Electronic signatures in the pharmaceutical and medical devices sector
In many companies, handwritten signatures verify that everything is conducted according to regulations in essential work steps. This, for example, is how employees vouch for the creation and release of work and process instructions. The procedure is also widely accepted for the release of test specifications, manufacturing reports after production or of raw materials, bulk or finished goods in the laboratory.
A digital signature can make these and many other business processes even more secure and efficient. On the one hand, it can be used to establish unambiguously who, for example, created and edited a document. Unlike a handwritten signature ("wet signature"), the digital version can neither be copied from one document to another, nor can the signed document be changed or forged unnoticed. On the other hand, the signature process becomes faster because you can work from any location and no longer need a printer or scanner.
If one decides to use an electronic signature instead of a handwritten signature in a regulated environment, the question of which regulatory requirements need to be considered arises immediately, in addition to the technical implementation. The following chapters provide an overview of the essential legal requirements, explain the concept of electronic signatures in the context of the pharmaceutical and MedTech industry, and specify recommendations for their use.
Legal framework: eIDAS as a pan-European guideline
The eIDAS regulation 910/2014 (hereinafter referred to as eIDAS: electronic identification, authentication, and trust services) contains binding, pan-European regulations in the areas of “electronic identification” and “electronic trust services”. It creates a framework with unified requirements for the cross-border application of relevant resources and services, for example, for the use of smart cards in protected company networks or individual sealing cards for issuing e-seals.
In addition, eIDAS defines the European framework requirements for electronic signatures in the GxP environment. In the pharmaceutical industry, an electronic signature may be necessary for digital legal transactions, e.g., to comply with the German Packaging Act (VerpackG) or contractual written requirements for quality agreements.
Obligation or option?
However, eIDAS neither requires the use of electronic signatures, nor does it specify which signatures must be used. It follows the approach of the “Code of Federal Regulations” (CFR), which in 21 CFR Part 11 defines the regulations of the United States Food and Drug Administration (FDA) on electronic records and electronic signatures.
There, too, the use of electronic signatures is not required; only the requirements for them are specified. Pharmaceutical manufacturers should pay particular attention to 21 CFR Part 211. It defines in which cases (purpose!) a signature is required at all. For medical devices approved in the USA, 21 CFR Part 820 specifies when a signature is required. Only in these cases do the requirements of 21 CFR Part 11 apply. Part 820 is therefore the relevant reference for medical device manufacturers.
Types of signature variants
An electronic signature (or electronic signature seal) is a general term for an electronic process used to express acceptance of, or agreement to, a contract or form. A digital signature is a special type of electronic signature. eIDAS differentiates between “simple” electronic, advanced electronic and qualified electronic signatures. 21 CFR Part 11 distinguishes between an "electronic signature" and a "digital signature".
Figure 1: eIDAS and 21 CFR Part 11 © msg industry advisors
Electronic signatures
According to eIDAS, these are defined as follows:
data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
No requirements for the technical implementation are defined for basic electronic signatures.
Advanced electronic signatures
These are special types of electronic signatures that meet higher legal requirements and allow the identity of the signer to be established beyond doubt. According to eIDAS Article 26, this type of signature must meet the following requirements:
- It must be uniquely linked to the signatory.
- It must be capable of identifying the signatory.
- It must be created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control.
- It must be linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
From a technical point of view, advanced signatures are equivalent to software certificates. Signature cards with a certificate and a card reader (secure signature creation device = SSCD) are not required to create advanced electronic signatures.
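The four Article 26 requirements above, and the earlier claim that a digital signature can neither be copied to another document nor have the signed document altered unnoticed, come down to one mechanism: the signatory's private key signs a payload that covers the document content together with the signing metadata. The following Go program is an added illustration written for this article, not code from the original page or from any signature product; it uses the standard-library Ed25519 implementation, and the binding of a public key to a person by name is a constructed stand-in for the certificate a trust service would issue. It shows a valid signature verifying, and detects a changed document, a signature record copied to a different document, and an altered signature meaning.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Signer holds one signatory's signature creation data. The private key stays
// with the signatory (sole control); the public key is what verifiers use.
// In production the public key would be bound to the person by a certificate
// from a trust service; the Name field is a constructed stand-in for that.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for the named signatory.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, Pub: pub, priv: priv}, nil
}

// Signature is the record stored alongside the signed document: the
// signatory's name, the meaning of the signature, the time of signing, and
// the cryptographic signature that binds all of that to the document.
type Signature struct {
	Signer   string
	Meaning  string
	SignedAt time.Time
	Sig      []byte
}

// signedPayload builds the exact bytes that are signed: the SHA-256 of the
// document plus every metadata field, one per line. Because all fields are
// covered, changing the document, the name, the meaning or the time
// invalidates the signature. (A production format would length-prefix or
// structurally encode the fields so that a newline in a name cannot create
// an ambiguous payload; the line format here is for readability.)
func signedPayload(doc []byte, signer, meaning string, at time.Time) []byte {
	h := sha256.Sum256(doc)
	return []byte(strings.Join([]string{
		"doc-sha256=" + hex.EncodeToString(h[:]),
		"signer=" + signer,
		"meaning=" + meaning,
		"signed-at=" + at.UTC().Format(time.RFC3339),
	}, "\n"))
}

// Sign produces a Signature over doc with the given meaning and timestamp.
func (s *Signer) Sign(doc []byte, meaning string, at time.Time) Signature {
	at = at.UTC().Truncate(time.Second) // RFC3339 carries whole seconds only
	return Signature{
		Signer:   s.Name,
		Meaning:  meaning,
		SignedAt: at,
		Sig:      ed25519.Sign(s.priv, signedPayload(doc, s.Name, meaning, at)),
	}
}

// Verify checks sig against doc using the public key the verifier trusts for
// sig.Signer. It fails if the document was altered after signing, if the
// signature record was copied onto another document, if any metadata field
// was changed, or if the key does not belong to the named signatory.
func Verify(pub ed25519.PublicKey, doc []byte, sig Signature) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("invalid public key")
	}
	payload := signedPayload(doc, sig.Signer, sig.Meaning, sig.SignedAt)
	if !ed25519.Verify(pub, payload, sig.Sig) {
		return errors.New("signature does not match document, signer and metadata")
	}
	return nil
}

func main() {
	alice, err := NewSigner("A. Example (QA)") // constructed signatory
	if err != nil {
		panic(err)
	}
	released := []byte("Batch record 0001: released") // constructed document
	sig := alice.Sign(released, "Approved", time.Now())

	fmt.Println("original document:", Verify(alice.Pub, released, sig))
	fmt.Println("altered document:", Verify(alice.Pub, []byte("Batch record 0001: rejected"), sig))
	fmt.Println("signature copied to another record:", Verify(alice.Pub, []byte("Batch record 0002: released"), sig))
	forged := sig
	forged.Meaning = "Rejected"
	fmt.Println("altered meaning:", Verify(alice.Pub, released, forged))
}
```

The first check reports `<nil>` and the remaining three report an error, which is the property the regulation asks for: the signature is only valid for exactly the data, signer and meaning it was created over. What the code cannot provide on its own is the first two Article 26 requirements, which rest on how the public key was bound to the person and how the private key is protected; that is the role of the certificate and the signature creation device discussed in the text.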
Qualified electronic signatures
This is the only type of electronic signature that, according to eIDAS, has the same legal value as a handwritten signature. According to eIDAS, it must fulfil all the requirements of advanced electronic signatures as well as the following criteria:
- be based on a qualified certificate that is valid at the time the signature is created, and
- have been produced with a secure device for creating signatures.
Signers must use a certificate-based digital ID for qualified signatures. This is issued by accredited EU trust services – in Germany, for example, by Deutsche Telekom AG and Deutsche Post – and is stored on a device suitable for creating qualified signatures. This includes USB tokens, chip cards or one-time-use passwords transmitted via smartphones.
The precise requirements for the trust service provider and the qualified certificates are also described in eIDAS. An up-to-date overview of the certified EU trust services can be found in the publicly accessible EU Trust List (EUTL).
Guidelines for the use of electronic signatures
The guidelines for the use of certain electronic signatures derive from legal provisions other than the regulations already mentioned. The following sources are relevant here:
German regulations
Article 126 of the German Civil Code (BGB) defines the following requirements:
- (1) “If written form is prescribed by statute, the document must be signed by the issuer with his name in his own hand, or by his notarially certified initials.”
- (3) “Written form may be replaced by electronic form, unless the statute leads to a different conclusion.” If the written form is required by law and an electronic format is used, qualified signatures must always be used. The written form is the higher-value form compared to the text form. The text form is a legible, permanent form of documentation that is valid without a signature; it is often used for pure communications.
German and European GxP regulations
In the German Medicines Act (AMG), only one section states that a signature is required, namely Article 24 on expert opinions. No obligation to use the signatures defined in eIDAS can be derived from the Ordinance for the Manufacture of Medicinal Products and Active Pharmaceutical Ingredients (AMWHV) or from the EU GMP guidelines. Only the Central Office of the Federal States for Health Protection Regarding Drugs and Medical Products (ZLG), in vote V1100302, recommends an advanced electronic signature according to eIDAS Article 26 for manufacturing records, test reports and the confirmation of release.
FDA GxP regulations
The FDA takes a risk-based approach to the question of which signatures are “sufficient”. To this end, a distinction is made between “closed systems” and “open systems”. The respective requirements for these systems are specified in 21 CFR 11.10 and 11.30.
A system that transmits data via the internet, for example, is regarded as an open system. The risk of external manipulation is higher in open systems, so additional measures are required. Protection with a "digital signature" prevents misuse here. Advanced electronic signatures according to eIDAS fulfil this requirement.
Management tips: introducing electronic signatures correctly
- Check the legal basis that must be taken into account in Germany/your country, as well as the regulatory GxP requirements for documents you want to sign electronically. The stipulation for signatures and, if necessary, the requirement to use them can be found, for example, in the AMWHV, the EU GMP guidelines, 21 CFR Part 210/211, the GCP-VO, the MDR or in the ChemG.
- In the next step, determine the type of signature and the technical solution, i.e., technical measures.
- Clarify to what extent the technical solutions are accepted by the authorities and whether internal organizational procedures need to be regulated. Qualified electronic signatures may already be used in your company, for example, to comply with the German Packaging Act (VerpackG).
In addition, companies in the regulated environment should note that in ERP systems, MES or LIMS signatures are often linked to workflow or business processes, but in document management systems they are more often linked to the document itself. Here, you should implement the relevant process in the computer system yourself – and ensure that electronic signatures continue to run in a validated environment and that data integrity requirements are met.