • Identity has been verified
  • The eSignature is considered legally binding

Alongside these elements, organisations should also ensure that they can provide additional certification that a specific eSignature is legally binding. For example, time-stamped audit trails that independently record entries and modifications to documents.


Other characteristics that ensure FDA 21 CFR part 11 compliance include:

  • Meeting ISO 32000 PDF standards and ETSI PAdES signature standards
  • Adhering to the latest standards recommended by the US National Institute of Standards and Technology (NIST), namely SHA-256 hashing and RSA 2048bit crypto or equivalent for digital signatures
  • Long-term digital signatures that include a digitally signed and trusted RFC 3161 timestamp from a trusted Time Stamp Authority (TSA)
  • Solutions that enforce user authentication before allowing access to the signing key (bulk signing of such documents is not permitted).

Ensuring eSignature security

Security is paramount within the pharmaceutical industry. If you are considering implementing an eSignature solution, then ensure you can prove compliance with the necessary regulations.          

Marrying strong security with a great user experience can be achieved using remote signing techniques.

Such solutions use unique signature keys for every user, but held centrally on a secure server in the cloud. Users are authenticated using multi-channels before authorising the use of their remote signing keys.

With such approaches, there is no need for specialist hardware tokens or even for software to be installed locally by user. Instead, advanced digital signatures are possible from anywhere including using smartphones and tablets.  

More detail on FDA 21 CFR part 11 is available here.

Recent Posts

Download this essential eBook

Choosing the right type of e-signature
for your business

Download your eBook