Peak 1/98


INCORPORATING ELECTRONIC SIGNATURES IS A MAJOR STEP
Toward the "Paperless" Pharmaceutical Lab

After meeting with members of the pharmaceutical industry in 1991, the FDA* created a task force on electronic identification/signature to address the scope, implementation procedures, and general requirements of electronic signatures, and to develop a uniform approach by which it could accept electronic signatures and records. The goal: to take a major step toward creating a "paperless" laboratory.

On March 20, 1997, the final ruling on electronic records, signatures and submissions, known as 21 Code of Federal Regulations, Part 11, was signed and published.

The FDA defines electronic signatures as the computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of an individual's handwritten signature.

Electronic Records: Unique Risks

The main issues surrounding electronic signatures involve the controls needed to address the unique risks associated with an electronic records system. Unlike paper records that contain static information, electronic records built upon information databases are actually representative of information that is dispersed in various parts of the database. The same software that generates database representation can also misrepresent it, depending on how a query is prepared, for example.

Password or Biometric ID?

Electronic signature systems, although not considered foolproof by the FDA, are nonetheless significant in providing security against unauthorized access to or control of electronic records. There are two main forms of electronic signatures: biometric signatures, such as retinal scans, and identification-code signatures (a user ID in combination with a unique password). Electronic devices based on biometrics, while inherently more secure, are expensive and difficult to implement.

An electronic signature based on a keyboard entry such as user name and a password, on the other hand, is easy to implement and has been in use for some time. The important requirement is that the signature be unique to one individual and not be reused by, or assigned to, anyone else in that particular organization. For most laboratories, this method is preferable to biometric devices.

HP Paves the Way

Hewlett-Packard's ChemStation is designed to make using electronic signatures as easy as possible. One of the key FDA requirements is that of validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records (Section 11.10a). Taking validation as seriously as it does, HP has implemented a five-step validation program that offers software tools and kits to facilitate and automate the necessary steps, ensuring that you meet the requirements.

The 5 Steps for Validation

  1. Qualify your vendor and your vendor's design

    A Declaration of System Validation, shipped with each computer system, is your assurance that your product has been validated during development.

  2. Qualify the instrument in your laboratory before beginning operation

    HP furnishes checklist forms for installation qualification (IQ) and standard operating procedures, software and services for operational qualification and performance verification (OQ/PV).

  3. Validate your analytical method

  4. Qualify system performance during routine operation

  5. Ensure data security, integrity and traceability

At Least Two IDs

The FDA states that an electronic signature that is not based on biometrics must employ at least two distinct identification components, such as an identification code and a password. The HP ChemStation satisfies these requirements. Its mandatory NT logon requires user identification and password, and an NT session can be locked, with a password required for reentry. Screen savers are password-protected also. For added security, entry into the software itself also requires a password.

The FDA additionally requires that the signature should contain the printed date/time stamp, and activity (review/approval, etc.) associated with the signature. The date/time stamp should be generated by a mechanism that is controlled independently of the person executing signatures. The electronic signature should also be linked to the respective records so that it cannot be copied and used to falsify another record. To meet these requirements, the HP ChemStation's data files, methods, and logbooks contain computer-generated time stamps, with the data files and method registers also carrying the operator's name, and the NT user account system carrying user identification, user name, and password.
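The record-linking requirement above can be illustrated with a short added example; it is not code from HP ChemStation or from the FDA rule. It assumes a hypothetical signing service that holds a secret key (`SERVER_KEY`), takes the time stamp from its own clock rather than from the signer, and uses an HMAC as one possible binding mechanism. All names and sample records are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: key held by the signing service, never by the person signing.
SERVER_KEY = b"constructed-demo-key"

def _mac(fields):
    # Canonical JSON so the same fields always produce the same MAC.
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def sign_record(record_bytes, user_id, meaning):
    """Return a signature manifest bound to this exact record content."""
    manifest = {
        "record_sha256": hashlib.sha256(record_bytes).hexdigest(),
        "signer": user_id,
        "meaning": meaning,  # the activity, e.g. "review" or "approval"
        # Time stamp comes from the service clock; the caller cannot supply it.
        "signed_at": datetime.now(timezone.utc).isoformat(),
    }
    manifest["mac"] = _mac(manifest)
    return manifest

def verify_signature(record_bytes, manifest):
    """True only if the manifest is unmodified and belongs to this record."""
    fields = {k: v for k, v in manifest.items() if k != "mac"}
    if not hmac.compare_digest(_mac(fields), str(manifest.get("mac", ""))):
        return False  # signer, meaning or time stamp was altered
    actual = hashlib.sha256(record_bytes).hexdigest()
    return hmac.compare_digest(str(fields.get("record_sha256", "")), actual)

if __name__ == "__main__":
    # Constructed sample records standing in for two data files.
    record_a = b"sample=LOT-001;assay=99.2%"
    record_b = b"sample=LOT-002;assay=71.5%"
    sig = sign_record(record_a, "jdoe", "approval")
    print(verify_signature(record_a, sig))  # signature on its own record
    print(verify_signature(record_b, sig))  # same signature copied elsewhere
```

Because the manifest carries the hash of the record it was issued for, a signature copied onto a different record fails verification, as does one whose activity or time stamp has been edited after signing.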

These are just a few examples of how the HP ChemStation has been developed to provide electronic signatures. A full list of the FDA requirements can be found at the web site of the U.S. Food and Drug Administration at

http://www.fda.gov/cder/esig/index.htm

*U.S. Food and Drug Administration