Two-person e-signature

A two-person electronic signature is an approval pattern that requires two distinct, independent, re-authenticated human signatories to execute a regulated action — typically one as the preparer / doer / dispenser and one as the independent reviewer / witness / checker. Both signatures are bound to the same record, the same content snapshot and the same point in time. Neither signer can act for the other and the system enforces the independence at the data layer.

Two-person is sometimes called four-eyes, dual-signature, witnessed signature, preparer-and-reviewer, or maker-and-checker. The pattern long pre-dates electronic signatures — pharmaceutical and supplement plants have had two-person paper charge-in books since the 1970s. What changed with Part 11 is that the electronic version has to enforce, in software, what the paper version enforced by physical presence and ink.

The two-person obligation is scattered across multiple sections of cGMP rather than living in a single 'two-person' rule. The principal US loci:

Note 211.186 says 'full signature, handwritten' — in 1978. Part 11 (1997) and subsequent FDA guidance made clear that electronic signatures satisfying Part 11.200 are equivalent. The substantive obligation is two-person; the form is electronic.

Part 11.200 sets the floor for any electronic signature, and the two-person variant has to satisfy it twice.

Part 11.200(a) — non-biometric electronic signatures

1. Employ at least two distinct identification components — typically userid + password.
2. When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
3. When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

Part 11.50 — signature manifestations

Each signed electronic record must contain information associated with the signing that clearly indicates the printed name of the signer, the date and time of execution, and the meaning (review, approval, responsibility, authorship). This information must be subject to the same controls as for electronic records and must be included as part of any human-readable form of the record (display, printout).

Two-person additions on top

• The two signers must be distinct individuals. The system must not allow the same user to satisfy both roles.
• The second signer must independently re-authenticate — not inherit the first signer's session.
• The two signatures must bind to the same content snapshot. If the record changes between signature 1 and signature 2, signature 1 must be invalidated.
• Both signatures must satisfy Part 11.50 manifestations: printed name, timestamp, meaning, embedded in the rendered PDF / display.
• Both signatures must be in the audit trail under 11.10(e) and Annex 11 §9.

Independence has two layers: identity-independence (the two signers are different humans) and role-independence (the second signer has not been compromised by reporting line, conflict of interest, or shared accountability with the first). Identity-independence is enforceable in software. Role-independence is enforceable in policy, with software support.

Identity-independence — enforceable at the data layer

• The two signature records must reference different user IDs.
• Each signer must re-authenticate (Part 11.200(a)(2) for same-session second signing) or fully re-login (Part 11.200(a)(3) for non-continuous).
• The system rejects an attempted second signature from the same user ID; it should also detect and reject same-device same-session same-IP signatures as a configurable warning.

Role-independence — enforced by policy and role

• The reviewer cannot be the preparer's direct report (Quality Unit independence under 211.22).
• The reviewer must hold a role qualified to review the document type. A weighing operator cannot review the formulation chemist's MMR.
• The reviewer must be trained and current on the SOP governing the record they are reviewing.
• For QP release, the QP cannot be the same person who prepared the BMR or signed off the in-process tests.

A subtle and frequently-failed requirement: the two signatures must bind to the same content. If the preparer signs version 1 of the MMR and then the chemist edits the MMR before the reviewer signs, the reviewer is signing version 2 — but the audit trail must show that the preparer's signature is no longer valid on the current content.

Two implementations exist. Either the preparer's signature is invalidated by any post-signature edit, forcing re-signing (the more common approach), or the record is locked between signatures (no edits allowed). V5 uses the lock-between-signatures approach because it is operationally cleaner — the preparer's signature is captured against a hash of the content, and any edit after signature 1 requires explicit unlock-edit-re-sign with reason.

On the rendered PDF or display, both signatures must show the meaning, name, timestamp and the hash of what was signed. A defensible PDF includes a signature manifest at the end of the document with both signers' details and the content checksum each one signed.

Same-session sequential (preparer then reviewer)

Both signers are physically present at the same terminal. Preparer authenticates fully, signs. Reviewer authenticates fully (not just one component — different session for the second signer counts as non-continuous under 11.200(a)(3)), reviews, signs. Common at the kiosk for charge-in two-person under 211.101.

Different-session sequential (workflow)

Preparer authenticates and signs at their terminal. The record routes to the reviewer's queue. Reviewer logs in at their own terminal at their own time, reviews, authenticates and signs. Common for MMR approval under 211.186.

Witness signature (preparer + concurrent witness)

Preparer performs the action and signs. Witness, physically present and observing the action in real time, signs immediately after. Used for high-risk operations where the witness must observe the action being performed (sterilisation load, IRT inventory dispense).

Independent review signature (preparer + later review)

Preparer signs at the time of action. Reviewer signs later, after reviewing the record, the audit trail, the linked deviations and the supporting data. Used for BMR review under 211.188 final approval.

1. Both signatures by the same user — credentialing failure, often discovered by audit-trail analysis weeks later.
2. Preparer signs, content edited, reviewer signs on edited content without re-signing the original — snapshot-binding failure.
3. Reviewer is the preparer's direct report — Quality-Unit independence under 211.22 finding.
4. Same-session second signature uses only one component (just password, no userid re-entry) — Part 11.200(a)(2) is more permissive than commonly read but still requires a component 'only executable by' the individual. Shared passwords break this.
5. Signature manifest missing from rendered PDF — Part 11.50 finding.
6. Reviewer's training on the SOP being reviewed is expired — kiosk-side check missing.
7. Charge-in 'second person' is the same person physically holding the scanner, with the second login executed by them — physical-presence falsification.
8. Same device, same session, same IP, two userids within 30 seconds — pattern indicates shared workstation with credential-sharing, not two-person.
9. Audit-trail review does not include a check on two-person validity for the batch.

• Re-authentication is mandatory for the second signer, not optional.
• User-ID equality check rejects same-user second signatures at the database, not just at the UI.
• Direct-report relationships are encoded in the role hierarchy; the system warns when reviewer reports to preparer.
• Signature is bound to a content hash. Edit after signature 1 invalidates signature 1 and requires re-signing.
• Rendered PDF and screen display include both signers' name, role, meaning, timestamp and a fragment of the content hash.
• Audit-trail review SOP includes a two-person validity check on the batch — same-user detection, same-device-same-IP detection, training-currency check.
• Anomaly queries surface unusual two-person patterns — repeated same-pair signing, signatures within physically impossible time windows, reviewer-and-preparer-from-same-direct-report-line.

• Signature primitive at the data layer — every signature carries signer (auth.uid()), role, meaning, ISO timestamp, content hash (SHA-256), session ID, device fingerprint, IP, user-agent.
• Workflow definitions specify the required signature meanings for each state transition. Two-person workflows require two distinct signers with the configured meanings before the transition is allowed.
• Same-user detection at the database — a workflow requiring two signers rejects a second signature attempt from the same auth.uid().
• Same-session detection — if the workflow requires non-continuous signing (e.g. MMR approval, 211.186 'independent'), the system rejects a second signature in the same session ID.
• Snapshot-binding — every signature is bound to a SHA-256 of the canonicalised record content at the moment of signing. Any subsequent edit invalidates the signature and requires re-signing with reason.
• Role-independence — the role hierarchy encodes Quality-Unit independence; the system warns if the reviewer's role reports to the preparer's role.
• Training currency — kiosk-side check that the signer is trained-and-current on the SOP governing the record being signed; expired training blocks signing.
• Rendered PDF (BMR / DHR / MMR / CoA) includes a signature manifest with both signers' name, role, meaning, timestamp, content-hash fragment.
• Audit trail captures every signature attempt — successful and rejected — with reason for rejection.
• Anomaly queries on the Quality dashboard flag repeated same-pair signing, signatures within physically impossible time windows, and reviewer-preparer direct-report relationships.