
Part 11 and Electronic Signatures

Discussion in 'Qualification & Validation (Also 21 CFR Part 11)' started by mdfi13, Apr 13, 2017.

  1. mdfi13

    Hello,

    We use a PDF software called FOXIT which has an option for electronically signing documents. It also gives you an option to create a password-protected certificate to sign with.

    If this certificate is protected by a Windows login and certificate password itself, will this meet the requirements for Electronic signatures in Part 11?

    Other paid for document signing certificates I have looked at are stored on a USB drive and password protected.

    Thank you
     
  2. yodon

    First off, you have read the regulation, right? (https://www.ecfr.gov/cgi-bin/text-i...2cd232be553cd&mc=true&node=pt21.1.11&rgn=div5)

    Can you explain the "certificate password" a bit? Who assigns that, how is it controlled, how is it used, etc?

    Without knowing more about the application and your use, the sections of the regulation that seem least likely to be met include:
    • 11.50 - signature manifestation
    • 11.200.1(i) - continuous session
    And really, even after signing, much of 11.10 is a concern regarding management of the (signed) records. (You may already have a system for that, though).

    If you have specific concerns about a particular aspect, it may be easier to assess than a general question of compliance.
     
  3. mdfi13

    Hi Yodon,

    The "certificate password" is a password set by the signer when first setting up the certificate. Anytime that certificate is used, the password is required. I believe this meets the requirements of 11-200.1(i) since we are basically prompted for a password every time a signing happens.

    Everything else you have mentioned, Yodon, we have already taken care of.

    I know auditors interpret regulations in different ways. My question is more around how an FDA auditor is going to feel about us using a self-generated certificate for signing (free) vs. a paid-for document signing certificate from a third party. For example, here is the document signing certificate product from Entrust (https://www.entrust.com/document-signing-certificates/).

    Matt
     
  4. yodon

    Yes, that's the rub, isn't it! If you can demonstrate that you meet the requirements and that the records are safe and the veracity of the signature, then they *shouldn't* care if it's paid / 3rd party or not. But validation data would go a long way (either way).