Electronic and digital signatures should be considered on an equal level to handwritten signatures (“wet ink”).
The requirements that need to be fulfilled depend on the extent of the binding force that is to be achieved and so depend on the document that is to be signed.
This article explains
- when manufacturers need a signature,
- under which circumstances documents may be signed electronically,
- what type of electronic signature is required,
- what the difference is between an electronic and a digital signature,
- how electronic signing can be put into practice.
1. When is a signature needed?
a) Medical Device Regulation MDR
The MDR explicitly demands signatures, for example, in Annex IV on the “EU Declaration of Conformity”:
“The EU declaration of conformity shall contain all of the following information: […] Place and date of issue of the declaration, name and function of the person who signed it as well as an indication for, and on behalf of whom, that person signed, signature.”
MDR, Annex IV
Manufacturers must also provide a signature when they request a notified body to carry out a conformity assessment. In the case of clinical investigations, the MDR requires the signatures of the “principal investigators.”
Further demands for signatures concern the notified bodies:
- obligation of employees
- decision on certifications
- certificates
b) IVDR
The IVDR has the same requirements as the MDR. The only exception is that the IVDR does not require a signature for clinical performance studies, the IVDR counterpart of clinical investigations.
c) ISO 13485:2016
DIN EN ISO 13485:2016 does not mention the term “signature.” However, in Section 4.2.4 (Control of Documents) it demands that:
“A documented procedure shall define the controls needed to:
a) review and approve documents for adequacy prior to issue; […]”
DIN EN ISO 13485:2016, Section 4.2.4
This means that manufacturers are obliged to prove that
- documents are written, reviewed, and approved,
- this occurs in this order,
- it is not the same person who writes, reviews, and approves each document, and
- approval takes place prior to issue.
Compliance with these requirements is only possible by assigning the document and the activities to a person and a date for each activity. This assignment is usually done on paper with a signature. There are alternatives for electronic documents and records (see below).
In all cases, the following must be documented:
- Authorship: “I am responsible for the contents and consider them to be correct”
- Review: “I have reviewed the contents according to established criteria and they meet the criteria”
- Approval: “The contents can be used in the further process (and I have the authority to decide this)”
These requirements are understandable: Creating a system specification before collecting and documenting the user requirements usually makes little sense. The design must have been tested before a device is duplicated in production.
d) Summary
- Manufacturers are obliged to create documents such as technical documentation and the declaration of conformity.
- They only have to sign a few of these documents.
- A signature is more necessary to confirm device conformity (declaration of conformity) than process conformity (records, technical documentation).
- The evidence of process conformity must show who carried out which step (e.g., an approval) at which point in time and in which way.
2. When are electronic signatures needed?
Electronic documents and records are not yet mandatory everywhere. However, there is growing pressure from authorities and notified bodies to do so. Standardized electronic formats such as CDISC for clinical investigations and the FDA’s eStar program are increasingly becoming the only efficient way to exchange data and information.
The switch from paper to electronic documents does not always mean that handwritten signatures must be replaced with electronic ones. Instead, companies can assess whether a signature is mandatory or whether it is possible to track which person performed which activity at which time by other means.
Your QM system’s requirements must be adapted when changes are made.
The switch to electronic media is increasingly leading to a change from document-driven to data-driven processes. This results in a shift from paper to electronic documents based on structured data.
The structured data must also comply with the legal requirements for controlling documents and records.
The Johner Institute supports manufacturers and notified bodies in their digital transformation.
3. When are electronic signatures allowed?
a) In Germany/Europe: BGB, VDG, eIDAS
In §126 “Written Form,” the German Civil Code (BGB) explicitly gives permission to replace handwritten signatures with electronic signatures:
“… (3) Written form may be replaced by electronic form unless another form is required by law. …”
Translated from BGB, § 126
When it comes to legally required signatures, the German Civil Code raises the bar even higher:
“(1) If the legally required written form is to be replaced by the electronic form, the issuer of the declaration must add his name to it, and the electronic document must be provided with a qualified electronic signature.”
Translated from BGB § 126a
The German Trust Services Act (Vertrauensdienstegesetz VDG) (formerly the German Signature Act), which implements the EU Regulation eIDAS (formerly the Signature Directive), regulates what a “qualified electronic signature” is (see Fig. 1).
b) USA – FDA: 21 CFR part 11
The FDA allows written signatures to be replaced by electronic signatures. The signatures and the signed documents must then meet the requirements of 21 CFR part 11.
The requirements of this administrative law only apply to companies that communicate with the FDA or that have to present documents to the authority, e.g., during an inspection.
Read more on 21 CFR part 11 here.
4. What types of electronic signatures exist?
The EU Regulation on electronic identification and trust services (eIDAS (910/2014) for short) differentiates between three types of electronic signatures:
- electronic signature
- advanced electronic signature
- qualified electronic signature
a) Electronic signature
The eIDAS defines an electronic signature as follows:
“[…] data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;”
eIDAS
The inclusion of a scanned signature in a document is an example of an electronic signature. The signature in an email is also an electronic signature.
This signature is the weakest form of proof as it cannot be guaranteed that the persons themselves have “attached or logically associated” these data, nor can the time that it was attached be tracked.
b) Advanced electronic signature
The next level is the advanced electronic signature.
“Electronic signature which:
- is uniquely linked to the signatory;
- is capable of identifying the signatory;
- is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
- is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.”
eIDAS
Examples of this type of electronic signature are version control systems like SVN or Git:
- When the user clicks on “commit,” the name of the person and the time are also saved every time.
- The person can be identified by username and password.
- On an organizational level it can be guaranteed that only the individuals themselves have these credentials.
- Finally, checksums ensure that any subsequent changes to the data do not go unnoticed.
This is precisely what version control systems are designed for.
But even advanced electronic signatures can be manipulated:
- If the organizational measures are not effective, a second person could use the same name or gain access to the access data, thus stealing the identity of the first person.
- The timestamp could be manipulated by changing the system time of the version control system.
To minimize these disadvantages, a higher “level of integrity” may be required, the qualified electronic signature.
Many electronic signature service providers “only” offer advanced signatures. Nevertheless, in practice, extensive contracts are signed with them.
c) Qualified electronic signature
This type of signature is also defined by the eIDAS:
“An advanced electronic signature which is
- created by a qualified electronic signature creation device, and
- based on a qualified certificate for electronic signatures”
eIDAS
Annex II of the regulation adds:
“(3) Generating or managing electronic signature creation data on behalf of the signatory may only be done by a qualified trust service provider.”
eIDAS
These service providers include in Germany:
- The German Federal Employment Agency
- German Chamber of Notaries
- Deutsche Post AG
- D-Trust GmbH
- Deutscher Sparkassen Verlag GmbH
- Deutsche Telekom AG
- DGN Deutsches Gesundheitsnetz Service GmbH
- medisign GmbH
5. What type of electronic signature is needed?
a) Risk-based approach of ISO 13485:2016
ISO 13485:2016 states that processes and the validation of computer systems should be risk-based. The risk-based approach should also be applied when choosing the type of electronic signature.
When it comes to human life (device conformity), the highest level will be chosen. An advanced electronic signature should suffice when proving that you have followed your standard operating procedures (process conformity).
In other words, a declaration of conformity should be signed by manufacturers by hand (“wet ink”) or with a qualified electronic signature. An advanced electronic signature is sufficient for specifications, test reports, etc.
b) Legal requirements in Europe
The eIDAS makes it explicitly clear:
“1) An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.”
eIDAS
c) Legal requirements in the USA
21 CFR part 11 differentiates between the electronic signature and the digital signature:
(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.
21 CFR part 11
Here, the electronic signature corresponds to the electronic signature according to eIDAS and the digital signature at least to the advanced electronic signature.
The FDA does not impose any requirements that can only be met through a qualified electronic signature. It requires:
- Falsification must be detected (11.10)
- Appropriate standards for digital signatures to be able to guarantee the authenticity, integrity, and confidentiality of records (11.30)
- A guarantee that signatures cannot be excised or transferred to other documents (11.70)
- If a person wishes to provide several electronic signatures, he or she must first log in with all credentials (typically username and password), then with at least one component for each individual signing (typically password or PIN) (11.200)
- A guarantee that collaboration of two or more individuals is required to forge the electronic signature of a third party (11.200)
- On the electronically signed document the FDA expects the name of the signatory (printed, no image/scan of the signature), date and time of signing, and what is confirmed by the signature (authorship, review, approval) (11.50). This signature can also be stored in the system for documents that “live” in systems (e.g., an ALM tool) if it is technically inseparable from the document’s content.
Conclusion: None of these requirements makes it compulsory to use qualified electronic signatures. An advanced electronic signature, combined with a validated system and appropriate organizational measures, is sufficient.
6. How do you create a digital signature?
The Johner Institute recommends the use of tools for creating digital signatures. The type of tool that is appropriate depends on the manufacturer’s way of working:
- If a manufacturer works primarily with documents, the products from Adobe and Microsoft (e.g., Word) alone or with plug-ins are sufficient for compliance with the technical requirements for an advanced electronic signature.
- The Johner Institute creates most documents in Markdown format and uses Git as a version control tool. The requirements for an advanced electronic signature can be met through appropriate organizational measures (e.g., specifications for branching and merging).
- A very elegant solution is to use tools that maintain the contents of the documents in a database, such as the ALM tools from Medsoto (MedPack, RiskPack, and Polarion ALM). These products already have built-in mechanisms to generate legally compliant advanced electronic signatures, such as password-protected approval confirmations.
The signing of declarations of conformity does not normally justify the effort of setting up a system with which qualified electronic signatures can be created.
7. How does digital signing work technically?
a) Digital signature: What does this have to do with a hash value?
First of all, a hash value is calculated from the document. The hash value is a character string (currently usually 254 bits or longer) and is equivalent to the document’s fingerprint. Even a slight change to the document leads to a different hash value, which is how a modification is detected during verification. It is (with realistic effort) not possible to infer the contents of the document from the hash value.
Procedures (algorithms) that are well-known and still used to calculate this value today are MD5 (128 bits), SHA-256, and SHA-512. Every year, the BSI (German Federal Office for Information Security) issues recommendations in this regard, which are agreed upon with experts.
Typical lengths for a digital signature are 1536 bits and more. Since hash algorithms produce considerably shorter strings, the hash value is filled out to the required length with fixed padding bytes before it is signed. This procedure is called padding.
b) Encrypting, RSA, and digital signatures
Up to this point, neither the original document nor its hash value can be assigned to an author. This happens in the second step, in which the (padded) hash value is turned into a signature by a signature procedure using the author’s private key. Widely used asymmetric procedures for this are RSA and DSA.
Please note: For signature purposes it is the hash value, not the whole document, that is combined with the key. The aim is not to conceal the contents of the document but “only” to guarantee its integrity. The hash value is therefore an important component of the digital signature.
The BSI also analyzes the security of the recommended signature and encryption procedures annually. A signature based on RSA or DSA with a length of 3000 bits is considered secure (source, only available in German).
c) Key, certificate, and certification body
Certificates prove that the key can truly be assigned to the author in a trustworthy manner. They are issued by trust centres (certification bodies), are signed by the centre (and thus have integrity) and, alongside the name of the author and the expiration date, also contain their public key. The public and private key thereby form a pair. Whilst the public key is created from the private key, this is not possible the other way around, that is, the private key cannot be ascertained from the public key. The security of the procedure is based on such a “one-way function.”
Using the public key from the certificate of the potential sender, the recipient can verify the digital signature attached to the document and thus check the correctness of the information about the author or sender. Verification also reveals the hash value stored in the signature. The recipient then compares this recovered hash value with the hash value they have calculated themselves from the document using the same algorithm. If both coincide, the recipient knows for sure that the document has not been modified and so is authentic.
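The hash, padding, signing and verification steps from a) to c) as one added example (not the article’s own code), written in Python with only the standard library: a teaching-grade RSA with PKCS#1 v1.5 padding over SHA-256 and demo-sized keys. It assumes the recipient already trusts the public key, i.e. the certificate check from c) has been done.

```python
import hashlib
import hmac
import random

SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 DigestInfo prefix for SHA-256

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    d, r = n - 1, 0  # Miller-Rabin test (demo grade); n is assumed odd and > 3
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and odd
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 1024):
    e = 65537  # public exponent; 1024-bit demo key only, the BSI asks for 3000 bits and more
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public key, private key)

def padded_hash(document: bytes, em_len: int) -> bytes:
    """Step a): hash the document, then pad the hash out to the key length (EMSA-PKCS1-v1_5)."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(document).digest()
    if em_len < len(t) + 11:
        raise ValueError("key too short for SHA-256 with this padding scheme")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def sign(document: bytes, private_key) -> bytes:
    n, d = private_key  # step b): the private key is applied to the padded hash, not the document
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(padded_hash(document, k), "big"), d, n).to_bytes(k, "big")

def verify(document: bytes, signature: bytes, public_key) -> bool:
    n, e = public_key  # step c): recover the padded hash with the public key and compare it
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, padded_hash(document, k))  # constant-time compare
```

Any change to the document, even one byte, makes the freshly computed padded hash differ from the one recovered from the signature, so verify returns False.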
8. Conclusion and summary
a) Avoid unnecessary effort
Some companies’ efforts to comply with alleged legal requirements produce some strange results: Electronic documents are being created, then printed out, signed, and scanned in again. This scan is then moved to a document management system for archiving, which uses a complex authorization process to ensure that the people who work with it can be identified.
It is easy to impair process efficiency by setting unreasonably high requirements and, thus, paralyze the entire company.
b) Act in a future-proof manner
The digital transformation of manufacturers, authorities, and notified bodies will not succeed by switching from paper to electronic documents. Instead, a switch from documents to structured data is necessary to automate (regulatory) processes.
The systems used for this must comply with the requirements of ISO 13485, particularly regarding the control of documents and records, even if no (electronic) documents exist at all.
The Johner Institute helps manufacturers automate regulatory processes, in particular to
- relieve regulatory affairs and quality managers of routine work,
- drastically reduce time to market,
- minimize regulatory risks, and
- ensure competitiveness and workplace safety.
If you are interested, please contact us via the contact page.
c) Act risk-based
The choice of signature level should be risk-based: The Johner Institute recommends a qualified electronic signature, especially for declarations of conformity (“it’s a matter of life and death”) and external legal transactions. In other cases, an advanced electronic signature, which can be created with many tools, is sufficient in combination with appropriate organizational measures.
Some auditors make demands regarding electronic signatures that have no legal basis. These auditors usually act inconsistently because they do not insist on a signature sample for handwritten signatures either.
Despite all the enthusiasm for electronic signatures and digitalization, isn’t it also a solemn act to sign the declaration of conformity with an actual pen and confirm that the device is safe and will benefit the patient?
Change history:
- 2024-07-29:
- Editorial changes
- Chapter 1 updated, including removal of MDD and addition of IVDR
- Chapter 2 rewritten
- Chapter 8.c) added
- 2019-04-19: Article revised and eIDAS requirements added