Unlock the eSignature Legality for Life Sciences in Canada with airSlate SignNow

How to eSign a document: e-signature legality for Life Sciences in Canada

I'd like to introduce our presenter for today he is Rod slurf the FDA markets manager with ARX with over 25 years of experience in electronic signatures for FDA regulated markets Rod has led ARX to be the largest supplier of digital signatures in the FDA regulated industry as a result clinical operations organizations around the world are benefiting from reduced costs faster operations regulatory compliance secure document exchange and electronic submission to the FDA with that I will bring Rod's slides up and Rod I'll pass the presenter ball to you okay well thank you Elizabeth and thank you to all the participants taking an hours worth of time this morning or this afternoon to participate in this webinar as Elizabeth mentioned I am the FDA markets manager for ARX and have been in this position for the past 8 years years today's presentation I will be discussing the use of digital signatures throughout the clinical operations of FDA regulated operations and not specifically talking about our product cosign so I'm going to try to keep the conversation vendor neutral just uh a little background on my company ARX to kind of build the credibility of why I'm speaking today is the company ARX is the world's largest supplier of standard digital signatures both to Industry as well as government in fact our cosign product is being used by more organizations today than all the alternative approaches combined so we have a healthy market share specifically in the Life Sciences Marketplace it's estimated that cosign has about 90% of the market share 90% of all the installations of digital signatures in the FDA regulated markets are using our cosign product but as you can see we compete in many other highly regulated and security minded Industries some of these industries like the FDA require digital signatures uh for instance certain states in the US certain provinces in Canada require the use of digital signatures for engineering drawings both here in the US at the at the federal level and the the state local government level as well as in the EU in government applications digital signatures are required but in general the markets we go after either required digital signatures are very much security minded again I mentioned about 90% market share in the light Sciences industry as you would expect most of the major players are using our product including nine of the top 10 Pharma the majority of the leading cro and many of the cloud applications that are being hosted using our product today about 20 to 30,000 different investigators irb's labs and cras are using our cosign product we also do business in government government research including the uh US Department of Health and Human Services but also other governments around the world and even non research-based government here in the US including departments such as Department of Justice Homeland Security energy the veterans uh administration department of transportation Etc as well as in Europe recognized entities such as the Supreme Court of the Netherlands the ministry in Portugal the Italian Senate even the European commission itself uses uses our cosign product we've changed the agenda a little bit today so if you've attended one of our webinars in the past we've tended to focus on the most common applications for digital signatures within gcp mostly use of digital signatures in quality document Management Systems the use by cras and signing trip reports when they visit sites as well as within Cloud applications what we Chang this presentation today to really be more of a blueprint and guidelin and how you select and how you deploy digital signatures regardless of the application where you plan on using the technology so we'll talk a little bit more about the relevance of digital signatures and life sciences and uh and really the the heart of the conversation is on what of the major components and considerations in choosing and deploying a proper digital signature solution so clearing the fog is what we're talking about here there's lots of different areas where you may hear the term digital signatures there's vendors out there including us with our cosign product there's vendors out there that sell digital or electronic signatures companies like or echosign or veras sign or qualified CA in Europe even self- sign certificates there's uses for digital signatures and some confusion about what the requirements are and areas like electronic submissions through the gateway to the FDA what are quality management system vendors using electronic or digital what's property use for electronic Trial Master files and signing of the regulatory packets how do workflow vendors and document management vendors and eow vendors fit into this puzzle and one of the compliance requirements as far as part 11 GXP how do you validate these systems and what is ISO 32,000 for pdfa so hopefully we'll cover most of these items and clear some of the fog in the conversation today first of all I'll talk about why digital signatures in case you're not uh familiar with digital signatures digital signatures is a term that is used for a standard form of electronic signature we'll talk about the standards bodies that that publish and maintain these standards throughout this presentation before we get started we'll take a look at what information is available in a signed a digitally signed electronic record in this case it's just a visible information It's contained in a PDF so for every digital signature that's selfcontained within a PDF you will see visible information and this information includes things like the name of the signer the job title of the signer perhaps the email address of the signer the reason code the reason for signing that was entered at the time of signing the time date stamp when the signature was applied the handwritten signature of the signer so the John Hancock is also included and most the major desktop applications including PDFs include indication of whether you should trust not trust or have questionable trust over the digital signatures and digital identities contained within that file now digital signatures are Active Components of these electronic records so if I click on any of the digital signatures I start to see additional metadata about the signature details this includes the three eyes of digital signat first the identity of the signer so again the name of the signer the email address I can click and see the digital certificate the digital identity of the signer how long this identity is valid for what organization the signer is from and why I'm trusting this digital identity again more information about the intent the reason code that was entered the time gate stamp when the signature was applied and information about the Integrity so how has the file been altered and changed since the signature was applied and what are these changes so these the three eyes of digital signatures and as you as you can see digital signatures are not just paper on glass it's not just an electronic replacement for pen and paper there's lots of security wrapped into adding a digital signature when you sign an electronic record um again we're not going to go over a demo today but I just want to walk through a simple signing process to set the expectations of how a document signed so in this case an employee or anyone that needs to sign the document is sitting sitting in front of a file could be an office file PDF a web form InfoPath form what have you and either have that file open on the local PC or they're accessing that file through a web application through SharePoint but through some other business application now as a best practice but also as a requirement for 21 CFR part 11 the person needs to authenticate before they can earn the file this is typically through like an active directory ldap or whatever username and password's been uh given to that individual to authenticate themselves before they can sign and they're also asked to enter a reason code why am I signing this document once this takes place then within a fraction of a second a number of things happen in the background first thing that happens is that the document contents to be signed are calculated as what is known as a hash value which is then securely sent to a secure signing environment either a server or in the old days a smart card contained within this server is the three components that constitute the digital signature first this individual digital certificate or digital identity unique to that individual there's also a unique signing key a mathematical key that's going to be used to sign the document contents and the most digital signature systems there's also the ability to register a handwritten signature perhap perhaps it's their John Hancock Andor maybe their corporate logo or maybe multiple graphical signatures such as their initials that they can choose to use every time they sign next that document hasch value the contents are signed with the digital identity and the digital certificate and all this information is then bound back to the file since most digital signature systems that employees employees are using is integrated with the user directory structure of that organization whether this the active directory or lb these digital identities are what what are known as high Assurance there's a high Assurance a high level of confidence that the person signing is indeed someone who's been fully vetted by the or organization from which that individual comes however there are other lower forms of digital identities and even non-digital signature systems where there's essentially no or a very low level of assurance of the identity of the signers and obviously you want to avoid these type of systems now looking at the signed document someone who receives this document 50 years from now offline can simply open up that digitally signed electronic record and they can Bridge trust with that signer and with that signer's organization so this is not just by recipients that are employees of that same organization but any outside party whether it be business partners vendors courts of law Regulators in government any auditor or contractors anyone accessing this file can perform this verification and when you verify digitally signed electron records this verification is completely independent of the vendor who supplied the technology the vendor themselves the signer even if that signer is no longer part of the organization or even no longer alive as well as the signer's organization even if all these individuals and organizations are no longer in business we can still perform this verification so what you're doing with digital signatures embedded in electronic records is you're creating self-contained portable and sustainable documentation that's verifiable um overtime across geographies across organization regulators and governments and across Technologies so how is this trust established how is someone receiving a signed document able to trust the signature of the signer and the signer organization well this is a core concept of digital signatures and these relying parties only need to establish trust in the public root certificate the public identity if you will of that signing organization and this is usually performed through a one-time trust ceremony and then after that point all signed documents from that organization received by my organization can be fully verified now there's multiple trust models that are being used today the most common trust model is what's known as controlled Trust this goes back to this one-time ceremony or one-time process so there's a manual bridge on a case-by casee basis of who you want to trust and uh how you want to trust these signatures from this organization so again need to make a decision that I want to trust all signed documents from this organization establish that trust and then from that point forward all the signatures will be verified when I receive them or my employees receive them there are other trust marks models uh that's been around for a while two most common web trust models are offered by Microsoft and Adobe what Microsoft and Adobe do is once you your digital signature system you hand over this public ID this public root certificate to Microsoft or adobe and they publish it in their certificate store this is not a universal solution in that Microsoft only trust signatures in Microsoft documents Adobe only trust documents and there PDF format hence it's less common not widely ised today but it is an interesting concept there's other trust models these are typically membership based trust networks most commonly used over in Europe by third party certificate authorities but also you might see this somewhat in the US particularly with large Pharma that use these trust based or membership based trust models like safe biofarma but safe in general is largely still just a conceptual idea not why ly used even some of the founding members are not using safe today so it's really not relevant to the conversation okay next they'll talk about the use of digital signatures in life sciences there's really three basic areas where digital signatures are relevant in life sciences the first area is being used by employees within any Enterprise with within a government agency or department where you're looking for a consistent digital signature service to have your employees sign any document it requires a signature on the other side here we have SAS services and clouds so this could be a cloud service propped up as a private Cloud by an Enterprise or it could be a sass vendor that has digital signatures embedded as their signature engine in their service and the third area where digital signatures are relevant is with all the software vendors that are out there the desktop authoring vendors the document management workflow vendors they all simply need to support the digital signature standard to know that regardless of what digital signature system you're using within your Enterprise or within your Cloud these systems will work with their software a little more detail again for the relevance within an Enterprise a life sciences Enterprise from my experience in the marketplace digital signatures are being used extensively throughout many Enterprises in both GXP regulated and non-regulated operations literally thousands of companies and Enterprises today are using digital signatures throughout their operations you may also note that the FDA does require the use of digital signatures and open systems so any system as defined as an open system where outside parties need to re receive the signed documents or any organization that allows outside parties to sign documents this is what an open system is but there's also extensive use of digital signatures in close systems such as a quality management system and there's H significant reasons why youd want to use digital signatures in these closed systems the applications Within These Enterprises where digital signatures are being used are throughout the Enterprise both within regulated non-regulated departments such as HR Finance legal procurement Etc but also the highly regulated stuff such as your core quality management system electronic lab notebooks manufacturing operations clinical operations Su I mentioned digital signatures for cloud operations many if not most of the private Cloud applications propped up by sponsors as well as public SAS vendors are using digital signatures as their signature engine and as these are open systems they have to use digital signatures as I mentioned before tens of thousands of doctors sites irbs monitors labs are using digital signatures that are embedded as part of these cloud applications and these Cloud applications that are using digital signatures again span a pretty wide spectrum one of the more common applications today is within investigator portals where sites need to sign off on regulatory packets as part of the electronic Trial Master file another hot area is for patient reimbursement and assistance so doctors and patients that are prescribed medications can sign off on reimbursement and assistance in affording those drugs but it can also be non-regulated stuff so many companies just want their business partners and their customers to sign off in various contracts and agreements and as I mentioned digital signatures are very important to the desktop authoring vendors and to the other business system vendors so many of these vendors today support digital signatures and really any eforms workflow or document management vendor can easily integrate their technology with digital signature and many already have so most of the common eforms vendors already have an integration with digital signatures Microsoft Office InfoPath PowerPoint Excel word PDFs whether this be an Adobe PDF or another PDF vendor XML AutoCAD drawings Etc custom applications particularly web applications can have digital signatures easily integrated and then many of the leading document management system vendors already have support for digital signatures we happen to do a lot of work with with SharePoint in fact about half the projects we do today include integration with SharePoint and integration anyone with a web browser on a PC Mac or a mobile Computing device can access and sign documents through this browser okay now in the selection of digital signatures and deployment of digital signatures I've boiled down the common things to think about in choosing a digital signature solution into five different categories call the 5Ds of selecting and deploying a proper digital signature this includes compliance and who do we need to comply with Choice how much Choice should the vendor allow in the selection of the surrounding Technologies control so how do you control the overall environment where digital signatures are being used cost effective how cost effective are the various digital signature Technologies con centralized the new wave of digital signature products over the past 5 to 10 years all use a centralized architecture which greatly minimizes system administration as well as validation efforts associated with the deployment so let's start with compliance so the first area of compliance obviously is you need to comply with the digital signature standards now here in the US the main standards body is n but these various organizations and governments that support digital signatures and in some cases require digital signatures all adhere and support to the same digital signature standard so there's not multiple standards you have to concern yourself with there's a single standard here in the US that happens to be missed the first question you want to ask a vendor is are you a digital signature vendor these same standards are recognized and endorsed by other St independent standards bodies so for instance ISO with the pdfa standard ISO 32000 incorp op Ates the digital signature standard Oasis Oasis is the old pki Forum they've developed a digital signature standard for web services so if you're going do a web services integrated with an application they include this standard as well as these other standards bodies so you comply with the digital signature standards that are out there obviously in the Life Sciences Marketplace we also have to comply with the fda's requirements most people focus on the fda's 21 CFR part I'm not going to get into all the different details where where part 11 compliance is supported by digital signatures I will call your attention however to paragraph 11.30 in controls for open systems where they specifically call for the use of standard digital signatures so any open system s include procedures controls they include the the appropriate use of of digital signature standards now there is some confusion in Marketplace about the need to use digital signatures with submissions to the FDA if you go to the fda's website for the electronic submissions Gateway there's a lot of great information here and one thing you'll find out is that the FDA does not require digital signatures for signing of the common FDA forms the 1571 the 356h itself in fact they don't care about the the supplementary sign documents associated with these submissions the only thing the FDA requires when doing a submission across the Gateway is that the transaction of the submission uses a digital certificate and although they call this a digital signature you really should be calling this an authentication based digital identity and they point you to the different ways that you can acquire an identity to support this submission including creating your own self-signed certificate which is fully acceptable now at ARX with our cosign product we do not promote cosign for authenticating yourself for this electronic submission transactions that's because our perception is that what they're asking for breaks the basic rules and tenants of digital signatures in order to perform this this simply submission regardless this is a a very small fraction of the total use of digital signatures in the marketplace and is not something that's talking about signing of documents and then people call the use of digital signatures the third wave of compliance with part 11 and I agree with this the first wave would be all the system remediation that took place before or just after the release of the original part 11 in March of 1997 where companies were remediating computer systems to comply with what they perceived to be the FDA requirements however right after part 11 came out all of a sudden the vendors like documentum and open text came out with a different concept and that is a huge secure repository of controlled documents that may or may not include electronic signatures if they did include electronic signatures it was just an electronic authentication and this authentication along with the reason code time date stamp was secured separately from the document in the database of the repository it's not really a digital signature solution now come around year 2000 J&J and fizer kind of led the third wave here which is said let's apply digital signatures directly to the documents independent of the repository so that we can extract documents out of the repository and share them with outside parties for full verification or if we wanted to migrate to a new document management or quality management system in some sometime in the future this migr is made easier because we've severed the tie between verification and access to the repository the third area of compliance that we talk about is compliance with the EU directive on electronic signatures unlike eign in the law around the use of electronic signatures in the US the European Union is very specific on the requirements for digital signatures in fact for government applications in Europe they only allow digital signatures they give them different terms they call them qualified electronic signatures or Advanced electronic signatures but in both cases we're talking about the use of standard digital signatures so if your organization is doing business in Europe I would definitely take this in consideration is that in Europe you're going to find the requirement for digital signatures to be much more prevalent and then the fourth area where there needs to be compliance is with the independent software vendors so companies like Microsoft and Adobe have invested in making sure that their applications work with any standard digital signature solution and they don't provide add-ons or connectors to proprietary based electronic signature systems as well as the standards bodies that support these other forms and I mentioned before the iso 32,000 standard for pdfa includes the digital signature standard so that's compliance the second choice and from our perspective is the most successful digital signature deployments do not include the vendor providing an eform solution a workflow solution or a document management solution instead the deployments include the most robust and secure signature engine so a solution it just provides a signing solution and then allows the organization to choose their Best in Class preferred existing or whatever future workflow document management system or eform solution that they desire for their specific applications so again the the recommendation is choose the best signature engine and then choose the best complimentary Technologies and easily integrate with the signature engine when you integrate the signature Engine with these complimentary Solutions you're creating a machine and these machines can be as complex or as simple as the application requires the most simple machine is typically just a digital signature engine and then the desktop authoring tools so whether it be office documents InfoPath PowerPoints PDF documents or other file formats having just the signature engine and the documents is a simple machine and can be readily used upon installation of the digital signature solution a more complex and comprehensive machine can be integration with some other Enterprise business system most typically this is a quality management system or an Erp system or a document management system so leading vendors like NEX stocks SharePoint openex documentum Etc where the workflow vendors like K and nintex all support digital signatures and can be easily integrated and then finally you need to consider that any of these machines need to accommodate the modern worker that may not be sitting in front of a PC in the office but instead may be working from a Mac or from a smartphone or from a a tablet device so these digital signature deployments need to work with all these Computing Technologies so again compliance and choice of the complimentary Technologies the third is control so if we control perspective it's our philosophy that the newus organizations the company that's using the digital signatures need to in fact must have the freedom to choose their policies procedures methods and technologies that they want to govern their business so the vendor should not be forcing the organization to re-engineer or change the way they're governing their business so the digital signature deployment the digital signature system that you choose must adopt to your policies and procedures and not the other way around so what are some of these policies procedures and enforcement technologies well today companies already have in place identity proofing strategies this includes includes your onboarding policies and procedures for how you bring a new employee into the organization through a signing of a I9 or other forms add them to your network access and user directory structure as well as for your customers and suppliers and how you screen them and prove who they are before you give them access to secure documentation or in this case allow them to sign documents you already have these user provisioning and user management Tools in house today the most common user directory structure happens to be Microsoft active directory but there's other ldap and user directory structures that can easily integrate with digital signature systems to provide medium to high Assurance digital identities and Easy System administrative and user management functions and you already have authentication methods today that you're using inous and you should continue to use these authentication strategies with your new digital signature system as I mentioned before the most common authentication strategy is username and password most commonly active directory username and password however we have clients that prefer to have secondary Factor authentication techniques particularly in Europe or in certain High highly sensitive applications where you may want to use one-time password devices Biometrics or even pki smart cards okay so the fourth consideration is then cost effective the good news is is the price for digital signature Solutions have come down in price dramatically over the past decade so the solutions are more affordable and the time frame to achieve a nice Roi has been reduced however what needs to be considered is not just the price of the licenses but the total cost of ownership of the the deployment and these total cost of ownership still vary quite dramatically from one vendor to the other from one approach to the other the article I'd like to point you to is a great article that was in the Bia version of Applied clinical trials way back about six years ago where the article talks about the value of digital signatures in e-clinical but also includes a workup an analysis of what the costs are of various digital signature options and alternatives for a typical three-year deployment for a thousand users and what this analysis looked at was server-based digital signature Solutions and happen to gather information from us about our our cosign products manage pki services so this would be someone like a veras sign that used to have a service some of the qualified Casa that you might find in Europe even someone like safe biopharma CA and then the third category was build your own this is what Jane J and fizer did way back when and the yield of this analysis is that the server based Solutions the newer Technologies are typically five to 10% of the cost of building your own um and roughly 20 to 25% of the cost of going to these third- party services so the most coste effective solution and strategy for deploying digital signatures is to to deploy a server-based digital signature product that integrates with your existing active directory as you mentioned before it's not just the price of the license or the digital certificates that make up the total cost there's many other factors obviously validation what is the cost to validate these products and qualify the system you should ask the vendor how do you support this who's doing the validation if we don't want to do the validation do have business partners that are experienced in validating your system how does your system support part 11 specifically around Microsoft Office signing so Microsoft Office has some basic support for digital signatures however most people feel that it's not part of leing compliant for various reasons so how do you address that for signing of PDFs does the vendor require you to have licenses from Adobe for Adobe Acrobat for every user that's going to be signing with your system what type of PDF viewers are supported and can these PDF viewers properly interpret digital signatures what's the cost and effort to integrate with various business applications and how are these system is validated are there standard connectors to Common business applications like like SharePoint or is this all part of a custom integration effort can the signing be performed from any machine Any Computing device or are you limited to just PCS or can we sign from Macs smartphones Tablet PCs tablet devices are the license is transferable so if I have an employee that leads the company can I transfer that license at no cost to another employee what if I have someone that loses the digital identity and I get another identity regenerated without any additional cost are there restrictions in these licenses are the restrictions like this user can only sign a given number of times in a year and then they have to pay more these are questions you need to ask how are these digital certificates these digital identities generated where are they sourced can I Source my own how are they renewed refreshed and most importantly revoked so if I have someone that I want to remove their signing capabilities how quickly and how efficiently can I remove their signing capabilities eight how are the users managed and were the associated system administrative costs so am I manually managing each of these users or is through the integration with active directory or ldap making my life easier so I can easily generate identities remove identities and renew identities on an annual basis nine how long ises it take to deploy the digital signature systems is it an OnDemand service so it is a SAS service where I register and start signing well if that's the case is it a dedicated service or am I sharing the service with tens or hundreds of thousands of other companies and then finally do you offer just the core digital signature engine and is this engine centralized or is a dist a distributed architecture if it's a shared service how robust is the service is there going to be a point when 10,000 companies are all using the same SAS service and performance slows down or bogs down or is no longer available so these are the 10 questions to ask of any vendor or any method that you plan on considering for digital signatures and finally is the architecture centralized I mentioned way back back when 15 years ago even 10 years ago digital signatures were largely depl deployed on pki Smart cards that people physically carried around with themselves in order for them to authenticate the sign this is a con a concept that's gone away and most of the modern-day digital signature systems are centralized servers so if you look at a basic Network there's lots of boxes lots of applications hanging off the network one of which is the user directory structure which is going to be integrated with the digital signature system that you deploy so this digital signature system is just another box another server it's hanging off the network as a single server or redundant servers and these servers are going to generate manage and secure these digital identities the signing Keys the digital certificates or ID cards and the graphical signatures of the signers in order to use these identities typically there's a software agent or client that's distributed out to the local PCS on the network that tells that PC anytime I want to sign a document I simply use the server that's connected to the network many people today also use a virtual server a VPN terminal server Citrix Etc and so the digital signature system should be able to work in this configuration so the agent is loaded to the server in any application software but the actual PCS Macs and Computing devices only have Citrix or terminal server access to the VPN server and all signing is possible and then from an integration with these Business Systems there should be software loaded onto the business system servers themselves but again for the local machines where the signing is going to take place there should be signing enabled only through a web browser with no local software on those smartphones on those tablets on those Macs on those PCS and finally just looking at the vendor landscape from our perspective the typical vendors we see out there that are both digital and electronic signatures I'll start with ourselves at ARX we would put ourselves at the right end of the spectrum as far as adhering to the compliance Choice control and centralized architecture that I recommended and we do have a large star we do have a large market share in this space so we are the 800lb gorilla in the room I would also be fair and say the cosign is in the middle of the road as far as cost and complexity so it's high functionality at a fair price now there are other pure digital signature Solutions including these qualified Casa these third party Casa even safe biopharma certified Casa which have in some cases similar functionality and some cases less functionality than sign but usually at a higher price and not not widely adopted now on the left hand side of the spectrum here is either low functioning digital signature Solutions or non-digital signature Solutions the lowest form of electronic signature would be something like Adobe Echo sign where there's no digital identities there's not even data Integrity checks included with the signatures one of the major electronic signatures SAS vendors is and I put further to the right here because my perception is that as they start to enter new markets is going to start to include digital signature functionality along with the existing proprietary electronic signature capabilities that they have so in summary digital signatures are not just a replacement for paper and Inc all digitally signed electronic records contain these three eyes data Integrity signer identity and signer intent Trust of signed documents is an easy process typically through a one-time trust ceremony between the recipients and the sign new organization digital signatures are used extensively throughout the market today within Enterprises and clouds and in choosing a proper digital signature solution you need to consider the five Cs which include compliance Choice control cost effectiveness and centralized architecture that's a wrap on my presentation today if you want to speak to me directly you can reach out to me at FDA atx.com and we're now going to open the floor to questions and we already see a bunch of questions from the audience yes Rod we have quite a few and we'll do our best to get them all addressed before the end of the event should that not happen I'll make sure that those questions are forwarded to Rod directly and he can answer them through email how does site Personnel such as investigators or coordinators get their digital signatures so that's a good question and my guess is that the question is more around how do we identity proof the investigators and the site Personnel before they're given credentials to sign with what we do at ARX is we usually recommend that you first Benchmark what's happening today what's happening today is that the regulatory packet or any document that site Personnel needs to signs is either t as hard copy paper or emailed as an email attachment that's then printed out the paper and then thisel sign that those pieces of paper and then FedEx or scan and email it back and at no time in that processes anyone ever witnessed that individual signed those documents or check their identity to make sure that that handwritten signature properly represents that individual now for site personnel it's Unique in that there's always going to be a CRA visiting that site at some time during site initiation and part of the ca's responsibility can be closing the loop on that identity proofing by checking the identity of those individuals during the kickoff meeting but even without doing that you can force the site personel to have to enter enough unique identifying information for them to either self-register El with the system or you can have the CRA or the project manager go ahead and generate an identity for them to use based on the ongoing and previous conversation with those individuals as far as how they sign we found is that a mandatory requirement for every investigator portal that we've worked on is that the signing needs to take place through a web browser so you don't want to have the investigators have to download any Insight software only Point them to a web application a web portal where they can go see documents listed and enter their username and password every time they want to sign we have another question relative to security with these systems how can you tell if it's the correct person or someone who is using your name could someone buy this software and create their own signature with your information at the at the most basic level where this might happen happen would be what's known as a self-signed certificate so I can go ahead today from my PC and create a self-signed certificate create an identity that has a trust network of one me and I can claim that I'm Barack Obama and even make up a email address for Barack Obama signed with this digital identity now anyone receiving this document when they click on the active digital certificate they're going to see that there is no trust Network and no organization from where this certificate came from and immediately identify that this is a self-signed certificate on the other hand a proper digital certificate used for signing has this full trust Network as part of the metadata self-contain within the digital signature in the signed document and typically this includes two or three levels that I can verify the individual the individual's organization and in some cases a third party that touches for both the individual and the individual's organization all right and we have a question specific to your slides what does the size of each decagon represent in in the chart where I tried to show some of the vendors the size of the star was a relative market share associated with each vendor for instance the largest stars were ax cosign as a digital signature vendor in life sciences the second largest star was docy sign which is an electronic signature vendor it also supports life sciences although they they don't support FDA regulated operations it's uh it's just a a popular application for signing of contracts and agreements and a question about differences what is the difference between digital signature and digital identity digital identity I'll I'll kick this up a level All Digital signatures and all the terminology I use today comes from a um a core concept a core set of standards known as pki public key cryptography you don't need to know what this is but it's a set of Standards using cryptographic algorithms to perform one of three things digital signatures authentication or encryption what I'm talking about today is the use of pki or digital certificates for digital signatures in the pki world you never use the same digital identity digital certificate for more than one function so if I wanted to use the same technology for authentication I may generate a digital identity for someone to authenticate with or if I want to encrypt something I may generate a digital identity for that person to encrypt with but you never use the same digital certificate digital identity to perform more than one of these functions so with digital signatures there is an embedded identity with that each signature known as the the digital certificate and it has one purpose for digital signing all right and here's a person with a little bit different problem for you to address what happens when I need to apply a digital signature with a centralized system and I'm not currently online or have internet access for example in some countries overseas what happens when that centralized service can't be reached right and this is a question that's come up it came up before even centralized or online only services in the old Smart Card World people would need to swipe their card physically and they could do this offline although they would need a smart card reader which isn't always the easiest thing what I can comment on is in the eight years I've been involved with ARX we've seen the availability of internet access to be much more prevalent in fact we have clients that do research out in little villages in Africa doing AIDS research and although internet access isn't available via internet service provider these people own themselves with phones that can get access and get them online to sign with but also vendors in general have a fail say for instance at ARX we also have a version that that can be used locally on an individual machine in an offline mode sounds like an excellent solution does the FDA have a list of e signature software that they approve or is there an easy way to tell software meets regulations by the FDA no they don't so under the electronic submissions Gateway I mentioned that for authentication purposes of the transactions of a submitt they they give you a few suggestions but for for the bulk of signing within an Enterprise the FDA doesn't doesn't have a list of vendors what what I will say is that they would never even if they could they would never have a list of 21 CFR part 11 compliant or validated products there's really no such thing compliance part 11 compliance in particular is not just about the product it's about the product and the way you and use and maintain that product so it's uh it's process procedure a documentation showing that you're adhering to those those policies and procedure and wrapped around the technology and that's what get you gets you compliance so the best example I always come up with is that with our product it can be used in a in an FDA compliant manner but if you choose to allow all of your employees to have the password 1 2 3 4 5 6 7 8 it's a system that's very easily hackable and breakable and no one would find that a reasonable approach nor a part 11 compliant approach okay and a question that gets down to the real nitty-gritty what is the typical return on investment or payback period associated with digital signatures yeah so I didn't address uh much of this still in my presentation whereas in the past I have and that's because I think the market in general understands and appreciates more the value of of digital signatures and in completing the Automation and the investments in the surrounding Technologies we do have some benchmarks though from our clients the typical payback period is six months but it depends on the application we've had clients that have gotten a payback period in 45 days but again it depends on the business process one of the more expensive processes is is clinical research Associates working for C signing trip reports and uh with these trip reports every trip report they FedEx back to the home office for a second signature than FedEx off through the sponsor so some of these large cro were spending half million 750,000 annually just in FedEx so obviously there's a very quick payback for applications like this the other area where this there's uh benefit is just in overall speed site initiation you need these regulatory packets signed by the investigator and if there's a bottleneck in getting the signatures from the site Personnel you could delay the study startup for a few days weeks months just because you don't have these sign documents excellent and perfect timing I see we've come up on the two o'clock hour Rod I want to thank you so much for your presentation and all of your colleagues there at ARX to our attendees thank you so much for taking the time out of your day to come and learn about this technology and its use in the field and I do hope on behalf of Bio it world and ARX that we'll see you at Future Global web symposia with that I'll sign off and say have a great day bye-bye