21 CFR Part 11, "Electronic Records; Electronic Signatures," defines the FDA's requirements for using records and signatures in electronic form to meet the record-keeping requirements of Agency regulations. In more than ten years dealing with Part 11 compliance, I have often seen confusion over exactly what constitutes an "Electronic Signature." The title of the regulation itself uses the term "Electronic Signature," which is something of a misnomer, since the regulation deals with several different types of signatures that are used in electronic form. The different types of signatures include standard electronic signatures, digital signatures, and handwritten signatures captured electronically.
Electronic Signatures ("e-sigs") are the type of signature most people think of when considering Part 11. Electronic Signatures are defined as "a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature." This indicates that some information must be entered electronically and associated with a record for that record to be considered signed. There are two standard types of e-sigs: Biometric and Non-Biometric signatures.
Biometric Electronic Signatures involve "a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable." This unique measurement must be captured every time a record is signed, and the measurement must be securely linked to the signed record. Examples of biometric signatures include fingerprint scans or iris scans. This type of signature requires some type of measurement hardware attached to the computerized system for the signature to be executed, so it has not yet seen widespread use in the life science industries. Biometric Signatures must comply with both the General Signature Requirements and the Electronic Signature Requirements as defined in §11.50, §11.70, §11.100, and §11.200(b) of the regulation.
The other type of standard e-sig is the Non-Biometric Signature. This type of signature requires entry of two or more distinct signature components into the computerized system as the e-sig execution action. The traditional e-sig requires entry of a User ID and Password as these distinct components, although there may be additional or alternate components, such as a badge scan instead of a User ID, or additional entry of a code from a SecurID token or other device. Because most modern computerized systems incorporate logical security functionality, this is the most common type of electronically captured signature implemented in FDA-regulated applications. Non-Biometric Electronic Signatures must comply with both the General Signature Requirements and the Electronic Signature Requirements as defined in §11.50, §11.70, §11.100, §11.200(a), and §11.300 of the regulation.
Digital signatures are a subset of Non-Biometric electronic signatures and are based upon "cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified." Such signatures are typically implemented using Public Key Infrastructure (PKI) and involve obtaining and utilizing Public and Private Keys that are provided and managed by a trusted third party. Most companies do not go to the level of Digital Signatures for Part 11 signature applications; however, in addition to the applicable e-sig requirements mentioned above, Digital Signatures can also be used to fulfill the requirements for "open systems" as detailed in §11.30 of the regulation.
A final type of signature is the electronically captured handwritten signature. The FDA indicates that a signature is considered handwritten if "the act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark." A common example of this is capture of the signature image by signing with a stylus on a digitizing pad or screen. This type of signature is typically used in Sales Force Automation systems utilized by pharmaceutical sales forces in the field to capture the signatures of health care practitioners receiving drug samples. Such an electronically captured handwritten signature is not considered a true electronic signature, so it would not need to comply with the e-sig-specific requirements defined in §11.100-§11.300 of the regulation; however, as a handwritten signature executed to an electronic record, it would need to comply with the general signature requirements defined in §11.50 and §11.70 of the regulation.
Even though they are not electronically captured, traditional wet handwritten signatures can also fall within the scope of Part 11. This can occur in a "hybrid system," which incorporates both hard copy and electronic record elements. An example of this would be printing a copy of an electronic record and signing the paper, with the intent that the signature approves the electronic version of the record. Although this type of signature application is relatively rare, it may be used in cases where the computerized system cannot support compliant e-sigs. Hybrid systems were not well considered when the Part 11 regulation was drafted; however, these hybrid signatures fall within the definition of "handwritten signatures executed to electronic records" and would need to comply with §11.50 and §11.70 of the regulation. The most common way to ensure a secure record/signature linkage is to record unique information about the electronic record on the paper, such that if the record changes the signature will be invalidated.
In all cases above, it is key to ensure that the signatures are securely captured, stored, and linked to their associated records. All of these signatures are legally binding, and as such, there must be a high degree of assurance that the signatures cannot be forged and cannot be repudiated by their genuine owners.
To discuss this topic further, contact Rob at robert.finamore@qpharmacorp.com
How interesting. Looks like all signatures will soon be replaced by digital files and add-ons. Things will definitely move faster when we can use those tools.