CoSign Compliance with FDA 21 CFR Part 11, GxP and Validation

“We operate in a regulated environment and are subject to compliance with numerous US government regulations governed by the FDA and USDA. CoSign ensures we stay in compliance while helping improve efficiency in all aspects of animal health records.”

- Kevin Maher, CEO, GlobalVetLink

Computer System Validation of CoSign

CoSign computer system validation is supported in the following manner:

Because of CoSign’s “black box” appliance architecture, most CoSign installations require only a minimal validation effort. Still, some customers have undergone more extensive efforts including Vendor Audits, use of ARX documentation to support IQ validation records, and/or executing test scripts.

A minimal validation effort can be justified as follows:

  1. The core technology is packaged as a dedicated security appliance in the form of a black box. No other software can be loaded onto the appliance and the appliance does not impact other applications. The CoSign appliance goes through extensive testing and is developed and manufactured in accordance with the ARX ISO 9001:2008 certified SOPs. It also adheres to global PKI standards for digital signatures and has an option that has been certified at NIST FIPS 140-2 level 3 by an independent 3rd party NVLAP laboratory.
  2. If using client-side software, the software components of CoSign are basic firmware applications or plug-ins and are viewed much like Microsoft Word, Adobe Reader, or other canned applications. As such, there is little or no additional validation work involved here.

The following are some steps that clients have taken in order to validate CoSign:

  • Vendor Audit -  A number of clients have put ARX through a Vendor Audit, typically a Q&A process driven by a self-reported quality assessment due diligence form, although some clients have conducted a more formal, even on-site, audit. ARX is an ISO 9001:2008 certified organization that has well-documented Systems Development Life Cycle (SDLC) procedures for design, development, engineering, QA, manufacturing, and support. In every one of our vendor audits to date, no major issues were found with ARX procedures or products.
  • CoSign Questionnaire -  If using the on-premises CoSign Central system, the installation-specific record starts with the client’s completion of the ARX CoSign Questionnaire, which describes the specific environment where CoSign is targeted for installation. This Questionnaire is a requirement for order acceptance according to our SOPs (ISO certified since 2005). Upon receipt of order, ARX assigns a technical lead for the CoSign installation and the engineer takes the Questionnaire and turns it into a Scope of Work (SOW). The SOW is essentially a punch list of tasks and settings that must be completed for the CoSign system to be installed, configured, and put into production in a client’s infrastructure. Upon completion of all tasks on the SOW checklist, the client is given a signed copy of the SOW for their IQ validation records.

The CoSign User manual and Installation manual may serve as additional documentation supporting a client’s validation and IQ/OQ.

Finally, ARX also has multiple partners that can deliver standard validation scripts and custom validation services for CoSign installations. Please contact us for more information.

SOP for the use of electronic/digital signatures

It is a common practice for clients to set up a new SOP for the use of electronic signatures in their organization, including alerting the FDA (as required under Title 21 CFR Part 11 Sec. 11.100(c)). In addition, most ARX clients modify this template for use in informing employees, partners and suppliers, and potential auditors of the use of electronic/digital signatures, CFR Part 11 compliance, digital signatures in general, CoSign specifically, and the corporate policies surrounding the use of electronic signatures and records in their organization.

Integration using the CoSign SDK

When custom integration work is done with the CoSign SDK, clients will need to follow their normal software development lifecycle (SDLC) procedures to support validation, and the CoSign SDK (SAPI, a Signature API) programmer’s guide would be part of this documentation set as well. This is typical in applications where CoSign is integrated with an electronic document management system (EDM); the overall integrated system goes through extensive validation, but no additional effort for CoSign is required other than including the CoSign SAPI Programmer’s Guide with the documentation set and the client’s integration Quality Plan. CoSign has been integrated with many EDM solutions, and in some cases there is a standard integration connector, which reduces the validation effort compared with what a custom integration would require. Contact ARX for information about integration with various EDM solutions and other business applications.

21 CFR Part 11 Compliance

The 21 CFR Part 11 areas covered by CoSign include:

§ 11.10 Controls for closed systems

(d) Limiting system access to authorized individuals – CoSign provides Active Directory integration for identity proofing, credentialing, user management and authentication for use.

(e) Audit trails – CoSign for signing PDFs includes revision history associated with each signature/version. If integrated with an EDM, signed files have a full audit trail and revision history provided by these applications. CoSign also includes an internal audit log of all signature operations.

(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate – CoSign forces entry of a Reason Code at time of signing as required. If integrated with an EDM and workflow application, additional enforcement of approval steps is provided.

§ 11.30 Controls for open systems

Authenticity & integrity of electronic records from the point of their creation to the point of their receipt – All documents signed with CoSign provide for verification of signer identity, intent, time/date stamp, and proof of data integrity.

§ 11.50 Signature manifestations

Signed electronic records shall clearly indicate printed name of signer, date & time and reason for signing – CoSign provides visible signer name, time/date, reason and data integrity status for all signed file formats, and also optionally the signer’s graphical signature in PDF, Word, Excel, and InfoPath files.

§ 11.100 General requirements

(a) Unique electronic signatures for each user – CoSign provides a unique, individual signature key pair and ID certificate for every signer.

§ 11.200 Electronic signature components & controls

Employ at least two distinct identification components; Continuous sessions – CoSign most commonly provides Active Directory integration including forced authentication via Username + Password at time of signing.

Existing Installations, Integrations and Applications

CoSign has been installed in hundreds of validated production environments, and has been used on thousands of FDA and EMA GxP regulated applications that are 21 CFR Part 11 compliant and validated. Our staff is well-versed in FDA requirements including 21 CFR Part 11, GxP, and computer system validation. Perhaps most importantly, digitally signed electronic records created by CoSign have been used to support thousands of FDA, EMA, ISO, HACCP, HIPAA and SOX audits and e-submissions.

  • CoSign is installed in ~100 FDA-regulated central labs (GLP)
    Today, over 1 million certificates of analysis and lab reports are signed annually using CoSign. Some of these deployments include custom integration with LIMS systems, which includes a greater level of validation effort than typical CoSign installations.
  • CoSign is installed in hundreds of GCP regulated applications (7 of the top 10 CROs, 9 of the top 10 BioPharmas, over 10,000 CRAs)
    CoSign is being used today for GCP applications including signing clinical documentation such as monitoring trip reports and site close-out reports by CRAs for submission to the sponsor and ultimately to the FDA. In addition, it is being used as part of internal applications in QA, compliance and controlled documentation for signing of SOPs, work instructions, and project specific documentation such as requirements, specifications, test procedures, backup procedures, and training records that are called into review for an FDA or vendor audit. Some of these deployments include custom integration with a document management and/or workflow system which delivers greater validation scrutiny.
  • External-facing Investigator Portals and Clinical Trial Management services (CTMS)
    More than 10 investigator portal technology suppliers (software or SaaS vendors) have CoSign as an integrated offering, and many leading CROs and sponsors have CoSign installed in their Investigator Portal. One such installation at a large CRO, one of the first Investigator Portals ever put into production, has over 6,000 external CoSign users, who include primarily sites (investigators), IRBs, sponsors and CROs. These users can access and sign FDA Regulatory Packet documents (protocols, informed consents, 1572s, CVs, contracts, agreements, etc.) and other periodic clinical documentation during the course of a study. In all, tens of thousands of clinical investigators and IRBs are using CoSign today.
  • CoSign is installed in numerous cGMP applications
    Including many leading contract manufacturing organizations (CMOs) and pharmaceutical companies’ internal manufacturing operations. CoSign is also being used in common regulated applications such as signing of SOP and QA documentation, as well as signing of master recipes and manufacturing instructions. CoSign is also used in the production process for signing MES electronic batch records and other documentation.

To date, CoSign has been integrated with a wide variety of third-party document-centric applications including Microsoft SharePoint, NextDocs, Oracle WebCenter Content, OpenText LiveLink, Adobe LiveCycle, Laserfiche, Alfresco, as well as custom-developed applications.