%20formatted-1.png?width=2528&height=739&name=SIGNiX%20Logo%20Main%20(white)%20formatted-1.png)
In many years dealing with Part 11 compliance, I have often seen confusion over exactly what constitutes an “Electronic Signature.” The FDA’s definition is found in 21 CFR Part 11; Electronic Records, Electronic Signatures, the regulations specifying the FDA’s requirements for using records and signatures in electronic form to meet the record-keeping requirements of Agency regulations in the Life Sciences industry.
The title of the regulation itself uses the term “Electronic Signature,” which is somewhat of a misnomer since the regulation deals with several different types of signatures that are used in electronic form. The different types of signatures include “standard” electronic signatures, digital signatures, and handwritten signatures captured electronically.
1. Electronic Signatures
Electronic Signatures (“e-sigs”) are the types of signatures most people think of when considering Part 11. Electronic Signatures are defined as “a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.” This indicates that some information must be entered electronically and associated to a record for that record to be considered signed. By FDA definition, there are two standard types of e-sigs: Biometric and Non-Biometric signatures.
Biometric Signatures
Biometric Electronic Signatures involve “a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.” This unique measurement must be captured every time a record is signed and it must be securely linked to the signed record.
Examples of biometric signatures include fingerprint scans or iris scans. This type of signature requires measurement hardware attached to the computerized systems for the signature to be executed, and for this reason it has not currently seen widespread use in the Life Sciences industry. Biometric Signatures must comply with both the General Signature Requirements and Electronic Signature Requirements as defined in §11.50, §11.70, §11.100, and §11.200(b) of the regulation.
Non-Biometric Signatures
The other type of standard e-sig is the Non-Biometric Signature. This type of signature requires entry of two or more distinct signature components into the computerized system as the e-sig execution action. The traditional e-sig requires entry of a User ID and Password as these distinct components, although there may be additional or alternate components, such as a badge scan instead of a User ID, or additional entry of a code from a token or other code generating device.
Because most modern computerized systems incorporate logical security functionality, this is the most common type of electronically captured signature implemented in FDA-regulated application. Non-Biometric Electronic Signatures must comply with both the General Signature Requirements and Electronic Signature Requirements as defined in §11.50, §11.70, §11.100, §11.200(a), and §11.300 of the regulation.
2. Digital Signatures
Digital signatures, also known as independent electronic signatures, are a subset of Non-Biometric electronic signatures and are based upon “cryptographic methods of originator authentication, computed by using set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.” Such signatures are typically implemented using Public Key Infrastructure (PKI) and involve obtaining and utilizing Public and Private Keys that are provided and managed by a trusted third party.
In addition to the applicable e-sig requirements mentioned above, Digital Signatures can also be used to fulfill the requirements for “open systems” as detailed in §11.30 of the regulation. Digital Signatures are also increasingly being preferred for their trusted level of security. Organizations like SAFE-BioPharma, the European Medicines Agency and the U.S. Drug Enforcement Agency (for prescriptions for controlled substances) have standards that require e-signatures to be digital signatures.
3. Electronically Captured Handwritten Signatures
A final type of signature is the electronically captured handwritten signature. The FDA indicates that a signature is considered handwritten if “the act of signing with a writing or marking instrument such as pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.” A common example of this is capture of the signature image via signing with a stylus on a digitizing pad or touch screen.
A common Life Sciences application for this type of signature is in Sales Force Automation systems utilized by pharmaceutical sales forces in the field to capture the signatures of health care practitioners receiving drug samples. Such an electronically captured handwritten signature is not considered a true electronic signature, so it would not need to comply with the e-sig specific requirements defined in §11.100-§11.300 of the regulation; however, as a handwritten signature executed to an electronic record it would need to comply with the general signature requirements defined in §11.50 and §11.70 of the regulation.
4. Hybrid Systems
Even though they are not electronically captured, traditional wet handwritten signatures can also fall within the scope of Part 11. This can occur in a “hybrid system” which incorporates both hard copy and electronic record elements. An example of this would be printing a copy of an electronic record and signing the paper, with the intent that the signature approves the electronic version of the record.
Although this type of signature application is relatively rare, it may be used in cases where the computerized system cannot support compliant e-sigs. Hybrid systems were not well considered when the Part 11 regulation was drafted; however, these hybrid signatures would fall within the definition of “handwritten signatures executed to electronic records” and would need to comply with §11.50 and §11.70 of the regulation. The most common way to ensure a secure record/signature linkage is to record unique information about the electronic record on the paper such that if the record changes the signature will be invalidated.
In all cases above, it is key to ensure that the signatures are securely captured, stored, and linked to their associated records. All of these signatures are legally binding, and as such, there must be a high degree of assurance that the signatures cannot be forged and cannot be repudiated by their genuine owners.
About the Author: Robert J. Finamore serves as the Director, IT Compliance & Validation for QPharma, Inc., a regulatory compliance consulting firm based in Morristown, NJ. He has been a leader at QPharma over the past 16 years in the management and execution of over 100 regulatory compliance projects, and is a recognized expert in computer system validation and 21 CFR Part 11 compliance. To learn more, head to www.qpharmacorp.com.