Digital Signatures: New MHRA guide clarifies remote approval requirements

A lot of us have been challenged by remote working lately, whether it’s the back ache acquired from working on a kitchen stool or the daily trial of conference calls interrupted by riotous offspring. But as we’ve noted elsewhere, many companies operating in highly collaborative and regulated industries have been feeling new pressures during the UK’s lock down, as processes have come under extra strain by the realities of physical separation.

The MHRA have issued new guidance

It’s a problem with such serious potential consequences for the safety of end products, and the smooth running of industry and its regulation that the MHRA have issued new guidance entitled: Approval of GxP documents when working from home during the coronavirus (COVID-19) outbreak.

For those businesses that are still dependent on paper filing systems and sign off using ‘wet signatures', they point out how those approvals and confirmations that were once gained in person should be translated into virtual scenarios.

The guidance covers approaches to the approval of documentation including:

• Validation protocols and reports
• Risk assessments
• Technical reports
• Quality management system documents that are paper-based such as SOPs, investigations and change requests.

The guidance acknowledges:

“The solution will vary between organisations depending on the type of document and the tools available to the person performing the approval e.g. printer, scanner/smartphone, secure email, third party software or existing systems that have tools to capture electronic signatures.”

It states that consideration need to be given to the following elements of risk management:

• How the method of document distribution and approval should be defined to minimise the risk of error due to misunderstanding of what is being reviewed/approved
• How the approval signature is attributable to an individual
• The security of the electronic signature i.e. can it only be applied by the ‘owner’ of that signature?
• How the act of ‘signing’ is recorded so that the document cannot be altered or manipulated without invalidating the signature or status of the entry
• Ensuring that all required associated data is available to a remote reviewer that would have been available to them if they were performing the review at a site

But the MHRA also notes that if there is a legislative requirement for a signature, the need for cast iron authentication of documents increases significantly.

Operating without a digital Document Management System presents real challenges

Trying to guarantee the above without the organising influence of an integrated digital Document Management System might seem a tall order. It might entail a lot of scanning, printing, emailing, signing and virtual filing. And as the number of manual processes involved in signing off work increases, so does the risk of errors and omissions that could endanger successful audits or the guarantee of product safety.

The current crisis might well have been a wake up call for many businesses about the need to digitise more effectively in the long term, particularly as the trend towards distance collaboration is only likely to continue post lockdown.

It’s a reminder that the DMS tools that you choose to adopt in the future will need to be properly equipped to deliver on the exacting authentication demands of approval methods for regulated industry.

Not all digital sign off methods are created equal

As the MHRA guidelines make clear, not all digital sign off mechanisms are created equal. There is a hierarchy of signature and approval types that represent different levels of control and authentication. For those working in Pharma and life sciences who must adhere to GxP guidelines certain documents need to have maximum traceability and be demonstrably tamper-proof.

What is 21 CFR Part 11? FDA requirements explained

E-signatures are not enough - integrated digital signatures are needed for regulated industry

For this kind of sign off it’s not enough to drop an image of a signature into a PDF and re-save the document. For this kind of sign off your need ‘a digital signature’ as defined by the FDA:

"A digital signature is an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified." (FDA CFR Part 11)

Digital signatures work through Public Key Infrastructure (PKI) technology. They are like fingerprints,  each one is unique to an individual with a trusted third party known as a Certificate Authority (CA) serving as notary. Once a document has been digitally signed, it cannot be tampered with; if the content of a file is changed in anyway, the signature will be invalidated.

Finding a DMS that can properly integrate digital signatures into your approval methods will ensure

• That the risk of mistakes and omissions in regulated sign off processes are minimised
• There is full traceability of every approved document in a system in ways that cannot be falsified (including capturing the date, time, location and identity of those who approved it in an indelible way)
• That sign off procedures are easily auditable by external, certificating bodies

7 ways digital signatures should be integrated into your DMS

1. A good DMS should support the creation and management of multiple signing certificates, including the ability to block users immediately if security has been compromised.
2. Signing certificates should require periodic renewal to ensure authorisation is still valid.
3. An administrator should be able to ensure that signing can only occur from trusted locations if required.
4. Formatted signature pages should be able to be appended to documents, including a full version history together with notes added by any signatories.
5. A good DMS should enable a document owner to request multiple signatures from key stakeholders to acknowledge they have had sight of and approved relevant documentation.
6. It should allow email notifications to be sent out when signatures are required and notify document owners when approval is complete.
7. Full reporting rights should be present in a Document Management System, including the ability to search for signed or unsigned documentation in any approval flow.

The MHRA has flagged up the challenges of approving and authenticating documents by remote workers who don’t have access to the right cloud-based tech. For some businesses it’s a glimpse of the problems to come if they don’t commit to digitisation soon.

Blog post updated on 01/06/2022