The ABCs of Electronic Signatures

Successful Transition from Paper to Electronic Depends on SOPs, Software Features, and Validation

The Food and Drug Administration’s 21 CFR Part 11 allows a company to implement computer systems that will greatly increase the efficiency of individuals, reduce errors by identifying risks in the processes that use software applications, and increase overall productivity. When the law took effect in 1997, it aligned the world of regulation with the evolution of computers. It allows “paperwork” documentation to be significantly reduced or completely eliminated.

Computers have made people much more productive, so it is natural to use electronic records in place of paper records. Every company has electronic records, but most companies are so unsure about electronic signatures that they print out copies of electronic records and sign the paper. What these companies don’t understand is that it doesn’t take much effort to become Part 11 compliant for both electronic records and electronic signatures.

While regulatory and accrediting agencies are auditing companies for compliance, computer systems in general are changing, and therefore what needs to be audited is changing. The law hasn’t been changed to provide any meaningful details, so companies and the auditors are continually trying to understand the specifics of compliance. This problem is shared by all industries under regulation.

How can you eliminate paperwork altogether by implementing electronic signatures?

If you have electronic records and you print them out for signature approval, the implementation of the electronic signature will completely replace the need to print. Every approver will instead provide his or her signature electronically.

Any signature process involves these steps: review what is to be approved, identify who is to do the approvals, identify the meaning of the signature, make a unique indication that the person really did make the approval, and include the date of the approval. Once all approval signatures are made, the document being signed is kept in a safe place with limited access to avoid loss or alteration.

An electronic signature can be one of several different things. Most of the time an electronic signature uses the same username and password that is used for system access. Biometric devices such as fingerprint scanners are superior, but concerns about civil liberties have prevented this technology from being adopted. Also, fingerprint scanners don’t work well for people who wear gloves. Retinal scanners are the next type of biometric device, but most people aren’t willing to look into a laser beam several times a day. A few years ago the digital signature was touted as being the next best thing. A digital signature, also known as a digital certificate, is a complex computer-to-computer system that involves encryption.

Most companies are sticking with the familiar username and password for secure access to their computer systems and therefore use the same for their electronic signatures. The process for this type of electronic signature follows the same basic steps as any approval process but has some differences that are far superior.

To review the electronic records to be approved, a user can read the document directly on the computer screen or print a disposable copy of the document. Despite all the advances in computers and the idea of going paperless, many people prefer to read documents on paper. The difference here is that the paper used for reviewing is not going to be retained. To perform an electronic signature, the computer software displays the names of the approvers and the meaning of the signature. The meaning is usually a short sentence. An approver enters his or her username and password and the system confirms they match, just as it does when that person logs in to the system. As soon as the first electronic signature is made, the software immediately locks the electronic records to prevent modification by anyone and the date, time, and meaning of the signature are permanently linked to the electronic record. This is to ensure that all approvers are approving the same information. At this point you have a securely approved set of electronic records that cannot be modified, is available online, and is backed up to allow for disaster recovery. In all ways, electronic records with electronic signatures are superior to paper records. And electronic signatures are much less expensive and readily available.

What is preventing companies from using electronic signatures?

Even after people understand the specific requirements, there is still resistance due to the elimination of the handwritten signature. The electronic version is far superior but it doesn’t offer the same level of comfort.

Is there a way to have electronic signatures and still have the handwritten signature?

The answer is absolutely yes! A digital pen allows for an electronic signature on paper with a real ink pen. What is amazing is that people get to work with pen and paper while at the same time everything they do with the pen is captured on an electronic equivalent. See Figure 1.

The digital pen works exceptionally well for data capture on forms and for electronic signatures. Here is how it works for an electronic signature. You create a form or document. The digital pen software prints the electronic document record and a hidden pattern on plain paper. People sign and date the paper documents with the digital pen that records everything they write. Many people can share the same pen. When someone inserts the pen into a dock connected to a standard computer, the data in the pen is transferred to the digital pen software, where the original electronic document record and the electronic copies of the handwritten signatures are combined. The entire process is fully secured by encryption. At this point you have a securely approved set of electronic records that cannot be modified, is available online, is fully searchable, and is backed up to allow for disaster recovery. In addition, you have the familiar and comfortable paper record with the ink signatures. If that paper should be lost, all you have to do is print the electronic copy of it and again have the familiar handwritten signatures on paper.

When using a paper form with a digital pen, the process is much the same. Each time a form is printed, a unique hidden pattern is automatically added. When someone writes on the form with a digital pen, every ink stroke is captured. If someone writes on multiple forms and performs multiple electronic signatures, all are kept straight by the software when the pen is docked. This is also true when multiple people using multiple digital pens write on the same form. A digital pen can hold about 200 pages and be used for a week before needing to be docked to transfer the data and recharge the battery. It is natural and easy to fill out a form with a pen. You can supply dates, times, numbers, and text; check boxes; and write cursively without any training. It really is less expensive, faster, easier, and more comfortable than a handheld computer device such as an iPhone or BlackBerry.

What exactly is required to use electronic records and signatures in place of paper records?

There are three primary areas of compliance: standard operating procedures (SOPs), software product features, and validation. What the regulations intend is for companies to implement good business practices. This is in alignment with the concepts of Good Manufacturing/ Clinical/Laboratory Practices (GxP).

As all regulated companies know, the company’s SOPs describe how processes are to be performed. In the implementation of those processes, Part 11 allows any paper record to be replaced with an electronic record provided the computer system has appropriate features and is validated. Let’s explore the details of each area one at a time.

SOPs

There are several SOPs needed to address the overall SOP system and IT infrastructure for software and electronic data.

1. SOP Management–how to create, approve, and distribute SOPs
2. Training–how to record the training of staff and ensure that they have the experience and education necessary to perform their jobs
3. Internal Audits–how to conduct self-assessments to ensure that staff comply with their SOPs
4. Facility Security–how buildings are secured to ensure that the data is physically secure
5. Data Backup–how electronic data is backed up and stored off-site
6. Data Archiving–how to make room on a server by copying data to removable media and then deleting it from the server
7. Network/Computer Security–how the network, server, and workstations are logically secured
8. Software Installation–how to perform computer hardware and software installation
9. System Security Reviews/Audits–how audits of security vulnerabilities are conducted in order to ensure ongoing data protection
10. System Maintenance Event Recording–how to record hardware and software changes to your servers
11. Disaster Preparation/Recovery–the plan for dealing with disasters both small and large
12. Record Retention–how long to keep each type of document, file, etc.
13. Electronic Signature Policy–how to use electronic signatures so they are the legal equivalent of handwritten signatures
14. Computer System Validation–how to validate commercial off-the-shelf software (COTS); this often is the 10-step risk-based documentation approach

System features

More than 40 industry standard software product features are needed to ensure that the computer system is secure, contains audit trails for data values, and guarantees the integrity of electronic signatures. Examples of industry standards for security include minimum password length and minimum password change frequency. Examples of industry standards for audit trails include recording of user, date, time, old data value, and new data value. The product features are included in the software by the software developer and are often configured by the users during validation.

Computer system validation

Every computer system must have documented evidence that the system does what is intended and that users of the system can detect when the system is not working as intended. Validation must follow the company’s SOPs, and virtually all companies find the risk-based approach to computer system validation to be the most efficient and cost-effective method of validation available. The 10-step risk-based approach includes the following fill-in-the-blank documents:

1. User Requirements
2. Validation Project Plan
3. Installation Protocol
4. Installation Report
5. Functional Specifications
6. Hazard Analysis
7. User Testing Protocol
8. User Testing Report
9. System Release Report
10. Validation Completion Report

The key to compliance is to use the law to your benefit, and not to try to ignore it or circumvent it. When you buy a computer system to become more productive, doesn’t it make sense to use Part 11 to maximize productivity?

How much effort is required to become compliant?

To draft all the required SOPs takes approximately two days.

To perform a gap analysis of a software product vs. the required software features takes approximately two hours. Once the gaps are identified, the users will need to work with the software vendor to coordinate upgrades, and user procedures need to be drafted to define workarounds for both the short and the long term. This “filling of the gaps” takes approximately one day.

Validation, following the 10-step risk-based approach, takes approximately seven team days for a medium-sized software application. A team usually consists of three to five people who represent the interests of all the users of the system. These “congressmen,” so to speak, complete the fill-in-the-blank validation documents.

Why is there is so much noncompliance and so much fear of Part 11 and especially validation?

The simple answer is that there has been little leadership in this area. Historically, all the players involved have not known what to do and have pointed fingers at each other. The regulated company gets very little from the regulations. IT departments are not experts on regulations and the many different software applications that they support. In fact, the users and IT are often confused by the inconsistency in the product features of the applications they use. Quality assurance staff most often do not have the computer skills and experience needed. Software vendors are themselves not regulated and therefore don’t really understand what the users need. Users are focused on doing their jobs and don’t understand the requirements that Part 11 places on them.

The FDA and the Department of Health and Human Services have not, and legally cannot, provide specifics for compliance. Industry has developed standards, but sharing between companies that compete with each other is difficult at best. And probably the biggest problem of all is that there are few resources who know all the pieces and can provide the leadership needed to coordinate all the players.

Achieving higher productivity and security

If you want to make your staff more productive quickly, you can use the computers you already have. 21 CFR Part 11 and all the equivalent laws make it possible. In about two weeks you can address the SOPs needed for the IT infrastructure, industry-standard product features, and validation of a computer system. During validation you can include electronic signatures, eliminate paper, and increase security. This is the recipe for how companies can compete globally.