User ID verification for in-house e-signature compliance

Icculus

Starting to get Involved
Hello - We'll be employing e-signatures for some specific documents, and I'm hoping somebody can provide insight on whether this methodology might comply with part 11 requirements. As it is, we're on the fence.

Specifically, user verification (11.00(b)) and executing a series of signatures (11.200a(1)(i))

Verification: The way our system is configured, a user will sign a document directly without creating an account to access the signing system (e.g. as one would with DocuSign). For ID verification we provide a link to the user's email address. The link contains a phone number entry, and then the user receives an SMS with a unique verification code. If the user leaves the page, then need to obtain a new code. (ID is verified via email, phone, and unique verification code)
Signature series: This verification code is then used to enter each subsequent signature within the document.

I appreciate if anybody can point out gaps here that may not comply with verification or multiple signature regs. Thanks!
 

yodon

Leader
Super Moderator
Interesting. I'm a bit unclear on how the email fits in. Does the user get an email that has a button to trigger an SMS? I don't understand just having a link to the user's email (maybe I'm just being dense... it's been a long week).

Otherwise, on the surface, it sounds defensible.

Does the code ever time out? In other words, could they stay on the page all day and use the code in the morning and then in the afternoon? That may be an issue.

I presume there are no 'shared' email accounts? I guess it still goes to a single phone so maybe not a big concern unless there's also a shared phone.

Do you meet all the requirements in 11.50.

Have you validated it (that's beyond Part 11 but necessary).

As far as I know, FDA is still practicing enforcement discretion so if you have a reasonably well-controlled system and you have high assurance of who the signer was (and when signed and for what reason) then you're probably ok.
 

Icculus

Starting to get Involved
Thanks for the feedback - that's very helpful!

Basically the user gains access into our 'system' via the email link, then they enter their phone number and receive the SMS with the one-time access code. The access code expires if they leave the page before the document is signed, but I'm not sure if there's a time limitation. I believe that's something we can easily implement.

There are no shared email accounts, it all goes to an individual with their own phone.

We do meet the requirements of 11.50.
 
Top Bottom