Electronic Witnessing

Electronic witnessing is the MES capability that forces an independently executed, recorded, and attributable second-person verification for defined high-risk actions before a workflow can proceed. It replaces or augments manual cosignatures by requiring a separate authorized user to authenticate and review the same critical data (e.g., dispensed weight, lot ID, yield calculation, line clearance) and to apply a compliant e-signature linked to the specific record context. Properly designed, it upholds data integrity, role separation, and contemporaneousness, and it leaves an immutable audit trail suitable for batch release and inspections.

Regulators mandate the substance of the check—independent verification—while Part 11 and Annex 11 govern how electronic records and signatures must behave. Practical implementations sit at ISA‑95 Level 3 (MES), interfacing Level 2 controls as needed (e.g., scales, barcode scanners) and orchestrating user privileges, holds, and exceptions to demonstrate that the checker is unique, trained, and independent.

Pharmaceutical GMP is explicit: 21 CFR 211.101(c) requires components’ weighing and measuring to be checked by a second person, and 21 CFR 211.103 requires yield calculations to be independently verified. Batch production and control records must capture who did what, when (21 CFR 211.188), and electronic implementations must satisfy Part 11’s signature-binding and record controls. EU GMP Annex 11 mirrors these expectations for computerised systems, requiring controls for identity, access, audit trails, and system validation to show fitness for intended use.

• Pharma: independent checks per 21 CFR 211.101(c), 211.103; electronic records per Part 11.
• Medical devices: QSR requires documented, dated signatures on acceptance and process records; electronic records must meet Part 11 where used.
• Radiopharma: time-critical operations often rely on electronic witnessing to meet dual-verification expectations under GMP time pressure.
• Dietary supplements and blood/tissue: quality functions must review/approve key steps; when done electronically, Part 11 and data integrity expectations apply.

"Where documentation is maintained electronically, firms should implement controls that ensure electronic signatures are unique to an individual and linked to their actions in a way that they cannot be excised, copied, or otherwise compromised."

Electronic witnessing belongs at ISA‑95 Level 3, where MES orchestrates human workflows, recipes, and records. The MES enforces step interlocks (no progress until witnessed), prompts for a second identity, checks role privileges (RBAC), verifies independence from the performer, and writes audit trail entries. It integrates with Level 2 equipment (e.g., calibrated scales) to capture evidence and eliminate manual transcription.

• RBAC separation: distinct roles for performer and witness; eligibility based on training status.
• Permissive conditions: step completion is locked until independent e-signature is applied.
• Edge capture: direct device interfaces reduce transcription error and enable true review of original data.

Typical witnessed steps

• Component dispensing: verify correct material/lot, weighment within tolerance, label/ID match, container status.
• Yield and reconciliation: independent review of theoretical vs actual yield calculations (21 CFR 211.103).
• Line clearance and status changes: verify equipment/area clearance and status tags (e.g., from ‘clean’ to ‘in use’).
• Critical parameter entries: setpoints/limits for sterilization, mixing, or gamma exposure where human error risk is high.
• Sampling and chain-of-custody: verification of sample IDs, seals, and custody transfers.
• Label issuance/printing: confirmation of correct label version, UDI/lot/expiry, and reconciliation counts.

Patterns that scale

1. Dual-entry with independent compare: performer enters value; witness re-enters or scans from source; MES compares before accepting.
2. Source-data review: MES pulls the raw measurement from a trusted device and presents it to the witness for acceptance/rejection.
3. Barcode-scan double: distinct scans by performer and witness of item and lot; MES ensures the scans are from separate sessions/accounts.
4. Remote QA witness: controlled remote signoff with real-time evidence (photo/video, device feed, or e-records) where allowed by procedure.

Electronic witnessing is only as strong as its data integrity controls. Part 11 requires unique credentials, signature meaning, and binding to the record; Annex 11 expects audit trails, secured access, and validated functionality. MHRA’s data integrity guidance emphasizes independence of checks, contemporaneous recording, and prohibition of shared credentials. The audit trail must show both performer and witness identities, timestamps, values reviewed, decision (accept/reject), and any comments—immutable and reviewable.

• Identity assurance: multi-factor or equivalent controls proportional to risk; credential sharing prohibited.
• Signature meaning: prompt reason (e.g., ‘performed’, ‘witnessed’), consistent with SOPs.
• Independence rules: MES rejects a witness by the same user, same account, or non-eligible trainees.
• Time synchronization: system clocks controlled and monitored to preserve event order.
• Audit trail review: periodic and pre-release review procedures include witnessed steps and exceptions.

"Audit trails should be enabled and should capture all changes to GMP-relevant data, including the identity of operators making the change, time and date, and the previous and new value."

Not every step merits a second-person e-signature. Use quality risk management (ICH Q9 principles) to target steps with high potential patient, user, or product impact and a credible pathway for human error. Consider detectability, existing technical controls, and the feasibility of engineering out the risk. Where a reliable technical control lowers risk (e.g., device integration with interlocks), the witness burden can be reduced and reallocated to higher-value checks.

Witness controls must be efficient or they will be bypassed in practice. Remove friction with proximity cards or SSO for authentication (while maintaining non-repudiation), clear step prompts, and device integrations that limit rekeying. Stagger work to ensure a qualified, independent witness is available at the right moment and location. Provide structured checklists for cognitive support and ensure witnesses can see the original data (not just a derived value) before attesting.

• Make checklists visual and concise; surface tolerances and status at the point of decision.
• Timebox witness windows to align with process takt; trigger alerts to minimize waiting.
• Train on ‘what to look for’ and when to stop the line; reinforce that the witness is accountable.
• Prevent co-location bias by allowing remote witness where well-controlled and justified.

Electronic witnessing is a configured, category-appropriate function under GAMP 5 (2nd ed.). Validation focuses on intended use: who can witness, how independence is enforced, how evidence is presented, and how the audit trail records the event. Risk-based testing should include negative tests (reject same-user witness, expired training, disabled account), boundary conditions (clock drift, partial connectivity if edge devices are used), and data integrity checks (tamper attempts, signature meaning prompts).

1. Requirement traceability: map each procedural witness requirement (e.g., 211.101(c)) to MES configuration and test cases.
2. Security testing: verify RBAC prevents performer from witnessing own work; confirm password/biometric policies.
3. Audit trail verification: ensure complete, chronological, immutable entries with old/new values and identities.
4. Device interface tests: simulate out-of-tolerance and mismatch cases; ensure system blocks and escalates correctly.
5. Report/review tests: confirm witnessed steps are visible in eBMR/eDHR summaries and release checklists.

Witnessed steps should feed directly into batch review by exception and release decisions. Exceptions (e.g., a rejected witness check) must auto-trigger deviation or nonconformance records with linked evidence and corrective actions. QA dashboards should show witness compliance KPIs (completeness, timeliness, rejections) and enable drill-down to the audit trail and underlying source data. Where label control, equipment qualification, or training systems are external, interfaces must be synchronized to prevent false negatives (e.g., an eligible user treated as ineligible due to stale training data).

• Shared credentials or badge ‘buddying’: implement strong authentication, session timeouts, and monitoring; retrain and enforce disciplinary controls.
• Witnessing the wrong artifact: present original data (device values, label preview) and block attestations without source context.
• Paper-digital hybrids: inconsistent states create gaps; converge to a single system of record or tightly manage reconciliation.
• Over-witnessing low-risk steps: apply QRM to reduce noise and focus human attention where it matters.
• Inadequate audit trail review: formalize periodic reviews and automated flags for unusual patterns (e.g., same pair always witnessing).
• Clock drift and time anomalies: implement NTP-synchronized, monitored time sources; document controls per validation.

Address root causes with procedural clarity (definitions of ‘independent’, ‘qualified’, and ‘contemporaneous’), technical blocks (role rules, geofencing, device capture), and quality system feedback loops (deviations triggering CAPA and training updates). Align remediation with inspector expectations—show design control, validation, and ongoing effectiveness checks.