Electronic Signatures - Non-Conformance - ISO 13485:2016

Syllica

Starting to get Involved
Hello everyone,
Recently a 3rd party audited us and we received a non-conformance for using images of signatures to document approval of processes such as CAPA actions and change controls.
The organization uses images of signatures to document approval of processes such as CAPA actions and change controls. According to interviewee, at the end the area Manager approves the form to validate the previous signatures. Record integrity per ISO 13485:2016 (4.2.5) shall be maintained, applying uncontrolled signature images prevents the assurance of the record integrity. Control of records also include control of electronic records, which includes access, storage, reproducibility, readability, audit trails and electronic signatures as appropriate.
We have up until November to respond and unfortunately, the company does not have much of an appetite to invest in e-signatures, so e-signatures are not much of an option for us at this time.
Given that there is this evidence and the company doesn't want to invest, I am at a loss. Are there any alternatives/corrections? What would be the recommended next steps in answering to this?
 

Jim Wynne

Leader
Admin
When posting about an audit nonconformity, it's best to give us the full text of the auditor's NC statement.
 

blackholequasar

The Cheerful Diabetic
Uh-oh! Not a great situation to be in... I would say that since the company does not want to invest in e-signature software, perhaps you could try to align to 21 CFR Part 11 and file notice - IF you are able to meet those requirements.
If not, then, you'll have to tell the company that they will no longer be able to use the image signatures and will have to hand-sign everything.
 

Syllica

Starting to get Involved
> When posting about an audit nonconformity, it's best to give us the full text of the auditor's NC statement.

Hi Jim, thanks for your reply.
I quoted the auditor's statement right after I posted so it probably didn't show up right away.
I added just a little bit more, but not much different.
3 Measurement Analysis and Improvement
3.1 Corrective and Preventive Action

• Quality Manual
• Internal CAPA program
• TUV 13485:2016
• Certificate SX 60152433 0001
• Overseas facility certificate MD85963 with scope including the sterilization of medical devices in accordance with EN ISO 11137-1:2015
• CAPAs
• Feb 24, 2021 Management review meeting minutes
• Recall ID (FDA)
• Change control records
• Quality Records Maintenance and Good Documentation Practices Procedure

The requirements audited were:
• 8.5.2, 8.5.3, 820.100

Requirement:
8.5.2, 8.5.3, 820.100, 4.2.5

NC - There are multiple processes that have a CAPA such as:
• Training
• CAPA
• Electronic signatures

The organization uses images of signatures to document approval of processes such as CAPA actions and change controls.
Evidence: Feb 24, 2021 Management review meeting minutes, CAPAs, Change control record. The organization uses images of signatures to document approval of processes such as CAPA actions and change controls. According to interviewee, at the end the area Manager approves the form to validate the previous signatures. Record integrity per ISO 13485:2016 (4.2.5) shall be maintained, applying uncontrolled signature images prevents the assurance of the record integrity. Control of records also include control of electronic records, which includes access, storage, reproducibility, readability, audit trails and electronic signatures as appropriate
 

blackholequasar

The Cheerful Diabetic
I suppose that 4.2.5 does apply to the protections of the document... I imagine anyone can drop the signature image and therefore has no control?
 

Syllica

Starting to get Involved
> Uh-oh! Not a great situation to be in... I would say that since the company does not want to invest in e-signature software, perhaps you could try to align to 21 CFR Part 11 and file notice - IF you are able to meet those requirements.
> If not, then, you'll have to tell the company that they will no longer be able to use the image signatures and will have to hand-sign everything.
Thank you for your reply. A reason we were doing images is that we were and currently still are working from home. The majority of the employees do not have a printer/scanner, so employees were using images for their signatures. Some of our SOPs actually state how signatures must be captured but with the pandemic, it ended up resulting in that alternative.
 

blackholequasar

The Cheerful Diabetic
What we did, in a very similar situation to this, was state that the employee log-in is a safety feature in which the signature image is secure in lieu of scanning... From what I recall, our auditor gave us a pass on it because of the situation (it was in FL and there were hurricanes) - perhaps the same could be said for your processes if you can prove the image files are not accessible by any other employee?
 

Syllica

Starting to get Involved
> I suppose that 4.2.5 does apply to the protections of the document... I imagine anyone can drop the signature image and therefore has no control?
Yes, that's what happens. For example, our CAPA forms have signature approvals in a few areas throughout the process and you can take your signature image and attach it if you are an approver. One section has an approval signature requirement for a QA designee and CAPA Lead in the initiation of a CAPA.
 

Syllica

Starting to get Involved
> What we did, in a very similar situation to this, was state that the employee log-in is a safety feature in which the signature image is secure in lieu of scanning... From what I recall, our auditor gave us a pass on it because of the situation (it was in FL and there were hurricanes) - perhaps the same could be said for your processes if you can prove the image files are not accessible by any other employee?
Oh this is quite interesting! Hmm, proving that the image files are not accessible is something to really think about.
You said that you stated this to the auditor, did you update your procedure to say this and to say how you prove these images are not accessible?
 

Tidge

Trusted Information Resource
Here is a simple smell test: Is it possible for one associate to apply another associate's signature image? If it is possible, then this is a serious non-conformance, at least with respect to the FDA (11.70, 11.200). For medical device manufacturers, the element of the QSR brought into question is 820.40 (document controls).
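The smell test above, written out as an added example that is not part of the original thread: an approval computed over the signer, the meaning and the record content fails when it is moved to another record or another name, while a signature image checks out the same everywhere. The user names, keys, record fields and the use of HMAC as a stand-in for a real signature scheme are all assumptions made for this sketch.

```python
import hashlib
import hmac
import json

# Constructed sample data. Assumption: each key is usable only after that
# user has authenticated; HMAC stands in for a real signature scheme.
USER_KEYS = {"qa_designee": b"constructed-key-1", "capa_lead": b"constructed-key-2"}
QA_IMAGE = b"constructed bytes standing in for qa_designee.png"


def record_digest(record: dict) -> str:
    """SHA-256 over a canonical serialization of the record content."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _tag(signer: str, meaning: str, record: dict) -> str:
    payload = f"{signer}|{meaning}|{record_digest(record)}".encode()
    return hmac.new(USER_KEYS[signer], payload, hashlib.sha256).hexdigest()


def sign_record(record: dict, signer: str, meaning: str) -> dict:
    """Approval bound to one signer, one meaning and one exact record."""
    return {"signer": signer, "meaning": meaning, "tag": _tag(signer, meaning, record)}


def verify_approval(record: dict, approval: dict) -> bool:
    """True only if this signer approved this exact record content."""
    if approval["signer"] not in USER_KEYS:
        return False
    expected = _tag(approval["signer"], approval["meaning"], record)
    return hmac.compare_digest(expected, approval["tag"])


def image_check(image: bytes) -> bool:
    """All an image allows: 'is this the file on record for qa_designee?'.
    The answer is the same for every record and for whoever pasted it."""
    return hmac.compare_digest(image, QA_IMAGE)


def smell_test() -> dict:
    capa_a = {"id": "CAPA-A", "action": "retrain operators"}
    capa_b = {"id": "CAPA-B", "action": "close, no action"}
    ok = sign_record(capa_a, "qa_designee", "approval")
    return {
        "original": verify_approval(capa_a, ok),
        "moved_to_other_record": verify_approval(capa_b, ok),
        "signer_swapped": verify_approval(capa_a, {**ok, "signer": "capa_lead"}),
        "record_edited_after": verify_approval({**capa_a, "action": "none"}, ok),
        "image_on_any_record": image_check(QA_IMAGE),
    }
```

Only the first bound approval verifies; the image check passes regardless of which record it sits on, which is the lack of control the auditor's statement describes.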
 