Document control approval/signature requirements? from DocuSign to MS Approvals

Thank you so much for the insight! I previously worked in a company that had ISO 17025 certification and e-signatures also weren't required.

Do you have any thoughts on one of the above replies regarding the ISO 13485 practical guide?
It's a guide, not a standard in itself. I've never read the practical guide so I cannot speak to the specifics of that, but practically speaking, many ISO 13485 certified medical device companies are using paper-based QMS systems. Best practices for GDP. The principles are the same regardless of if you are using Adobe DocuSign or physically signing a piece of paper. ALCOA and ALCOA+ are (from my understanding) primarily used in the pharma industry, but are very much applicable to the medical device industry. The replies above referencing the practical guide even state signatures may be handwritten or electronic.

For example, the signature must be attributable to the individual signing. Adobe DocuSign accomplishes this by having multifactor authentication and verification when an e-signature is applied. For a paper-based system, most companies have signature cards they keep on file that have examples of each employee's signature. That way if there is any doubt, you can pull the signature card to see if the signature matches. ALCOA also states the signature should be enduring. Adobe DocuSign accomplishes this by creating an electronic record of the signature that lives somewhere (my technical knowledge here is limited, perhaps a server?). For physical signatures, enduring would mean use a medium that is indelible.

Electronic signatures are convenient but make sure you consider all costs with them. The software itself is of course the most obvious cost. Don't discount the cost involved with validating the software should you choose that option. Maintaining the validation when new software revisions are released is another often unrealized cost. Whichever you opt for, ensure it meets your internally defined GDP requirements.
 
The replies above referencing the practical guide even state signatures may be handwritten or electronic.
My understanding of what the OP is asking is if he can get away without using signatures at all and instead to go approved via a check box type arrangement to avoid having to validate their e-signature software. My guess is the company is virtual or not physically in the office together. My point was that the practical guide expects signatures to be used, whether electronic or handwritten, to designate approval and the example below would not hold water to show who actually approved the CAPA.

For CAPAs, is it acceptable to replace the signature field with an approved field? That way we don't need to use an e-signature software and we could move forward with Microsoft Approvals. We don't intend to sell/distribute to the US, so our focus and basis of our QMS is just ISO 13485!

CAPA Implementation ___X___ Pass ______ Fail

Approved to move to VOE ☑ Revise to Investigation

Date: March 4, 2025. Approved by (Print Name): LuFan.
 
Oh gosh. I didn't get that. Yes, signatures are absolutely required for ISO 13485! You need to identify what the signature means so a check box for approved along with the signature is acceptable but the checkbox alone will not suffice.
 
Hi - Periodically I'm asked to look into Adobe signatures as a method to sign documents. We are 13485 certified. How would one meet the following in 21 CFR Part 11: "Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature."

The only method I can come up with is a hard copy with the verify form which is signed, hard/wet signature, by the person using electronic signature. Is there another method?
 
I've seen this addressed two ways. One is to have an attestation each employee signs stating an electronic signature is equivalent to a handwritten one. I've also seen this as a company policy in GDP procedures.
 
"Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature."
I'd also expect this to be coupled in with your validation documentation to demonstrate that your electronic signature is only generated upon entering your credentials as an output to testing your Part 11 compliance requirements. Therefore you can show that the system works as intended to create e-signatures, and then via one of the methods @Nichole F stated handles the paperwork aspect of it to make it a handwritten equivalent. Just make sure all your e-signers are trained on that procedure to connect the dots.

Semi-related to this is also my favorite "most random" FDA requirement. 21CFR11 (c) requires companies to send a letter to FDA before using e-signatures. I've sat in an FDA inspection where the inspector specifically asked for this and it hadn't been done. QA Manager at the time was sharing his screen, literally opened Word, and started typing. Inspector let it slide.

(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

(1) The certification shall be signed with a traditional handwritten signature and submitted in electronic or paper form. Information on where to submit the certification can be found on FDA's web page on Letters of Non-Repudiation Agreement.

(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.
 
@LUFAN @Nichole F Thank you for the clarification. For CAPAs and records I now understand the importance of a signature. We are a small company that works primarily in office but we want to stay away from a paper-based QMS. However, we are currently using DocuSign and it comes out to be ~$3 per document sent for signatures.

Aside from records, do documents such as SOPs, Work Instructions and Forms/Templates need to be approved with a signature, or is it acceptable to have it approved by selected reviewers where the date and name will be recorded, and account verification (aka login) is required to select "approve".

I appreciate your insight. We are new to ISO 13485 and are building our QMS from scratch!
 
I'd be very careful straying away from signatures (handwritten or verified electronic) for document approvals. There are many nuances that must be considered to use an electronic means of approval. A lot of work goes into the programming of e-signature tools, which is why they can be expensive (with mega players such as Adobe, you are paying for the well known name somewhat). If you are planning to use the log in to authenticate your user, you will need to validate your process. Consider your IT security requirements. How often are users required to change their password? How long can the system be idle before the user is logged out? What tools do you use against hacking?

The point is, you will need very robust systems in place to ensure the person using the login is the intended user. Even with eQMS systems, once you are logged in, you must enter your password each and every time an approval (or rejection) action is taken. Will your system have the same capabilities? The burden will be on your system to prove that the approval cannot be misused by potentially bad actors.
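
An added sketch, not from any poster or eQMS vendor, of the control described in the post above: the password is re-checked on every approval, an idle session is refused, and each record binds signer, meaning, time and document hash into a chained log. The account store, the `capa_approver` role, the 15-minute idle limit and all names are assumptions made for illustration.

```python
import hashlib, hmac, json, time

IDLE_LIMIT_S = 900  # assumed policy: 15 minutes idle forces a fresh login

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account store: salted password hashes plus approval roles.
USERS = {"approver1": {"salt": b"constructed-salt",
                       "hash": _pw_hash("constructed-pass", b"constructed-salt"),
                       "roles": {"capa_approver"}}}

def _digest(rec: dict) -> str:
    body = {k: v for k, v in rec.items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ApprovalLog:
    """Append-only approval records, each chained to the previous one."""
    def __init__(self):
        self.records = []

    def sign(self, user, password, doc, meaning, last_activity, now=None):
        now = time.time() if now is None else now
        acct = USERS.get(user)
        if acct is None or "capa_approver" not in acct["roles"]:
            raise PermissionError("not an authorised approver")
        if now - last_activity > IDLE_LIMIT_S:
            raise PermissionError("session idle too long, log in again")
        # Password is re-checked on every approval, not just at login.
        if not hmac.compare_digest(_pw_hash(password, acct["salt"]), acct["hash"]):
            raise PermissionError("re-authentication failed")
        rec = {"signer": user, "meaning": meaning, "signed_at": now,
               "doc_sha256": hashlib.sha256(doc).hexdigest(),
               "prev_hash": self.records[-1]["record_hash"] if self.records else "0" * 64}
        rec["record_hash"] = _digest(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """True if every record matches its hash and links to its predecessor.
        Catches edits that do not recompute the chain; protecting the
        newest hash outside this store is out of scope here."""
        prev = "0" * 64
        for rec in self.records:
            if rec["prev_hash"] != prev or rec["record_hash"] != _digest(rec):
                return False
            prev = rec["record_hash"]
        return True
```
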
 
but we want to stay away from a paper-based QMS
Are you planning to implement an eQMS system? Does it have a Doc Control module? It sounds like you don't want to perform validation, is that the problem?

There's nothing wrong with paper approvals. Get your approvals signed, scanned, and write your record retention policy in a way that allows you to not need to keep your original so long as the record is legible and you have verifiable backups in place. It's pretty unlikely unless you are a Fortune 500 company that you're going to be entirely paperless with all the ERPs, MRPs, eQMS systems integrated that you'd never have a handwritten signature somewhere along the way.

My comments apply to everything that requires an approval. There's a data integrity issue without using signatures in ensuring that the person who is designated as the person that can approve XYZ process is in fact approving that process. Their signature is that attestation.
 