This article contains a collection of frequently asked questions submitted by the industry to the APIC DI taskforce. The questions are grouped into the following sections:
- Digital and electronic signatures
- Password management
- Access management
- Record life cycle management
Q1. What is the difference between a digital and an e-signature?
A digital signature is attached to the electronic file itself rather than maintained within an electronic system; it stays with the data and moves with the data. The signature can be verified by the recipient.
An e-signature is executed and maintained within a validated electronic system and stays in that system. An e-signature can only be verified in the source system.
Q2. What is the best practice to handle hybrid signature?
The preference is to sign off documents either fully wet or fully digitally. Hybrid signatures should be the exception, used only when there is no other option.
In that case the handwritten signature(s) must be applied first; afterwards the document can be prepared for the digital signature(s). In that way the metadata of the digital signature(s)/e-signature(s) is maintained.
Q3. Is it acceptable to use a scanned image of a wet-signed document as a GXP record? (internal use)
It is only acceptable if the scanned image is a verified true copy of the original wet-signed record and this is allowed by your local legal and regulatory requirements. The wet signature, or a true copy of it, must be retrievable, reproducible and unaltered for the retention period of the record.
Q4. How should I handle a document carrying a scanned image of a wet-signed document that I also need to sign? (external use, e.g. with third parties working at different locations)
This document can be used if the party sending the scanned document has an established true copy process in place and the scanned document has already been verified and attested as a true copy. The sender should also have an established document retention policy in line with your expectations.
Q5. How do we handle digitally signed documents in an electronic document management system? (e.g. loading an Adobe digitally signed document into your document management system without losing the digital signature certificate)
The document management system should be validated for this intended use, verifying that the digital signature is maintained in the system and can be retrieved when necessary. This process should be defined and documented.
If it is not possible to maintain the digital signature in the system, the digitally signed document should be stored in a separate secure, validated environment.
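The following added example (not part of the APIC FAQ) illustrates the point made in Q1 and Q5: a digital signature is computed over the file's bytes and travels with them as a separate value, so any recipient holding the signer's public key can verify it without access to the originating system, and any alteration of the content, or loss of the signature when the file is loaded into another system, makes the record unverifiable. The key pair, the record content and the SignedRecord bundle are all constructed for the example; Ed25519 is used as the signature algorithm, whereas the page itself names no algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"log"
)

// SignedRecord bundles the document bytes with the detached signature and the
// signer's public key, so the bundle can move with the data and be verified by
// any recipient. (Constructed structure for this example; a real deployment
// would carry the signer's certificate rather than a bare key.)
type SignedRecord struct {
	Document  []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// NewSigner generates an Ed25519 key pair for a hypothetical signer.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign computes the signature over the exact document bytes.
func Sign(doc []byte, priv ed25519.PrivateKey) SignedRecord {
	return SignedRecord{
		Document:  doc,
		Signature: ed25519.Sign(priv, doc),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// Verify is what the recipient runs: it needs only the bundle, not the system
// the document came from. Length checks avoid a panic on malformed input.
func Verify(r SignedRecord) bool {
	if len(r.PublicKey) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(r.PublicKey, r.Document, r.Signature)
}

func main() {
	_, priv, err := NewSigner()
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample record content.
	doc := []byte("Batch 0001 release: assay 99.2% (constructed sample record)")
	rec := Sign(doc, priv)
	fmt.Println("intact record verifies:", Verify(rec))

	// Q1: the signature is bound to the data; changing one digit breaks it.
	altered := rec
	altered.Document = []byte("Batch 0001 release: assay 99.8% (constructed sample record)")
	fmt.Println("altered record verifies:", Verify(altered))

	// Q5: a system that drops the signature on import leaves an unverifiable record.
	stripped := rec
	stripped.Signature = nil
	fmt.Println("record with signature dropped verifies:", Verify(stripped))

	fmt.Println("signature (hex, first 8 bytes):", hex.EncodeToString(rec.Signature[:8]))
}
```

The validation activity described in Q5 amounts to confirming that a record round-tripped through the document management system still passes the equivalent of Verify above, with the original signature and signer identity intact.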
Q6. How do I define when a password should be entered during a specific operation when data is being recorded?
This practice is described in 21 CFR Part 11, section 11.200 ‘e-signature and components’:
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components (= user ID and password or biometrics); subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
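As an added illustration of the two rules quoted above (example code, not from the APIC FAQ or any referenced system), the session model below enforces them: the first signing in a continuous period of controlled access must present both the user ID and the password, later signings in the same period must at least present the password (the component only the individual can execute), and once the period ends every signing again needs all components. The Session type, the error values and the credentials are constructed for the example; biometrics are not modelled.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Components are what an individual presents at signing time: the user ID
// (identification) and the password (the component only the individual can execute).
type Components struct {
	UserID   string
	Password string
}

// Session is one continuous period of controlled system access by one user.
type Session struct {
	UserID    string
	verifier  [32]byte // SHA-256 of the password; a constructed stand-in for a real credential store
	signCount int
	open      bool
}

var (
	ErrSessionClosed = errors.New("access period ended: open a new session and present all components (rule ii)")
	ErrAllComponents = errors.New("first signing of a session requires user ID and password (rule i)")
	ErrOneComponent  = errors.New("subsequent signing requires the individual-only component, the password (rule i)")
	ErrWrongUser     = errors.New("user ID does not match the session owner")
	ErrBadCredential = errors.New("password does not match")
)

// OpenSession starts a controlled access period for a user who has just logged in.
// A production system would use a slow password hash (bcrypt/argon2), not plain SHA-256.
func OpenSession(userID, password string) *Session {
	return &Session{UserID: userID, verifier: sha256.Sum256([]byte(password)), open: true}
}

// Sign applies the component rules and returns the signature manifestation
// (who signed, the meaning of the signing, and its count within the session).
func (s *Session) Sign(c Components, meaning string) (string, error) {
	if !s.open {
		return "", ErrSessionClosed
	}
	if s.signCount == 0 {
		if c.UserID == "" || c.Password == "" {
			return "", ErrAllComponents
		}
	} else if c.Password == "" {
		return "", ErrOneComponent
	}
	if c.UserID != "" && c.UserID != s.UserID {
		return "", ErrWrongUser
	}
	got := sha256.Sum256([]byte(c.Password))
	if subtle.ConstantTimeCompare(got[:], s.verifier[:]) != 1 {
		return "", ErrBadCredential
	}
	s.signCount++
	return fmt.Sprintf("%s signed '%s' (signing #%d in this session)", s.UserID, meaning, s.signCount), nil
}

// Close ends the continuous access period (logout or timeout). Any later
// signing belongs to a new period and must present all components again.
func (s *Session) Close() { s.open = false }

func main() {
	s := OpenSession("jdoe", "constructed-password") // constructed credentials
	attempts := []struct {
		c       Components
		meaning string
	}{
		{Components{UserID: "jdoe"}, "reviewed"},                                // rejected: first signing needs both
		{Components{UserID: "jdoe", Password: "constructed-password"}, "reviewed"}, // accepted
		{Components{Password: "constructed-password"}, "approved"},               // accepted: password only
		{Components{UserID: "jdoe"}, "approved"},                                // rejected: password required
	}
	for _, a := range attempts {
		out, err := s.Sign(a.c, a.meaning)
		fmt.Printf("%-45v -> %v %v\n", a.c, out, err)
	}
	s.Close()
	_, err := s.Sign(Components{Password: "constructed-password"}, "released")
	fmt.Println("after session end:", err)
}
```

The important design property is that the "at least one component" relaxation only applies while the same continuous period is open; a logout, a timeout, or a switch to another workstation must close the session so that rule (ii) takes over, which is why Close exists as an explicit state transition rather than being inferred from elapsed time alone.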
Q7. Is the storage of passwords in the internet browser allowed for GXP applications?
No, ideally this feature should be deactivated in all browsers used for GXP applications.
Q8. Can I use generic accounts for 3rd-party support employees' access? (e.g. lab technicians, on-line SAP support)
No. The account should be attributable to the person executing the actions and there should be processes and systems in place to manage this.
Q9. How to protect critical paper records? Is it necessary to scan all records or is physical protection (fire protected cabinets, location of the paper record archive(s)) sufficient?
Records should be protected and retrievable for the appropriate retention period. There is no need to scan, provided that the documents are stored in a safe and secure environment.
Q10. Is it allowed to replace a physical paper archive if you scan your records? Can the paper records be destroyed afterwards?
In practice this is possible if the digital copy is a true copy, however you need to comply with local legal and regulatory requirements to decide if you can destroy the paper records or not.
Q11. If hardware and/or software packages are no longer supported (Windows updates, application software), is it possible to print out the electronic data, or do you need to keep the ‘old’ systems up and running? (with the risk that you are no longer able to see the electronic data in case of software and hardware errors)
A print-out is only allowed if it is a true copy containing all raw data and metadata. In practice this is very difficult. The first option is to migrate the data to an appropriate system. Another option is to create a virtual environment in which the legacy system can be run in a validated state and all data can be retrieved.
Q12. Is it allowed to use personal notes in a lab or production environment? (personal notes: notes containing training information or attention points you documented during training or during discussions with colleagues, etc.)
No. All information needed to perform activities in a GXP environment should be described in controlled procedures and work instructions. Any data supporting a GXP batch must be controlled, maintained and reviewed.