Electronic signature in pharmaceutical manufacturing: Does it preserve data integrity and comply with regulations?

Published On: 11/06/2023 | 5 min read

Password-based electronic signatures are widely used in manufacturing software (MES, ERP) in the pharmaceutical industry, putting data integrity and regulatory compliance at risk. The solution is the biometric electronic signature.

In two previous articles we explained the need for the pharmaceutical industry to comply with data integrity regulations in GMP-regulated environments.

In them we described how important the secure identification of the employees performing actions in production processes is.

In this article we describe in more detail the problems of identifying employees with password-based electronic signatures in digitized production processes, and how they affect data integrity and compliance with regulations. We will analyze paper-based production processes in a later article.

The electronic signature as authentication method

Pharmaceutical companies with digitized manufacturing processes use different types of manufacturing control software: ERPs (Enterprise Resource Planning) specialized in industrial environments, MES (Manufacturing Execution System) for the execution of tasks in the manufacturing and conditioning areas, and/or LIMS (Laboratory Information Management System) for the quality control laboratory.

In these systems, employees identify themselves with their electronic signature for each action they report. The regulations make it mandatory that every process in the manufacture of medicines is signed by the responsible person.

Specifically, the EMA in its Annex 11 of the GMP guidelines, as well as the FDA (Food and Drug Administration, USA) basically establish:

  • The signature must identify the user of the signature along with the date and time of the action.
  • Each electronic signature must be unique to an individual, and must not be reused or reassigned to anyone else.
  • Each user must be able to be identified securely, without any doubt.

If the electronic signature is based on biometric identification, the regulation establishes that no other identification elements are required, because of the maximum security provided by biometrics in a single step at any point of identification.

Otherwise, it is regulated that:

  • Electronic signatures must use at least two different identification elements, such as identification code and password.
  • When an employee performs several signatures during a single, continuous period of controlled access to the system, the first signature is made with both components of the electronic signature; for subsequent signatures, for convenience, only one of them is enough.
  • In the case of using username and password, controls must be applied to ensure their security and integrity. Such controls shall include maintaining the uniqueness of each identification code and password combined, avoiding two different people having the same combination.

Electronic signature using passwords puts data integrity at risk

The electronic signature most commonly used in current manufacturing software in the pharmaceutical industry is based on entering two identification codes: login + password.

Its use causes the following problems:

1.- Security problems in the employee’s identification.

2.- Inconvenience for the employees using passwords.

3.- Loss of employee time in the identification.

4.- IT team costs for password management.

5.- Risk of having to report on paper if passwords are forgotten.

In the rest of this article we focus on the most serious problem, insecurity in user identification, and leave the rest of the problems for a later article.

The use of passwords puts the integrity and traceability of the data at risk, and with them compliance with pharmaceutical regulations and the desired level of quality, for the following reasons:

  • Any employee could report activities for another, simply by knowing his or her username and password. It is very easy to share passwords among different people in messages or chats, or even written on a piece of paper.
  • For a series of processes within one period, the regulation allows that, after the first signature with username and password, the following signatures in the period are made with the username only. But this is even more insecure, since an employee could leave the session “open” with his or her username and password, and others could continue to sign in that session simply by knowing the username.
  • There may be cases of employees approving processes remotely by entering username and password, rather than physically being at the right location, to first verify the tasks before approving them.
  • The inconvenience of entering a username and password to register each operation may lead the company to decide to sign several processes at the same time, when the right thing to do is to sign them one by one.
  • The same inconvenience can lead the company to set long inactivity periods before a workstation locks, which would allow an employee to use another employee’s open session either intentionally or by mistake. These issues can occur when an employee is absent from the workstation, or is working on multiple work lines at the same time.
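
As an added example (not part of the original article or of any vendor's product), the following Python reviews an audit trail for three of the patterns listed above: a one-component signature after a long idle gap in an open session, a session whose first signature used only one component, and several signatures made almost simultaneously. The record layout, user and session names, and both thresholds are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit-trail records (not from a real MES):
# (timestamp, user, session id, components used for the signature)
AUDIT = [
    ("2023-06-11 08:00:05", "op_a", "s1", "id+password"),
    ("2023-06-11 08:04:10", "op_a", "s1", "id"),
    ("2023-06-11 09:10:00", "op_a", "s1", "id"),           # session idle for over an hour
    ("2023-06-11 09:30:00", "op_b", "s2", "id"),           # no two-component signature first
    ("2023-06-11 10:00:00", "qa_c", "s3", "id+password"),
    ("2023-06-11 10:00:02", "qa_c", "s3", "id+password"),  # burst of approvals
    ("2023-06-11 10:00:03", "qa_c", "s3", "id+password"),
]

MAX_IDLE = timedelta(minutes=15)     # assumed site policy for a "continuous period"
BURST_WINDOW = timedelta(seconds=5)  # assumed: too fast for one-by-one verification


def review(records, max_idle=MAX_IDLE, burst=BURST_WINDOW):
    """Return (timestamp, user, reason) for every signature that needs review."""
    findings = []
    last_seen = {}  # session id -> time of the previous signature in that session
    for ts, user, session, components in sorted(records):
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        prev = last_seen.get(session)
        if components == "id":
            if prev is None:
                # The first signature of a period must use both components.
                findings.append((ts, user, "first signature in session used one component"))
            elif now - prev > max_idle:
                # The period was not continuous: someone else may be at the keyboard.
                findings.append((ts, user, "one-component signature after idle session"))
        if prev is not None and now - prev <= burst:
            findings.append((ts, user, "signatures in rapid succession"))
        last_seen[session] = now
    return findings


if __name__ == "__main__":
    for finding in review(AUDIT):
        print(*finding, sep=" | ")
```
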

So how can we securely use electronic signatures?

The regulation recognizes the maximum security provided by biometric identification as an electronic signature, and does not require any further identification components.

This is because biometrics allows us to identify ourselves through our body (without cards that can be stolen or copied and without passwords that can be transmitted or hacked), thus avoiding any possibility of error or fraud, and maintaining maximum security, convenience and speed.

In later articles on this blog we go into more detail on how to use biometric technologies as an electronic signature in drug manufacturing processes.

Find out how Verázial ID Pharma solves all employees’ identification problems in the pharmaceutical manufacturing processes.

Contact us for a demo and/or a customized analysis.
