Advice on capturing electronic signatures

[duff999]

Hi Folks

I am looking for some help on how to capture our teams signatures for input into documents that live outside of our QMS, signature and initials. Is it as simple as having the team provide there written signature and initials on a form, then they can copy/paste that into documents? Any help would be appreciated.

 

[William55401]

Hello Duff. Unfortunately, no, it is not as simple as you state. Cut and paste can be abused. (For example, how do you know who did the pasting? Once that image of the initials is out there, can others use that image?) The simplest solution for a small org is to have a 21 CFR 11 compliant signature solution you purchase (install, validate) off the shelf. While FDA is exercising enforcement discretion, you still need to address details to maintain signature (and approval) integrity. If your org has an IT function, consider partnering with them on a solution. HTH. Have fun. Enjoy the ride.

https://www.fda.gov/media/75414/download

 

[duff999]

Good advice, thank you. Budgets are a concern right now, so an e-service might not work. I intended this to be used for folks that are not part of our QMS to sign off on trainings that cannot be sent to them via the eQMS.

 

[Tagin]

Adobe Sign is something we've been using since COVID came along. You can buy a single-user license for $15/mo. The person with that license can upload forms, add the signature fields, and send them to multiple email recipients for signing. The person doing the uploading does NOT have to be one of the signees, just someone who has the task of gathering signatures on behalf of others in your company. There are other companies besides Adobe with this service, but this gives the general concept.

They also offer digital signatures which are another step up, where each signee has a digital certificate specific to them. This theoretically provides better confirmation of the authenticity of the signee than an email address, but at a higher cost and some more complexity.

Whatever you choose, be sure to note in your document control documentation that your company considers XYZ service and signature type (e.g., "electronic signature" vs. "digital signature") as acceptable for these particular document types or processes.

 

[duff999]

Adobe Sign is something we've been using since COVID came along. You can buy a single-user license for $15/mo. The person with that license can upload forms, add the signature fields, and send them to multiple email recipients for signing. The person doing the uploading does NOT have to be one of the signees, just someone who has the task of gathering signatures on behalf of others in your company. There are other companies besides Adobe with this service, but this gives the general concept.

They also offer digital signatures which are another step up, where each signee has a digital certificate specific to them. This theoretically provides better confirmation of the authenticity of the signee than an email address, but at a higher cost and some more complexity.

Whatever you choose, be sure to note in your document control documentation that your company considers XYZ service and signature type (e.g., "electronic signature" vs. "digital signature") as acceptable for these particular document types or processes.

I appreciate the tips. Thanks for pointing out the last portion, I will make sure we update our doc control procedure to call this out.

 

[Gisly]

Do you need e-signatures for training records at all? I have that this has been debated in here. I do not have a loid answer but an e-mail confirmation from an unique mail address may be sufficient.

 

[optomist1]

I believe MS Office 365 has a decent digital signature...see link below it may meet your requirements....

Digital signatures and certificates

 

[Tidge]

Do you need e-signatures for training records at all? I have that this has been debated in here. I do not have a loid answer but an e-mail confirmation from an unique mail address may be sufficient.

I believe this question falls in the general category of "Who bears the burden of proof that associates have been trained per 6.2 (d,e)?" This question by itself is more akin to the requirements of section 4.2.5 (with respect to 'integrity').

Many companies opt to share the burden of proof (for elements of section 6.2 d,e) by requiring employees to attest that that they have received training and that the training was understood. An employee signature (electronic or otherwise) becomes an element of the integrity of that training record. Setting aside questions of whether or not any particular piece of training is 'effective', an employee signature attesting they received training really only rules out a failure mode of an employee later saying they never got the training, and mitigates a little against third parties who might be inclined to disbelieve that the employees ever received training.

From my POV there is no logical difference between a supervisor attesting that they delivered training to a specific employee (at the time of training) then an employee attesting to that (at the same time), but because so often we make employees responsible to 'self-train' (on things like document revisions) it is far more common to have the employee self-attest across the board.

 

[Tagin]

From my POV there is no logical difference between a supervisor attesting that they delivered training to a specific employee (at the time of training) then an employee attesting to that (at the same time)

The one difference I see is that if the form is properly written, an employee signing is an attestation that they received a training and that they understood it. The supervisor cannot make the latter claim, unless there is objective evidence (e.g., passing grade on a test) to that effect.