CWWeekly presents this biweekly feature as a spotlight on issues that executives in clinical research face. This week, writer Suz Redfearn spoke with Kevyn Matijevich, validation specialist at Rho, a full-service CRO that focuses on moving clinical research in a more digital direction.
Q: How accepting have regulatory bodies been of eSignatures in clinical research?
A: In 1999, the FDA released the 21 CFR Part 11 regulation, which allows for the use of electronic signatures and electronic records in the clinical research space. An eSignature can be any symbol, series of symbols or a graphic authorized by an individual to be the legally binding equivalent to the individual’s handwritten signature. The agency is accepting of eSignatures in clinical research, and in fact favors them now for submissions, which they’ve expressed in guidance documents. Along the way, there have been a few obstacles from the regulatory side.
Since the release of Part 11, other agencies, like the U.K.’s Medicines and Healthcare products Regulatory Agency (MHRA), are now accepting electronic submissions and electronically signed data and documents. However, there are a few instances where MHRA doesn’t accept digital signatures during a submission.
Q: What is holding the industry back from diving in wholeheartedly with eSignatures?
A: Back in 1999, the industry said, “Whoa, we have a lot of work to do before we can adopt eSignatures.” When 21 CFR Part 11 was released, the industry realized they needed to validate all of their current software to add audit trails. Then and only then could the industry start building systems with eSignatures. Prior to using those systems, they also needed to create policies, procedures and training programs.
Currently, most companies are using some form of electronic signatures. Few companies today are 100% paper-based, but there are still many companies using paper documentation for clinical research work. There is still work to do to get the industry closer to 100% electronic-based.
The next step in eSignatures technology is digital signatures, which use public key cryptography. When implemented correctly, it’s more secure than a handwritten signature and is flexible enough to be used within different types of software, such as email or document sharing. But as usual, the industry has been slower to adopt digital signatures because its inner workings are not as easily understood, and there are some additional measures that have to be taken to get it in place. If you use a digital signature to sign a legal real estate document, for example, no one would blink an eye—but you can’t do that for clinical research. In research you must have policies, procedures, training and validation of software.
There seems to be a 10-year adoption period for anything new in the clinical research industry. We have accepted electronic records and electronic signatures. The industry has been talking about digital signatures for about five years, and the Electronic Common Technical Document (eCTD) guidance released in 2015 requires use of electronic signatures for signing FDA forms 1571 or 356h. So, I think in about five years we’ll see a lot more acceptance.
Q: The FDA has provided instructions on creating a self-certified digital signature for documents such as the 1572, the form that establishes a relationship between the FDA and clinical investigators in advance of study startup. How do you verify those signatures?
A: The FDA has said you may sign with a self-certified certificate. They have stated on the FDA website that they cannot hold a digital signature to a greater standard than a handwritten signature. A self-certified certificate is a signature that one creates on their own, as opposed to using a certificate authority, like Verisign. A signature with a certificate from a certificate authority has been verified. This is more secure and allows the receiver of the signatures to accept that the signer is associated with the digital certificate. A self-certified certificate is trickier to accept because when you receive one of these, you cannot be 100% certain exactly who it came from.
For example, a site investigator can ask his coordinator to create a signature for him. She can create it on her computer, and that’s where it “lives.” She can then sign the FDA form 1572 for him, and the recipient wouldn’t know if the investigator signed or not. For this reason, I recommend companies work to create a training program and procedures for how to verify and accept self-certified certificates. In the example above, the FDA form 1572 is created at study startup. At this point, you may not have had a monitor travel to the site yet. The only way to verify the self-certified signature is to call the investigator and ask if the signature is his. Once at the site, the monitor can ask to verify the validity of the self-certified certificate by viewing the site investigator’s computer. That type of verification is complicated and time consuming.
The industry continues to struggle with self-certified certificates. Why is it that this technology isn’t required to meet Part 11 requirements? Hopefully, the agency will release additional guidance with regard to self-certified signatures and Part 11. Until then, I recommend that companies using and receiving self-certified certificates work with their legal teams to ensure signatures meet all legal and regulatory requirements.
This article was reprinted from Volume 20, Issue 39, of CWWeekly, a leading clinical research industry newsletter providing expanded analysis on breaking news, study leads, trial results and more.