Good Clinical Practice Guide
Thread: PKI based e-signatures necessary?

    For closed systems, is e-signature based on user authorization in the system (ID, password) sufficient to satisfy 21 CFR Part 11, or are PKI based signatures necessary? Or strongly recommended good practice?

    I am referring specifically to the ability of external parties who are provided (limited) access to an eTMF system (which, I believe, is a closed system as we control access and content - correct me if I am wrong) to e-sign submission documents. One of our biggest challenges to date has been how to allow CROs and Investigators to e-sign documents without having to deal with the costly and complicated PKI certification process. A big can of worms, I know...

    My understanding of 21 CFR Part 11 and related guidance is that an advanced signature such as PKI-based signatures is not mandatory to be compliant. However, implementation of a user authorization approach presents some challenges, most notably how to (a) create a permanent link between the authorization/signature and the document to which it relates that remains throughout its retention period and (b) how the authorization/signature is physically surfaced on the document so that a reader is aware that a signature exists and can see the content of the signature.

    A simple e-signature, based on user authentication, is the most commonly implemented approach in systems that utilize electronic workflow, such as SharePoint. These are great for capturing the review and approval of documents. Systems can easily be designed so that the status of the document is apparent and the audit trail can be viewed so that a user can see who reviewed and approved the document. The compliance issue, however, is how to embed that information into the document in a way that allows interoperability and migration of documents over time. I have seen systems that automatically create a "signature page" based on the audit trail information that then becomes an intrinsic part of the document itself. This complies with the 21 CFR Part 11 requirement for a human-readable signature.
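The two points raised above, the permanent link between signature and document and the human-readable signature page, can be illustrated with a small worked example. This is an added example, not code from anyone in this thread or from any eTMF product: it binds an authenticated user's signature to a SHA-256 hash of the document content, makes the record tamper-evident with an HMAC under a key held only by the system (the assumption that stands in for PKI here), and renders a signature page carrying the printed name, date/time and meaning that 21 CFR 11.50 requires on the signed record. The trailer format, field names and the sample document are all constructed for the example. The trade-off a practitioner should keep in view: because the integrity of the record rests on a system-held key rather than a signer-held private key, it is only as trustworthy as the system's own access controls and audit trail, which is exactly the closed-system argument, and this code on its own does not establish Part 11 compliance.

```python
"""
Added example: a simple (non-PKI) electronic signature record for a closed system.

The signature is the act of an authenticated user; what makes it durable is
(a) binding it to a hash of the document content, (b) keeping the record
tamper-evident with a secret only the system holds, and (c) rendering a
human-readable signature page from the record.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumption: a server-side secret known only to the eTMF system. In a real
# deployment it lives in a KMS or HSM, never beside the records it protects.
SYSTEM_KEY = b"example-only-system-key"

# Constructed trailer marker for this example; not a standard format.
SEPARATOR = b"\n==== ELECTRONIC SIGNATURE PAGE (generated by system) ====\n"


def _canonical(fields: Dict) -> bytes:
    """Deterministic encoding so the same record always hashes the same way."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_document(document: bytes, user_id: str, printed_name: str,
                  meaning: str, signed_at: str = "") -> Dict:
    """Create a signature record for a user the system has already authenticated.

    The record carries the elements 21 CFR 11.50 requires to be shown on the
    signed record: printed name, date/time, and meaning of the signature.
    """
    fields = {
        "document_sha256": hashlib.sha256(document).hexdigest(),
        "user_id": user_id,
        "printed_name": printed_name,
        "meaning": meaning,
        "signed_at": signed_at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    record = dict(fields)
    # HMAC over the canonical fields: editing the record, or swapping the
    # document it points to, without the system key breaks verification.
    record["record_hmac"] = hmac.new(SYSTEM_KEY, _canonical(fields), "sha256").hexdigest()
    return record


def verify_signature(document: bytes, record: Dict) -> Tuple[bool, str]:
    """Check that the record is genuine and still matches the document bytes."""
    fields = {k: v for k, v in record.items() if k != "record_hmac"}
    expected = hmac.new(SYSTEM_KEY, _canonical(fields), "sha256").hexdigest()
    if not hmac.compare_digest(expected, record.get("record_hmac", "")):
        return False, "signature record altered or not issued by this system"
    if hashlib.sha256(document).hexdigest() != fields.get("document_sha256"):
        return False, "document content changed after signing"
    return True, "ok"


def signature_page(records: List[Dict]) -> str:
    """Render the human-readable signature manifestation."""
    lines = []
    for r in records:
        lines += [
            f"Signed by: {r['printed_name']} (user id {r['user_id']})",
            f"Date/time: {r['signed_at']}",
            f"Meaning:   {r['meaning']}",
            f"Document SHA-256: {r['document_sha256']}",
            "",
        ]
    return "\n".join(lines)


def embed(document: bytes, records: List[Dict]) -> bytes:
    """Append the rendered page plus the machine-verifiable records.

    Each record's hash covers the original content only, so appending the
    page does not invalidate the signatures it describes.
    """
    trailer = signature_page(records) + "\n" + json.dumps(records, sort_keys=True)
    return document + SEPARATOR + trailer.encode()


def extract(package: bytes) -> Tuple[bytes, List[Dict]]:
    """Split an embedded package back into original content and records."""
    document, _, trailer = package.partition(SEPARATOR)
    records = json.loads(trailer.decode().rsplit("\n", 1)[1])
    return document, records


if __name__ == "__main__":
    # Constructed sample content; any bytes would do.
    doc = b"Protocol ABC-123 v2.0 (constructed sample content)"
    rec = sign_document(doc, "jsmith", "Jane Smith", "Approved", "2024-01-15T10:30:00+00:00")
    body, recs = extract(embed(doc, [rec]))
    print(signature_page(recs))
    print(verify_signature(body, recs[0]))
    print(verify_signature(body + b"x", recs[0]))
```

Two design points worth noting. The hash is taken over the original content, and the generated page is appended as a separate trailer, so the "intrinsic" signature page does not change the bytes the signature covers; a system that hashed the composite file would invalidate its own signatures on the first migration. And `verify_signature` checks the HMAC before the hash, so a record that has been edited is reported as such rather than as a changed document.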
