Today, we routinely email documents with a request for an electronic signature. Once signed, the other party is notified that the signature is complete – and life moves on.
But things have become more complex recently – especially in highly-regulated industries such as bio/pharmaceuticals. While electronic signatures have been around for years, they are not all created equal. In the pharma industry this matters a great deal, since some regulatory agencies specify that only certain types of signatures are deemed acceptable.
In fact, some of these regulations have recently been tightened – making it essential for your LIMS to comply when processing certain types of data. To ensure that your lab is in compliance, it’s worth starting at the beginning and examining what signatures are used for and the three categories they fall into.
What’s a Signature For?
In simple terms, your signature represents your willingness to be accountable for the content of a document. This holds true whether you’re claiming to have read it, approving it, and/or taking responsibility for having created the content. It can also be used to indicate that you’re of sound mind and agreeing with the document information of your own free will.
In regulated environments, signatures are also used as proof of work completed, or to affirm that you have an acceptable level of knowledge about whatever you’re reviewing or agreeing to.
Signatures are legally binding, and contrary to popular belief it is often unnecessary for a notary to be involved. Organizations that rely on them need to be certain that the person who signs a document is who they claim to be (i.e., their signature hasn’t been forged) and that the document hasn’t been tampered with since it was signed, which is why notaries are so often used in high stakes situations.
Three Types of Signatures
What constitutes a signature today is a bit more complicated than it used to be. Modern signatures are classified into the following three categories:
1. Wet signatures
The most basic and traditional signature involves signing a physical piece of paper with an ink pen. This method has been used for centuries to represent binding contracts and prevent fraud – and is still in use today.
Surprisingly, despite their history, wet signatures are less secure than the other two types discussed below, and far more difficult to verify. Discrepancies are expensive and time-consuming to resolve, often requiring the involvement of trained handwriting experts. It can also take more time to get a wet signature and can cost more as well — especially if notarization is required.
In addition, using paper is becoming less desirable in today’s world, both from a sustainability standpoint and the difficulties involved in retaining and retrieving paper records over the long term.
2. Electronic signatures
Electronic signatures, sometimes called e-signatures, describe any electronically transmitted signature. For example, when they deliver the good stuff, UPS and FedEx drivers may ask you to sign for the package with a stylus on a digital keypad.
Many different types of documents can now be signed electronically under ESIGN and UETA regulations, including HR documents, FDA-associated documents, NDAs, software licenses, technology sector documentation, consumer transactions and more.
Although electronic signatures are often used as replacements for wet signatures in today’s digital world, they vary considerably when it comes to the level of security or legality they provide.
This is of paramount importance in highly regulated industries such as healthcare, human resources and good practice (GxP) environments, some of which are moving toward ever-stricter requirements.
3. Digital signatures
Although the terms “electronic signature” and “digital signature” are often used interchangeably, they’re not considered to be the same thing by the FDA or market leaders such as GlobalSign or DocuSign. Digital signatures are a more secure type of electronic signature, in which a trusted third party – known as a Certificate Authority (CA) – is responsible for verifying your identity. They’re essentially the digital equivalent of a notarized signature.
Digital signatures can be implemented in several ways, but for the purpose of this article we’ll stick to the most common method: the CA issues a digital certificate that ties your verified identity to your signing key, and the signature itself is computed over a cryptographic hash of the document, which acts as a digital fingerprint. If the document changes after signing, the fingerprint no longer matches and the signature fails verification.
Signature Compliance in the Pharmaceutical Industry
In North America, the FDA’s 21 CFR Part 11 provides the basic guidance for electronic records and signatures in the pharmaceutical industry. Although the FDA does not require digital signatures, 21 CFR 11 lays down specific criteria that electronic signatures must meet, with additional conditions for signatures not based upon biometrics, including fields for both the action and the reason.
In the EU, electronic signatures are governed by Annex 11 – Regulation (EU) No 910/2014 of the European Parliament and of the Council. In many ways, this is the EU counterpart of 21 CFR 11, but it applies to more than just software. It also includes hardware, risk management and personnel. Under Annex 11, electronic signatures are expected to:
- have the same impact as hand-written signatures within the boundaries of the company.
- be permanently linked to their respective record.
- include the time and date that they were applied.
These regulations can also be more stringent in places such as Germany, which have adopted laws specifically enforcing digital signature requirements. Regulation (EU) No 910/2014 distinguishes three levels of electronic signature:
- A simple “electronic signature”, defined as data in electronic form which is attached to or logically associated with other data in electronic form and used by the signatory to sign.
- An “advanced electronic signature” (AES), which meets additional requirements enabling changes to the signature to be detected (typically via cryptography), thus providing a higher level of trustworthiness.
- A “qualified electronic signature” (QES), which is an AES created by a qualified electronic signature creation device, linked to a certificate issued by a trusted service provider of an EU member state. A QES is the only electronic signature level to have special legal status in EU member states, being legally recognized as the equivalent of a written signature.
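The digital signature mechanism and the record-linking expectations described above, shown with the OpenSSL command line as an added example (not LabVantage's implementation and not code from this article): the signed manifest carries the record's SHA-256 hash, the signer, the action and reason, and a UTC timestamp, so an edit to either the record or the manifest is detected. The record contents, signer name, manifest field names and the self-signed certificate standing in for a CA-issued one are constructed assumptions.

```shell
#!/bin/sh
# Added example. Record contents, signer name and certificate are constructed.
WORK=$(mktemp -d)
SIGNER="Constructed Analyst"

make_signer() {
  # A self-signed certificate stands in for a CA-issued one (assumption).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$SIGNER" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

record_hash() {  # SHA-256 fingerprint of the file in $1
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

sign_record() {  # $1 = record file, $2 = action being signed for, $3 = reason
  # The manifest ties the signature to one record, one signer and one moment.
  printf 'record_sha256=%s\nsigner=%s\nmeaning=%s\nreason=%s\nsigned_at=%s\n' \
    "$(record_hash "$1")" "$SIGNER" "$2" "$3" \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$1.manifest"
  openssl dgst -sha256 -sign "$WORK/key.pem" -out "$1.sig" "$1.manifest"
}

verify_record() {  # succeeds only if manifest is authentic and record unchanged
  openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem" || return 1
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$1.sig" \
    "$1.manifest" >/dev/null 2>&1 || return 1
  [ "$(sed -n 's/^record_sha256=//p' "$1.manifest")" = "$(record_hash "$1")" ]
}

make_signer
printf 'sample_id=S-001\nresult=pass\n' > "$WORK/record.txt"
sign_record "$WORK/record.txt" approved "batch release review"
verify_record "$WORK/record.txt" && echo "untouched record: signature valid"
echo 'result=fail' >> "$WORK/record.txt"   # simulate a post-signature edit
verify_record "$WORK/record.txt" || echo "edited record: signature rejected"
```

In production the private key would sit in a hardware token or HSM rather than a file, and the verifier would also validate the certificate chain and revocation status against the issuing CA.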
LIMS Signature Capabilities: Assess Your Capabilities
Your LIMS should support the ability to use electronic or digital signatures, as needed. In the pharma space, companies tend to operate in a global environment, so a LIMS should both comply with 21 CFR Part 11 electronic signature standards to ensure compliance with GxP and be able to meet stricter digital signature regulations in locations where they are required (e.g., in Germany).
Both electronic and digital signature options are available in LabVantage 8.8, allowing labs to use whichever is needed to ensure compliance with global regulations.
LabVantage is the only LIMS that currently offers cryptographic signatures that require a digital certificate generated and validated by a third party, essential for compliance in Germany and some other EU countries.