How to Configure Electronic Signatures for GxP Compliance

Section 3

View as PDF

Before reading the document please note that the key takeaways that we provide represent our advice in regards to the regulations and how you can implement your electronic signatures to help compliance with 21 CFR Part 11 regulations. We do not represent any government agency and nothing in this guide should be taken as fact. The regulations we provide are true to the publishing date.

What are electronic signatures?

An electronic signature refers to data in electronic form (username and password), which is associated with other data in electronic form (electronic reports) and which is used by a person with the intent to sign data.

Electronic signature regulations

Regulation (Subpart C – Electronic Signatures) Key Takeaway

Sec. 11.100 General requirements.

(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

  • Maintain a historical list of electronic signatures.
  • Ensure electronic signatures are historically unique.
  • Keep an account of electronic signatures to ensure that a name is not duplicated.
  • Maintain a historical list of current and historical users with access privileges.
  • Periodically review current and historical list of users with access privileges to find users who have changed roles or jobs but still retain access.

11.100 – General requirements.

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

  • Each individual who will be using an electronic signature must have their identity confirmed.

11.100 – General requirements.

(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.

(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer’s handwritten signature.

  • Organisations that wish to use electronic signatures must inform the FDA in writing prior to making the switch.
  • Tips for setting up an electronic signature.

11.200 – Electronic signature components and controls.

(a) Electronic signatures that are not based upon biometrics shall:

(1) Employ at least two distinct identification components such as an identification code and password.

(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

  • Every individual must have two components to their signature (username and password).

11.200 – Electronic signature components and controls.

(2) Be used only by their genuine owners; and (3) a. Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. b. Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

  • Version control requires 2 individuals with administrative privileges to approve projects if an individual who should have signed is unavailable.
  • Finger print, retinal scans etc. cannot be overwritten by any individual and can only be used by the individuals whom they are assigned.

11.300 – Controls for identification codes/passwords.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include. (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

  • Maintain a historical list of electronic signatures.
  • Ensure electronic signatures are unique (including historically)
  • Ensure that no two users have the same combination of username and password. Version Control disables username and/or password replication.

11.300 – Controls for identification codes/passwords.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

Periodically check and change usernames and passwords.

11.300 – Controls for identification codes/passwords.

(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

If a username and password is stolen or lost, it must be deauthorized and the individual must be given a secure replacement.

11.300 – Controls for identification codes/passwords.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

  • Configure user accounts so that any attempts to gain access to unauthorised accounts is detected and reported to the appropriate person in an organisation.
  • How to configure these settings in windows.

11.300 – Controls for identification codes/passwords.

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

Before electronic signatures are used they must be tested to make sure they are functioning correctly.

All the key takeaways

  • Maintain a historical list of electronic signatures.
  • Ensure electronic signatures are historically unique.
  • Keep an account of electronic signatures to ensure that a name is not duplicated.
  • Maintain a historical list of current and historical users with access privileges.
  • Periodically review current and historical list of users with access privileges to find users who have changed roles or jobs but still retain access.
  • Each individual who will be using an electronic signature must have their identity confirmed.
  • Organisations that wish to use electronic signatures must inform the FDA in writing prior to making the switch.
  • Tips for setting up your electronic signature for the FDA.
  • Every individual must have two components to their signature (username and password).
  • Finger print, retinol scans etc. cannot be overwritten by any individual and can only be used by the individuals whom they are assigned.
  • Ensure that no two users have the same combination of username and password.
  • Periodically check and change usernames and passwords.
  • If a username and password is stolen or lost, it must be deauthorized and the individual must be given a secure replacement.
  • Configure user accounts so that any attempts to gain access to unauthorised accounts is detected and reported to the appropriate person in an organisation.
  • How to configure these settings in windows.
  • Before electronic signatures are used they must be tested to make sure they are functioning correctly.

Additional Information

  • Check that your systems can’t be accessed by a public password.

What's next?

Achieving compliance with your electronic signature can be an easy process, following our guidelines above can be used as a starting point for your compliance needs. If you would like a demonstration of Version Control an end-to-end tracking and collaboration system for life science data operating in GMP/GLP labs, get in touch,

Contact Us

Phone

+44 191 255 8899

Address

Newcastle-Upon-Tyne, UK