Maintaining 21 CFR Part 11 compliance for eSignatures: How signNow gets it done

The food and drug industry in the U.S. is subject to strict federal regulation. Hence, the software systems that provide companies with solutions for digital document management, including electronic signatures, are required to comply with the corresponding governmental standards and guidelines issued by the FDA (Food and Drug Administration). These standards aim at ensuring the security and authenticity of electronic records created and managed by food and drug companies. They also allow businesses to use digital document workflows as a completely legitimate alternative to paper-based processes and wet-ink signatures.

signNow caters to food manufacturers, pharmaceutical companies, and life science organizations by providing them with a comprehensive eSignature platform that fully complies with FDA 21 CFR Part 11. Meeting the requirements of this standard is achieved through the implementation of an array of security features and safety measures that ensure the legality and efficiency of signNow eSignatures for the food and drug industry.

What exactly are the requirements of Title 21 CFR Part 11? How does signNow maintain compliance with the standard? And what makes our eSignature solution suitable for FDA-regulated businesses? Read on to find out.

What is 21 CFR Part 11?

CFR stands for the Code of Federal Regulations responsible for producing a range of administrative laws issued by various government agencies of the United States of America. The Code consists of fifty titles, each applicable to a specific area. The 21st title of the CFR specifies regulations that pertain to the food and drugs industry. Part 11 of CFR Title 21 contains the guidelines established by the Food and Drug Administration of the United States (FDA) that regulate the usage of electronic signatures and records. 

Every organization that specializes in the manufacturing of food products and beverages, pharmaceuticals, cosmetics, and medical equipment are required to follow CFR 21 Part 11. For more details on this set of regulations, please refer to the FDA’s official guidance paper.

Watch the video below to learn more on how signNow Maintains 21 CFR Part 11 Compliance for eSignatures:

What are the FDA’s 21 CFR Part 11 requirements?

Control requirements for electronic signatures and records:

• Section 11.50(a): An FDA-approved electronic signature must have a signer’s printed name, date and time of signature execution, and the meaning of the signature (review, approval, responsibility, or authorship).
  
• Section 11.50(b): An eSignature must be readily viewable and cannot be disabled in order to ensure its authenticity and prevent any tampering once a document is signed.
  
• Section 11.70: Electronic signatures must be bound to corresponding electronic records to eliminate the possibility of removing, replacing, copying, or otherwise transferring signatures from documents.
  
• Section 11.100(a) & (b): Signers must be properly identified to be able to use their eSignatures.
  Electronic signatures are required to be unique and must not be used by other signers.
  
• Section 11.200(a): Signatures that are not based on biometrics must be properly authenticated via non-biometric means (such as two-factor authentication, passwords, etc.). Secure encryption methods should be in place to guarantee the protection of electronic records.

Customer responsibility requirements:

• Section 11.10(i): Customers must have the education, training, and experience required to use and maintain eSignature systems.
  
• Section 11.10(j): A set of written policies must be established and adhered to in order to hold eSignature users accountable and responsible for the actions that ensue from applying their signatures.
  
• Section 11.100(c): Signers must consent to the usage of electronic signatures as direct and legally binding equivalents of their handwritten signatures.
  
• Section 11.300(b): User passwords must be revised on a regular basis to prevent password aging, compromising, or potential theft.
  
• Section 11.300(c): Proper loss management procedures must be in place to deauthorize compromised, lost, or stolen passwords and identification codes. Customers should be held responsible for documenting this information.
  
• Section 11.300(e): Initial and periodic testing must be conducted for devices used to generate identification and password data.

signNow’s 21 CFR Part 11 compliance checklist

To comply with the Title 21 CFR Part 11 requirements mentioned above, signNow has developed its features around the FDA’s guidelines. Due to strong security measures and risk prevention mechanisms, users in the food and drug industry can effectively switch to paperless workflows involving eSignatures without encountering any compliance-related issues.

Control requirements compliance:

• Signature stamps: signNow displays a user’s electronic signature along with their printed name, signing date, and time.
  
• Audit Trail: signNow users and approved parties can easily retrieve a full history of any document. The audit log contains timestamps and IP addresses associated with every signing event or change made to a document. Such transparency and traceability of electronic records ensure the legality of eSignatures and prevent any kind of tampering with your documents.
  
• Digital certificates: This authentication method ensures that users can track all the changes to their documents anytime and that signatures can be viewed in their original form, which deters the falsification of electronic records.
  
• Signature IDs: Every signNow eSignature is linked to an electronic record via a unique ID code, which prevents signatures from being removed or replaced after signing. Each signature ID is associated with a corresponding user ID for authorization and security purposes.
  
• Signer name requirement: Before signing a document electronically, recipients must first provide their full name to confirm their identity.
  
• Two-factor authentication: signNow users can prevent unauthorized access to their documents by requesting signers to verify themselves via a password, phone number, or text message (SMS).
  
• Advanced encryption: signNow maintains the safety of electronic records at transfer and at rest with Secure Sockets Layer (SSL) and AES-256 bit encryption. signNow only stores one-way encrypted passwords.

Customer responsibility compliance:

• Training and education: signNow provides customers with all the necessary training and support to use its eSignature systems with efficiency and accountability. Customers are responsible for following the assistance guidelines provided by signNow.
  
• Documented policy: The signNow eSignature platform has established policies for using its systems safely and responsibly (validation policy, procedures for disaster recovery, system access and security, document control, etc.), which are regularly reviewed and approved. Following the best business practices and keeping the policies up-to-date allows signNow to maintain industry-leading compliances and ensure the continuity of customers’ business processes.
  
• Legal disclosure: This information is provided to customers upon request to ensure that signers are fully aware and acknowledge that their electronic signature exerts the legal equivalence of their handwritten signature.
  
• Account passwords: signNow passwords consist of at least 6 characters, including upper and lower case Latin letters and numbers. signNow users are responsible for periodically updating their passwords.
  
• Signer deauthorization: To prevent a party from accessing and signing a document (for example, when it is accidentally sent to the wrong signer), users can recall or cancel a sent eSignature request, and thus, terminate user access.
  
• Session inactivity timeouts: Users can define how long signNow will remain available in background mode before they are automatically logged out due to inactivity. signNow users will have to log in once again by entering their credentials.
  
• Regular tests and bug fixes: signNow regularly examines its systems, runs vulnerability tests, conducts 21 CFR Part 11 compliance assessments, and releases patches and bug fixes to ensure the stability and security of the platform. Testing and scanning information is available upon request.

How to enable full CFR 21 Part 11 compliance for your signNow account?

If you are looking to switch to paperless workflows and streamline your signature processes, signNow can help you with a seamless transition. In case your organization is subject to the FDA’s regulations, your account will be properly configured to meet 21 CFR Part 11 software requirements, so you won’t have to worry about getting things right on your own. All you need to do is contact our support team and they will take care of the rest.

Once our representatives activate the full 21 CFR Part 11 support for your account, the following settings will take effect:

• Dual-factor authentication will be enabled for all signers who receive your eSignature invites.
• Your Organization Admin will receive an email notification each time an attempt is made to log in to the system. This is to prevent unauthorized access to your signNow accounts.
• User accounts will lock after six or fewer unsuccessful login attempts (this is configurable).
• Users in your signNow Organization will be able to export document histories (Audit Trail) and deliver them via email.
• Mobile web access to your Organization will be disabled for security reasons. However, users will be able to access their accounts from mobile devices via the signNow apps for iOS and Android.
• Session timeout due to user inactivity will be set to 30 minutes (this can be configured to up to 90 minutes).

How do businesses benefit from 21 CFR Part 11 electronic signatures?

eSignatures are gradually becoming an integral part of business processes in a growing number of industries, including food and drug. The flexibility and efficiency they offer are in ever-increasing demand in a post-COVID era when most work is done remotely.

For FDA-regulated businesses, eSignatures hold plenty of potential for streamlining operations and eliminating overhead. Electronic signing can be effectively implemented in production, procurement, and distribution processes, as well as employee management and hiring, contracting, and sign-off workflows.

• Managers, executives, QA officers, and senior employees can use eSignature software to approve and validate documents off-site using any device, without having to be at the office or production facility. Being able to sign off remotely ensures the continuity of business operations and frees up a lot of time for C-level executives to attend to more strategic tasks.
  
• For administrative staff, compliant eSignatures can significantly increase productivity and reduce the overhead associated with repetitive paperwork routines typically carried out manually. The possibility of preparing contracts, agreements, and invoices digitally and then sending them for eSignature via email eliminates the need to waste hours on printing, scanning, and mailing documents the old way.
  
• Customers and partners of a business adopting eSignatures can also benefit from the intuitive and fast signing process on any desktop or mobile device. Since there’s no need for in-person meetings and tedious hard copy signing, a business comes off as more approachable and easy to deal with.

Looking for relevant use cases? Learn how a life science company uses signNow to save time and money on paperwork from our comprehensive case study.

Choose a 21 CFR Part 11 compliant eSignature solution for your business

Electronic signatures are making life easier in this busy digital age. Companies in various industries are adopting eSignature solutions to reduce labor costs and boost productivity for a wide scope of business operations. While the food and drug industry is not an exception, the implementation of paperless workflows must be carried out in strict compliance with the FDA’s standards for the security of electronic records.

signNow is a trusted eSignature provider that has the technology and experience needed to ensure the legality of your electronic signatures while keeping your data protected in accordance with the 21 CFR Part 11’s standards.