21 CFR Part 11: Electronic Records and Signatures

Electronic records and electronic signatures are vastly becoming a strategic and efficient method in order
to maintain record keeping compliance across industry. In order to comply, the pharmaceutical industry
has looked to the technology sector for solutions, which offers a wide range of products and systems. If
the industry is looking for an out of the box solution, they won’t find it. As the industry implements and
utilizes systems for electronic records and signatures, each company must create and maintain a system
that complies with regulations by implementing not only technology, but procedures and policies. For the
remainder of this paper, systems will be used to describe the combination of technology, procedures, and
policies. Systems make up different components in order to meet the needs of regulations.
Regulations, such as 21 CFR Part 11 and EU Annex 11, comprise of many elements that in some part create a method of controlling the functions and outputs of the overall system. Elements that include, but are not limited to, validation, protection and retention of records, audit trails, restricted access, device checks, training, written procedures, and system documentation. By implementing internal policies and
procedures the company can identify, prevent and detect compliance issues, lay out expectations for
employee behavior and ensure that operations run smoothly. Policies and procedures create a formalized
system to help organizations maintain compliance in all areas of operation. Procedures should outline the
overall workflow process and how technology is used as part of the process. For example, most
organizations will maintain a procedure outlining their record retention policy or process. This outlines
how the organization protects, stores, and maintains documentation and records. Outlined in a record
retention procedure are details relating to how long records are retained for and where they are housed,
which brings us to technology and the solution it can provide to retain documentation that is readily
available and auditable. Without components of the entire system in place the technology would not be
sufficient in maintaining compliance.
The Nymi Connected Worker Platform (CWP) is a unifying platform solution delivered through a workplace wearable, the Nymi BandTM. It includes a biometric authentication process that improves data integrity, reduces risk of compromised credentials, and improves the overall user experience. The Nymi CWP solution enables our customers to comply with regulations in a reliable and effective manner.

The Nymi CWP solution enables customers to comply with this requirement by replacing passwords or
badges that can be compromised. The FDA noted that, “… biometrics-based electronic signatures, by
their nature, are less prone to be compromised than other methods such as identification codes and
passwords.”2 The Nymi Band is authenticated using biometrics coupled with administrative applications
and enterprise management applications, providing a magnitude improvement in security and data
integrity. The FDA set out “11.200 (b) Electronic signatures based upon biometrics shall be designed to
ensure that they cannot be used by anyone other than their genuine owners”1, and the Nymi CWP ensures that a Nymi Band can only be assigned to one individual.
Although the Nymi CWP does not record and maintain records, the Nymi CWP seamlessly integrates into
system solutions, such as a Manufacturing Execution System (MES). Through seamless integration, the
Nymi CWP signals the system solution, if integrated appropriately, to record electronic signatures as
outlined in 11.50. The Nymi CWP will maintain compliance for 11.10, such as limited system access,
triggering the MES to record electronic signature for audit trails, and to “ensure that only authorized
individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.”1 Through the implementation of
technology, in addition to policies and procedures, a system can meet regulations and maintain a
compliant ecosystem.
An MES prompts the users to authenticate themselves through electronic signatures, at key steps of the
process. The users are typically prompted for their user ID and password, which are then verified against
the organization’s directory system (e.g., Active Directory). Once the user ID and password are verified,
an electronic record is generated, which may include the user identifier, metadata such as timestamp, and
relevant information such as the process step and related parameters. These records are then stored and
managed, either by the MES itself or by record management systems. In a regulated environment, the
above procedure is validated for compliance against the relevant standards.

The Nymi CWP replaces the user ID and password verification steps in the above procedure. When
authentication is required, the MES would prompt the user for a touchless, passwordless, and handsfree
Nymi Band tap instead of user ID and password. The authenticity of the Nymi Band and the action are
verified cryptographically, and the identity of the user is also authenticated (since the Nymi Band had to
be biometrically authenticated prior to use). The subsequent record generation sequence remains the
same.
After the Nymi CWP is integrated, the customer may be required to perform an incremental or full
validation, to ensure that the system (not just the Nymi CWP) remains in compliance with the relevant
standards.
For more information, connect with us at info@nymi.com

References
1Food and Drug Administration. (1997). TITLE 21--FOOD AND DRUGS CHAPTER I--FOOD AND DRUG 

ADMINISTRATION DEPARTMENT OF HEALTH AND HUMAN SERVICES SUBCHAPTER A-- GENERAL, PART 11, ELECTRONIC RECORDS; ELECTRONIC SIGNATURES. Retrieved from https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11
2 Food and Drug Administration. (1997). 21 CFR Part 11 Electronic Records; Electronic Signatures; Final 

Rule. (Federal Register / Vol. 62, No. 54 / Docket No. 97-6833). Retrieved from https://www.govinfo.gov/content/pkg/FR-1997-03-20/pdf/97-6833.pdf