21 CFR Part 11 Compliance
Electronic Signatures and Documents
In recent years, the use of electronic signatures in clinical research has become more common and at times a necessity. In addition, it has become common to see wet-ink documents scanned and utilized electronically. While your clinical trial sponsors may approve the use of electronic signatures and documents, it is important to remember that there are federal regulations (i.e. 21 CFR Part 11) that guide its appropriate use.
Study teams and investigators are ultimately responsible for understanding which electronic documents generated in the context of conducting clinical research must be signed and/or maintained in compliance with 21 CFR Part 11 and for assuring that these guidelines are followed.
What is 21 CFR Part 11 Compliance?
21 CFR Part 11 refers to the automated collection, processing and analysis of research information which results in the creation of an electronic record. This regulation applies to all electronic records*, electronic signatures, and handwritten signatures converted to electronic format. Part 11 outlines the federal requirements that help to ensure that electronic records are trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
This is of the utmost importance in clinical research where we know the informed consent of participants and delegation of responsibilities are heavily regulated.
This regulation is further described in Subparts B and C, found below.
Subpart B – Electronic Records
Electronic Record: any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
When you automate collection, processing, and analysis of research information, you are creating an electronic record. If a research site owns, controls, or operates its own systems with electronic FDA-regulated records, 21 CFR Part 11 applies. This is applicable for electronic records such as:
- Signed consent forms
- Source documentation
- Institutional Review Board (IRB) records
- Drug accountability logs
- Delegation of authority logs
- Other records required to be kept by the site per FDA regulation
11.10 Closed Systems
Closed system: an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
If the persons responsible for the content of electronic records also have control of system access, the system is ‘closed’.
Individuals who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of these records, and to ensure that the signer cannot readily dismiss the signed record as not genuine.
Such procedures and controls include the validation of systems, protection of records, and limiting system access to authorized individuals. For a comprehensive list of procedures and controls please see § 11.10 Controls for closed systems.
11.30 Open Systems
Open system: an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.
If the persons responsible for content of electronic records do not have control of system access, the system is ‘open’.
Individuals who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt.
For a comprehensive list of procedures and controls please see § 11.10 Controls for closed systems. As appropriate, additional measures may include document encryption and use of appropriate digital signature standards.
11.50 Signature Manifestations
(a) Signed electronic records must contain information that indicates all the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section are subject to the same controls as for electronic records. They are also included as part of any human readable form of the electronic record, such as electronic display or printout.
11.70 Signature/Record Linking
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
Subpart C – Electronic Signatures
When you automate the process of an individual authorizing an action, you have created an electronic signature. In addition to the controls required for electronic records, 21 CFR Part 11 contains requirements to assure the agency that electronic signatures are the legally binding equivalent of a person’s handwritten signature.
11.100 General Requirements
The system in place for collecting electronic signatures must meet the guidelines outlined in 21 CFR Part 11. Some requirements include (a) that each electronic signature be unique, (b) that the identity of the individual be verified, (c) certification that the signatures are legally binding equivalent of handwritten signatures.
For detailed information on general requirements, components and controls, and controls for identification codes/passwords: please refer to 21 CFR Part 11.
Do I need to follow 21 CFR Part 11 Compliance?
If you are conducting an FDA-regulated study and you are utilizing either electronic records or electronic signatures, you are obligated to maintain 21 CFR Part 11 compliance.
If you are conducting research that is not FDA-regulated, you are not required to follow 21 CFR Part 11 compliance, however, it would be considered best-practice.
If your study is sponsored, you may also be asked to confirm that you are using 21 CFR Part 11 methods/platforms.
Note: If your study specifically has IRB approval for handwritten informed consent, you must continue to obtain signed consent. If you wish to utilize e-consenting, then you must submit a modification to the IRB and receive approval before utilization.
What resources are available to researchers at Rutgers? (Part 11 DocuSign, REDCap, & Advarra eREG)
Rutgers’ investigators have access to REDCap, eReg, and a Part 11 compliant version of DocuSign. These methods are compliant with the FDA’s regulation at 21 CFR Part 11 for electronic signatures (commonly referred to as “Part 11”). REDCap and DocuSign (Part 11 compliant version) can be used to collect electronic signatures on consents, HIPAA Authorizations, and other research regulatory documents. eReg is Part 11 compliant and can be used to store regulatory documents and collect Part 11 compliant signatures on regulatory documents. eReg is unable to be used to collect signatures on consents and HIPAA Authorizations.
Note: If utilizing REDcap to collect informed consent signatures and HIPAA authorization, you must ensure that the project is built in a manner that is consistent with Part 11 requirements. The project must also be in “Production” to ensure that audit trails are maintained and be accompanied by a detailed enrollment note that outlines verification of the signer’s identity.
Studies not regulated by the FDA may use a regular platform version to collect research signatures, however, it may still be considered a best practice to use Part 11 compliant processes and systems.
What documents require 21 CFR Part 11 Compliance?
21 CFR Part 11 applies to all electronic records or electronic signatures that occur in an FDA regulated study. Some examples include but are not limited to those listed below:
Document | Method of signature collection available |
FDA Form 1572 | eReg & Part 11 Compliant DocuSign |
Delegation of Authority | eReg & Part 11 Compliant DocuSign |
Training Logs | eReg & Part 11 Compliant DocuSign |
Consents/Assents/HIPAA | REDCap* & Part 11 Compliant DocuSign |
Protocol Signature Pages | eReg & Part 11 Compliant DocuSign |
Investigator Brochure Signature Pages | eReg & Part 11 Compliant DocuSign |
Sponsor Acknowledgement Forms | eReg & Part 11 Compliant DocuSign |
Sponsor COI/Financial Disclosure Forms* | eReg & Part 11 Compliant DocuSign |
Any documents specified by sponsor policy | Part 11 Compliant DocuSign |
* These are sponsor-specific COI & Financial Disclosure Forms. These are in addition to any local institutional COI and Financial disclosures
DocuSign – Part 11 Compliant Version
DocuSign is a digital signing software used to send documents online and collect electronic signatures remotely. Senders are able to upload documents to an electronic envelope, add fields for signature and date, and send the envelope to a specified recipient via email.
DocuSign eSignature and DocuSign Part 11 accounts are HIPPA compliant.
Features
- Easily upload and send documents electronically for digital signature.
- Quickly access and sign documents that require signature.
- Readily check a document’s status, send reminders, view audit trails, and securely store online.
- Create templates using existing forms to help streamline the entire process.
- Oversee document workflow by identifying and managing recipients and routing.
- Make forms available online allowing for self-service and ease of accessibility.
- Supports the FDA’s 21 CFR Part 11 regulations for electronic documentation and digital signatures when necessary.
Benefits
- Legally Binding: DocuSign signatures meet requirements of both the US Electronic Signatures in Global and National Commerce (ESIGN) Act and the Uniform Electronic Transactions Act (UETA) and are recognized as valid under US law.
- Secure: Approved by the ISO for use with confidential information when all security best practices are observed.
- FDA Compliant: DocuSign offers 21 CFR Part 11 electronic signatures which ensure the university is compliant with FDA policies.
- Fast and Efficient: eSignature reduces turn-around time and manual staff labor, and provides the opportunity to increase efficiency.
- Green and Sustainable: Processes can be completely paperless, cutting down on the need to print and store copies, eliminating mailing related costs, and external imaging.
- Global and Available 24/7: Provides faculty, students, and staff a secure, effective, and fast way to sign and return documents anytime, anywhere in the world.
For more information please visit: DocuSign Part 11 Compliant
How do I get access to DocuSign?
DocuSign Part 11 Compliant Version:
Anyone responsible for collecting signatures within for clinical research documents should request access. Signers, such as investigators, may be prompted to make a password for DocuSign. This password will be entered again when they apply their electronic signature.
To gain access please fill out this form.
Note: If you have access to standard DocuSign, you will need to ensure that you switch to the Part 11 Compliant version, prior to sending out your documents to be signed (Instructions Attached). Additionally, if you are using DocuSign for obtaining Informed Consent and HIPAA Authorization, please inform your research participant that they may be asked to make a password for a DocuSign account. This password will again be used when they sign the document.