Electronic Signatures - Non-Conformance - ISO 13485:2016

Syllica

Starting to get Involved
Here is a simple smell test: Is it possible for one associate to apply another associate's signature image? If it is possible, then this is a serious non-conformance, at least with respect to the FDA (11.70, 11.200). For medical device manufacturers, the element of the QSR brought into question is 820.40 (document controls).
Thank you for your reply.
Unfortunately yes, this is possible. These forms and many others are available in a Microsoft SharePoint location so you can download the form as a Word document or PDF. Most of them are downloaded as a Word document. For example, for our CAPAs, the person working on the CAPA must submit it into our CAPA Tracker System. However, this form is passed on to investigators and to whoever it may concern so technically, anyone can copy the signature image.
We do have a system that will be used for CAPAs that has an audit trail and is validated but it is still in the works. BUT we still have an issue on the other documents such as our change control and management reviews.
 

blackholequasar

The Cheerful Diabetic
Oh this is quite interesting! Hmm, proving that the image files are not accessible is something to really think about.
You said that you stated this to the auditor, did you update your procedure to say this and to show how you prove these images are not accessible?
The way that I believe it was done is that we updated the signature requirements to state "an image kept on a secure drive at the user's location. This file path can be verified after upload"... though, that was our IT talking about how we can go into the document and verify that the image path was saved AT that particular user's location/PC. How that is done? I'm not 100% sure! But I believe there is a 'save history' that can be viewed.

We did note that the change was temporary through a deviation, due to [insert world chaos here].
 

Syllica

Starting to get Involved

Thank you so much for your input! It's something I will definitely look into. I really appreciate your time in talking to me about this!
 

Jean_B

Trusted Information Resource
Question: what requires the authentic sign-off? In the lion's share of cases it's your own company.
There are only a small set of requirements that have specific requirements. Usually it's
A designated individual's demonstrable approval (signature) vs
An individual's identity (note, not necessarily placed by them).
This is how a single person can declare the presence of multiple personnel in a meeting. Which does rely on trust, which can come in short supply due to both too much CYA and solitary gatekeeper behaviour.
Mostly they just require a competent person's involvement. Only add authentic approval signature requirements due to regulations, or because you distrust matters due to a solitary conflict of interest or risk indicates you definitely utterly do not want to proceed without competent expert involvement, not willy-nilly for every person who vented an opinion over something or just sat in a chair with a department hat. You'll actually undo your aims if you put too many signatories on there as eventually the dreaded "I'm higher up the ladder and can sign for you, and you, and you, ..." means the actual people you wanted and needed to look at it get thrown out with the non value-added lot.

The issue for integrity is that the record does not lose any of its existing information untraceably, while for authenticity it is that nothing was added untraceably (usually after the cut-off moment of signatures).
These two are separate from identity or approval. They're often just used for the same purpose, but a signature never truly protected against further additions, nor against removal of pages. The practices that protect against those are "page x of y total + initialed pages" and the "mastercopy + countersigned amendment" or chain-of-custody constructs.
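As an added illustration (example code, not from any poster in this thread or from any product named here) of two points made above: the "smell test" that anyone holding a signature image can apply it to anything, and the integrity/authenticity distinction, where a signature must be bound to the record so that pages cannot be added, removed or edited untraceably after sign-off. A stdlib HMAC under a per-user secret stands in for a proper PKI signature; the user names, record ids, page text and timestamp are constructed for the example.

```python
"""Added example: a pasted signature image binds neither a person nor a record,
while a signature computed over the signer, the record id, the page count and
the content of every page detects additions, removals, edits and copying.
Stdlib HMAC with per-user secrets stands in for a PKI signature (assumption)."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed per-user signing secrets. Assumption: in a real deployment each
# key lives in a store only that user can unlock (password/token), which is
# what makes the resulting tag evidence of *that* person's act.
USER_KEYS: Dict[str, bytes] = {
    "qa_designee": b"constructed-secret-qa-designee",
    "investigator": b"constructed-secret-investigator",
}


def verify_image_signature(pasted: bytes, on_file: bytes) -> bool:
    """The image-based scheme: any byte-exact copy of the image 'verifies'.
    Nothing ties it to a person or to a document, so whoever has the file can
    apply it anywhere (the smell test earlier in the thread)."""
    return pasted == on_file


def record_digest(record_id: str, pages: List[str]) -> str:
    """Digest over the record id, the page count and every page in order, so
    dropping, inserting or editing a page changes the value."""
    h = hashlib.sha256()
    h.update(record_id.encode("utf-8"))
    h.update(len(pages).to_bytes(4, "big"))
    for index, page in enumerate(pages):
        h.update(index.to_bytes(4, "big"))
        h.update(hashlib.sha256(page.encode("utf-8")).digest())
    return h.hexdigest()


def _canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(signer: str, record_id: str, pages: List[str], meaning: str, signed_at: str) -> dict:
    """Build a manifest (who, which record, which content, why, when) and an
    HMAC tag over it under the signer's own key."""
    manifest = {
        "signer": signer,
        "record_id": record_id,
        "page_count": len(pages),
        "digest": record_digest(record_id, pages),
        "meaning": meaning,      # e.g. "approved" / "reviewed"
        "signed_at": signed_at,  # caller supplies the timestamp
    }
    tag = hmac.new(USER_KEYS[signer], _canonical(manifest), "sha256").hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_signature(signature: dict, record_id: str, pages: List[str]) -> Tuple[bool, str]:
    """Check the tag first, then that the manifest still describes this record."""
    manifest = signature["manifest"]
    key = USER_KEYS.get(manifest.get("signer", ""))
    if key is None:
        return False, "unknown signer"
    expected = hmac.new(key, _canonical(manifest), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signature["tag"]):
        return False, "signature does not verify"  # forged tag or edited manifest
    if manifest["record_id"] != record_id:
        return False, "signature belongs to a different record"  # copied across documents
    if manifest["page_count"] != len(pages):
        return False, "page count changed"  # page added or removed after sign-off
    if manifest["digest"] != record_digest(record_id, pages):
        return False, "content changed after signing"
    return True, "ok"


if __name__ == "__main__":
    pages = ["CAPA-0042 p1: problem description", "CAPA-0042 p2: proposed investigation"]
    sig = sign_record("qa_designee", "CAPA-0042", pages, "approved", "2020-05-01T09:00:00Z")
    print(verify_signature(sig, "CAPA-0042", pages))
    print(verify_signature(sig, "CAPA-0042", pages + ["p3: added after approval"]))
```

The order of checks matters: the tag is verified before any manifest field is trusted, because an attacker who can edit the manifest could otherwise make the later checks pass; the "page count" and "digest" checks are the electronic counterpart of "page x of y + initialed pages", and the record id check is what stops a valid signature from being lifted onto another document.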
 

Syllica

Starting to get Involved
Thank you for your response!
From my understanding, and for example, CAPA forms require several approval signatures throughout the process because of conflict of interest and more so for not wanting to proceed without expert involvement. The original Quality Manager wrote up the process with a mind that if someone initiates a CAPA, a QA Designee must approve/decline it with a signature and then the person assigned this CAPA must sign as a form that they agree before it is actually moved on to the investigation stage.
You do bring up very good points and insights on signatures. Maybe something to look into in our procedures?
 

Tidge

Trusted Information Resource
I consider myself to be pretty quick to accuse folks of going overboard with 21 CFR part 11 considerations, but I think some of the advice in this thread has gone too far in the other direction. I suppose if you don't ever deal with the US FDA you don't have to worry about such things, but cutting and pasting "signatures" for any reason is IMO asking for trouble. You may as well go all the way and pretend that signatures mean nothing and not even identify who is doing the work and generating records. It's only MWER that will feel the penalties, after all.
 

simonyeeklang

Starting to get Involved
I was approached about this e-signature. I turned them down.
I don't believe that this is viable; it's a waste of time and money.
I'd rather have physical signatures than printed ones.
 

Jean_B

Trusted Information Resource

TLDR: CAPA requires not a single signature. The implementation of any of its decisions in the other quality management processes might, but CAPA does not.

Your process sounds like QA acts as a filter/purifier of hand-ins by people who either couldn't assess priority well or write it up clearly. Alternatively, if you're in a biased organisation it might have functioned as a dosage device, ensuring no more CAPAs were active than the organisation could act upon. This last one might create the perception everything is at a manageable level until reality catches up with you, but by then there would have been another manager. The CAPA acceptance sounds like issues about ownership, usually because it is an ad-hoc organisation where pre-assigned responsibilities are somewhat fluid and people try to pawn it off to the next guy along the line because they're too busy making money/building reputation. Solve it by making ownership transferable by phase. Besides product block/field safety actions the first thing is root cause analysis, and that determines the course of the rest of the CAPA. People won't mind having that (in their eyes easy) phase if they can set the direction and think they can pawn the next stage off to the next guy. However, as root cause results come in a while later, feelings about the problem have quieted again and reason is in charge of their minds. Everyone will fairly evaluate the cause (but might still right-size it to what can be done with current resources, not necessarily what should be done), and accept its outcome as a group. That increases acceptance as it's not one person/party bringing a problem, but a group coming to the starting point of a solution.

From ISO 13485 there are no requirements on Corrective Action or Preventive Action that deal with signatures. You must set your own requirements.
Some of the options you have do have related requirements, but once again nothing that overrides your own parameters. Rework procedures must undergo the same approval as the original; use/release/acceptance under concession requires the identity of the person authorizing them to be maintained. The identity of the person authorizing release of conforming product must also be recorded, and likewise for inspection or testing of implantables. CAPA itself has no such requirements.
The USA QSR has no requirements within 820.100 on authentication. It relies on the controls of the other sections, especially 820.40 which specifies that the original approvers of documents must be involved and evidenced as such with signatures; and for changes the same approvers or someone must be specifically designated to change it, and their involvement must be evidenced with signatures. 820.180-186 means the DMR needs approval, the DHR only at crucial points, the most crucial being release and acceptance activities (test/inspection). 820.198 is heavy on the specific identity/approval because things (not) going wrong is what the FDA cares about most, and being honest and thorough about it is important.

Besides that 820.40 contains the origin of the 'QA signs off on everything' requirement "Each manufacturer shall designate an individual(s) to review for adequacy and approve prior to issuance all documents established to meet the requirements of this part. " But those you didn't require up front don't need to tag on later. Depending on the characteristics of the change you can designate a select group. It's that mechanism which is most often a political playball. You get circumvention of necessary players, or bottleneck, or the mechanism made a type 2 (false negative) oopsie and now someone doesn't want to take the chance and is wasting resources viewing everything. That works in slow-moving organizations, but as things speed up the pendulum swings the other way again and since there is no governance truly caring about this (they focus on production and selling, not the underlying documentation) it doesn't get a nice framework you can train people on.
For a counter-example of what I mean please see Coordinated Regional Incident Management (Netherlands) - Wikipedia. You train your lowest level to know when to scale up to the next one, and that level when to scale up to the next one and so on. Don't do a general staff appointment where one manager is in every meeting; if you must go top-down because you're that big, use the liaison structure from One Mission / Team of Teams. The "QA signs off on everything person(s)" might have the responsibility to (check on) appropriate scale-up, if QA doesn't have the reputation of blowing things out of proportion and all your QA personnel are rounded enough to know what characteristics mean which people/functions. This works successfully in our company.

And in response to @Tidge : I agree. Copy pasting a signature has so many ways it can go wrong it's just tragic. What I'm describing is not to take short-cuts with signatures, but evaluate whether you really (still) need them.
 