21 CFR Pt. 11 Software Requirements for Electronic Signature

Life sciences companies are experiencing a significant transformation in how they are working and adapting to uncertainty caused by the COVID-19 pandemic. Increased investment in personalized medicine, new global regulations, changing business models and the acceleration of digitalization are driving greater product variety and much shorter product life cycles. 

To meet these needs, companies must reimagine business processes that rely heavily on printing paper-based contracts and sending them via email. Scanning and printing are time-consuming, costly and prone to security and compliance risks. Implementing digital processes improves competitiveness, effectiveness and efficiency. One of the most impactful tools to enable this evolution is electronic signature.

By leveraging e-signature, life sciences companies can simplify their quality and regulatory documentation processes, accelerate product development, streamline clinical trial operations and global supply chain management while also managing compliance with FDA regulations like CFR Part 11. This ultimately results in faster time to market.

The DocuSign healthcare and life sciences team recently spoke with USDM Life Sciences consulting firm to understand how life sciences companies are using electronic signature for regulated documents. In this blog, we cover some of the key questions on this topic. 

Can you provide an overview of the CFR Part 11 regulation and what it means for regulated businesses?

David Blewitt, USDM Life Sciences: For non-regulated forms and non-GxP documentation, such as statements of work, sales contracts and purchase orders, a standard electronic signature can be used. DocuSign eSignature offers multiple options to verify a signer’s identity. Once recipients have signed the document, the document is stored electronically with a certificate of completion indicating the signature image, key event timestamps and the signer’s IP address.

For regulated GxP documents, CFR Part 11 outlines specific FDA requirements for the use of electronic signatures. In order to comply with CFR Part 11, electronic signatures must include:

  • The printed name of the signer
  • The date and time the signature was executed
  • A unique user ID
  • Digital adopted signature 
  • The meaning of the signature (labeled “signing reason”) 

The biggest difference when signing with a CFR Part 11 signature is that it requires additional verification that it’s really you signing. The system asks you for your username and password at each signing event so that you can verify that it was you who signed that document at three minutes past 10 a.m. on July 17th, for instance. 

The DocuSign Part 11 module for life sciences allows you to maintain a CFR Part 11 and non-CFR Part 11 e-signature account under the same user ID and credentials, enabling you to seamlessly switch between accounts to sign your documents depending on needs. Using the CFR Part 11 module, you can sign adverse events, training documentation, standard operating procedures, certificates of analysis, and batch records. In this module, you sign with your username and password and the CFR Part 11 module records the signing reason within the certificate of completion. You can also easily switch to your non-CFR Part 11 account to sign non-regulated forms, such as non-disclosure agreements, purchasing records or other agreements that do not need additional verification.

Regulated documents          | Non-regulated documents
-----------------------------|------------------------
Adverse events               | SOWs/MSAs
Training documentation       | KOL agreements
Standard operating procedures| Sales contracts
Certificates of analysis     | Employee hiring

Because transactions in regulated industries, like life sciences, as well as transactions in some foreign countries require additional levels of identity assurance, DocuSign offers digital signatures that include additional verification beyond simple electronic signatures. These digital signatures can also be used along with DocuSign’s Part 11 module.

Life sciences companies must validate technology and processes to meet regulatory requirements. Can you talk about how organizations are validating electronic signature technologies today and what USDM Cloud Assurance provides? 

John DiCredico, USDM: Life sciences companies must ensure that software used to sign and maintain their CFR Part 11 electronic records is not only initially validated, but also continually validated for accuracy, reliability and consistent intended performance. In addition, these companies need to maintain proper documentation evidencing that the software’s functionality is in line with regulatory requirements. 

DocuSign tests their software after each update to verify that it works as intended. As part of DocuSign's software development lifecycle process, they perform rigorous testing of the functionality prior to new releases. 

The main element of the DocuSign Validator for Life Sciences is an automated test. You'll hear that referred to as an ATT (Automated Testing Tool) that is run on a regular basis. The test results are made available to clients who are subscribers to that service through the Validator for Life Sciences report.

USDM goes a step further and assesses the risk that each client has based on intended use.

A client who uses DocuSign eSignature in a clinical trial or drug manufacturing operation may have different risk levels versus a client using DocuSign for signing IT related documents. For instance, if you're validating a document management application like SharePoint, you may have less risk. The intended use is documented as part of the validation process.

USDM also uses a risk-based ATT, which verifies CFR Part 11 system functionality for high- and medium-risk requirements. Once clients are fully validated and live, USDM assesses the DocuSign monthly release notes; we sort out what is GxP relevant and what’s not GxP relevant, and we perform risk-based testing where applicable.

Could you explain what fully validated means?

John DiCredico: Fully validated generally means that the system is validated for intended use with verification documentation, which includes a validation plan, system requirements, functional risk assessment, configuration specification, OQ/PQ, traceability matrix, and a validation summary report.

We also frequently hear from customers that they need to prove the ROI or value of using the DocuSign Part 11 module and fully validating the system for intended use with verification documentation. Can you speak to how you are seeing customers on a daily basis proving out that value?

John DiCredico: That's where USDM will add a lot of value with organizational change management (OCM) and training to drive adoption to make people's lives easier. It's important to show ROI and the hard numbers of the measurable value. We know that it saves time and money, but we have to prove it. 

One biotech customer that comes to mind did an extensive analysis and proved that around 70% of envelopes sent were reviewed, signed and completed within 24 hours of being sent, and that overall GxP envelopes had a 32% faster turnaround time. That kind of significant productivity wins.

We conducted an Information System (IS) Health Check across the company, which provided a holistic view of the customer’s regulatory compliance and IS efficiency. We also identified other areas to use DocuSign. We expanded the use across the company by 49%, which increased ROI in their DocuSign investment.

What are common questions customers have about the need for a CFR Part 11 solution? 

Megha Tak, DocuSign Product Manager: One question we get from a lot of our prospective customers, and even our current customers, is how DocuSign validates its own software services and systems. This is a complicated question because as an e-signature service provider, DocuSign is not regulated by the FDA, but the use of e-signature in certain solutions, like those for life sciences companies, is regulated by the FDA under CFR Part 11. The DocuSign Part 11 module includes enhanced security and control capabilities for document signing and approvals regulated by CFR Part 11. 

While industry best practices across different verticals share common traits, there is no specific GxP guideline for a cloud-based software service company like DocuSign. We want to make sure, though, that any software we are producing is tested and verified, so we have a continuous integration strategy that relies on automated testing for any feature, any bug fix, and any configuration change. Our customers are fully aware that everything coming to them has been tested before going into their environment.

David Blewitt, USDM: To add to that, USDM audits DocuSign on an annual basis and provides the reports of that audit to our customers.

It's an in-depth, two-day audit of DocuSign’s processes because, as you mentioned, DocuSign is not regulated per se, but the use of the software is. End users don’t have control over the infrastructure and the changes DocuSign makes, so when we audit DocuSign, we need to verify that everything is in place from the change control, release management, communication for those releases, the system development life cycle and testing perspectives.

We make the audit results available to customers so they can quickly and easily use the software rather than spending time testing it themselves. USDM’s audit report supports that the DocuSign solution is, in fact, quick and easy to use. Customers can see in detail what processes DocuSign follows, the tools they use and how those tools have been tested and validated. There's a lot that goes on behind the scenes to give you a high-quality platform like the DocuSign Part 11 module.

Can you go into more detail about what team is responsible for this continuous integration strategy? 

Megha Tak, DocuSign Product Manager: DocuSign offers the DocuSign Validator for Life Sciences, which can significantly help in aspects of compliance validation. The Validator for Life Sciences provides the corresponding documentation of DocuSign’s internal testing results in order to demonstrate that our solution performs the necessary tasks to adhere to Part 11 regulations.

As part of our software development lifecycle process, DocuSign has a quality assurance (QA) team that is responsible for testing every new feature, bug fix and setting. This QA team has developed a test framework to write automated scripts so that any new feature or fix that goes out to our customers does not impact their validation or what they have tested.

We provide our customers with a CFR Part 11 assurance packet that includes the Part 11 traceability matrix. The assurance packet provides customers with visibility into DocuSign’s testing, training and software development processes, while the traceability matrix outlines how DocuSign’s QA tests map to the CFR Part 11 regulation. Additionally, we also provide our customers with a sample Validator for Life Sciences report, which shows how DocuSign tests after every release to ensure that the Part 11 module works as expected.

DocuSign and USDM Life Sciences have an established partnership and draw on expertise from deployments at top 20 global biopharma and medical device companies as well as high growth life science organizations. Learn more about how DocuSign partners with USDM and register to watch our recent webinar.

For a sample CFR Part 11 assurance packet or Validator for Life Sciences report, contact your account executives. 
