E-Signatures on Documents in a GxP Environment – 7 Misconceptions
Electronic signatures (E-signatures) are becoming more and more commonly used in today’s world. Before electronic signatures were recognized and accepted legally, documents had to be manually signed by each of the signatories, stored and filed in squeaky compactors (compactus to some) held within a rather dark records room. Obviously, this process is very time consuming in terms of having the documents move between signatories and costly in terms of record management.
Some traditional GxP companies still embrace the old-reliable handwritten signatures in almost all levels of documents. These range from commercial documents, such as contracts, purchase orders and invoices, to quality documents, such as procedures, methods, protocols, laboratory inspections, batch records, and certificates of analysis (CoA). However, the work-from-home culture, which took the world by storm especially during the Covid pandemic, has forced these companies to look at implementing electronic signatures.
Benefits of electronic signatures include:
Increased Security – Various security controls are employed and implemented within electronic signature applications including automatic independent verification, which gives confidence that documents will reach the right people.
Reduced Risks – Several risks that are present on paper documents are eradicated with electronic signatures. Paper documents can get lost or stolen and are subject to the risk of physical damage. Electronically signed documents ensure that no required signatures are missing, prevent access to unauthorised third parties, and are marked with automatic electronic information such as the signer’s identity, the time and location of signing.
Time saved – The most evident advantage of electronic signatures is the time saved. Sending an electronic link accelerates document turnaround to a fraction of the time taken to collect signatures manually. Signatures and approvals on multiple documents can be collected at one time without printing a single page of paper.
No more lost documents – Paper documents are often easily lost during manual handling and this often results in a repeat of the printing, signing and filing process. E-signatures can be attached electronically to documents, providing greater flexibility.
Tracked workflows – Workflows can log a trail of who viewed a document and when, easily tracking who has received, viewed, signed, approved or is holding up a document.
Tear down boundaries – Signatories are no longer limited by physical location and time zones. No matter who they are or where they are located, users can be easily acquainted to the e-signature workflow and experience. Users are also not limited to the use of a desktop or laptop computer but and can easily electronically signing a document using their mobile phone or tablet.
Centralized document storage – Electronic documents can have the added advantage of having a central document repository or storage. Gone are the days of combing through document compactors, document piles on your desk, or even various document folders within your computer or company shared drives.
More space – Document archive rooms can be emptied, saving you valuable real-estate in your facility for other productive use.
Increased Compliance – Ensuring that documents are intact and without tampering is critical in avoiding lawsuits and fines. E-signature encryption technology keeps documents safe and in compliance with state and federal laws.
The benefits of e-signatures are apparent. However, there are numerous questions that companies routinely ask regarding which application to use, the minimum compliance requirements, the regulatory expectations of baseline qualification, and what investment (finances) is required.
21 CFR Part 11 Electronic Signature Definition
Electronic signatures that are intended to be the equivalent of handwritten signatures, initials, and other general signings required by predicate rules. Part 11 signatures include electronic signatures that are used, for example, to document the fact that certain events or actions occurred in accordance with the predicate rule (e.g., approved, reviewed, and verified).
Alternative E-Signature Applications
There are multiple companies that are joining the list of electronic signature applications in the market today. Some are big known developers within the industry and some are smaller players that are providing an equally reliable and less expensive solutions.
Some of these applications are Adobe Sign, DocuSign, emSigner and eSign Genie
With the vast array of document E-signature applications, we will focus more on designing, implementing, and validating DocuSign for GxP environment. Let’s look at some common misconceptions when implementing the use of DocuSign for GxP documentation.
Misconception #1 – Electronic signature is the same as digital signature
It is common to find the terms “digital signature” and “electronic signature” used interchangeably. However, these two terms are not identical in their use, purpose, and meaning.
In the Information Technology (IT) world, a digital signature holds higher security in the sense that the document is encrypted and permanently embeds the signature manifestation. If there is any effort to modify the document in any way, the digital signature is invalidated or revoked. Electronic signature by contrast, is like a digitized handwritten signature which is verified by the signer, through username and password.
Misconception #2 – You do not need to validate the DocuSign application
The need to validate or not to validate a system depends largely on the use of the system in GxP operation.
If DocuSign is being used to sign timesheets that are commercial in nature and not used in GxP activity, the system is not required to be validated. However, if DocuSign is used to initial or sign documents in replace of handwritten initials or signature required by predicate GxP rules, then validation is required.
Misconception #3 – Users can sign documents using the standard DocuSign Module
Not all DocuSign systems are created equal. There are ranges of DocuSign Modules that are available depending on the required use and operation. The standard DocuSign eSignature module can be used for non-GxP signature requirements. However, the DocuSign’s Life Sciences Modules for 21 CFR Part 11 should be implemented to meet GxP regulatory requirements.
According to the DocuSign website, DocuSign offers modules to support compliance with the electronic signature practices set forth in the U.S. Food and Drug Administration’s 21 CFR Part 11. The core Part 11 module includes Part 11-specific eSignature functionality for authentication, reason for signature, and signature manifestation. These capabilities help to comply with regulations while using eSignature to make executing agreements faster, more cost-efficient, and more convenient for everyone involved.
An additional module is the DocuSign Validator for Life Sciences, which simplifies your validation testing and documentation required for Part 11 compliance. Its reports contain screenshots of each test, details of the specific provision tested, and the final results.
The basic DocuSign eSignature module does not require a signatory to create an account before they can sign a document. However, the Life Science Module requires a signatory to create an account and provide minimum information that is verified before the user can sign a document.
Misconception #4 – Users are not responsible for verification of DocuSign functions
With respect to DocuSign’s Life Sciences Modules for 21 CFR Part 11, DocuSign confirms that testing has been performed on the module’s capabilities and functionalities. Although DocuSign may have performed testing on these functionalities, these are tested in a general context.
Each company that employs DocuSign’s Life Sciences Modules for 21 CFR Part 11 may use and implement the system differently and with varying intentions. To ensure regulatory compliance, the specific use of the system may need to be verified and qualified to deem it fit for purpose.
Some functions that would require in-depth evaluation and assessment include but are not limited to:
- Approved document repository
- File naming convention
- Electronic signature manifestation
- Electronic signature log report to be appended to the main document
- Document revision and obsolescence
Misconception #5 – Signed document can only be stored in DocuSign Document Repository
Different companies have varying practices on how to store and manage their documents.
In DocuSign, fully signed documents (i.e., approved) are identified as Completed Documents; the DocuSign application automatically stores these documents within the Completed folder. On the user dashboard DocuSign homepage, a box labelled as Envelope Status is visible on the left-top corner of the screen. At the bottom of the Envelope Status box is a link to the Completed folder where all completed documents relevant to the user can be viewed.
The DocuSign application has a function to sync the completed folder to most of the cloud-based repositories currently available (e.g., Box®, Google®, Dropbox®, etc…).
Sharing of documents within the Completed folder or even sharing the entire Completed folder with a co-worker or colleague is also possible, however, it is important to note that granting shared access to someone means providing access to all DocuSign folders. While the document signing functionality is restricted to the main user only, the sharing function may not be ideal if there are private or confidential documents within the DocuSign folders. Furthermore, the share access for each user will need to be individually configured.
The business and/or quality risks associated with the use of the share functionality will have to be assessed by the companies. There is also the option of implementing a local drive folder to store and manage approved documents to address some of the risks.
Local Drive Folder
Similar to the DocuSign repository, there are advantages and disadvantages to consider when deciding to use a local drive folder to store and manage fully signed documents.
Downloading documents in DocuSign is a simple workflow through the Download button above the document on the screen. There are options available to download the document only, or a combined document (document and electronic signature log report) or to archive the document. When downloading a document or combined document, DocuSign provides a portable document file (.pdf). When archiving a document, DocuSign saves the document and all relevant certification into a zip file. The of .pdf or zip files can be saved in the local drive folder or in a location nominated by the user.
Defining a local drive folder to retain approved documents would require manual intervention. The steps to download from the DocuSign application can be defined in a procedure to control and standardise the approach on the items listed in item# 4 above. Employing this solution may address the possible risks or limitation associated with the repository.
Based on the known advantages and limitations DocuSign, one may argue that one is better than the other. The decision may be boiled down to the number of users that would need to access the approved documents.
Misconception #6 – Location of the approved documents does not need to be validated
Since the decision on the location of approved documents completes the overall workflow for the use of the electronic signature system, it is vital that the rationale for the decision is documented.
Once the decision is made, it is important that the process is verified through testing. The level of testing can be determined via a detailed risk assessment. The use of either the DocuSign cloud repository or a local drive folder should be validated to ensure and ascertain data integrity.
The most common areas of concern requiring validation would be access control, master document, and document versioning.
Misconception #7 – Format of signature fields does not need to be configured
One of the important aspects of data is legibility. Data supporting the quality and safety of product must meet the ALCOA+ elements in order to steer clear of regulatory observations or non-compliance for data integrity issues. Any record that is obliterated, intentionally or unintentionally, may not be easily readable, therefore impacting its legibility.
Companies that are to implement electronic signatures must ensure that their record templates are configured and catered for the signature manifestation of the system to be used. The most common mistake is that the template does not accommodate enough space for the signature. Below are some examples of where the lines of the signature box on the template block or obliterate the information in the electronic signature.
DocuSign’s Life Sciences Modules for 21 CFR Part 11 https://www.docusign.com/products/life-sciences-modules
Local: can be a disk drive physically installed in a computer or server that is accessible to authorised users. Or a cloud-based document drive accessible to authorised users.
It is significant to assess all document templates that would use the electronic signature functionality for their appropriateness and readiness to receive signature manifestation. The minimum required signature area, as well as the positioning of the signature mark, should ideally be defined and indicated in a procedure to minimise or avoid this common error.
PharmOut can help you!
No matter which electronic signature application you are using or intend to use, PharmOut can help in providing and assessment and roadmap to validate your system. Contact us or send a query to email@example.com.
If you are interested in reading more on this topic, check out the following CSV related blogs:
Cannabis Seed to Sale Software – the caveats and CRF Part 11 clashes
Pharmaceutical Cloud Computing – safer than an on-site server?
Requirements Traceability Matrices (RTMs)
CSV and IT Compliance Training