Signature Logs

A colleague asks “In the era of digitalization and electronic signatures, do you believe in continuing to collect wet ink signatures as part of the employee training file? Can a Part 11 electronic signature be used as an attestation that an electronic signature is as legally binding as a handwritten signature?”

Great question. Collecting wet signatures is a real pain. Transitioning to digital practices can also significantly streamline our processes. It seems like a win-win. What could go wrong?

First, let’s ask “just how digital are you?”. It is essential to inventory your various practices and determine what is what. I think there are several categories here:

  1. Starts as paper, retained as paper
  2. Starts as paper, retained as electronic. For example, you might print a form, fill it out, and route it through DocuSign or your eDMS for approval.
  3. Starts as electronic, retained as paper
  4. The entire lifecycle is electronic.

Most pharmaceutical companies are in a weird situation where we do a lot of work, starting on paper, scanning it, and then approving it. This is especially true at virtual companies, where a lot of the action happens at a CxO.

Do that inventory because you probably have more paper than you think—lots of paper. Plus, having an inventory will allow you to decide on future steps.

Before we get to the solution, let’s look at the regulatory requirements.

A is for Attributable (that’s good enough for me)

First Principle: Records should be signed and dated using a unique identifier attributable to the author. (PIC/S Data Integrity Guidance 8.6.1 Expectation 4.)

The guidance then goes on to say, “Check that there are signature and initials logs that are controlled and current and that demonstrate the use of unique examples, not just standardized printed letters.”

Second Principle: Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (21 CFR 11.100(c))

To comply with 21 CFR 11.100(c), organizations must:

  1. Prepare a Certification Letter: Draft a letter to the FDA certifying that the electronic signatures used in their system are legally binding.
  2. Submit the Certification: Send the certification letter to the FDA.
  3. Maintain Records: For future reference, keep a copy of the certification letter in the organization’s regulatory information management system (RIM) or quality management system (QMS) records.
  4. Keep Individual Records: Everyone should affirm that the electronic signature used across systems is binding.
  5. Be Prepared for Requests: Be ready to provide additional certification or testimony if the FDA requests it. Like, say, during an inspection.

This regulation ensures that electronic signatures are treated with the same level of trust and legal standing as traditional handwritten signatures, thereby supporting the integrity and reliability of electronic records in FDA-regulated industries.

Third Principle: The FDA lives within a constellation of other laws

Individual employees generally do not need to provide a wet signature attesting to the legally binding nature of an electronic signature. However, there are some important considerations:

  1. Legal validity: Electronic signatures are legally binding in the United States under the ESIGN Act and UETA, provided certain conditions are met.
  2. Intent and consent: Two critical elements for a legally binding electronic signature are:
     • Intent to sign
     • Consent to do business electronically
  3. Best practices for employers:
     • Implement a uniform policy on how employees sign agreements and onboarding documents.
     • Consider using two-factor verification for electronic signatures to provide additional proof of authenticity.
     • Ensure clear labeling of buttons and boxes for electronic signatures.
     • Include a consent clause for electronic transactions.
     • Provide an opt-out option for those unable to sign electronically.

While employees generally don’t need to provide a wet signature attesting to the legally binding nature of an electronic signature, employers should ensure their electronic signature process demonstrates intent and consent.

What to do

If your inventory showed everything is electronic, great. Get that attestation from the user as part of new hire orientation, and you are good to go. That attestation can be electronic. It just needs to be quickly retrievable so you can produce it during an inspection.

If the inventory showed any paper, then yes, keep collecting those signature/initial logs.

Deviation Review for CxO – Best Practice

Regulatory agencies have continued to make it clear that when a Contract Manufacturing Organization (CMO) or Contract Research Organization (CRO) experiences a deviation, the sponsor/Marketing Authorization Holder (MAH) has several key responsibilities:

  1. Review the deviation: The sponsor must thoroughly review the deviation to ensure it was appropriately defined and investigated. This review is crucial as the sponsor cannot delegate their responsibility to ensure the drug product is safe, effective, and conforms to specifications and regulatory commitments.
  2. Assess product impact: The sponsor should ensure that the CMO has properly assessed the impact of the deviation on the product. This includes evaluating whether the deviation affected material quality, safety, or efficacy.
  3. Verify appropriate material control: It’s the sponsor’s responsibility to ensure the CMO has appropriately controlled the affected material and extended this control to any other potentially affected materials.
  4. Make disposition decisions: Ultimately, the sponsor is responsible for deciding whether the product should be released, reprocessed, or rejected. This decision is especially critical if the deviation affected material in clinical trials.
  5. Oversee corrective and preventive actions: The sponsor should understand how the CMO’s corrective and preventive action (CAPA) system operates and ensure appropriate measures are taken to prevent recurrence of the deviation.
  6. Maintain oversight: While the quality agreement defines the CMO’s responsibilities, the sponsor retains 100% oversight, including executed batch record review, change control, and deviation review and approval.
  7. Risk-based approach: For major or critical deviations, sponsors should employ a risk-based approach to assess the severity and potential impact.

To simplify the deviation notification process with a Contract Organization (CxO), sponsors can implement several strategies:

Clear Communication and Documentation

  1. Establish a Well-Defined Quality Agreement: Create a comprehensive quality agreement that clearly outlines the deviation notification process, including timelines, classification criteria, and reporting requirements.
  2. Implement Standardized Templates: Develop and provide standardized templates for deviation reporting to ensure consistency and completeness of information.
  3. Set Clear Notification Timelines: Agree on specific timelines for different deviation categories. For example, critical and major deviations should be reported within one business day.

Risk-Based Approach

  1. Adopt a Quality Risk Management (QRM) Mindset: Approach the partnership with a focus on risk management, ensuring that both parties understand the potential impact of deviations on product quality and patient safety.
  2. Calibrate Risk Classification: Align the deviation classification system between the sponsor and CxO to avoid discrepancies in severity assessment.

Streamlined Processes

  1. Utilize Electronic Quality Management Systems: Implement digital tools to facilitate real-time reporting and tracking of deviations, improving efficiency and transparency. Yes, the sponsor should be taking a risk-based approach to tracking deviations in their eQMS that captures the important sponsor/MAH decision making.
  2. Define Clear Roles and Responsibilities: Clearly delineate who is responsible for each step of the deviation management process, from identification to reporting and investigation.

Training and Support

  1. Provide Comprehensive Training: Ensure that CxO staff are well-trained on the sponsor’s quality expectations, deviation reporting procedures, and the use of any specific tools or systems.
  2. Offer Ongoing Support: Establish a dedicated point of contact or support team to assist the CxO with questions or issues related to deviation reporting.

Regular Review and Improvement

  1. Conduct Periodic Reviews: Schedule regular meetings to review the deviation notification process, discuss any challenges, and identify areas for improvement.
  2. Encourage Open Dialogue: Foster an environment where the CMO feels comfortable reporting issues promptly without fear of punitive action.

I strongly believe that a CxO needs to implement these strategies (do not put it only on the MAH’s shoulders) as part of their client onboarding and management process to create a more efficient and effective deviation notification process. This approach not only simplifies the process but also ensures that critical quality information is communicated promptly and accurately, ultimately contributing to better product quality and regulatory compliance. Add some value and don’t make the sponsor beg for information.

Classification of Changes for GMP/GDP

Classification of change controls within change management is a common and widely accepted best practice. It stems from the requirement that change proposals are assessed from a risk perspective, where:

  • the level of rigor, effort and documentation is commensurate with the level of risk,
  • the risk assessments adequately evaluate the potential risks and benefits of changes to product quality, safety and efficacy, and
  • those risk assessments consider the potential risks and benefits to other products, processes and systems.

Classification for GMP/GDP changes itself is not a requirement. It is guidance, best found in the PIC/S Recommendation “How to Evaluate and Demonstrate the Effectiveness of a Pharmaceutical Quality System in relation to Risk-based Change Management” (PI 054-1), which states in section 5.2: “Change Management procedures often require a risk-based classification (e.g. critical, major, minor) to be assigned to proposed changes as well as an impact assessment to be performed. The latter routinely determines the potential impacts of the proposed change on various items, such as product quality, documentation, cleaning, maintenance, regulatory compliance, etc. In some cases, especially for simple and minor/low risk changes, an impact assessment is sufficient to document the risk-based rationale for a change without the use of more formal risk assessment tools or approaches.”

The PIC/S tells us that these categories drive the amount of rigor a change control requires, which is a great reason to have them. We spend time creating and confirming our categories, and then we only need to perform more rigorous risk assessments on the big changes.

How should we build this risk-based classification system? There are four criteria that drive this:

  1. Potential regulatory impact
  2. Potential impact on the qualified and validated state
  3. Potential impact on the ability to disposition and ship product
  4. Complexity

I tend to use only two categories, defined like this:

Major has Significant Impact: Changes that have a considerable potential impact on the process, product quality, safety, or regulatory status.

Minor has Limited Impact: Changes that have minimal or no significant impact on the process, product quality, safety, or regulatory status.

For regulatory impact, it really is as easy as dividing things into the four categories. “Do, Report” and “Do and Record” are minors. “Do and Tell” are majors, and “Tell and Do” are either majors or critical based on how you slice it.

When considering potential validation impact, you’ll leverage your process risk assessments and your validated state to determine what is in that bucket. This is why I like a document like an operational control strategy: it tells me exactly what impacts my validated state, and I can just use it to form this category.

The potential impact on the ability to disposition and ship the product has me looking at what can impact the ability to release and get the product out the door, which is an important aspect of what we do. Remember, a shortage of products is a quality issue.

Complexity looks at how many processes and systems are impacted and how many functions and areas are involved. The more complex, the more formal risk assessment is required. For example, you might use groupings like this:

Low level of complexity

  • Requires actions from the change owner and the system owner’s department(s) only
  • Impacts 1 system
  • <10 document revisions (approximate)
  • <2 potential training audiences (approximate)

Higher complexity:

  • Requires actions from more than change owner and system owner
  • Impacts more than one system
  • >10 document revisions
  • >2 potential training audiences (approximate)

The where of making the classification also makes a difference. I recommend doing it up front, agreed to by the change owner and quality, so that it then drives everything. Doing it just before approval really just decides who gets to approve the change control and whether it goes to CCRB or not.

These classifications can be loose guidelines; for example, a table that looks at the first three categories and then by complexity. Your rating depends on whichever Impact or Complexity is higher.

| Classification | Impact of Change (regulatory, validation, product) | Complexity of Change |
| --- | --- | --- |
| Minor | No risk to patient as assessed by SISPQ, product, or validated equipment or process AND No regulatory impact. | Limited impact to only one system/functional area AND Has defined process for implementation of change. (e.g. all action items are per defined procedures) |
| Major | Potential impact to patient or product SISPQ or validated equipment or process or compliance | Impacts multiple systems / functional areas OR Has defined process for implementation of change |
| Critical | High likelihood of impact to patient, product SISPQ or validated equipment or process or compliance | Impacts multiple systems / functional areas OR Implementation activities are not pre-defined or governed by formal internal system |

Or we could try for something much more specific. The advantage of specific is any change owner can start making the determination. Something like this:

| Change Category | Change Description |
| --- | --- |
| Manufacturing Processes | In-process labeling |
| | Changes to Process Control and Operating Parameters (tightening/shifting) within current batch record (does not impact established conditions) |
| | The addition of in-process or final product samples |
| | Changes to sample volume for in-process or finished product samples |
| | Addition of new ancillary equipment (e.g. no product contact, does not control process steps) to the process |
| Analytical Methods | Changes to the qualification of a critical reagent (i.e., in-house produced assay standards and controls) |
| | Use of an additional new instrument of the identical model and vendor |
| | Change in compendial method to comply with formal updates to compendia, provided it does not involve the widening of system suitability or acceptance criteria |
| | Equipment/instruments calibration, maintenance, and cleaning |
| | Changes to software or validated analytical spreadsheets that do not impact the current validated state of the method |
| | Movement of instruments from one location to another in the same room/lab |
| | Initial validation of analytical spreadsheets for use in calculation of data and results defined by a specific analytical method, provided it does not replace a worksheet in an SOP (if so, this change may be reportable) |
| | Changes to non-critical equipment or materials that allow “or equivalent” in current method, provided method re-validation is not required |
| Drug Substance or Drug Product Specifications/Limits | Changes to the sampling plan involving changes to the number of extra samples or amount of sample provided to QC or CMO as appropriate. |
| | Changes to the storage and/or shipping conditions of samples (except for stability vials) |
| Raw Materials/Components | Compendial Specification Changes to meet Compendial updates |
| | Non-product contact filters |
| | Vendor increase or decrease in the number of items per shipping container, or the size of the shipping or outer container |
| | Changes to the vendor Certificate of Analysis (format change only) |
| | Changes in recommended expiration date and/or storage conditions of raw material |
| Finished Goods | Catalog Number changes to components |
| | Creation of label at contract manufacturing site for existing presentation (assuming ‘No’ other change to already approved label) |
| | Changing position of pharmacode on leaflet |
| Computer | When there is no validation impact |
| Facility, Utilities, Systems and Equipment (including Automation) | Equipment/instrument maintenance |
| | Decommissioning of equipment not classified as critical equipment |
| | Computer programming that affects non-production equipment |
| | Alarms (i.e., notification system for out of tolerances) |
| | Cleaning and Sanitization of Manufacturing facilities and non-product Contact equipment |
| | Upgrade of Application Software or operating system |
| | Alarm set point changes |
| | Creating user groups and modifying user group privileges |
| | Tuning parameter, adjustment to the gain, reset and rate of a PID controller |
| | Phase or sequence change that does not affect the function and performance |
| | Modifying a phase prompt or message (technical change) |
| | Addition of a graphic, adding or changing a non-static device to a graphic (technical change) |
| | Addition or changing to an interlock/permissive trigger |
| | Changes to alarm paging/notification functionality |

Spend the time on your classification structure. You will use it to:

  1. Determine level of risk assessment (major yes, minor no)
  2. Determine approvals (minors can be as simple as change owner and quality)
  3. Does this change require a CCRB? Only send majors.

Crowdstrike debacle, Three Brief Thoughts

  1. This is not an unexpected accident. It has happened before on a smaller scale. We’ve seen companies like Crowdstrike under-resource their system controls that should prevent this. There is probably a strong case for regulation here. Maybe the EU will do something.
  2. Pharma companies should consider situations like the Crowdstrike incident in their business continuity plans. Plan for a week or more of what happened Friday.
  3. While my flight was only delayed an hour, there were sure to be a lot of grumpy and angry-looking people at Sea-Tac and Logan. I really think if we didn’t have a dysfunctional Congress, we would have seen a real change in how the airline industry is regulated by now.
XKCD webcomic, https://xkcd.com/2961/