21 CFR Part 11 - use of Electronic Signatures

Dear all,
I’m struggling with some 21 CFR Part 11 interpretations.
If you could please give me some insight regarding the following, it would be very much appreciated.

Let’s say I have analytical equipment interfaced with a computer. To start a measurement, the operator is required to enter their username and password. When the measurement is finished, a measurement report is automatically saved onto the network in PDF format, or instead can be printed from the computer by selecting the desired analysis. The paper printout has the operator username, the date and time (please be aware that this time is the time the sample was measured). It does not have any statement about the meaning, although prior to saving the measurement it is possible for the operator to input a comment, e.g. authorship. My question is: can I say that this is an electronic signature?
I believe that this is more than just a login because it has a meaning associated with it, which is that when the user inputs his username and password he is stating that he is making a measurement. But I struggle with the fact that the printout report does not state this clearly.
Besides that, I have in place all the required controls for electronic signatures like unique identification, password aging, etc…

What are your thoughts?

No, I don’t believe you can’t say it’s an electronic signature (in the context of Part 11).

But do you NEED to have an electronic signature compliant with Part 11? Is there a particular regulation you’re trying to satisfy with this (that requires a signature)? Do you have internal procedures that require a signature? (Maybe so; the questions need to be asked, though.)

Do you normally print out the records? If so, you could have the operator sign them if you do require some kind of signature.

You don’t have to explicitly state the purpose or meaning of the signature at the time you sign; this can be defined in a procedure governing this process.

An electronic signature is what you define it to be, and one that meets the requirements, e.g. audit trail, security and integrity, which it sounds like you do meet. Remember also that if you generate more than one document that needs to be “electronically signed” during a single session, you must execute at least one component of the signature (e.g. password) for each signing.

You need to remember that Part 11 is a basis of rules that the FDA put in place to ensure that the documents that computers generate are of sufficient quality and context so that they are the equivalent of the signed document. In the context you stated, the user name/password do not qualify as a signature; it is just the record of who is generating the record.
Both comments made are quite valid. Yondon is probably alluding to the fact that perhaps you are using the typewriter (or hybrid) rule, which would remove (if documented as such) the requirement for e-sig. While the records are generated by the computer (which has been validated, I will assume), at the end of the day, the paper is the official record and is physically signed. He is also correctly asking if this particular document (you would need to do this with all the documents (types) that the system generates) is intended to satisfy a predicate (or existing requirement) per the regulations. If not, Part 11 does not apply, since the document would not be a regulatory requirement, but may be a business requirement.
Mikez is drawing your attention (once again on the typewriter rule) to the fact that a combination of procedural (SOP) and technical (validated output) can be leveraged, although final approval of the document is required.
Also bear in mind that if you allow regeneration of a record (such as in this case), you will need to address the rules over the record regeneration. Some systems have the “data” stored and controlled, but an output, be it a physical record, a graphic or a file transmitted elsewhere, is generated by a query (I will use that term to cover all aspects of data collection, manipulation and presentation), as opposed to systems that actually embed the data into a permanent record, which does not require regeneration. Some of the factors to consider are server date (when you generate a record, the date it was generated is typically stamped on the record, so you need to address why the dates on records are different), and whether the report was a script type (which means just a push of a button) versus an ad hoc report, where the factors to collect and present the data may be variable.
But you are allowed leeway for these activities.
I will also note, since you were referencing lab equipment, it is in your best interest to document the control and location of raw data. Lab equipment generates raw data at the equipment, then that raw data is transferred to an intermediate (LACE, A to D converter, integrator…) and finally to the computer system. You need to document that the appropriate controls are in place at each of these steps so that the data cannot be altered at any of the steps. Or if it can be, that there are procedural or other controls in place to identify and control these factors.


If I am looking at the procedure you described, it looks like issuing a blank signature before the measurement is even executed. I would suppose this could never have a meaning of “I agree and certify that the results of the measuring are correct”, as I cannot know this before the fact.

Just my 2 ¢.


The implementation of the e-signature is a requirement of the FDA for systems that will use a graphical representation to replace a handwritten signature. If that would be the claim of the company, the e-signature would apply. If the username is displayed and that report would be printed and signed the same day, then there is no need for the e-signature. Keep in mind that if the report is stored on the network and printed at a later date, then the username is the only proof of who executed the analysis, and then the e-signature would apply.

Hope this helps.

Juan Miró