Can You Trust E-Signatures From Your Software Package Vendor?

EduQuest, a global team of FDA compliance experts, answers industry’s pressing questions. In this round, Martin Browning, President and Co-Founder of EduQuest, provides insight into the validity of e-signatures from vendors.

Question: I have concerns about e-signatures supplied by a software vendor. Our company is using a Quality Management System (QMS) supplied by a software vendor who provides a validation package. The package shows how the QMS was validated, and the documents within this package are e-signed.

The tool used by the vendor for e-signing the documents is fully tested, and the test is documented. However, the validation cycle that incorporated that test is not documented as needed.

With this in mind, can we trust the e-signatures on the validation documentation supplied by the vendor?

Answer: You’re right to be concerned — but let’s take a step back and look at the big picture of what you’re dealing with here.

First, using an off-the-shelf QMS is usually not possible without significant modification. Each modification requires validation to assure it suits you, the user. So the validation package provided by your vendor must be supplemented by your validation of any modifications.

Then let’s assume some of the documents in the provided package are not touched by your modifications. If so, the validation of these individual documents may still be valid. (Keep in mind, though, that validation must include the system as a whole, so even unmodified documents may have had their “intent” modified, even if the words remained the same).

But for now let’s assume the intent has not changed. Making all these assumptions — which can be very dangerous if they are wrong — just gets us to the point where we can actually evaluate the validity of the e-signatures portion of the documentation.

Second, as you know, software validation is achieved only through development of the software using good software development practices (GSDP), which includes the process, procedures, cycle, testing, etc. — all designed to yield valid software and documented results.

Validation must include documentation, or it is not validation. At a minimum, you must establish (note the regulatory meaning of that word) the validity of the e-sigs you want to accept based on your intended use.

Third and finally, FDA regulations require that you, the regulated entity, validate for intended use. At a minimum, you must establish (again, note the regulatory meaning of that word) the validity of the e-sigs you want to accept based on your intended use.

Companies need a validation protocol (a plan), assessments based on that protocol, audits of the vendor targeting your intended use, assessment of the vendor’s GSDP and verification that the vendor’s e-sigs mean the same as yours.

In summary, the answer to your question is “no” — trust must be verified, and in the case of medical devices, validated.


Mr. Browning, President and Co-Founder of EduQuest, served as an expert field investigator and Special Assistant to the Associate Commissioner for Regulatory Affairs during his 22-year career at FDA. EduQuest can be reached by email

Join us!

The best of BONEZONE content delivered to your inbox, twice each month.

RELATED ARTICLES



CONTACT BONEZONE

 

CONTACT BONEZONE