yodon

Staff member
Super Moderator
#11
Re: Electronic signatures and systems security

Ronen E,

when you use a "digital signature" MS Word interprets it as a picture, or an image. It "anchors" the image to the document. if some one comes along later and edits the document by adding additional notes, then the information is obscured by the digital signature.
Don't confuse pasting a digitized signature image in a document with electronic signing. Anyone can affix a digitized signature image to a (Word) document but that does not have the controls or carry the information required by Part 11 for electronic signing.
 

Marc

Retired Old Goat
Staff member
Admin
#12
Re: Electronic signatures and systems security

OK - Part of what I am thinking about with regard to Microsoft "Word" is unlike Excel and other Microsoft "products". It does have version control which can be turned Off or On.

I assume that Microsoft's "Sharepoint" has "versioning" which logs every change to a document and who made the "edit", as well as what the changes are. Even this discussion forum software has "versioning". It a Post is edited, if a post or thread is deleted, if a thread is renamed - It is all logged including changes made and by who.

Your feedback on this is appreciated. Trying to understand the basics as an "observer" who is not in the FDA requirements field (learning).
 
#13
Re: Electronic signatures and systems security

I don't think it's that well understood by the average inspector.
I suspect yodon is correct. Technology is evolving at such a fast pace, with many different possible systems and software solutions, that your average inspector likely does not have the technical background to really scrutinize electronic systems implementations...

It'll be interesting to see if this becomes an issue in the future... If so, I wonder how the FDA would address this? Have separate, technically trained inspectors? Require a submission of details & validations for review? Tighten up the regulations?

Given the lumbering bureaucratic pace at which government organizations typically run, I wish the FDA the best of luck in keeping up with the rapid pace of technology! :popcorn:

I assume that Microsoft's "Sharepoint" has "versioning" which logs every change to a document and who made the "edit"
Traceability is a different - albeit related - issue from security. It's great to have a system that traces all changes to accounts, but if the security of those account credentials is compromised, then the whole system is suspect.

...with user ID required immediately before signing a document...
My suspicion is that, in practice, this is rarely the case in most peoples' electronic signature systems, were they to be scrutinized. It's too easy to just have personal terminals remember passwords.
 
#14
Re: Electronic signatures and systems security

when you use a "digital signature" MS Word interprets it as a picture, or an image. It "anchors" the image to the document. if some one comes along later and edits the document by adding additional notes, then the information is obscured by the digital signature
In addition to yodon's caution that an image of a signature alone is not a "digital signature" by 21 CFR Part 11, I might also add that part of digital signing should have some controls to prevent editing after signatures are applied.

If personnel can edit the document after it has an approval signature (as it appears you are describing), then what value does the signature have?
 

Ronen E

Just a person
Super Moderator
#15
Re: Electronic signatures and systems security

Given the lumbering bureaucratic pace at which government organizations typically run, I wish the FDA the best of luck in keeping up with the rapid pace of technology! :popcorn:
It sounds like an ideal scenario for 3rd party (accredited) certification to a technical standard. That would cover all the technical aspects by a specialized CB, and FDA would only need to ensure that the system is certified.

I assume that Microsoft's "Sharepoint" has "versioning" which logs every change to a document and who made the "edit"
MS Sharepoint is actually quite flexible so it depends on the implementation, but from what I've seen, the author and those giving approval are capturd. The problem is that this is normally based on credentials provided at login when the session is started (normally username and password).

My suspicion is that, in practice, this is rarely the case in most peoples' electronic signature systems, were they to be scrutinized. It's too easy to just have personal terminals remember passwords.
With the prevalence of fingerprint scanning I think that this could be a good means for replacing the traditional wet signature, and I agree that it should take place every time a document version or record is being submitted to the system as a signed-off one.
 
Last edited:
#16
Re: Electronic signatures and systems security

Does anyone use software (e.g. such as Adobe Acrobat) to implement electronic signatures?
...if so, what is the burden of validation you implement?
I am currently planning on validating Adobe Acrobat for implementing digital signatures on regulated records. I am wondering the same thing. Can anyone provide any insight please?
 

mihzago

Quite Involved in Discussions
#17
From my experience, auditors typically do not look in detail at software validation, some just ask if the system is validated and move on. They will scrutinize it in more detail if they find problems along the way, for example, missing approvals, multiple versions of documents, etc.

FDA has issued warning letters with failure to validate findings, but there are only a few. Some examples:
(I can't post that many links so go to the FDA Warning Letters page and search for)
Instrumed Gmbh 3/28/14 (WarningLetters/2014/ucm402432
HeartWare Inc. 6/2/14 (WarningLetters/2014/ucm399525)

It also appears that FDA recently recognized that companies spend too much time and resources validating computer systems or don't implement automated systems because they believe it's too costly and appartenly plans a new guidance document on this topic. Some information about it can be found here:
FDA's Case for Quality: Simplifying the regulatory activities.
 

Top Bottom