How to Get Data, Documents and Signatures FDA Compliant

Are you doing business with or through the FDA? Does your business or operation have compliance requirements that are regulated by the FDA? Asked another way, do you contract or interact with biotechnology, drug and medical equipment manufacturers, healthcare, laboratory or medical records and related service companies? If so, even just a little bit, then you may be bound by the FDA Regulation Title CFR 21 Part 11.

For the most up-to-date version of CFR Title 21, go to the Electronic Code of Federal Regulations (eCFR).

To summarize, the FDA has imposed various regulations in the form of “Code of Federal Regulations 21” (CFR21) as a response to soaring costs and security concerns associated with managing the distribution, storage and retrieval of records. Biotechnology, pharmaceutical, drug and medical manufacturers regulated by the FDA need to be aware of the CFR21 regulations surrounding the protection and privacy of consumer data, management of electronic documents and the acceptance requirements for electronic documents and signatures.

Those contracting with any of the above types of companies may also be subject to compliance. The US Regulation Title CFR 21 Part 11 specifically regulates Electronic Records and Electronic Signatures or ERES. In addition, as Part 11 applies to what we do here at GlobalSign, there are security concerns around hand written signatures that have emerged as it became increasingly evident that these signatures, including the content they were assigned to, could be easily falsified.

CFR 21 Part 11 in particular outlines the criteria for which ERES are considered trusted, reliable and equivalent to paper records. Let’s walk through the basics of the definitions, core regulations and how implementing PDF Signing Certificates can help organizations meet some of the requirements associated with CFR 21 Part 11, specifically those around signatures.

ERES Spelled Out: Trusted – Reliable – Equivalent to Paper Records

As previously stated, Electronic Records and Electronic Signatures or ERES, as outlined in CFR 21 Part 11, can be controlled and managed by a number of vendor solutions (including GlobalSign’s), although it is important to note that, complete compliance will require other resources and organization activity beyond the use of any single vendor’s certificates.

More specifically, when working with electronic records, the solution you choose must comply with detailed specifics of the regulation, including:

• Controls for Closed Systems
• Controls for Open Systems
• Signature Manifestations
• Signature/Record Linking
• Electronic Signature Components and Controls
• Controls for Identification Codes/Passwords

For this post, we’re focusing on the signature/record linking item from above.

Definitions, if you please…

First off, let’s get some definitions out of the way, as they are listed exactly within the regulation:

Digital Signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

Electronic Signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.

Handwritten Signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.

A full list of related definitions may be found within the regulation itself.

Meeting CFR 21 Part 11 Electronic Signature Requirements with Digital Certificates

CFR 21 lays out specific requirements for Electronic Signatures, including manifestations and linking to the record or document. Digital Signatures, a type of electronic signature defined above, meet these requirements. For details on how Digital Signatures map to these requirements, please see our audit guide. To apply a Digital Signature, you first need a Digital Certificate, which is kind of like an electronic passport.

How to Obtain PDF Signing Digital Certificates

For PDF documents (the most commonly used in these related industries), it is standard that all Digital Certificate signing solutions be part of the Adobe Approved Trust List (AATL) that produce explicitly trusted signatures in Adobe Reader and Acrobat Standard and Professional software. The type of certificate license you may need will depend on the number of users that will require signatures, for instance:

• Individual Certificates: Ideal for an individual with the need to sign PDFs.
• Certificate Packs through Managed PKI Account: Ideal for organizations with multiple individuals with the need to sign PDFs and have the added benefit of managing all certificates in a central location. This offers bulk discounts and centralizes lifecycle management including issuing, renewing, revoking and reissuing.

More Resources to Get Started with FDA-Compliant Digital Signatures

Despite efforts to go paperless, many biotech, pharma, healthcare and related organizations still find themselves relying on paper when it comes to applying signatures, which is impractical and inefficient. Digital Signatures are a tried and trusted alternative to wet ink signatures and enable online workflows. It is highly suggested that anyone working in any IT infrastructure read the eBook: An Introduction to Digital Signatures. This short compendium outlines the drawbacks to relying on paper, what a Digital Signature is and how they work, what to look for in a Digital Signature solution and how to choose the right Digital Signature solution for your organization.

Another popular way IT and security administrators bone up on compliance regulations for electronic documents and signatures is through the webcast video recording: Trusted Digital Signatures: Regulations & Deployment Options. This video walks you through the process, industries and regulations behind Document Signing, including the benefits and roadblocks to going paperless, Electronic Signatures vs. Digital Signatures, compliance and technology motivators and enablers, as well as specific global regulations, including:

• CFR 21 Part 11, ESIGN Act, and UETA (US)
• EMA eSignature Capabilities (EU)
• eIDAS electronic identification and trust services (EU)

Here at GlobalSign, we have created our own bible for complying with CFR 21 Part 11 signature requirements, and it is the free PDF: CFR 21 Part 11 Audit Support -Using GlobalSign’s PDF Signing Certificates. This document carefully walks you through the above-highlighted requirements and how to install and manage GlobalSign PDF Digital Certificate solutions to meet CFR 21 Part 11 compliance.

Still have questions? No problem – we would love to answer them, no matter the solution or vendor you choose for your Digital Certificate compliance requirements.