Suggestions for Electronic Signature Software (FDA 21 CFR Part 11 Compliant)

Mark Meer

Trusted Information Resource
Can anyone suggest a software solution for applying FDA CFR Part 11 compliant electronic signatures that:
1. Is simple to implement; and
2. Isn't going to break the bank.

We're a small organization (< 10), however, people are often travelling or otherwise unavailable for handwritten signatures, so a reliable electronic signature solution would be very useful.

I've done some preliminary searching around, but the prices are pretty staggering. For example, Adobe Sign requires $25 USD per person per month. Given that we only need to sign things every now and then (and only then require electronic signatures infrequently), such a cost is difficult to justify...

Another feature that would be nice is some developer/vendor documentation regarding validation against the Part 11 requirements.

Can anyone kindly share the solutions they have experience with? Pros/cons, suggestions, etc...?

Thanks in advance,
MM.
 

Sam Lazzara

Trusted Information Resource
Hello Mark,

This is not the answer you are looking for but I thought this may interest some people.

Most of my clients are very small organizations (2 to 10 people) and we do not employ electronic signatures. Instead, when we require signatures (to meet FDA requirements for document control for example), we use simple smartphone/tablet apps. These apps typically work best by emailing the document to the signers. They open the email attachment in the app, sign and date using a stylus, and email the document back from within the app. My favorite app is SignNow. It can accept any MS Word document and it returns a signed/dated PDF document. Other apps like the native signing app in iOS require the email attachment to be a PDF.

Most people might think of this as an electronic signature but I am pretty sure it is a "handwritten signature" as defined by FDA.

HANDWRITTEN SIGNATURE (US 21 CFR Part 11): The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.

ELECTRONIC SIGNATURE (US 21 CFR Part 11): A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.

Regarding your question, one of my clients has been using DocuSign since their early days, and I helped them validate it by reviewing/critiquing their protocol. DocuSign provides very good Part 11 guidance, accessible from this link: How the DocuSign Part 11 Module fits with 21 CFR Part 11 - New DocuSign Experience | DocuSign Support Center

If any software company claims their e-signature solution is 21 CFR Part 11 compliant, they are full of it. Many/most of the requirements are outside of their control. DocuSign does a good job explaining the obligations of the user organization to achieve Part 11 compliance.
 

Mark Meer

Trusted Information Resource
...They open the email attachment in the app, sign and date using a stylus, and email the document back from within the app. My favorite app is SignNow. It can accept any MS Word document and it returns a signed/dated PDF document. Other apps like the native signing app in iOS require the email attachment to be a PDF.

Most people might think of this as an electronic signature but I am pretty sure it is a "handwritten signature" as defined by FDA.

HANDWRITTEN SIGNATURE (US 21 CFR Part 11): The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.
...

Thanks for sharing your input Sam. I've also considered this (given everyone has a touch phone and/or touch tablet or laptop these days).

As you point out, it appears that simply opening a PDF in, for example, Adobe Reader (free), and then using the Sign->Draw feature to scrawl a signature with their finger or stylus, then saving the PDF would suffice as a "handwritten signature" according to the FDA?

I can't argue with your logic, given the 21CFR11 wording...it just seems strange that this doesn't require any additional controls, yet if a signature is placed (using the same software tool) all the other controls (authentications, date/time, meaning,...) are suddenly required. Seems terribly inconsistent, and makes me wary that the solution might be "too easy"...

Has anyone else adopted such an easy & free solution with respect to signing documents electronically?
 

jam325

Starting to get Involved
My company uses a SharePoint-based system that is configured to be FDA compliant. You have to put your password in at every change or revision of a document. The password acts as your signature.

If I remember correctly this functionality is built into SharePoint and if you are already paying for Office 365 for your employees you have access to SharePoint. Might be the cheapest option money wise but not time wise. SharePoint is not the easiest thing to set up or manage, however, it has gotten much easier in the last few years.
 

Attachments

  • SharePoint-Configuration-Guidance-for-21-CFR-Part-11-Compliance.pdf

Mark Meer

Trusted Information Resource
Adobe Acrobat Reader DC (free) can apply Digital Signatures... if set up correctly, would this suffice?

It seems that the Digital Signatures applied might be set up to meet requirements of Part 11's Electronic Signatures. I'm just not sure of the following:

1. 21 CFR 11.200(a)(1)(i) "When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual."

Our rationale is that the Windows operating system requires a user/password login, and this is considered the "continuous period", and the password set up in Adobe Reader is the "at least one electronic signature component". Personnel set up Adobe Reader on their personal computers so it is ensured that only they use it. Is this acceptable?

2. 21 CFR 11.200(a)(3) "[electronic signatures shall] Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals."

I'm not sure why this is a requirement. Is it not sufficient that NO ONE other than the owner can use a personal electronic signature? Why require that a collaboration of people can use a person's signature?

---

Thoughts? Anyone else using Adobe Acrobat Reader DC on personal computers to implement electronic signatures?
 

v9991

Trusted Information Resource
Adobe Acrobat Reader DC (free) can apply Digital Signatures... if set up correctly, would this suffice?

It seems that the Digital Signatures applied might be set up to meet requirements of Part 11's Electronic Signatures. I'm just not sure of the following:

1. 21 CFR 11.200(a)(1)(i) "When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual."

Our rationale is that the Windows operating system requires a user/password login, and this is considered the "continuous period", and the password set up in Adobe Reader is the "at least one electronic signature component". Personnel set up Adobe Reader on their personal computers so it is ensured that only they use it. Is this acceptable?

2. 21 CFR 11.200(a)(3) "[electronic signatures shall] Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals."

I'm not sure why this is a requirement. Is it not sufficient that NO ONE other than the owner can use a personal electronic signature? Why require that a collaboration of people can use a person's signature?

---

Thoughts? Anyone else using Adobe Acrobat Reader DC on personal computers to implement electronic signatures?

We do use Adobe digital signatures for certain activities, viz. audit reports etc. Here are some quick references:
https://www.adobe.com/content/dam/acom/en/security/pdfs/adobe-sign-compliance-21CFRpt11-wp-ue.pdf

https://helpx.adobe.com/content/dam...ownload_section/download-1/21_cfr_part_11.pdf

Is Adobe Sign 21 CFR Part 11 Compliant?

Security @ Adobe | "This is legal, right?" – Electronic Signatures & The Law

https://www.globalsign.com/en-sg/resources/solution-datasheet-cds-healthcare-cfr21.pdf

It has its limitations for using the same for laboratory records, which are primary records!
 

Sam Lazzara

Trusted Information Resource
Adobe Acrobat Reader DC (free) can apply Digital Signatures... if set up correctly, would this suffice?

2. 21 CFR 11.200(a)(3) "[electronic signatures shall] Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals."

I'm not sure why this is a requirement. Is it not sufficient that NO ONE other than the owner can use a personal electronic signature? Why require that a collaboration of people can use a person's signature?

---

Thoughts?

Hi Mark, regarding your question about 11.200(a)(3), I saw some guidance on that in this document:
https://www.perficient.com/-/media/files/guide-pdf-links/the-ultimate-guide-to-21-cfr-part-11.pdf

The subtext here is something like, “The system administrator and the individual’s supervisor would need to work together to use the individual’s signature.” This would only come into play if the individual who should have signed was unavailable (e.g., left the company, out on medical leave) and there was no workaround available.
 

Enka_Spy

Starting to get Involved
Adobe Acrobat Reader DC (free) can apply Digital Signatures... if set up correctly, would this suffice?

It seems that the Digital Signatures applied might be set up to meet requirements of Part 11's Electronic Signatures. I'm just not sure of the following:

1. 21 CFR 11.200(a)(1)(i) "When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual."

Our rationale is that the Windows operating system requires a user/password login, and this is considered the "continuous period", and the password set up in Adobe Reader is the "at least one electronic signature component". Personnel set up Adobe Reader on their personal computers so it is ensured that only they use it. Is this acceptable?

2. 21 CFR 11.200(a)(3) "[electronic signatures shall] Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals."

I'm not sure why this is a requirement. Is it not sufficient that NO ONE other than the owner can use a personal electronic signature? Why require that a collaboration of people can use a person's signature?

---

Thoughts? Anyone else using Adobe Acrobat Reader DC on personal computers to implement electronic signatures?


I believe only the paid version of AdobeSign is 21 CFR Part 11 compliant.
 

Mark Meer

Trusted Information Resource
...The subtext here is something like, “The system administrator and the individual’s supervisor would need to work together to use the individual’s signature.” This would only come into play if the individual who should have signed was unavailable (e.g., left the company, out on medical leave) and there was no workaround available.

In this case though, why would you want to have the person's signature (or allow it)? This would not be possible at all with paper records, so why allow it (or, indeed, require it) with electronic records? If a person is unavailable, then another should be delegated and justified accordingly. This "workaround" still reeks of forging someone's signature...

I believe only the paid version of AdobeSign is 21 CFR Part 11 compliant.

Curious: Aside from cloud stuff and notifications (unrelated to 21 CFR Part 11), what features does the paid version of AdobeSign have that the certificates system in the free version does not?
 