Electronic VS Digital Signatures? What do you need for a med-tech eQMS?

Would your business benefit from using electronic signatures within your digital quality management system (eQMS)? Are you hoping they will streamline your sign off processes and strengthen compliance capabilities? If so, what type of e-signature do you need?

What is an electronic signature, anyway?

According to the US Federal ESIGN Act, an electronic signature is any

“Electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

‘E-signatures’, therefore, run the full gamut of digital ‘sign-off’ methods including:

• Ticked boxes associated with declarations
• Scanned images of signatures dropped into documents to indicate consent
• An electronic representation of a handwritten signature
• A unique representation of characters
• Fingerprints or retina scans
• A signature created by cryptographic means

But all these types of e-signatures fall into one of three categories, offering different levels of authentication and proof of intent. These categories are:

1. Simple electronic signatures

These are digital representations of ‘signatures’, but offer no secure authentication around the identity of the signatory.  They don’t require any specialist software to operate and they can include:

• Stylus or finger drawn signatures
• A typed name in a signature box
• A scanned signature dropped into a document

2. Advanced electronic signatures (AdES)

An advanced electronic signature provides a higher level of identity verification, security, and tamper-proofing.

According to eIDAS (the EU regulation for electronic identification) an Advanced Electronic Signature (AdES) must be:

• Uniquely linked to the signer
• Capable of identifying the signer
• Created using means that the signer has under their sole control
• Voided if there are subsequent changes to the signed document

Advanced e-signature software solutions must use electronic authentication methods to confirm a signer’s identity before a signature can be applied to a document. 

Different methods of digital authentication offer different levels of security and certainty around a signer’s identity. They can include everything from a basic digital confirmation of details to robust credential checks before a signature can be added. 

3. Qualified Electronic signatures (QES)

QES, also known in the market place as digital signatures are a type of advanced electronic signature. 

They use PKI (Public Key Infrastructure) to encrypt and authenticate signatures with trusted third parties.  These third parties, acting as notaries to the signature, are known as Certification Authorities (CA).

A 21 CFR Part 11 checklist: 7 key FDA e-signature requirements

Digital Signature software - when you need to encrypt and authenticate

Software solutions like AdobeSign and GlobalSign let you add digital signatures to a document using unique credentials (such as log in and passwords or biometric tokens). Once these are verified with a CA, an encrypted signature is added to the PDF, together with a date and time-stamped ‘certificate’ of the action. If the document is altered at any stage after this signature is added, the signature itself will be shown to be void on the document. APIs are available to integrate these digital signatures into workflows within digital Quality Management Systems.

Some CAs also offer an additional level of security through the use of Dongles.  These ‘USB tokens’ are password-protected physical devices in which an individual’s digital signature is stored. In these cases users cannot add their digital signature to a document unless the Dongle is present in the USB port. 

It should be noted that accessing this kind of hardware could cost you £1000s per user per year.

Which type of e-signature do you need?

Med tech developers often assume they need the highest level of encryption and CA authentication to prove to regulators their sign off and security measures are fit for purpose.

But this is not the case.  Nowhere in the FDA regulation is CA authentication mentioned or required.

Other businesses, simply choose off-the-shelf software such as PandaDoc or GlobalSign to help them stitch together DIY quality management systems in the quickest way possible.

In both cases, we would argue, paying for an extra license to access and integrate a third-party digital signature solution can lead to unnecessary maintenance, complexity and expense.  And using them as stand alone applications is practically useless for compliance purposes.

So, what do you really need your electronic signatures to do?

What does the FDA require?

The FDA has some key requirements for electronic signatures.  These include:

Sec. 11.50 Signature manifestations

(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

Sec. 11.50 (1) The printed name of the signer;

Sec. 11.50 (2) The date and time when the signature was executed; and

Sec. 11.50 (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

and 

11.70 Signature/record linking

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means

Typically, this is done by the eQMS turning the approved document into a PDF with a ‘signing certificate’ appended to the end, acting as an indelible audit trail.

In addition to this there are a host of requirements to control the use of those signatures using unique credentials (such as user name and password) known only to the individuals who own them. 

11.100a

Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else

And other provisions:

Credential checks: Before a signature can be added to a document you should be required to enter ”at least two distinct identification components”  (11.200a)

Repeated credential requests: If signings take place in separate sessions these identification components must be requested again.  (11.200a)

Unique combinations: it should be impossible to duplicate the assignment of codes and passwords (11.300a)

Focus on your eQMS

For med-tech specialists, then, neither the FDA nor the MHRA require the use of encryption or authentication with a CA to meet the regulation.

Instead, what is critical for regulators is the way e-signatures are controlled within an eQMS. And the way that, together, they will

• Positively identify signatories
• Prevent falsification
• Always indicate the latest, approved version of any document

eQMS functionality meets the regulatory requirements

A med tech eQMS, operates as the single source of truth about the history of all your documents. And the ‘meaning” of every signing event should be automatically stored within it, showing a manifestation’ of each electronic signature applied to it as part of an indelible audit trail. 

When a signed document is stored within a secure eQMS, the document simply cannot be altered without requiring subsequent approval from named individuals within an organization.  And if approval permissions have been revoked from a signatory, or the documents validity has expired, then the eQMS will flag the document’s invalid status.

Digital signature software on its own is not enough for FDA compliance

On its own, a DocuSign or equivalent will do none of this.  It will only append authenticated digital signatures (with the date and time stamp on which they were added) to a document.  This is enough to prove consent for a legal document. But it will not automatically show the meaning of those signatures in a med tech development context, or prove unequivocally that what you are looking at is the latest, approved version of a document. 

And without considerable integration and workarounds it is very hard for third party e-signature solutions to work in these specific ways.

Choosing a med tech eQMS with electronic digital signatures built in is the most cost effective and efficient way to feel the commercial benefits of a more streamlined sign off process and meet the regulatory requirements.

Conclusion

Understanding the differences between simple, advanced and qualified e-signatures is helpful to understand the different levels of authentication around identity and data that are possible using various digital approaches. 

But to understand whether e-signature software will help you with compliance you need to focus on the functionality of the eQMS that will implement and control the solution.

It is the eQMS that should give you the means to control who is able to sign off on documents.  It is the eQMS that will prove you are able to administer these privileges effectively.  It is the link between the eQMS and e-signature that will demonstrate what is the latest, valid and approved version of any document in your system.