Biotech companies, medical device developers and those running clinical trials in the US and Europe increasingly need to use digital systems and e-signatures to streamline their work and approval processes.
E-signature technology promises to make companies more dynamic and agile, allowing cutting-edge technology to progress faster through regulatory stages and come to market more quickly.
WATCH: Lulu Cvetkovic, Quality Assurance Manager at the Newcastle Cancer Centre Pharmacology Group (NCCPG), explains how integrating electronic signatures into their eQMS has transformed the speed and accuracy of their record keeping:
But the use of these e-signatures is governed by specific regulations and guidelines including:
So, is your current approach sufficient to meet these requirements?
According to the US Federal ESIGN Act, an electronic signature is any
“Electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
‘E-signatures’, therefore, run the full gamut of digital ‘sign-off’ methods including:
But each of these e-signatures falls into one of three types:
Simple electronic signatures are digital representations of ‘signatures’ that offer no secure authentication of the signatory’s identity. They don’t require any specialist software to operate and they can include:
An advanced electronic signature provides a higher level of identity verification, security, and tamper-proofing.
According to eIDAS (the EU regulation for electronic identification) an Advanced Electronic Signature must be:
Qualified Electronic Signatures (QES), also known in the marketplace as digital signatures, are a type of advanced electronic signature.
They use PKI (Public Key Infrastructure) to encrypt and authenticate signatures with trusted third parties. These third parties, acting as notaries to the signature, are known as Certification Authorities (CA).
The FDA, MHRA, and the EU’s regulatory bodies all require a high standard of identity verification for digital sign-off on life science documentation, processes, and products.
For most regulators the use of “simple electronic signatures” to sign off documents is not sufficient:
“An inserted image of a signature or a footnote indicating that the document has been electronically signed (where this has been entered by a means other than the validated electronic signature process) is not adequate”
MHRA’s Guidance on GxP data integrity, March 2018
But it should be noted that neither the FDA, the MHRA nor the EMA requires the use of encryption or authentication with a CA to meet the regulation.
Instead, advanced electronic signatures integrated into a closed-loop system can provide all the compliance elements which life science regulators need to see, namely:
But, how are these requirements expressed in the different regulations?
In the first place, your system should be capable of controlling the use and validity of e-signatures across your organisation in the following ways:
What the FDA says in FDA 21 CFR 11:
11.10g: Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
What the MHRA say:
6.16 Full use should be made of access controls to ensure that people have access only to functionality that is appropriate for their job role, and that actions are attributable to a specific individual. Companies must be able to demonstrate the access levels granted to individual staff members and ensure that historical information regarding user access level is available.
Authenticating signatures in a closed-loop QMS
Your eQMS must also authenticate a signature when it is added to a document. This is required to prevent falsification and prove the identity and intent of the signatory.
What the MHRA say:
6.14
“The use of electronic signatures should be appropriately controlled with consideration given to:
How the signature is attributable to an individual
How the record of the signature will be associated with the entry made and how this can be verified.
How the act of ‘signing’ is recorded within the system so that it cannot be altered or manipulated without invalidating the signature or status of the entry.
The security of the electronic signature i.e. so that it can only be applied by the ‘owner’ of that signature. It is expected that appropriate validation of the signature process associated with a system is undertaken to demonstrate suitability and that control over signed records is maintained.”
Guidance on GxP data integrity, March 2018
What the FDA say in FDA 21 CFR 11:
The FDA also focus on the way e-signatures should be controlled within a closed loop system to authenticate identity, track who has ‘signed off’ on documentation and prevent falsification.
11.100a
Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else
11.70 Signature/record linking.
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means
(FDA CFR Part 11)
What the EU Annex 11 requirements say:
Meanwhile, the EMA’s Guidelines on Computerised Systems and Electronic Data in Clinical trials states:
“Whenever ICH E6 requires a document to be signed and an electronic signature is used for that purpose…
The system should… include functionality to:
Authenticate the signatory, i.e. establish a high degree of certainty that a record was signed by the claimed signatory;
What is also critical to these regulations is the way signatures are ‘manifested’ on the documents they are added to.
It is essential for tracking processes and future audits that a complete history of the signing events associated with a document is recorded, but also that the ‘meaning’ of those events is clearly captured.
Regulators want businesses to capture details of who has signed off on documents, when and why, to maximise transparency around decision making.
What the MHRA say:
“Electronic signature or E-signature systems must provide for “signature manifestations” i.e. a display within the viewable record that defines who signed it, their title, and the date (and time, if significant) and the meaning of the signature (e.g. verified or approved).”
What the FDA say in FDA 21 CFR 11:
Sec. 11.50 Signature manifestations.
Sec. 11.50 (a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
Sec. 11.50 (1) The printed name of the signer;
Sec. 11.50 (2) The date and time when the signature was executed; and
Sec. 11.50 (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
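The signature/record linking (11.70) and signature manifestation (11.50) requirements quoted above can be illustrated with a short sketch. This is an added example, not code from the original post, Cognidox or any regulator; it assumes a closed-loop system that holds a server-side HMAC key rather than using a CA, and every name (`SYSTEM_KEY`, `sign_record`, `verify_signature`, `manifestation`) and sample value is constructed for illustration.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

SYSTEM_KEY = b"constructed-demo-key"  # assumption: secret held only by the eQMS server
MEANINGS = {"review", "approval", "responsibility", "authorship"}  # examples in 11.50(a)(3)

def _mac(fields):
    # Canonical JSON so the same fields always produce the same MAC.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SYSTEM_KEY, payload, hashlib.sha256).hexdigest()

def sign_record(record_id, content, user_id, printed_name, meaning, when=None):
    """Create a signature entry bound to one record and one version of its content."""
    if meaning not in MEANINGS:
        raise ValueError("signature must carry a defined meaning")
    fields = {
        "record_id": record_id,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "user_id": user_id,              # unique to one individual (11.100a)
        "printed_name": printed_name,
        "signed_at": (when or datetime.now(timezone.utc)).isoformat(),
        "meaning": meaning,
    }
    return {**fields, "mac": _mac(fields)}

def verify_signature(sig, record_id, content):
    """Return (ok, reason); fails if the entry was edited, moved or the record changed."""
    fields = {k: v for k, v in sig.items() if k != "mac"}
    if not hmac.compare_digest(sig.get("mac", ""), _mac(fields)):
        return False, "signature entry altered"
    if fields["record_id"] != record_id:
        return False, "signature belongs to a different record"
    if fields["content_sha256"] != hashlib.sha256(content).hexdigest():
        return False, "record changed after signing"
    return True, "valid"

def manifestation(sig):
    """Human-readable display: who signed, when, and what the signature means."""
    return f'{sig["printed_name"]} | {sig["signed_at"]} | {sig["meaning"]}'

if __name__ == "__main__":
    doc = b"SOP-001 v3: constructed sample text"   # constructed sample record
    sig = sign_record("SOP-001", doc, "u-0042", "A. Example", "approval")
    print(manifestation(sig))
    print(verify_signature(sig, "SOP-001", doc))   # valid
    print(verify_signature(sig, "SOP-002", doc))   # copied onto another record
```

Because the MAC covers the record identifier, the content hash and the manifestation fields together, a signature entry pasted onto another record, or left on a record that was edited afterwards, fails verification.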
But what about documents that require signatures from individuals outside your organisation? These might include those signing contracts, consenting to participation in clinical trials, or reporting on equipment calibration.
Where required signatories do not have logins to your eQMS, you should look for compliant integrations with third-party digital signature suppliers such as DocuSign. These are legally binding advanced digital signatures managed by specialist companies, whose application to your documentation can be controlled at your invitation.
You can read more about integrating DocuSign e-signatures to the Cognidox closed loop eQMS here.
Given all these technical requirements, choosing a flexible eQMS (created and validated by specialist software developers) is the most efficient way to integrate compliant e-signatures into your working practices.
The alternative is to build third-party digital signature integration into an open system stitched together with SharePoint, Google Docs, or other file sharing systems.
This can be time-consuming and expensive. And it risks opening up gaps in your compliance procedures as maintenance becomes more complex over time.
Instead, choose an eQMS partner that offers compliant e-signature integrations as standard - and at no extra cost.
Blog post updated on 24/09/2024