By Kyle Neuman, managing director, SAFE Identity
21 CFR Part 11, the regulation on electronic records and electronic signatures, causes sleepless nights for many quality control experts and directors of regulatory compliance whose companies are subject to inspections by the FDA. These companies include Contract Research Organizations (CROs) and pharma companies that operate clinical trials producing records that fall within the scope of the regulation. The FDA has released guidance on the 2,500-word regulation to bring more clarity to the scope and intent of its controls; however, compliance remains a moving target due to the nature of FDA inspections.
To make matters more confusing, many companies miss the fact that all assertions made by vendors who claim their products are 21 CFR Part 11 compliant are just that: self-assertions. In reality, there is no certification program accredited or authorized by the FDA to certify vendor products for 21 CFR Part 11 compliance. Furthermore, 21 CFR Part 11 applies to the implementation of products and services in a healthcare organization’s environment, not to the products themselves, thereby making compliance impossible to achieve for vendor products. Some vendors may argue that their products were included in a customer’s computer system validation as part of 21 CFR Part 11 compliance, but this fails to account for the responsibilities assumed by the healthcare organization in order to achieve compliance as part of the overall process.
Due to a lack of discussion and collaboration in this area, individual companies may feel that they are in this alone as they work to achieve regulatory compliance. Such lack of discussion can result in a lot of guesswork and the expenditure of consulting fees on experts in support of satisfying the requirements of the regulation.
Defining 21 CFR Part 11
Digital records are considerably less expensive overall due to gains in efficiency, storage, and time-to-market when compared to paper records; however, they are vulnerable to cyberattack and compromise if not properly managed and protected. The recent upward trend in virtual clinical trials further underscores the importance of digital record management. 21 CFR Part 11 defines controls for the retention, submission, integrity, and confidentiality of digital records that fall into scope of the regulation. Such controls are necessary and represent best practices for managing digital records with competence.
21 CFR Part 11 is broken out into three subparts:
- General provisions for the regulation
- Controls governing open and closed record management systems
- Controls supporting electronic signatures
The second subpart defines controls supporting record retention, auditing, and organizational processes, and discusses how digital record integrity is intertwined with electronic signatures. The final subpart lays out specific controls for the use of electronic signatures.
Understanding The Difference Between Electronic And Digital Signatures
The electronic signature plays an important role in 21 CFR Part 11 compliance. However, not all electronic signatures are created equal, and it is important to understand the differences between electronic signatures in general and a specific breed of electronic signature, known as the digital signature.
21 CFR Part 11 defines electronic signatures as:
“A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.”
By contrast, 21 CFR Part 11 defines digital signatures as:
“Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”
Put simply, a digital signature is a secure, standards-based electronic signature that is resistant to forgery, detects any alteration of the information after the signature has been applied, and positively identifies the source of the signature. All digital signatures are electronic signatures, but not all electronic signatures are digital signatures.
A recent 21 CFR Part 11 guidance document published by SAFE Identity, a healthcare-focused industry consortium and certification body, stated:
“SAFE Identity does not recognize non-cryptographic electronic signatures as a competent means of expressing non-repudiation of the signer, due to the risk of forgery, and therefore, advises against their use for this purpose.”
This is not a new concept for many healthcare organizations, whose interest in digital signatures led to the establishment of the SAFE Identity consortium (formerly known as the SAFE-BioPharma Association).
Digital signatures provide the means to cryptographically ensure a document’s contents have not changed since the document was signed and strongly associate the signer with the document. Some of the most commonly signed documents are produced using Portable Document Format (PDF) and, because the digital signatures are based on well-established international standards, they have a common look and function whenever used to sign or verify a document. By relying on digital signature standards, organizations can prevent being “locked in” to vendor products built on proprietary technology that may not be interoperable with other document signing and verification platforms and whose processes may not provide the level of protection needed.
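To make the distinction concrete, the following is an added example (not code from the article or from SAFE Identity) that puts a non-cryptographic electronic signature, a typed "/s/ Name" attestation, side by side with a digital signature. It uses Ed25519 from Go's standard library as a stand-in for the standards-based signature formats the article refers to; the record bytes and signer name are constructed for the example, and a real PDF signature would sign a digest of the covered byte range in the same way. The three checks show exactly the properties named above: the signature verifies over the original record, fails once a single byte of the record changes, and cannot be reproduced by a party holding a different key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NonCryptoESignature models the weakest form of electronic signature under
// Part 11: a typed symbol appended to the record. Nothing in it depends on the
// signer's secret or on the record contents, so it offers no non-repudiation.
func NonCryptoESignature(signerName string) string {
	return "/s/ " + signerName
}

// NewSignerKey creates the signer's credential: a private key the signer must
// keep in sole possession and a public key that relying parties use to verify.
func NewSignerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// recordDigest hashes the record bytes; document signature formats sign a
// digest of the covered bytes rather than the raw document.
func recordDigest(record []byte) []byte {
	d := sha256.Sum256(record)
	return d[:]
}

// SignRecord produces a digital signature bound to both the signer's key and
// the exact record contents.
func SignRecord(priv ed25519.PrivateKey, record []byte) []byte {
	return ed25519.Sign(priv, recordDigest(record))
}

// VerifyRecord returns true only if sig was produced over exactly these record
// bytes by the holder of the private key matching pub.
func VerifyRecord(pub ed25519.PublicKey, record, sig []byte) bool {
	return ed25519.Verify(pub, recordDigest(record), sig)
}

// SignatureScenario is the outcome of the three checks a relying party cares about.
type SignatureScenario struct {
	OriginalVerifies bool // integrity and origin intact
	TamperedVerifies bool // must be false: contents changed after signing
	ForgedVerifies   bool // must be false: a different key signed the record
}

// RunScenario signs a constructed record and evaluates the three checks.
func RunScenario() (SignatureScenario, error) {
	var s SignatureScenario

	// Constructed sample record (e.g. a case report form export).
	record := []byte("Subject 042, Visit 3, Adverse Event: none, Investigator: Dr. Example")

	pub, priv, err := NewSignerKey()
	if err != nil {
		return s, err
	}
	sig := SignRecord(priv, record)
	s.OriginalVerifies = VerifyRecord(pub, record, sig)

	// Alter one byte of the record after signing; verification must fail.
	tampered := append([]byte{}, record...)
	tampered[len(tampered)-1] ^= 0x01
	s.TamperedVerifies = VerifyRecord(pub, tampered, sig)

	// A second party with its own key cannot produce a signature that the
	// original signer's public key accepts.
	_, otherPriv, err := NewSignerKey()
	if err != nil {
		return s, err
	}
	forged := SignRecord(otherPriv, record)
	s.ForgedVerifies = VerifyRecord(pub, record, forged)

	return s, nil
}

func main() {
	fmt.Println("non-cryptographic e-signature:", NonCryptoESignature("Dr. Example"))
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v, forged verifies: %v\n",
		s.OriginalVerifies, s.TamperedVerifies, s.ForgedVerifies)
}
```

The typed attestation returned by NonCryptoESignature is identical no matter who produces it, which is why it cannot by itself express non-repudiation; the digital signature, by contrast, is checked against the signer's public key and the record bytes, so both the signer binding and the integrity claim are verifiable by any relying party.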
Establishing Trust In Digital Credentials
Another important component in 21 CFR Part 11 subpart C is the subject of identity binding controls. Such controls must be considered when applying digital signatures because a digital signature is a combination of a digital credential representing a human and a software application that uses the credential to sign a document in a way that adheres to an industry standard format. In a highly collaborative environment like clinical trials, cross-organization interoperability is particularly important and is only achievable through the adoption of commonly agreed-upon industry standards.
The controls include requirements concerning the sole possession of the credential by the signer and the identity verification of the signer. Assurance that a credential provider meets these requirements must be gleaned from the processes the provider uses to issue credentials. The processes used to bind an identity to a credential vary from provider to provider; thus, it is fair to say that not all credentials used to sign documents are created equal, which contributes to varying levels of trust in the digital signature credential market. This challenge is addressed through the use of a Trust Framework: a mechanism that establishes industry-agreed criteria against which credential providers are certified, in order to drive consistency and trust in credentials throughout a particular industry.
Achieving Compliance With 21 CFR Part 11
A plethora of document management system and digital signature products can be used to satisfy various aspects of 21 CFR Part 11. To help make better buying decisions, organizations should leverage product testing programs for digital signature products that lend insight into the capabilities, interoperability, and technical competence of the products being procured to ensure industry standards are adopted properly.
Organizations should also select credential providers that have been certified by a Trust Framework, to ensure the provider issues credentials in compliance with industry standards that have been independently certified by a third party rather than self-asserted. Some Trust Frameworks also ensure legal interoperability between the credential providers they certify and the participants that rely on the Trust Framework. Another benefit Trust Frameworks can offer is the ability for credentials to interoperate with government bodies such as the FDA, and even the European Medicines Agency (EMA), through government certifications such as the Federal Identity, Credential, and Access Management (FICAM) Program.
As another resource, the SAFE Identity Document Management System Working Group recently published implementation guidance concerning 21 CFR Part 11 for the life sciences industry, which healthcare organizations may find useful to gain insights into how some members of the SAFE Identity Trust Framework interpret the regulation.
The guidance defines a set of responsibilities necessary for satisfying each control in 21 CFR Part 11. It divides involved parties into categories and then provides strategies and context that help explain the responsibilities for each category needed to implement each control. With this guidance, organizations can map a path to compliance by understanding what is necessary from all parties at every step of the process.
In principle, healthcare organizations should consider the intent behind the controls stipulated in 21 CFR Part 11 when devising processes and selecting vendor products in the pursuit of compliance. Such controls serve as good guiding principles for managing electronic records regardless of whether the records fall within the scope of the regulation. As such, organizations are best served by adopting strong electronic record processes across the organization to maximize the benefits of the work that goes into achieving compliance.
About The Author
Kyle Neuman is managing director and cryptography engineering leader at SAFE Identity (formerly SAFE-BioPharma Association), an industry consortium and certification body supporting identity assurance and cryptography in the healthcare sector. Kyle develops technical standards on public-key cryptography, blockchain cryptography, key management, and multi-factor authentication for both government and private sectors.