21 CFR Part 11 FDA Compliance

CoSign computer system validation is supported in the following manner:

Most CoSign installations require only a minimal validation effort. However, some have undergone more extensive efforts including Vendor Audits, use of ARX documentation for part of the IQ validation records, and/or testing against validation scripts. 

The justification for minimal validation includes:

1. The core technology is packaged as a dedicated security appliance, in the form of a black box.  No other software can be loaded on the appliance and the appliance does not impact other applications. The thought process is that other appliances, like a network router for example, are not validated, which is much the same with the CoSign appliance validation.  The CoSign off-the-shelf appliance goes through extensive testing at ARX as it is developed and manufactured in accordance to the ARX ISO SOPs. It also adheres to global PKI standards, and has an option that has been certified at NIST FIPS 140-2 level 3 by an independent 3rd party NVLAP laboratory.  
2. The software components of CoSign are basic firmware applications or plug-ins and viewed much like Microsoft® Word, Adobe Reader, or some other canned application.  As such, there is little or no additional validation work involved here. 

• Vendor Audit: A number of clients have put ARX through a Vendor Audit, typically a Q&A process driven by a self-reported quality assessment due diligence form, although some clients have conducted a more formal, even on-site, audit.  ARX is an ISO 9001:2008 certified organization that has well-documented Systems Development Life Cycle (SDLC) procedures for design, development, engineering, QA, manufacturing, and support.  In every one of our Vendor Audits to date, no major issues were found with ARX procedure or product.
• CoSign Questionnaire: The installation-specific record starts with the client’s completion of the ARX CoSign Questionnaire, which describes the specific environment where CoSign is targeted for installation.  This Questionnaire is a requirement for order acceptance according to our SOPs (ISO certified since 2005).  Upon receipt of order, ARX assigns a technical lead for the CoSign installation and the engineer takes the Questionnaire and turns it into a Scope of Work (SOW).  The SOW is essentially a punch list of tasks and settings that need to be completed for the CoSign system to be installed, configured, and put into production in a client’s infrastructure.  Upon completion of all tasks on the SOW checklist, the client is given a signed copy of the SOW for their IQ validation records.

Additional documentation supporting client’s validation and IQ/OQ are the CoSign User and Installation manuals.

ARX also has multiple partners that can deliver standard validation scripts and custom validation services for CoSign installations.  One partner is Montrium.

It is a common practice for clients to set up a new SOP for the use of electronic signatures in their organization, including alerting the FDA (as required under Title 21 CFR Part 11 Sec. 11.100c).  In addition, most ARX clients modify this template for use in informing employees, partners and suppliers, and potential auditors of the use of electronic/digital signatures, CFR Part 11 compliance, digital signatures in general, CoSign specifically, and the corporate policies surrounding the use of electronic signatures and records in their organization.

This is basically all that is required for validation of CoSign when being used exclusively for desktop signing.  When custom integration work is done with the CoSign SDK, clients will need to follow their normal SDLC software development lifecycle procedures to support validation, and the CoSign SDK (SAPI®, a Signature API) programmer’s guide would be part of this records set as well.  This is typical in applications where CoSign is integrated with an electronic document management system (EDM); the overall integrated system goes through extensive validation but no additional effort for Cosign is required, other than including the CoSign SAPI Programmer's Guide with the documentation set and the client’s integration Quality Plan.  CoSign has been integrated with many EDM solutions and in some cases there is a standard integration connector which also aids in reducing the validation efforts as would be required for a custom integration.  Contact ARX for information about integration with various EDM solutions and other business applications.

The 21 CFR Part 11 areas covered by CoSign include:

P 11.10 Controls for closed systems

(d) Limiting system access to authorized individuals - CoSign provides Active Directory integration for identity proofing, credentialing, user management and authentication for use.

(e) Audit trails - CoSign for signing PDFs includes revision history associated with each signature/version. If integrated with an EDM, signed files have a full audit trail and revision history provided by these applications. CoSign also includes an internal audit log of all signature operations.

(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate - CoSign forces entry of Reason Code at time of signing as required. If integrated with an EDM and workflow application, additional enforcement of approval steps in process are provided.

P 11.30 Controls for open systems

Authenticity & integrity of electronic records from the point of their creation to the point of their receipt - All documents signed with CoSign provide for verification of signer ID, intent, time/date stamp, and proof of data integrity.

P 11.50 Signature manifestations

Signed electronic records shall clearly indicate printed name of signer, date & time and reason for signing - CoSign provides visible signer name, time/date, reason and data integrity status for all signed file formats, and also optionally the signer's graphical signature in PDF, Word, Excel, and InfoPath files.

P 11.100 General requirements

(a) Unique electronic signatures for each user - CoSign provides a unique, individual signature key pair and ID certificate for every signer.

P 11.200 Electronic signature components & controls

Employ at least two distinct identification components; Continuous sessions - CoSign most commonly provides Active Directory integration including forced authentication via Username + Password at time of signing.

More broadly, CoSign has been installed in several hundred validated production environments, and has been used on thousands of FDA and EMA GxP regulated applications that are 21 CFR Part 11 compliant and validated.  Our staff is well-versed in FDA requirements including 21 CFR Part 11, GxP, and computer system validation.

Perhaps most importantly, digitally signed electronic records created by CoSign have been used to support thousands of FDA, EMA, ISO, HACCP, HIPPA and SOX audits.

• CoSign has been installed in ~100 FDA regulated central labs (GLP). 

Today over 1,000,000 certificates of analysis and lab reports are signed annually using CoSign.  Some of these deployments include custom integration with LIMS systems, which includes a greater level of validation effort than typical CoSign installation.

• CoSign is installed in numerous GCP regulated applications at ~35 CROs (including 6 of the top 10 CROs) and 8 of the top 10 biopharmas. GCP applications where  CoSign is being used today include:
• Signing by CRAs of clinical documentation such as monitoring trip reports, site close-out reports, etc., for submission to the sponsor and ultimately to the FDA (about 10,000 CRAs are using CoSign today).  
• Internal applications in QA, compliance and controlled documentation for signing of SOPs, work instructions, and project specific documentation such as requirements docs, specifications, test procedures, backup procedures, training records, etc. that are called into review for an FDA or Vendor Audit.  Some of these deployments include custom integration with a document management and/or workflow system which means greater validation scrutiny. 

To date, CoSign has been integrated with Microsoft Sharepoint, NextDocs, Oracle Fusion Middleware, IBM Score, IBM/FileNet, OpenText LiveLink, OpenText Hummingbird ECM, Adobe LiveCycle, Xerox Docushare, Cardiff LiquidOffice, Docuware, Verity LiquidOffice, Laserfiche, Interwoven, Documentum and others including custom developed applications.

• External-facing Investigator Portals and Clinical Trial Management services (CTMS).  Over 10 investigator portal technology suppliers (software or SaaS vendors) have CoSign as an integrated offering, and many leading CROs and sponsors have CoSign installed in their Investigator Portal.  One such installation at a large CRO, one of the first Investigator Portals ever put into production, has over 6000 external CoSign users - primarily sites (investigators), IRBs, sponsors and CROs - where users can access and sign FDA Regulatory Packet documents (protocols, informed consents, 1572s, CVs, contracts, agreements, etc) and other periodic clinical documentation during the course of a study.  In all, tens of thousands of clinical investigators and IRBs are using CoSign today.
• CoSign is also installed in numerous cGMP applications. 

This includes many leading contract manufacturing organizations (CMOs) and pharmaceutical companies’ internal manufacturing operations.  CoSign is also being used in common regulated applications like signing of SOP and QA documentation, as well as signing of master recipes and manufacturing instructions, and then MES electronic batch records and other documentation during the production process.

The following is a list of current FDA and HIPAA regulated clients:

CoSign Installations in HIPAA, USDA and FDA Regulated Organizations
5 Hour Energy (food & beverage) Abarta (food & beverage) Abbott Labs (biopharma) Active Diagnostics (surgical monitoring) Advanced Biomedical Research (CRO) Advanced Physician Mgt Svc (provider) Alaska Sleep Centers (clinical sites) Allergan (biopharma) Alexander Youth Network (provider) Alexion (biopharma) Alta Analytical Labs (clinical central labs) American Institute of Toxicology (lab) Antisoma (biopharma) Aspyra (medical imaging systems) AstroMed (medical equipment) Bayer-Schering (pharmaceuticals) Becton Dickinson (medical devices) Beardsworth Consulting (CRO) Beebe Medical Centers (healthcare) Benchmark Biolabs (clinical labs) Bennett & Co (life science consulting) Biobide (biotech) BioClinica (clinical technology services) Biogen Idec (biotech) Biolab (central lab) Biovitrum (biopharmaceuticals) Blue Cross Blue Shield (healthcare) Capsugel (drug delivery technology) Caremaster (medical devices) Carestream Health (healthcare services) Concord Biosciences (CRO) CCL (clinical labeling) Charles River Labs (CRO) ChartOne (EMR ASP) Claims Servicing America (claims) Clarix (clinical software/services) ClinPhone (clinical software/services) Coating Place (contract manufacturing) Coca Cola Bottling (food & beverage) Columbus Childrens Hospital (provider) Comprehensive Sleep (provider) CSL Behring (biopharma) CT Office of Chief Medical Examiner Cooper Vision (medical devices) Court Square (life science services) CSC (life science services) Datalabs (clinical software) DVC (Dynport Vaccine) (CRO) Dept of Agriculture (Turkish gov’t) Daiichi Sankyo (pharmaceuticals) DTx (medical devices) Duke Clinical Research Institute (CRO) Durham County NC Dept Health Eisai (biopharma) ELAN (pharma) Encap (contract manufacturing) Entralogix (life science SaaS) eTrials (clinical software/services) ePharma Solutions (clinical services) eWebHealth (EMR SaaS) Ferring (pharmaceuticals)	Frontage Labs (central clinical lab) Galderma (biopharma) GE Healthcare (medical device) Genetix (biopharma) Glemser (life science services) Global Vet Link (animal health services) Good Products (life science software) Grass Technologies (medical devices) Grand Home Health (provider) gxpi (life science software/services) Hackettstown Regional Med Ctr Herbalife (nutraceutical) Home Health Care (provider) H2H (healthcare software) Huntingdon Life Sciences (CRO) IBM Life Sciences (software provider) IBT Labs (contract lab) Immaculate Home Health (provider) Insulet (biotech) Int’l Partnership Microbicides (biotech) Intertek (clinical central labs) Int’l Research Institute (clinical sites) Iredell County NC Dept Health (gov’t) Israeli Ministry Health (government) Kell West Regional Hospital (provider) Kendle International (CRO) Kodak Dental Systems (dental devices) LifePath Hospice (provider) Light Sciences Oncology (med devices) Living Essentials (food & beverage) L’Oreal (cosmetics) Los Alamos Nat’l Lab (gov’t labs) Luitpold Pharma (pharmaceuticals) MannKind (pharmaceuticals) Matrix Clinical (CRO) Maxxam Analytics (center labs) Medidata (clinical software/services) MEDA Pharma (biopharma) MEDRAD (medical devices) Merck (pharmaceuticals) Merck KGAA Serono (pharmaceuticals) Merge Healthcare (software/services) Merial (animal and veterinary health) Methylgene (pharmaceuticals) Mid Plains Center (mental health) Millenium Foods (food & beverage) MMS Holdings (CRO) Montrium (lifesci software) Morphotek (biopharma) Muscular Dystrophy Assc (healthcare) NAPP Pharma (biopharma) Nationwide Childrens (provider) Nektar Therapeutics (pharmaceuticals) Nestle (food) NextDocs (lifesci/healthcare software) NGC (lifescience/healthcare services) Novartis (pharmaceuticals) Nova Biologicals (contract lab) Novella (biopharmaceuticals) Novo Nordisk (pharmaceuticals) Novozymes (biotech)	NY Blood Center (network) Obagi (medical devices) Ocular Sciences (medical devices) Oracle (life science software) Organ Sharing Network (healthcare) Omnyx Pathology (medical device) Paragon Biomedical (CRO) PAREXEL (CRO) PDS (clinical technology services) Perceptive Informatics  Pfizer (pharmaceuticals) PharmaForce (pharmaceuticals) PharmaNet (CRO) PharmaLinkFHI (CRO) PhaseForward (clinical software) Philadelphia Safe & Sound (non-prof) PPD (CRO) PRA International (CRO) Practice Works (dental devices) Preferred Home Care (provider) Promedica (CRO) Prometheus (biopharma) Qualicom (life science services) Quincy Tech (healthcare software) Rambam Health Care (network) Regeneron (biopharma) Regional Cardiology (provider) REM Sleep Labs (clinical site) RMC Pharma (consulting) SAIC (life science services) Sandoz (pharmaceuticals) Sanofi Aventis (pharmaceuticals) Sanofi Pasteur (vaccines) Santen (pharmaceuticals) SFSU College of Health (provider) SIGA (biopharma) Sitrof (life science software/services) Sleep Technology (clinical sites) SC Dept Mental Health (provider) St Jude Medical (medical device) Stanford Hospital & Clinics (provider) Stem Cell Technologies (biotech) Studer Group (healthcare consulting) Swedish Orphan Intl (biopharma) Tel Aviv Sourasky Medical Center Telerx (clinical services) Thermo Fisher (lab informatics) The Imaging Center (clinical site) University Pitt Medical Ctr (provider) VCU Medical Center (provider) Veterans Health Admin (provider) ViraCor (central lab) Viropharma (biopharma) Wake Forest (WFIRM) (clinical site) Walgreens (distribution) Wallerson Cardiology (provider) Washington Grain Alliance Westat (CRO) W+H Dental (medical device) ZLB Plasma (central lab network)