Digital vs. Electronic Signatures: Ensuring FDA, MHRA, and EU Annex 11 Compliance

Would your business benefit from using electronic signatures within your digital quality management system (eQMS)? Are you hoping they will streamline your sign-off processes and strengthen your compliance capabilities? If so, what type of e-signature do you need?

Biotech companies, medical device developers and those running clinical trials in the US and Europe increasingly need to use digital systems and e-signatures to streamline their work and approval processes.

E-signature technology promises to make companies more dynamic and agile, allowing cutting-edge technology to progress faster through regulatory stages and come to market more quickly.

WATCH: Lulu Cvetkovic, Quality Assurance Manager, at the Newcastle Cancer Centre Pharmacology Group (NCCPG) explain how integrating electronic signatures into their eQMS has transformed the speed and accuracy of their record keeping:

But use of these e-signatures is governed by specific regulations and guidelines, including FDA 21 CFR Part 11, the MHRA’s guidance on GxP data integrity, EU GMP Annex 11 and the EMA’s guideline on computerised systems in clinical trials, all of which are quoted below.

So, is your current approach sufficient to meet these requirements?

What is an electronic signature, anyway?

According to the US Federal ESIGN Act, an electronic signature is any

“Electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

‘E-signatures’, therefore, run the full gamut of digital ‘sign-off’ methods including:

  • Ticked boxes associated with declarations
  • Scanned images of signatures dropped into documents to indicate consent
  • An electronic representation of a handwritten signature
  • A unique representation of characters
  • Fingerprints or retina scans
  • A signature created by cryptographic means

These fall into one of three tiers:

1. Simple electronic signatures

These are digital representations of ‘signatures’, but offer no secure authentication around the identity of the signatory. They don’t require any specialist software to operate and they can include:

  • Stylus or finger drawn signatures
  • A typed name in a signature box
  • A scanned signature dropped into a document

2. Advanced electronic signatures (AdES)

An advanced electronic signature provides a higher level of identity verification, security and tamper-evidence.

According to eIDAS (the EU regulation on electronic identification and trust services), an advanced electronic signature must be:

  • Uniquely linked to the signer
  • Capable of identifying the signer
  • Created using means that the signer has under their sole control
  • Linked to the signed data in such a way that any subsequent change to the data is detectable

3. Qualified Electronic signatures (QES)

QES, often marketed simply as ‘digital signatures’, are a type of advanced electronic signature with the strictest requirements: under eIDAS they must be created with a qualified signature creation device and be backed by a qualified certificate.

They use public key infrastructure (PKI). The signer signs with a private key that only they hold, and anyone can verify the signature with the matching public key; a certificate issued by a trusted third party binds that public key to the signer’s identity. These third parties, acting much like notaries for the signature, are known as Certification Authorities (CAs). Note that signing is not encryption: the document stays readable, and what the private key protects is the origin and integrity of the signature.

What type of e-signature do life science developers need?

The FDA, MHRA, and the EU’s regulatory bodies all require a high standard of identity verification for digital sign-off on life science documentation, processes, and products.

For most regulators the use of “simple electronic signatures” to sign off documents is not sufficient:

“An inserted image of a signature or a footnote indicating that the document has been electronically signed (where this has been entered by a means other than the validated electronic signature process) is not adequate” 

MHRA’s Guidance on GxP data integrity, March 2018

But it should be noted that none of the FDA, the MHRA or the EMA requires cryptographic (PKI-based) signatures or certificates from a CA to meet the regulation for a closed system. The FDA does ask more of open systems: 21 CFR 11.30 calls for additional measures such as document encryption and appropriate digital signature standards where records pass over systems you do not control.

What you need for life-science e-signature compliance

Instead, advanced electronic signatures integrated into a closed-loop system can provide all the compliance elements which life science regulators need to see, namely:

  • Authentication: the e-signature can always be linked to a specific individual and to the document they have signed
  • Non-repudiation: the signature is attributable to an individual and is legally binding
  • Integrity: signatures cannot be removed or altered after they have been applied to a document, and any change to the signed content must be detectable

But, how are these requirements expressed in the different regulations?

Controlling access to your QMS

In the first place, your system should be capable of controlling the use and validity of e-signatures across your organisation in the following ways:

What the FDA says in 21 CFR Part 11:

11.10(g): “Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.”

What the MHRA say:

6.16 Full use should be made of access controls to ensure that people have access only to functionality that is appropriate for their job role, and that actions are attributable to a specific individual. Companies must be able to demonstrate the access levels granted to individual staff members and ensure that historical information regarding user access level is available.

Authenticating signatures in a closed-loop QMS

Your eQMS must also authenticate a signature when it is added to a document. This is required to prevent falsification and prove the identity and intent of the signatory.  

What the MHRA say:

6.14

“The use of electronic signatures should be appropriately controlled with consideration given to:

  • How the signature is attributable to an individual.
  • How the record of the signature will be associated with the entry made and how this can be verified.
  • How the act of ‘signing’ is recorded within the system so that it cannot be altered or manipulated without invalidating the signature or status of the entry.
  • The security of the electronic signature i.e. so that it can only be applied by the ‘owner’ of that signature. It is expected that appropriate validation of the signature process associated with a system is undertaken to demonstrate suitability and that control over signed records is maintained.”

MHRA’s Guidance on GxP data integrity, March 2018

What the FDA says in 21 CFR Part 11:

The FDA also focuses on the way e-signatures should be controlled within a closed-loop system to authenticate identity, track who has ‘signed off’ on documentation and prevent falsification.

11.100(a)

“Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.”

11.70 Signature/record linking.

“Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.”

(FDA 21 CFR Part 11)

What the EU Annex 11 requirements say (section 14, Electronic Signature):

“Electronic records may be signed electronically. Electronic signatures are expected to:

  a. have the same impact as hand-written signatures within the boundaries of the company,
  b. be permanently linked to their respective record,
  c. include the time and date that they were applied.”

Meanwhile, the EMA’s Guideline on Computerised Systems and Electronic Data in Clinical Trials states:

“Whenever ICH E6 requires a document to be signed and an electronic signature is used for that purpose…

The system should… include functionality to:

  • Authenticate the signatory, i.e. establish a high degree of certainty that a record was signed by the claimed signatory;
  • Ensure non-repudiation, i.e. that the signatory cannot later deny having signed the record;
  • Ensure an unbreakable link between the electronic record and its signature, i.e. that the contents of a signed (approved) version of a record cannot later be changed by anyone without the signature being rendered visibly invalid;
  • Provide a timestamp, i.e. that the date, time, and time zone when the signature was applied is recorded.”

How to ‘say what you mean’ - requirements for signature manifestations

What is also critical to these regulations is the way signatures are ‘manifested’ on the documents they are added to.

It is essential for tracking processes and future audits that a complete history of the signing events associated with a document is recorded, and that the ‘meaning’ of each of those events is clearly captured.

Regulators want businesses to capture details of who has signed off on documents, when and why to maximise transparency around decision making.

What the MHRA say:

“Electronic signature or E-signature systems must provide for “signature manifestations” i.e. a display within the viewable record that defines who signed it, their title, and the date (and time, if significant) and the meaning of the signature (e.g. verified or approved).”

What the FDA says in 21 CFR Part 11:

Sec. 11.50 Signature manifestations.

“(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

  (1) The printed name of the signer;
  (2) The date and time when the signature was executed; and
  (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.”
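The requirements quoted above (11.10(g) authority checks, 11.70 signature/record linking, 11.50 manifestations, Annex 11’s permanent link with date and time, and the EMA’s ‘unbreakable link’ and time-zone-aware timestamp) reduce to one mechanism: the signature must be computed over the record’s identity, a digest of its content and the manifestation itself, so that changing any of them makes the signature visibly invalid. The following Python is an added example, not code from the original post or from any eQMS product it mentions. It uses a per-user HMAC key to keep it self-contained; the user directory, the keys, the sample record and the fixed timestamp are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed user directory and per-user signing secrets (assumptions for
# this example). A real closed-system eQMS would release a user's secret only
# after that user authenticates, keep it in an HSM, or replace it with a
# per-user private key so that verification needs no secret at all.
USER_DIRECTORY = {
    "jsmith": {"name": "Jane Smith", "title": "QA Manager", "roles": {"review", "approve"}},
    "rlee": {"name": "Robert Lee", "title": "Design Engineer", "roles": {"review"}},
}
USER_KEYS = {
    "jsmith": b"constructed-secret-for-jsmith-only",
    "rlee": b"constructed-secret-for-rlee-only",
}

# Constructed sample record: a controlled document with an identifier, a
# version number and the content the signature must be bound to.
SAMPLE_RECORD = {
    "id": "SOP-017",
    "version": 3,
    "content": {"title": "Device History Record Review",
                "body": "Review each DHR against the DMR before release."},
}
FIXED_TIME = datetime(2024, 9, 24, 10, 15, tzinfo=timezone.utc)


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record: dict) -> str:
    """SHA-256 over the record content: any change to the content changes this value."""
    return hashlib.sha256(canonical(record["content"])).hexdigest()


def signing_payload(record: dict, manifestation: dict) -> bytes:
    # The tag covers the record identity (id + version), the content digest and
    # the manifestation, so it is valid for exactly this record and this meaning
    # and cannot be excised and pasted onto another record (11.70).
    return canonical({
        "record_id": record["id"],
        "version": record["version"],
        "digest": record_digest(record),
        "manifestation": manifestation,
    })


def sign_record(user_id: str, record: dict, meaning: str, now=None) -> dict:
    """Apply an e-signature after an authority check; returns the manifestation plus tag."""
    user = USER_DIRECTORY[user_id]
    if meaning not in user["roles"]:  # authority check (11.10(g))
        raise PermissionError(f"{user_id} is not authorised to {meaning} records")
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("signature timestamp must carry a time zone")
    manifestation = {
        "signer": user_id,
        "printed_name": user["name"],  # 11.50(a)(1)
        "title": user["title"],
        "signed_at": now.isoformat(),  # 11.50(a)(2), offset included
        "meaning": meaning,            # 11.50(a)(3)
    }
    tag = hmac.new(USER_KEYS[user_id], signing_payload(record, manifestation),
                   hashlib.sha256).hexdigest()
    return {**manifestation, "tag": tag}


def verify_signature(record: dict, signature: dict) -> bool:
    """True only if record id/version, content and manifestation are all unchanged."""
    manifestation = {k: v for k, v in signature.items() if k != "tag"}
    signer = manifestation.get("signer")
    if signer not in USER_KEYS:
        return False
    expected = hmac.new(USER_KEYS[signer], signing_payload(record, manifestation),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature["tag"])


def demo() -> dict:
    """Walk through the failure modes the regulations describe."""
    approved = json.loads(json.dumps(SAMPLE_RECORD))  # deep copy of the constructed record
    sig = sign_record("jsmith", approved, "approve", FIXED_TIME)
    results = {"valid": verify_signature(approved, sig)}

    # 1. Edit the content after signing: the signature must become visibly invalid.
    edited = json.loads(json.dumps(approved))
    edited["content"]["body"] += " (edited after approval)"
    results["after_edit"] = verify_signature(edited, sig)

    # 2. Transfer the signature to another record with identical content.
    other = {"id": "SOP-018", "version": 1, "content": approved["content"]}
    results["copied_to_other_record"] = verify_signature(other, sig)

    # 3. Relabel the meaning of the signature after the fact.
    results["meaning_altered"] = verify_signature(approved, {**sig, "meaning": "review"})

    # 4. A user without approval authority is refused before any signature exists.
    try:
        sign_record("rlee", approved, "approve", FIXED_TIME)
        results["unauthorised_refused"] = False
    except PermissionError:
        results["unauthorised_refused"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Because HMAC is symmetric, whoever verifies must hold the user’s key, so this design only gives non-repudiation against parties outside the system; it matches the closed-system case the regulators describe. For an open system, or where the operator itself must be unable to forge a signature, the `hmac` call is the one line to swap for a per-user private-key signature whose public key is certified by a CA, as in the QES tier above.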


Integrating third-party sign-offs with plug-ins

But what about documents that require signatures from individuals outside your organisation? These might include those signing contracts, consenting to participation in clinical trials, or reporting on equipment calibration.

Where required signatories do not have log ins to your eQMS, you should look for compliant integrations with third-party digital signature suppliers such as DocuSign. These are legally binding advanced digital signatures managed by specialist companies, whose application to your documentation can be controlled at your invitation.

You can read more about integrating DocuSign e-signatures to the Cognidox closed loop eQMS here.

What you really need - a checklist for e-signature compliance

  1. E-signature functionality should be part of a validated eQMS, to prove it is fit for its intended purpose.
  2. The business must have the means to control the distribution and validity of e-signatures within a system. Can you create/delete them at will, as well as set renewal or expiry dates?
  3. The use of e-signatures must be controlled via unique credentials applicable by, or known only to each individual.
  4. Companies must be able to revoke an individual’s permission to use an e-signature if required e.g. cancel or change log-ins and passwords.
  5. When an e-signature is added to a document there must be a record made of who signed it, when they signed it and why. The ‘meaning’ of the signature should also be appended - including reasons for approval, review and other, relevant notes.
  6. The eQMS must prevent any unapproved changes being made to a document after it has been signed off.
  7. Full reporting features should be present to enable detailed auditing of your decision making, including the ability to search records by signatory.
  8. The system should provide compliant integration with third-party e-signature suppliers, so those outside the QMS can attach their legally binding, digital signatures to specific documents.

Conclusion

Given all these technical requirements, choosing a flexible eQMS (created and validated by specialist software developers) is the most efficient way to integrate compliant e-signatures into your working practices.

The alternative is to build third-party digital signature integration into an open system stitched together with SharePoint, Google Docs, or other file sharing systems.

This can be time-consuming and expensive. And it risks opening up gaps in your compliance procedures as maintenance becomes more complex over time.

Instead, choose an eQMS partner that offers compliant e-signature integrations as standard - and at no extra cost.


Blog post updated on 24/09/2024

Tags: GxP

Written by Joe Byrne

Joe Byrne is the CEO of Cognidox. With a career spanning medical device start-ups and fortune 500 companies, Joe has over 25 years of experience in the medical device and high-tech product development industries. With extensive experience in scaling businesses, process improvement, quality, medical devices and product development, Joe is a regular contributor to the Cognidox DMS Insights blog where he shares expertise on scaling and streamlining the entire product development cycle, empowering enterprises to achieve governance, compliance, and rigour.
