Skip to main content

GMO Sign and 21 CFR Part 11 - Audit Support Guide

  • Updated

Overview

FDA 21 CFR regulation (Part 11) regulates electronic records and electronic signatures or ERES. Part 11 in particular outlines the criteria for which ERES are considered trusted, reliable, and equivalent to paper records. The following guide walks through the regulation and explains how implementing digital signatures using GMO Sign can help organizations meet some of the requirements associated with FDA 21 CFR Part 11. In regards to the control requirements, GMO Sign has pre-set account options to add, authenticate and limit envelope access to authorized signers (as outlined below).

Please note: Beyond the technical controls provided by GMO Sign, the customer is responsible for defining and implementing the required processes to ensure 21 CFR Part 11 compliance.

 

21 CFR Part 11 Subsections How GMO Sign Complies

Section 11.10(b)

The requirement to generate accurate and complete copies of signed records in both human readable and electronic form.

Compliant

GMO Sign provides signers with a hyperlink via email to access the signed copy of the document.

Senders and other authorized Users (specified by the Account Admin), can also download the signed document after securely logging into GMO Sign. The signed document can be downloaded and viewed in PDF format. Documents digitally signed using GMO Sign produce human readable and tamper evident PDFs.

Section 11.10(c)

Records should be accurate and readily available during the retention period.

Compliant

All signed documents are available in GMO Sign for ready retrieval by users, with authorized access as defined by the Administrator, for as long as the customer has an active GMO Sign account.

It is the customer's responsibility to ensure the signed documents are not deleted from the system.

Section 11.10(d)

The system should provide access only to authorized users.

Compliant

The GMO Sign Administrator can define who can access the system. The Admin can register authorized users and specify the User's role and permissions.

Users can also enable 2-Factor authentication using a mobile device for logging into GMO Sign.

Section 11.10(e)

The system should create audit trails of the records.

Compliant

In GMO Sign, authorized Users can navigate to the document details section to view each signed record, including signer details and the time of signing.

Section 11.10(g)

The system should ensure checks that an authorized user is signing a record.

Use of authority checks to ensure that only authorized individuals can use the system,
electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

Compliant

The Organization should document policy around how systems are accessed and utilized to perform signatures by only authorized personnel.

In order to apply a digital signature, a User must first login to GMO Sign with their credentials. Furthermore, the identity of the User (signer / employee of the organization) must be verified before receiving login credentials to access GMO Sign. This ensures that only authorized individuals can apply digital signatures after authenticating to the system.

Section 11.50(a)

This section explains the mandatory signature manifestations -

i.e. Once the signer completes the digital signature, the signature format should consist of the signer’s name, date & time of the signature along with the meaning of the signature.

Compliant

GMO Sign shows the signature time, signer's information and allows the signer to specify the reason for signing.

By enabling the signature details option, this information will be auto-populated alongside the signature image.

Section 11.50(b)

Signature Manifestation must be in a proper readable format and should be easily noticeable in the document.

Compliant

GMO Sign provides access to signature manifestations to any authorized party when viewing documents through GMO Sign’s web application and in the downloadable format as well.

By enabling the signature details option, signature manifestations information will be auto-populated alongside the signature image, providing an easily accessible and human readable format.

Section 11.70

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective
electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic
record by ordinary means.

Compliant

GMO Sign maintains links between the signatures and documents.

Each digital signature is applied using a PKI-based digital certificate, providing assurance that the content of the record, including the signature, have not been tampered with.

Digital Signatures are also linked to documents carrying all cryptographic and other related functions in the signature properties embedded in the Signature Panel of the PDF.

Section 11.100(a) and (b)

Before assigning signatures to any individual their identity must be verified, and every signature should be unique. No two signers can share signatures.

Compliant

GMO Sign requires signers to authenticate to the system using unique account login credentials and enter a Personal Identification Number (PIN) before applying their digital signature. The signature also has a unique identity within the GMO Sign system.

If a user receives a digital signature request via email, the user must have login credentials (Login ID and password) in order to access the system to sign.

(a) Digital Signatures are cryptographically tied to a verified identity (GlobalSign as the RA for the organization and the Organization as the LRA for the individual).

(b) The organization verifies the individual through its normal HR or contracting processes. The Admin follows the appropriate identity verification process (e.g. check employee badge, directory, manager etc.) and creates a Username and password for system access and PIN code to apply digital signatures.

Section 11.200 (a) and (b)

The system should employ at least two components for authentication of the signer at the time of applying the signature.

Compliant

Digital Signatures in GMO Sign are protected by login ID and password and also require a Personal Identification Number (PIN). Additionally, GMO Sign offers a number of additional authentication options like sending a OTP to the registered email.

Section 11.300 (a)

The system should ensure that each user has unique access credentials to be able to apply signatures.

Compliant

GMO Sign requires users to authenticate to the system using unique account login credentials and enter a Personal Identification Number (PIN) before applying their digital signature. Login IDs are unique to each user in GMO Sign. No two users can have the same set of credentials.

Section 11.300 (b)

The system should provide assurance that unique combination of credentials are periodically checked and revised.

Compliant

GMO Sign provides the capability for the Admin to set a password reset policy and define the frequency of how often a user will be prompted to reset their password.

Section 11.300 (c)

A procedure to deauthorize the device used for creation of identification code or password.

Note: GMO Sign Users do not use devices or tokens for authentication hence, this does not apply.

Section 11.300 (d)

The system should have safeguards to prevent any unauthorized use of password or identification codes.

Compliant

GMO Sign employs adequate measures to safeguard credentials for applying digital signatures:

  • Multifactor authentication is required in order for a User to change their login credentials (i.e. password).
  • Users are required to enter a Personal Identification Number (PIN) before applying Digital signatures.
  • If a User needs to change their PIN, they are required to enter their login password.
  • In addition, any attempt to change a User's PIN, triggers an email notification to Administrators and users to mitigate against unauthorized PIN changes.
  • User accounts are locked after five continuous incorrect password entries.

Section 11.300 (e)

Periodic testing of devices that bear or generate identification code.

Note: GMO Sign Users do not use devices or tokens for authentication hence, this does not apply.

Customer's Area of Responsibility:

In addition to the requirements above, the customer is responsible for defining and implementing the following processes to ensure 21 CFR Part 11 compliance.

Section 11.10(i)

Users using the system have adequate training and knowledge to perform assigned task.

GlobalSign’s Responsibility - GMO Sign provides the Help Center for training, knowledge base articles and user guides.

Customer’s Responsibility - GMO Sign User information must be stored and they should be educated and trained on using digital signatures.

Section 11.10(j)

The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

 Customer’s Responsibility - Customers must adhere to this section. Any lapses in following this standard will be the customer’s responsibility.

Section 11.100(c)

Requires customers to certify that the signatures in the system are legally binding.

GlobalSign’s Responsibility - GMO Sign provides the capability to apply digital signature where the identity is backed by a digital certificate issued by a trusted Certificate Authority. This provides one of the highest levels of assurance.

Customer’s Responsibility - Assure systems and processes for users to apply Digital signatures and maintain the required controls.

 

 

Previous View

Need assistance? Please feel free to contact us.
Contact Us