Electronic Signatures Explained

[b]Electronic Signatures Explained

Electronic signature means a computer data compilation of any data or symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature. 21 CFR Part 11.3(7)

The application of an electronic signature refers to the act of affixing, by electronic means, a signature to an electronic record. Part 11 references two types of nonbiometric-based electronic signatures: password/userid combination-based signatures and digital signatures.

1. There are some basic elements to be considered:

  • An electronic signature solution must make electronic signatures secure through the use of a copy protection mechanism that makes it impossible to copy, cut or paste signatures and audit trails from an approved record. This is an element that is necessary in order to ensure the integrity of digitally signed records.
  • In an electronic environment, an electronic signature on an electronic record must carry the same legal weight as an original signature on a paper-based document.

2. The electronic signature process involves:

  • Authentication of the signer
  • A signature process that complies with the system design and software instructions specified
  • The binding of the electronic signature to the electronic record
  • Non-alterability after the signature has been affixed to the electronic record

3. The controls applicable to electronic signatures include:

  • Uniqueness of the signature
  • Signature record linking
  • Electronic signature security
  • Password management (assignment, removal, loss management, aging)

4. Electronic signature manifestation
The electronic signature must be displayed in human readable form, including printouts and video displays:

  • Immediately after the signature is executed
  • After displaying a signed record
  • When printing a signed electronic record
The printed name of the signer, the date and time of the signing and the meaning associated with the signing must be displayed.

5. Multisigning
When an individual executes one or more signings that are not performed during a single, continuous period of controlled system access, each signing must be executed according to the following:

  • First signing: using both the userID and password components
  • Second and subsequent signings during a period of continuous, controlled access: either re-entry of the password alone or using both the userID and the password components
  • One signature can be applied to multiple data entries on a screen as long as the items that the signature applies to are clearly indicated

Password-based signatures

Part 11.300 allows the use of password-based signatures. There are two password-based authentication schemes: static passwords and dynamic passwords. The same password combination used for authentication may also be used for an electronic signature. The affixing of a signature to a record should be an affirmative act that is deliberate, unique, and independent of the authentication process, and that serves the ceremonial and approval functions of a signature and establishes the sense of having legally consummated the transaction.

The record/signature linking using password-based signatures is either centered on the use of software locks, the storage of the electronic signature in a database table separate from its associated record, or the storage of the signature within the subject electronic record.

[/b]

[quote=gokeeffe][b]Electronic Signatures Explained

5. Multisigning
When an individual executes one or more signings that are not performed during a single, continuous period of controlled system access, each signing must be executed according to the following:

  • First signing: using both the userID and password components
  • Second and subsequent signings during a period of continuous, controlled access: either re-entry of the password alone or using both the userID and the password components
  • One signature can be applied to multiple data entries on a screen as long as the items that the signature applies to are clearly indicated
[/b][/quote]

Here is a question that was passed on to me regarding this… Why do you need two-part identification for a signature? Especially when it is the same user name and password used to gain access to the application, and usernames typically are not difficult to determine and may be shown on the screen. His point was that if your password is already compromised, so is your user name.

My answer was …a…a…a…Because Part 11 says so

Interesting point, do you mean that the password on sign-off of a record should be different to that of the original login-password combination?

No, no, no, by all means no, I am not a proponent of having multiple logins and passwords. It was just a very observant point to make. The person is an old IT guy and doesn’t understand Part 11. He was just asking why you have to put your username in for a signature. His point was that it can’t really be for security, since usernames are typically based on known rules. Just a unique perspective is all.

How about this one…Do you have to change your password every 30 or 60 days?

30 or 60 days, I’d go for the 60 day option personally.

I don’t really have any scientific answer to this one only that I hate having to change my passwords whether it be for the PC login, my doc management system, my email account, my telephone login etc etc.

Due to the fact that we have so many applications that use passwords, the less changing the better!

[quote=gokeeffe][b]Electronic Signatures Explained

5. Multisigning
When an individual executes one or more signings that are not performed during a single, continuous period of controlled system access, each signing must be executed according to the following:
[/b][/quote]

Actually, I believe that you meant:
“When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.” 21 CFR Part 11.200 (a)(1)(i)

The implied key here is the “password” component, which must be used for the second or later continuous signing, since in a two-component signature it is generally the only secure component.

and

“When an individual executes one or more signings not performed during a single, continuous period of controlled access, each signing shall be executed using all of the electronic signature components.” 21 CFR Part 11.200 (a)(1)(ii)

Simply that non-continuous signings require both signature components.

In the case of biometrics a single element signing is acceptable.
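As an added example (not code from this thread or from any validated system), the model below implements the 11.200(a)(1)(i) and (ii) rules just clarified, and the opening post's points on signature/record linking and manifestation: both components for the first signing of a session, the password alone for later signings in the same continuous session, both again once the session ends, and a record digest that invalidates the signature if the record is altered. The credential store, salt, user and record bytes are constructed sample values.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed credential store (stand-in for a real user directory): userid ->
# salted password hash. Salt and credentials are sample values for this example only.
_SALT = b"example-salt-not-for-production"

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)

USERS = {"jdoe": _pw_hash("correct horse battery")}

def record_digest(record: bytes) -> str:
    """Digest of the record content the signature is linked to (Part 11.70)."""
    return hashlib.sha256(record).hexdigest()

class SigningSession:
    """One continuous period of controlled access (11.200(a)(1)): the first
    signing needs userid + password, later signings need only the password.
    end() clears that state so the next signing needs both components again."""

    def __init__(self) -> None:
        self.userid = None  # established by the first complete signing

    def sign(self, record: bytes, meaning: str, password: str, userid=None) -> dict:
        if userid is None:
            if self.userid is None:
                raise PermissionError("first signing requires userid and password")
            userid = self.userid
        expected = USERS.get(userid, b"")
        if not hmac.compare_digest(expected, _pw_hash(password)):
            raise PermissionError("password does not match")
        self.userid = userid
        # Manifestation fields that must appear on display/printout (Part 11.50).
        return {
            "signer": userid,
            "signed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "meaning": meaning,  # e.g. "authored", "reviewed", "approved"
            "record_sha256": record_digest(record),
        }

    def end(self) -> None:
        self.userid = None  # close the continuous period of controlled access

def verify_linkage(signature: dict, record: bytes) -> bool:
    """Non-alterability check: valid only for the exact record content signed."""
    return hmac.compare_digest(signature["record_sha256"], record_digest(record))
```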