A White Paper from Zaizi Limited March 2013 Zaizi Ltd is registered in England and Wales with the registration number 6440931. The Registered Office is 222 Westbourne Studios, 242 Acklam Road, London W10 5JJ, UK. T: +44(0)20 7193 6847 E: enquiries@zaizi.com W: www.zaizi.com
Executive Summary This paper aims to look at specific control of electronic records and electronic signatures in the life sciences industry enforced by the FDA 21 CFR part 11 requirements, and how Zaizi has succeeded in presenting the fully- fledged solution, Alfresco CoSign in compliance with the regulatory requirement, to the market. The first section sets ground to the FDA 21 CFR part 11 requirements, and then goes onto specify why Zaizi saw the importance of developing Alfresco CoSign. Following up, the solution in its basic form as business logic is graphically represented, followed by the salient features and functionalities that comply with the FDA 21 CFR part 11. This includes a detailed comparison of the expected core standards laid out alongside the main components of the Alfresco CoSign solution. The business case for Alfresco CoSign is strengthened with business benefits that organisations seek to reap and illustrations of the integrated records management and digital signatures solution is provided for unambiguous interpretation of Alfresco CoSign. Background to FDA 21 CFR Part 11 Requirements in Business Recent developments in technology have transformed the traditional business organisation to an electronically networked enterprise. Ever since, organisations have achieved faster, easier and cost- effective business processes with fully electronic workflows in place. Complementing the paperless concept in organisations, digital signatures came into add in more value to authenticity of electronic documents exchanged in lieu of handwritten signatures. Then grew the number of beneficiaries within and beyond organisational control. With such changes in industry, new corporate rules, industry regulations and stricter legislations aimed at controlling businesses have emerged. In response, companies have introduced Governance, Retention and Compliance policies and procedures to strengthen their corporate responsibility and transparency to demonstrate control. When using electronic workflows and documents, appropriate control of records management, user account control and managing document records are an integral part of achieving compliance within these policies. However, many are struggling to maintain the required level of control with existing records management software available in the market. As a result, the demand for compliant records management software and digital signatures have increased at a rapid pace across the Life Sciences industry, to meet the compliance requirements of FDA 21 CFR Part 11 reinforced by the US Food and Drug Administration. The aim is to exclusively ensure information submitted to fulfil regulatory requirements, preserves its timeliness, authenticity and reliability as a responsibility towards ensuring health and safety of communities and general public. It widely applies to both International and US firms doing business across the US. This discussion sets forth a robust and viable business case for Alfresco CoSign in compliance with FDA 21 CFR Part 11 developed by Zaizi Limited. Electronic Record: Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system. Electronic Signature: A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual s handwritten signature. Digital Signature: An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rule sand a set of parameters such that the identity of the signer and the integrity of the data can be verified. (Food and Drugs Administration of the United States, 2012)
Introduction to FDA s Regulatory Requirements In brief statement, FDA 21 CFR Part 11 focuses on following considerations for firms when submitting regulatory information: Consideration of electronic records and electronic signatures as equivalent to paper records and traditional handwritten signatures, respectively. Maintenance of standardised electronic records in open or closed systems by adherence to procedures and control put forward by the FDA. Maintain consistency and linkage of signed electronic records with respective original records, whether displayed electronically or printed. Certification of information given by electronic signatures, identifying its distinctiveness via controls that ensure its security and integrity. Given the complexity and detail of FDA 21 CFR Part 11, Zaizi identified that many software solutions in the market have failed to completely embrace diverse business requirements in compliance with FDA s regulatory standards. Why did Zaizi develop Alfresco CoSign? When electronic documents essentially needed authentication from originators and approval from reviewers, signatures came into extensive need to have on documents. AIIM 2013 survey conducted across many companies claimed, 41% needed signatures on more than half of their documents. 65% added more than 1 day to their processes just to collect signatures. 48% printed more than half of their documents just to add signatures. Signatures reintroduced paper back into the workflow and hindered the effectiveness of cost- effective strategy, requiring additional time, and prohibited organizations from realising true benefits of a fully electronic workflow. Quoting an example, an average company with 200 employees each signing 500 documents per year, will sum up to 100,000 pages per year. Following is a calculation of the costs associated with pages utilized per year, which can be saved via electronic documents and digital signatures alone (table 1 below): Printing Costs Scanning Costs Paper Archiving Costs Document Loss and Reproduction Costs 100,000 x $0.03 50,000 x $0.05 50,000 x $0.83 $120,000 + $60,000 = $3,000 = $25,000 = $41,500 = $180,000 Table 1: Benefits of Digital Signatures in Business Organisations (ARX Inc., 2013) Total = $ 249,500 For this reason, digital signatures came into replace slow approvals by completely eliminating the need to print paper for handwritten signatures, at a remarkably low cost and fully equipped with: Integrity: Person signing the document, date and time, Intent: Purpose associated with the signature, Distinct identification: Unique identification code and password. Realising the long- term benefits of digital signatures, organisations moderately adopted the technology, and recent data claims, digital signatures have reduced the time taken for an organisation to complete a sale by 50%. In addition, latest research done by AIIM and ARX Inc. (2010) presents strong evidence of extensive advantages for organisations (figure 1):
significant benefit too. Ease of signing for staff who are not in the local office is an important factor, and would also have an influence on the number of lost documents. Alfresco CoSign Figure 9: Which THREE of the following would you describe as the biggest benefits of your digital signatures system? (N=84 users) Speeding up of approval process me 0% 10% 20% 30% 40% 50% 60% 70% 80% hite Paper Saving of staff me scanning, copying and rou ng documents Saving of paper-handling costs (eg, prints, photocopies, faxes and post) Proven compliance for audit and electronic archive Ease of signing for remote, overseas, travelling or field-based staff Fewer lost documents Ability to include external approvers in the electronic cycle Easier management of user cer ficates via Ac ve Directory Figure 1: Benefits of Digital Signatures in Business Organisations (AIIM and ARX Inc., 2010) The expectations of those planning a system were very similar, except for a slightly higher expectation for the hard dollar benefits of cost saving on paper handling, with less on time savings. At the same time, Zaizi not only understood the importance of digital signatures, but also realised the potential of a paperless organisational strategy for businesses and harnessed the partnership achieved opportunities ROI in 12 months and or brought less, and together 78% in 18 a months winning or less. connection This was well between ahead of Alfresco, the expectations the leading of partner those planning ECM, an installation, and CoSign, and represents one of the an excellent largest return digital for signature any IT project. companies in the world. When asked to put a financial figure on the benefits compared to the set up costs, nearly two-thirds of users Figure 10: Considering financial, operational and customer-service benefits, what would you consider to be the payback period from your investment in digital signature systems? (N=84 Users, 78 Planned users) Here is where Zaizi illustrated simplicity through its cutting edge solution, Alfresco CoSign; a solution that organisations now rely upon, for flexibility, ease and consistency. 0% 5% 10% 15% 20% 25% 30% 35% 40% and SharePoint Alfresco CoSign 6 months or less Zaizi developed the Alfresco 12 months CoSign connector (refer White Paper by F. Alvarez), a solution that integrates Alfresco s electronic records management with CoSign s digital signatures, in response to compliance with the FDA 21 CFR Part 11 and many other similar regulations. Users 18 months In isolation, Alfresco is an outstanding open source ECM system that optimises business processes and facilitates 2 the years paperless concept in organisations by digitising content and documents in an inexpensive environment. 3 years Planned users Alfresco differentiates from other ECM solutions as an ideal integration for CoSign because it has records management built- in, and certified to the US Department of Defence 5015.02 More than 3 years standard, as a discipline that defines and applies business rules related to the creation, classification, protection, retrieval and disposition of an organization s records over time. CoSign has provided a critical competitive advantage to Alfresco by capturing digital signatures AIIM without 2010 www.aiim.org the / expenses ARX 2010 www.arx.com of paper, yet with a degree of security, reliability and simplicity unmatched by other signing technologies. 11 Following image (figure 2) illustrates the signing process of Alfresco CoSign, in a nutshell:
Figure 2: Alfresco CoSign Process As outlined above, Alfresco CoSign is smoothly designed to exhibit strong characteristics well matched with organisational requirements: Lets users sign documents without requiring anything installed in their computers, but a web browser, Users won t be tied to their local machines; they will be able to sign on- the- go, as long as they have access to the web application, CoSign web application, known as Signature Web Agent, is fully integrated with LDAP, so organizations may increase its confidence to assimilate with similar products. FDA Regulations versus Alfresco CoSign It is important to debate why organisations prefer Alfresco CoSign above many other similar solutions in the market. Many business organisations have trouble getting involved in projects to implement their compliance software due to misinterpretation of requirements. With Alfresco CoSign coupled with Zaizi s quality expertise, it is needless to say how easier it has become for organisations to work with less effort to explain complex scenarios, because Zaizi understands the importance of simplicity to customers. Let s look at a comparison on how Alfresco CoSign streamlines its core features and functionalities with FDA 21 CFR Part 11 (table 2 below). Follow the figures section as referred, along with explanations to see how easy Alfresco CoSign comes integrated to serve organisations better.
FDA 21 CFR Part 11 Requirement Sub Part A General Guidelines 1 The FDA considers electronic records, electronic signatures and handwritten signatures executed to electronic records, to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures on paper. Sub Part B - Controls for Open and Closed Systems 2 Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. 3 Ability to generate accurate and complete copies of records in both human readable and electronic form. 4 Protection of records to enable their accurate and ready retrieval throughout the records retention period. Alfresco CoSign Features and Functions Alfresco CoSign was built for organisations to adopt fully electronic workflows, while reducing the cost of printed- paper for signatures and introduce faster business processes. Alfresco have built- in records management certified by the Department of Defence (figure 3). Alfresco offers a traceable records management solution that tracks record modifications, with information on accountability, updated date and time of records. Renditions enable the ability to generate different formats of records/documents, even in portable formats. Simple Export for Archival, document/records control throughout the entire lifecycle from creation to disposition. 5 Limit system access to unauthorized individuals. The solution enables user controls and access rights for a defined set of tasks or even individual documents. 6 Use of secure, computer- generated, time stamped audit trails to independently record or retain operator entries on electronic records. 7 Record changes shall not obscure previously recorded information. 8 Use of authority checks to ensure that only authorised individuals can use the system, electronically sign a record, access the operation or computer system etc. 9 Determination that persons who develop, maintain or use electronic record/electronic signature systems have the education, training and experience to perform assigned tasks. 10 Signature Manifestations: Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: The printed name of the signer, The date and time when the signature was executed, and, The intent (such as review, approval, responsibility etc.) associated with the signature. (Available for both electronic display and/or printout). 11 Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. Sub Part C Electronic Signatures 12 Unique electronic signature per person, whether biometric or non- biometric. 13 Verification of the identity of the individual for which the electronic signature is assigned. 14 Non- biometric electronic signatures shall employ at least two distinct identification components such as an identification code and password. Table 2: Compliance of Alfresco CoSign with FDA 21 CFR Part 11 Complete auditing for every user action. Metadata is used for Audit trail and make records management complete. Alfresco automatically versions documents by identifying the latest changes made (figure 4). Signature profiles configurations, administered and accessible by Share Admin Console. Zaizi on- site experts ensure system training and 24- hour support for organisations. Easy- to- use Custom Sign Action (figure 5), enables the chance to Sign as any other Alfresco action, and Custom Sign Workflows by using Sign action in them. Alfresco CoSign records the electronic signature in biometric or non- biometric forms, indicating the following: Signer profile, Name and Email, Date and time, Validity status/document integrity (figure 6). Modification of an electronically signed document breaks the seal of the electronic signature to be no longer valid. CoSign embeds the digital signature directly into the document itself. After signature capture, anyone can verify the signature (figure 7). Unique digital fingerprint of the document is created using a mathematical algorithm. Even the slightest difference in documents creates a separate digital fingerprint of each. Trusted parties issue Certificate Authorities to ensure the authenticity of the signer. Plus, Alfresco CoSign provides custom document details view with Signature details. Background operations to retrieve information of signature field of documents, so performance is not compromised.
Conclusion With no questions asked, Alfresco CoSign delivers the best of ECM and digital signatures combined for organisations with FDA 21 CFR Part 11 compliance, by bringing out the following highlights: Records management comes built- in, certified by Department of Defence. Colossal amounts of time saved, as it is needless to verify system/record compliance with regulatory standards of the FDA 21 CFR Part 11. A standardized platform for collaborative exchange of digitally signed documents among field staff, business partners, contractors, customers, also including handling of invoices and point of sale systems. Alfresco CoSign embeds the digital signature directly into the document itself, enabling it to serve as a form of self contained e- record. After embedding, anyone can verify the signature and content integrity anywhere at anytime - with a simple click. Audit trails track and trace signed documents that enables to even track a series of approvers in a document with multiple signatures, ensured with integrity. A secure server manages credentials and issues certificates to authorised signers, using PKI- based digital signatures while removing the expensive management requirements. It does not only provide compliance with FDA 21 CFR Part 11, but also comply with many other regulatory standards such as: Electronic Signature in Global and National Commerce Act (ESIGN), Uniform Electronic Transactions Act (UETA), FAA's CFR Title 14, EU VAT Directive, Health Insurance Portability and Accountability Act (HIPAA). Figures: Figure 3: Alfresco built- in Records Management Figure 4: Versioning in Alfresco Figure 5: Custom Sign Action for each Document on Alfresco
Figure 6: Alfresco CoSign Digital Signing Figure 7: Verifying Digitally Signed Document
References: Alvarez, F., (2013). Alfresco CoSign Connector: A White Paper. Alfresco, (2013). Alfresco Records Management Software and Compliance Software. [online]. Available at: http://www.alfresco.com/products/records- management Alfresco, (2013). The Importance of Records Management within a Governance, Retention and Compliance Strategy: A White Paper. AIIM and ARX Inc., (2010). Digital Signatures for Document Workflow and Sharepoint: A White Paper. ARX Inc., (2013). 12 Business Cases for Digital Signatures. ARX Inc., (2013). CoSign Digital Signatures. [online]. Available at: http://www.arx.com/digital- signature/how- it- works US Food and Drug Administration (2012). Code of Federal Regulations Title 21. Available at: http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm?cfrpart=11&showfr=1&subpartn ode=21:1.0.1.1.7.1