How to comply with FDA 21 CFR part 11 - e-Signatures and the Pharmaceutical Industry

Posted by Victoria Morgan on 31-Jul-2017 09:51:23

Some of the world’s strictest regulations are found in the pharmaceutical industry, and companies in this sector have extensive processes and policies to maintain data security. This applies to every department within an organisation - from robust IT systems to secure solutions used to approve documentation electronically.

This focus on security also stems from the fact that the industry is highly competitive, that the documentation shared between departments is intellectual property which must be protected 24/7, and, in the United States, from the Food and Drug Administration’s (FDA) role in governing organisations.

The FDA regulates everything from new drug programmes to how information is electronically shared. In the context of e-signatures, the most important standard is FDA 21 CFR part 11. Despite its nondescript name (often abbreviated to 21CFR11), this regulation is extremely important for any company investing in or managing document management systems and e-signatures.

The regulation “applies to records in electronic form that are created, modified, maintained, archived, retrieved or transmitted.” 11.11 also states that compliance requires that:

  • each e-signature is unique to one user
  • the user’s identity has been verified
  • the e-signature is considered legally binding

Alongside these elements, organisations should also ensure that they can provide additional certification that a specific e-signature is legally binding, for example time-stamped audit trails that independently record entries to, and modifications of, documents.

Other characteristics that ensure compliance include:

  • Meeting ISO 32000 PDF standards and ETSI PAdES signature standards
  • Adhering to the latest standards recommended by the US National Institute of Standards and Technology (NIST), namely SHA-256 hashing and 2048-bit RSA keys (or equivalent) for digital signatures
  • Long-term digital signatures that include a digitally signed and trusted RFC 3161 timestamp from a trusted Time Stamp Authority (TSA)
  • Solutions that enforce user authentication before allowing access to the signing key (bulk signing of such documents is not permitted)

Security is paramount within the pharmaceutical industry, and if you are considering implementing an e-signature solution, ensure you can prove compliance with the necessary regulations.

Marrying strong security with a great user experience can be achieved using remote signing techniques.

Such solutions use a unique signature key for every user, but the keys are held centrally on a secure server in the cloud. Users are authenticated via multiple channels before the use of their remote signing key is authorised. With this approach there is no need for specialist hardware tokens, or for software to be installed locally by the user; instead, advanced digital signatures are possible from anywhere, including from smartphones and tablets.
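The following is an added example, not code from this post or from any vendor’s product, that shows the shape of the controls described above in one small Go program: one 2048-bit RSA key per user that never leaves the server, SHA-256 hashing of the document, authentication on every signing request before the key is touched (so no session can bulk-sign), and a time-stamped audit trail that records denied attempts as well as successful ones. It is a simplification in three ways that are marked in the comments: the second factor is a pre-shared one-time code standing in for a real out-of-band channel, the password is stored as a plain SHA-256 hash rather than with a slow KDF, and the timestamp comes from the server clock instead of an RFC 3161 TSA token. It also produces a raw PKCS#1 v1.5 signature rather than a PAdES-wrapped PDF; the names `SigningService`, `Register`, `Sign` and `Verify` are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEntry records who asked to sign what, when, and with what outcome.
type AuditEntry struct {
	User    string
	Action  string
	DocHash string    // hex SHA-256 of the document presented for signing
	When    time.Time // server clock (UTC); a real system would add an RFC 3161 TSA token
	Outcome string
}

// account holds one user's credentials and that user's own 2048-bit RSA key,
// which is generated and kept server-side and never handed out.
type account struct {
	passHash [32]byte
	otp      string // constructed stand-in for a second, out-of-band factor
	key      *rsa.PrivateKey
}

// SigningService is a toy central (remote) signing server.
type SigningService struct {
	accounts map[string]*account
	Audit    []AuditEntry
}

func NewSigningService() *SigningService { return &SigningService{accounts: map[string]*account{}} }

// Register creates a unique signing key for a new user.
// Plain SHA-256 of the password is a demo shortcut; use a slow KDF in practice.
func (s *SigningService) Register(user, password, otp string) error {
	if _, exists := s.accounts[user]; exists {
		return errors.New("user already registered")
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	s.accounts[user] = &account{passHash: sha256.Sum256([]byte(password)), otp: otp, key: key}
	return nil
}

// record appends one audit line (successes and denials alike) and returns it.
func (s *SigningService) record(user, docHash, outcome string) AuditEntry {
	e := AuditEntry{User: user, Action: "sign", DocHash: docHash, When: time.Now().UTC(), Outcome: outcome}
	s.Audit = append(s.Audit, e)
	return e
}

// authenticate checks both factors in constant time; both must pass.
func (s *SigningService) authenticate(user, password, otp string) (*account, bool) {
	a, ok := s.accounts[user]
	if !ok {
		return nil, false
	}
	h := sha256.Sum256([]byte(password))
	pwOK := subtle.ConstantTimeCompare(h[:], a.passHash[:]) == 1
	otpOK := subtle.ConstantTimeCompare([]byte(otp), []byte(a.otp)) == 1
	return a, pwOK && otpOK
}

// Sign authenticates the user for this one document and only then uses the key.
// Credentials are presented per call, so there is no session that could bulk-sign.
func (s *SigningService) Sign(user, password, otp string, doc []byte) ([]byte, AuditEntry, error) {
	digest := sha256.Sum256(doc)
	docHash := hex.EncodeToString(digest[:])
	a, ok := s.authenticate(user, password, otp)
	if !ok {
		return nil, s.record(user, docHash, "denied: authentication failed"), errors.New("authentication failed")
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, a.key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, s.record(user, docHash, "error: "+err.Error()), err
	}
	return sig, s.record(user, docHash, "signed"), nil
}

// Verify checks a signature against the named user's public key.
func (s *SigningService) Verify(user string, doc, sig []byte) bool {
	a, ok := s.accounts[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(&a.key.PublicKey, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	svc := NewSigningService()
	_ = svc.Register("alice", "correct horse battery", "482913") // constructed demo credentials
	doc := []byte("Batch record 0042: released for packaging")      // constructed sample document
	sig, entry, err := svc.Sign("alice", "correct horse battery", "482913", doc)
	fmt.Println("signed:", err == nil, "verifies:", svc.Verify("alice", doc, sig))
	fmt.Println("audit:", entry.When.Format(time.RFC3339), entry.User, entry.DocHash[:16], entry.Outcome)
	_, denied, _ := svc.Sign("alice", "correct horse battery", "000000", doc) // wrong second factor
	fmt.Println("audit:", denied.Outcome)
}
```

Two properties worth checking when evaluating a real product are visible here: a modified document fails verification because the signature covers its SHA-256 digest, and a signature made under one user’s key does not verify under another’s, which is what makes the signature attributable to one individual.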

More detail on 21CFR11 is available here.
