Boost Online Signature Legitimacy for Product Quality in the United States

How to eSign a document: online signature legitimacy for Product quality in United States

in the previous course you learned the meaning of electronic records and audit trails the use of electronic signatures is key to improving productivity in the regulated quality control laboratory and to releasing products faster to Market if your organization uses digital tools and automated processes or if it is in transition to electronic systems you must understand the 21 CFR part 11 and EU GMP Annex 11 guidelines in this short course I will describe what you need to do to comply with the 21 CFR part 11 electronic signature requirements you will learn the difference between open and close systems as well as the advantages of using electronic signatures over handwritten signatures I will provide an in-depth understanding of the components and controls of electronic signatures ing to part 11. if you are in any way connected to the life sciences industry you have almost certainly heard of the FDA 21cfr part 11 requirements 21 CFR part 11 addresses the use of technology in Quality Systems it outlines the fda's controls for electronic signatures and records are trustworthy and equivalent to paper-based records if you choose to use electronic records instead of paper-based Records part 11 applies to your documentation systems what this may sound daunting the fda's expectations and regulations for electronic systems Echo the requirements for paper-based documentation systems part 11 requirements apply to electronic records and electronic signatures and to the electronic systems used to create modify maintain archive retrieve or transmit them Life Sciences organizations and device manufacturers regulated by the FDA are required to follow 21 CFR part 11. the purpose of part 11 is to ensure electronic records and electronic signatures can be trusted as not just paper record and ink signatures what is the background of fda's part 11 requirements in March 1997 the FDA published a final rule with criteria for records that are created modified maintained archived retrieved or transmitted in electronic form instead of paper form and when electronic signatures are used instead of traditional handwritten signatures in September 2003 the FDA provided a narrow and practical interpretation of part 11 requirements the FDA recommends using a risk-based approach to validating electronic systems implementing electronic audit Trails And archiving electronic records the FDA also confirmed that if you choose to use records in electronic form instead of paper form part 11 would apply conversely if you use computers to generate paper printouts of electronic records and those paper records meet all the requirements of the applicable predicate rules and you rely on the paper records to perform your regulated activities then the FDA would generally not consider you to be using electronic records instead of paper records in this case the use of computer systems in the generation of paper records would not trigger part 11. in summary as mentioned in the previous course any information that is generated and stored within an electronic system is a part 11 record in addition part 11 records include those that are maintained in electronic format instead of paper format and records are maintained in electronic format in addition to paper format a closed system is an environment where system access is controlled by people within the company who are responsible for the content of electronic records in the system in closed systems the organization can confirm the identity of all users before providing access to the electronic record system and only electronic signatures are required enclosed systems the company keeps their records exclusively on its own Hardware these records are accessible on the company's internal Network the system owners are responsible for the closed systems they oversee the content and security of the electronic records they're in these records are usually stored in a repository for example on a data server or in the cloud databases with audit trails are typically considered examples of closed systems which are designed to ensure the authenticity integrity and confidentiality of electronic records whereby the signer cannot reject the signed record as inauthentic open systems do not have these capabilities most systems in analytical Laboratories are closed systems with an appropriate security system in place the lab has full control over who can access the system close systems require an ID and password to access the information the information is controlled by user privilege examples of closed systems in a regulated environment include electronic document Management Systems like scilife laboratory Management systems lims and Training Systems if an organization wants to use electronic records it must document the procedures it follows and the controls it has in place to ensure electronic records have the following qualities authenticity Integrity confidentiality and irrefutability irrefutability means there is no way to deny that a record is genuine now let's discuss some of the most important FDA requirements for the electronic records of closed systems validation means you need to conduct computer system validation CSV to ensure the unquestionable nature of the data processed they're in you need to make sure all electronic records an auditor might want to see can be provided in both human and computer readable forms to the agency for inspection and copying this is related to storage and retention before the life cycle ends records must be readily available in their original form this is about ensuring only the right people have access to each computer system each system that records GXP data must have an audit Trail functionality for all actions for example creation modification deletion in the local date and time without altering the earlier data the audit Trail functionality must be activated with a complete history of an electronic record captured automatically by the computer system retained in the system for the right amount of time and viewable by humans throughout this is about sequencing the workflow of the digital systems per GXP requirements you must prevent your electronic systems from performing activities in the wrong sequence for example modifying the record after it has been digitally signed controls must be in place to limit user access at both the system level and the record level and verify the user's performing functions in the system are authorized to do so you should check that the PC is used for regulator purposes are functioning as intended the source of where the data is being added into the regulated system must be validated responsibility and accountability are essential this statement ensures only trained and qualified people can perform functions on the system you should hold individuals accountable for the Integrity of their actions related to electronic records and electronic signatures to discourage data falsification Sops must document responsibility and accountability criteria for actions taken using electronic signatures document control is critical controls must be in place for documents involving system operation and maintenance including those that preserve the complete history of changes made to the following documents qualifications Sops validation Change Control deviations operational and maintenance procedures audit Trails Etc an open system is an environment where system access is not controlled by the people in the company who are responsible for the content of the electronic records on the system data could reside in an open system for some period of time outside the control of the organization that owns the data the organization cannot confirm the identity of all users before providing access to the electronic record system this means that digital signatures are required to verify the identity of the person signing the document open systems can be perfectly compliant but sponsors must ensure data Integrity record authenticity and confidentiality more controls are needed to protect the records from being read modified destroyed or compromised by unauthorized people the Assurance of security and data Integrity can be challenging in an open system for example consider a vendor offering a license to a record keeping software solution to a company in this case the vendor controls access to the software and the records vendors may require certain technical elements of a compliant system but the system is not inherently compliant it is therefore the responsibility of the sponsor or user to implement the procedural and administrative controls to guarantee compliance another example of an open system in a laboratory is one where the data is stored on a server that is used under third party control other examples of open systems are websites where everyone has access electronic signatures documents have traditionally been printed on paper physically handed to each reviewer in an office and approved using wet ink signatures there are lots of documents in our quality management system that have traditionally been signed by wet ink signature paper-based Sops investigations risk assessments change requests validation protocols and Records training records Etc that said there are alternatives and more efficient methods available including the use of electronic signatures an electronic signature is a simple and legally binding way to authenticate the identity of a signer of a digital document or form equivalent to a handwritten signature for example using your electronic signature to approve a document in an eqms is the same as using your handwritten signature on a document paper the FDA allows electronic signatures to be used instead of handwritten signatures with pen and ink on paper documents if you apply the following requirements for electronic signatures first the electronic signature must be unique to one individual second the printed name of the signer the date and time and the digital signature should be listed as well and finally the meaning of the signature that is authorship review approval Etc should be displayed note that before people in your organization can use electronic signatures your organization should certify to the FDA the electronic signatures or the legally binding equivalent of traditional handwritten signatures 21 CFR part 11.100 c 1 2. let's review some of the 21 CFR part 11 requirements regarding the use of electronic signatures note that one of the fda's overriding objectives in the rule is to prevent fraud so make sure you have controls in place to demonstrate your system is under control electronic signatures are not based on Biometrics for example access systems based on fingerprint analysis and Retina Display analysis must employ at least two distinct identification components such as a username and password this is meant to ensure electronic signatures cannot be used by anyone other than their genuine owners the FDA allows users to execute a series of signings during a single continuous period of controlled system access for the first login the user must enter a username and password the track further activities password authentication alone is sufficient if the user is logged out they can sign in but must re-enter their username and password for each subsequent sign-in the electronic signature must be executed by the original owner of that signature sharing electronic signatures is not permitted if the original signer is absent their supervisor and system admin can jointly sign electronically on behalf of that person the system cannot allow duplication two individuals may not have the same identification code or password sharing electronic signatures is not permitted passwords should be changed periodically for example the system might require password changes every 30 days expired passwords must be renewed in a timely manner the system should be able to detect intrusion to identify fraud online transactions this includes multiple failed login attempts logins from a large number of IP addresses or unusual account activity note that the system could temporarily suspend accounts showing any of these activities it may require logged explanations of the activities by administrators including any actions taken in the case of unauthorized login attempts the system must be able to detect and Report issues promptly to the responsible Authority for examples administrators should be alerted to all attempts of logging failure and electronic signature failure when logging in with a valid username and invalid password or with an invalid username and valid password in such cases after a number of attempts the user account should be locked only designated administrators can unlock the user account reasons for a lockout are provided by the security system to the administrator foreign