Electronic Signatures in Laboratory Systems – Are the Regulatory Requirements Enough?
Written by Piotr Kuchta

In an industry that relies heavily on precise documentation, strict compliance, and rigorous regulatory oversight, the implementation of electronic signatures represented a powerful leap forward.
Traditionally, signing regulated documents involved a laborious manual process, requiring physical presence, handwritten signatures, and extensive paper trails.
This method was not only time-consuming but also prone to errors, delays, and significant logistical challenges, hindering the industry's ability to keep pace with rapidly evolving market demands.
While not necessarily revolutionary anymore in the broader sense, electronic signatures have steadily gained recognition as a transformative tool within the pharmaceutical sector, offering streamlined processes, improved efficiency, and enhanced compliance.
Furthermore, electronic signatures play a vital role in maintaining the security and integrity of electronic records. They help prevent unauthorized approval, tampering, or falsification of data, reducing the risk of data breaches and ensuring the accuracy and reliability of information.
Electronic signatures have become a crucial component in the pharmaceutical industry, aligning with regulatory guidelines such as 21 CFR Part 11 in the United States, EU GMP Annex 11 in the European Union, and the MHRA 'GXP' Data Integrity Guidance and Definitions in the United Kingdom. These regulatory frameworks emphasize the importance of data integrity, security, and compliance in electronic recordkeeping.
21 CFR Part 11, released 25 years ago and enforced by the U.S. Food and Drug Administration (FDA), provides guidelines for the use of electronic records and signatures in the pharmaceutical and biotech industries. It establishes requirements for electronic records and for electronic signatures executed to electronic documents.
Part 11 of Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures was a huge milestone and introduced many requirements. To list a few of the most crucial ones, “Subpart C--Electronic Signatures” states the following:
- Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
- Electronic signatures that are not based upon biometrics shall employ at least two distinct identification components such as an identification code and password.
- Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
  - Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
  - Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
  - Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
Similarly, the EU GMP Annex 11: Computerized Systems serves as a guideline for Good Manufacturing Practices in the European Union. It emphasizes the importance of maintaining the integrity and confidentiality of electronic records, including the use of electronic signatures. The annex highlights controls such as access management, data protection, audit trails, and signature verification to ensure the validity and traceability of electronic records. In this case the requirements regarding electronic signatures are quite scarce. Nevertheless, it should be mentioned that Annex 11 was the first law to define the strict requirement that batch release must be performed by an electronic signature. Chapter “14. Electronic Signature” consists of the following points:
Electronic records may be signed electronically. Electronic signatures are expected to:
- have the same impact as hand-written signatures within the boundaries of the company,
- be permanently linked to their respective record,
- include the time and date that they were applied.
Around 2015 and 2016 various Data Integrity guidelines started to surface. One of them was 'GXP' Data Integrity Guidance and Definitions released by the Medicines and Healthcare products Regulatory Agency (MHRA). Its final version from 2018 provides additional guidance on maintaining data integrity across various "GXP" regulated areas, including Good Laboratory Practice (GLP), Good Clinical Practice (GCP), and Good Manufacturing Practice (GMP). The guidance emphasizes the importance of implementing appropriate controls, such as electronic signatures, to ensure the integrity, accuracy, and completeness of data throughout its lifecycle. Chapter “6.14. Electronic signatures” states the following:
The use of electronic signatures should be appropriately controlled with consideration given to:
- How the signature is attributable to an individual.
- How the act of ‘signing’ is recorded within the system so that it cannot be altered or manipulated without invalidating the signature or status of the entry.
- How the record of the signature will be associated with the entry made and how this can be verified.
- The security of the electronic signature i.e. so that it can only be applied by the ‘owner’ of that signature.
Electronic signature or E-signature systems must provide for “signature manifestations” i.e. a display within the viewable record that defines who signed it, their title, and the date (and time, if significant) and the meaning of the signature (e.g. verified or approved).
The last note made it clear what electronic signatures should look like in systems across the pharmaceutical industry. Some systems already had such functionality in place; the rest had to adapt after this and numerous other new Data Integrity guidelines were released.
But is this really everything systems should take into consideration? Are there any additional precautions computerized systems could enforce?
Quite a few systems have introduced extended signature policies which can increase data integrity without much effort from the users.
One of them is METTLER TOLEDO LabX™ V13, which takes signature policies one step further.
For many years the system has supported two types of electronic signature:
- Review – one signature is required to fulfill the signature policies.
- Review-Approve – two signatures are required to meet signature guidelines.
A functionality introduced quite recently is the so-called “Involved user policy”, which applies to Result sets and to Reports that are generated from Result sets.
It can be configured in the following ways:
- No restrictions: No policy is applied.
- Only users involved: The system ensures that one of the users involved in a results record checks or approves the specific object.
- Only not involved users: The system prevents any of the involved users of a result set from reviewing or approving the specific object.
To clarify, an involved user is any user who is involved in task execution, generating or editing results related to a particular result set.
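The three policy modes can be read as a separation-of-duties check evaluated at signing time. The sketch below is an added illustration, not LabX code: the audit-trail record layout, the action names, and the function names are assumptions made for the example.

```python
from enum import Enum

class InvolvedUserPolicy(Enum):
    NO_RESTRICTIONS = "No restrictions"
    ONLY_INVOLVED = "Only users involved"
    ONLY_NOT_INVOLVED = "Only not involved users"

# Assumed action names for what makes a user "involved" in a result set:
# task execution, generating results, editing results.
INVOLVING_ACTIONS = frozenset({"execute_task", "generate_result", "edit_result"})

def involved_users(audit_trail, result_set_id):
    """Collect every user who executed a task or generated/edited results."""
    return {
        e["user"].strip().lower()
        for e in audit_trail
        if e["result_set"] == result_set_id and e["action"] in INVOLVING_ACTIONS
    }

def may_sign(policy, signer, audit_trail, result_set_id):
    """Return (allowed, reason). Evaluated when signing, so late edits count."""
    is_involved = signer.strip().lower() in involved_users(audit_trail, result_set_id)
    reason = "signer is involved" if is_involved else "signer is not involved"
    if policy is InvolvedUserPolicy.NO_RESTRICTIONS:
        return True, "no policy applied"
    if policy is InvolvedUserPolicy.ONLY_INVOLVED:
        return is_involved, reason
    if policy is InvolvedUserPolicy.ONLY_NOT_INVOLVED:
        return not is_involved, reason
    return False, "unknown policy, refusing to sign"  # fail closed

# Constructed sample audit trail (illustrative data only).
AUDIT_TRAIL = [
    {"result_set": "RS-001", "user": "analyst1", "action": "execute_task"},
    {"result_set": "RS-001", "user": "analyst1", "action": "generate_result"},
    {"result_set": "RS-001", "user": "Analyst2", "action": "edit_result"},
    {"result_set": "RS-001", "user": "qa_lead", "action": "view_result"},
    {"result_set": "RS-002", "user": "qa_lead", "action": "edit_result"},
]

if __name__ == "__main__":
    for user in ("analyst1", "analyst2", "qa_lead"):
        for policy in InvolvedUserPolicy:
            print(user, "|", policy.value, "|", may_sign(policy, user, AUDIT_TRAIL, "RS-001"))
```

Deriving the involved set from the audit trail rather than from a stored "author" field means a reviewer who edits a result before signing becomes involved and is then blocked under "Only not involved users".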
If you already have such a policy implemented but only at the procedural level, you can now have peace of mind during audits.
With LabX™ V13, you do not have to rely solely on restrictions described in your Standard Operational Procedures anymore. You can hand their enforcement over to the system, and the people performing the review of the electronic records can focus on other tasks instead of double-checking the data and electronic signatures back and forth.
If you do not have such a policy but started wondering about implementing it, that should be an easy task with the help of LabX™ V13.