Selection of authorship, review, or approval in the Part 11 Module

It is important to highlight that, at a minimum, the system should include a configuration preventing a single signer from completing the entire approval workflow by selecting all three roles – authorship, review, and approval – within the same document. Allowing this practice, as currently not restricted in DocuSign, contradicts life sciences GxP good practices, since one individual must not be solely responsible for authoring, reviewing, and approving a document. The approval workflow must necessarily involve at least two distinct individuals for authorship, review, and approval, and preferably three.

Thanks for sharing this idea with us, ​@Émilin Dreher de Lima. We’ve reviewed it and appreciate the thought behind it.

At this time, we’re not planning to pursue this request, so we’ve marked it as parked. 

While it’s not on our current roadmap, ideas like yours help inform future direction if priorities change.

Thanks again for contributing your input.

Thank you Ma.Cubio!

Although your response demonstrates DocuSign’s awareness and engagement with this topic, we would like to emphasize that, at present, the platform does not fully meet the specific regulatory expectations applicable to the industry segment for which the Part 11 module is offered, particularly within Pharma and Life Sciences.

The current configuration in DocuSign allows a single user to assume multiple roles within the same document workflow, including Author, Reviewer, and Approver. While this functionality is technically feasible, it presents significant compliance concerns from a regulatory and data integrity perspective.

Although 21 CFR Part 11 does not explicitly prohibit a single individual from performing multiple roles within a document lifecycle, it establishes clear expectations regarding the trustworthiness, reliability, and integrity of electronic records and signatures. In particular, the regulation requires that electronic signatures be attributable, secure, and permanently linked to their respective records in a manner that ensures full accountability.

From a GxP compliance standpoint, segregation of duties (SoD) is considered a fundamental control, and its absence introduces the following risks:

• Lack of Independent Review:
  The same individual acting as Author, Reviewer, and Approver eliminates the independent verification step, which is a foundational control to ensure accuracy, completeness, and compliance of regulated documents.
• Increased Risk to Data Integrity:
  This configuration may compromise key data integrity principles aligned with ALCOA+ (e.g., Attributable, Accurate, and Consistent), as there is no effective second-level review or challenge mechanism.
• Potential for Bias or Undetected Errors:
  Without role segregation, errors, omissions, or intentional deviations may remain undetected, increasing both compliance and product quality risks.
• Weakness in Internal Controls:
  Regulatory authorities, including the U.S. Food and Drug Administration, expect robust internal controls such as segregation of duties to prevent conflicts of interest and ensure proper governance over GxP processes.
• Audit and Inspection Risk:
  During regulatory inspections or third-party audits, this configuration may be identified as a control deficiency, potentially resulting in observations related to inadequate quality system controls and insufficient independent review.

Alignment with Global Regulatory Expectations and Best Practices

Beyond 21 CFR Part 11, the expectation for segregation of duties is consistently reinforced across multiple global regulations, guidelines, and standards applicable to Life Sciences, including:

• EU GMP Annex 11
• EU GMP Chapter 4
• PIC/S PI 041
• FDA Data Integrity Guidance
• WHO Technical Report Series 996 Annex 5
• RDC 658/2022 and complementary guidance documents
• COSO Internal Control Framework
• ISO 9001
• ISO 27001

These frameworks consistently emphasize:

• The need for independent review and approval
• Implementation of segregation of duties as a core internal control
• Assurance of data integrity throughout the record lifecycle

Given that DocuSign offers a dedicated module aligned with 21 CFR Part 11 and is widely marketed to Life Sciences companies, there is a reasonable expectation that the platform should support, or enforce, configurations aligned with GxP best practices.

In this context, the ability to configure workflows where a single user can act simultaneously as Author, Reviewer, and Approver represents a gap in enforcing fundamental compliance controls, particularly segregation of duties.

While the current configuration may be permissible from a purely technical standpoint, it represents a significant compliance risk and a deviation from widely accepted regulatory expectations and industry best practices.

Segregation of duties is not merely a recommended control but a foundational element for ensuring data integrity, accountability, and reliability of electronic records. Therefore, systems used in regulated environments, especially those positioned as Part 11-compliant solutions, are expected to support and promote such controls by design.

I’m looking forward to a solution to address this issue within DocuSign eSignature with the Part 11 module enabled.

Regards.

Émilin Lima