Q: I have concerns about e-signatures supplied by a software vendor. Our company is using a Quality Management System (QMS) supplied by a software vendor who provides a validation package. The package shows how the QMS was validated, and the documents within this package are e-signed.
The tool used by the vendor for e-signing the documents is fully tested, and the test is documented. However, the validation cycle that incorporated that test is not documented as needed.
With this in mind, can we trust the e-signatures on the validation documentation supplied by the vendor?
A: You’re right to be concerned — but let’s take a step back and look at the big picture of what you’re dealing with here.
First, using a off-the-shelf QMS is usually not possible without significant modification. Each modification requires validation to assure it suits you, the user. So the validation package provided by your vendor must be supplemented by your validation of any modifications.
Then let’s assume some of the documents in the provided package are not touched by your modifications. If so, the validation of these individual documents may still be valid. (Keep in mind, though, that validation must include the system as a whole, so even unmodified documents may have had their “intent” modified, even if the words remained the same).
But for now let’s assume the intent has not changed. Making all these assumptions — which can be very dangerous if they are wrong — just gets us to point where we can actually evaluate the validity of the e-signatures portion of the documentation.
Second, as you know, software validation is achieved only through development of the software using “good software development practices” (GSDP). GSDP includes the process, procedures, “cycle”, testing, etc. — all designed to yield valid software and documented (V&V) results. Validation must include documentation, or it is not validation.
At a minimum, you must establish (note the regulatory meaning of that word) the validity of the e-sigs you want to accept based on your intended use.
Third and finally, FDA regulations require that you, the regulated entity, validate for intended use. At a minimum, you must establish (note the regulatory meaning of that word) the validity of the e-sigs you want to accept based on your intended use.
Medical companies need a validation protocol (a plan), assessments based on that protocol, audits of the vendor targeting your intended use, assessment of the vendor’s GSDP, and verification that the vendor’s e-sigs mean the same as yours.
In summary, the answer to your question is “no” — trust must be verified, and in the case of medical products, validated.
Answered by Martin Browning, President and Co-Founder of EduQuest, who served 22 years at the U.S. FDA as an expert field investigator and who also co-wrote 21 CFR Part 11, FDA’s regulation for electronic records and electronic signatures. His education and background are in computer engineering.
Martin is the chairman of EduQuest’s FDA Auditing of Computer Systems and Part 11/Annex 11 Compliance training class, next scheduled May 8-10, 2017, near Baltimore and Washington, DC.