21 CFR Part 11: Electronic Signature & LMS compliance

The FDA’s data integrity requirement calls for evidence of authenticity. In other words, when someone—let’s call her Mary—is validated on a standard operating procedure (SOP), we need to ensure that she is authenticated, meaning that no one else was logged in to read the SOP for her. This is a part of individual responsibility in a life sciences company and implies liability in case of an incident, inspection, or audit. 

The data integrity requirement applies to any life sciences laboratory or manufacturing company that generates, maintains, edits, saves, and stores electronic records. Data integrity is critical for clinical studies where efficacy and non-toxicity are at stake, and constitutes the core of the activity. You wouldn’t want new drugs’ clinical research to be based on unreliable data or untraceable conclusions, would you? 

But data integrity should be seen as a chain of command. If a clinical research organization relies on a human resources management system and a training management system (TMS) to validate SOPs, these systems should be validated as well. If not, there’s a risk that any mistake in clinical studies from any employee or covered entity cannot be traced back to their initial training or validation. In other words, we need to know where, why, and when Mary started to introduce wrong logical analysis or biased data interpretation.

Did Mary click on “Read and Understood” without reading or without understanding? Was the SOP misleading? In this last case, who wrote the SOP? When and where was it validated, and who validated it as an internally accessible document? Here again, it’s all about liability. And our technical solution for liability is the electronic identification of individuals through electronic signatures. 

Where are electronic signatures mandatory?

Electronic signatures are required from researchers, covered entities, and business associates as part of research process validation. From a training perspective, this primarily includes three steps: SOP authoring, SOP publishing, and SOP validation by the trainee.

What is the link between electronic signatures and the audit trail?

Let’s start off with a few key definitions: 

  • An electronic signature is the computer data compilation of a series of symbols executed, adopted, or authorized by an individual (employee, covered entity member, patient, business associate) to be the legally binding equivalent of a handwritten signature.
  • An electronic record is any combination of data in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
  • The audit trail is a secure, computer-generated, time-stamped electronic record that allows reconstruction of the course of events relating to the creation, modification, and deletion of an electronic record—for instance, the training course of events.

The audit trail is the objective, and electronic signatures are a tool to reach that objective. Each time an employee signs electronically, the system records a log line that can later be displayed as evidence of a specific action, such as publishing an SOP, following an SOP, or getting a certificate. During an inspection, the quality manager or regulatory affairs manager should be in a position to query the audit trail logs and extract any content-based data, presented like this:

“Here is the evidence that on May 10, 2021, at 11 a.m., Mary read and understood SOP #201 Version 2.0 as released by Mike, the training manager, on February 4, 2021.” 

Electronic signatures: 

  • Remove the need for paper
  • Speed up the signature process
  • Improve compliance with logs and a digital audit trail

The regulatory compliance of electronic signatures

Electronic signatures have nothing to do with HIPAA or data privacy. They act as the mandatory tool through which data integrity and traceability are electronically recorded. 

During the initial and mandatory computerized system validation, the quality manager needs to check, document, and validate that electronic signatures are required in the key actions and events that are considered critical. The system should be tested along that use scenario. Screenshots can be made to document the process, and a data diagram should be added to the vendor audit. 

Electronic signatures vs. biometrics

Does your learning management system (LMS) use electronic signatures to store digital records? As a life sciences organization, your training management system must comply.

The FDA spells out how organizations should comply with 21 CFR Part 11. If your organization doesn’t require a biometric signature (such as a fingerprint) in your TMS, you need to follow these rules for electronic signatures: 

  • Make sure the user is the genuine owner. 21 CFR Part 11 requires electronic signatures to be signed only by the signer in question and no one else. You must verify every signer’s identity before they sign a document, which you can do by requiring a unique login. 
  • Create a two-step login for all users. 21 CFR Part 11 requires two forms of identification for an electronic signature. In an LMS, this can take the form of a username or login ID and a strong password that’s unique to each user.
  • Prove that login credentials are secure. Your LMS should ensure that each user’s login credentials are unique and only work for the user in question. 21 CFR Part 11 requires you to test credentials to make sure they stay secure over time. 
  • Record the reason for the signature. Why are you requesting this signature? 21 CFR Part 11 requires you to log the “signing reason” or an explanation for why you require a signature. Your system should also note the date and time of the signature to stay compliant. 
  • Ensure your LMS doesn’t allow improper use. Your LMS shouldn’t give all users access to sensitive information or records. 21 CFR Part 11 requires you to ensure users can’t delete records or access administrator-only data. 
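
The rules above and the earlier audit-trail definition can be seen working together in the following Python example, which is added here and is not Dokeos code or text from the regulation. The names `AuditTrail`, `enroll`, `sign`, `verify` and `evidence` are hypothetical, the users and passwords are constructed sample data, and the hash chain is an assumed way of making the trail tamper-evident.

```python
import hashlib, hmac, json, os
from datetime import datetime, timezone
def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Hypothetical append-only trail; exposes no update or delete method."""
    def __init__(self):
        self._users, self._entries = {}, []

    def enroll(self, user_id, password):
        if user_id in self._users:
            raise ValueError("user IDs must be unique")
        salt = os.urandom(16)
        self._users[user_id] = (salt, _pw_hash(password, salt))

    def sign(self, user_id, password, record, reason, when=None):
        # Both components (ID and password) are checked at signing time.
        salt, stored = self._users.get(user_id, (b"\0" * 16, b""))
        if not hmac.compare_digest(stored, _pw_hash(password, salt)):
            raise PermissionError("signature rejected")
        entry = {"signer": user_id, "record": record, "reason": reason,
                 "time": (when or datetime.now(timezone.utc)).isoformat(),
                 "prev": self._entries[-1]["hash"] if self._entries else "0" * 64}
        entry["hash"] = _digest(entry)
        self._entries.append(entry)

    def verify(self):
        # Assumed tamper-evidence scheme: each entry commits to the previous one.
        prev = "0" * 64
        for e in self._entries:
            if e["prev"] != prev or e["hash"] != _digest(e):
                return False
            prev = e["hash"]
        return True

    def evidence(self, user_id, record):
        return [f'{e["time"]} {e["signer"]}: {e["reason"]} {e["record"]}'
                for e in self._entries if (e["signer"], e["record"]) == (user_id, record)]

def demo():  # constructed sample data mirroring the Mary/Mike statement
    t = AuditTrail()
    t.enroll("mike", "constructed-pw-1"); t.enroll("mary", "constructed-pw-2")
    t.sign("mike", "constructed-pw-1", "SOP #201 v2.0", "released", datetime(2021, 2, 4, tzinfo=timezone.utc))
    t.sign("mary", "constructed-pw-2", "SOP #201 v2.0", "read and understood", datetime(2021, 5, 10, 11, tzinfo=timezone.utc))
    return t
```

Calling `demo().evidence("mary", "SOP #201 v2.0")` returns the line an inspector would ask for, and `verify()` returns `False` as soon as any stored entry is altered after the fact.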

In the rare case that you need to use biometric signatures in your LMS, 21 CFR Part 11 requires you to prove that no other user can use this biometric data. In other words, you should verify that not just any thumbprint will count as a signature; biometric data should be unique to each user. 

Master 21 CFR Part 11 compliance with Dokeos

21 CFR Part 11 compliance might sound intimidating, but with a validated TMS on your side, compliance is baked into the system. Dokeos is a validated TMS that allows you to collect legally binding signatures while complying with 21 CFR Part 11 out of the box. This provides the legal evidence your organization needs to avoid gaps in traceability and serves as proof in the event of an audit or inspection. The global quality manager’s ultimate objective is to ensure that no FDA Form 483 is issued at the end of an inspection, since Form 483 indicates a violation of the Food, Drug, and Cosmetic (FD&C) Act.


Speed up your LMS with the efficiency of electronic signatures. Stop worrying about 21 CFR Part 11 compliance and focus your energy on training your team instead. Put electronic signatures to work for your organization without the compliance headaches: Sign up now for a free trial of Dokeos.
