From the Experts | Montrium Services Blog

How Adobe Sign Empowers GxP Compliance for Life Science Companies

Written by Gianna De Rubertis | August 26, 2020 at 2:30 PM

More and more life sciences organizations are looking to leverage cloud-based e-signature solutions in order to remove their dependence on traditional paper-and-ink signatures. To enable an efficient signature process, tools like Adobe Sign help deliver verified and trusted electronic signatures anywhere, on any device.

Adobe Sign has been built with the necessary technical features and processes that have allowed them to complete the following certifications and attestations for Adobe Sign: SOC 2 Type 2, ISO 27001, PCI DSS, and FedRAMP tailored. In turn, a life science organization can leverage Adobe Sign features, and maintains the responsibility to implement controls that allow for compliance with 21 CFR Part 11.

With regulators around the globe mandating strict regulations around electronic signatures, solutions like Adobe Sign are in demand more than ever. Let’s dive into why that is, and how Adobe Sign is driving compliance at life science organizations.

Alleviating challenges: boundaries and bottlenecks

First, we’ll talk about some of the challenges we’re facing in the life sciences, from both a regulatory and technology perspective.

Our operating environment has changed. We’re outsourcing more than ever before, and life science teams are more geographically distributed than ever. This makes it difficult to collaborate on and sign documentation, in person and on paper. We have outdated, siloed, legacy document processes and systems that hinder efficiency and are also making this collaboration difficult. At the time we’re writing this, the world is largely working remotely, and more and more life science professionals have the option to work remotely. Information is difficult to exchange electronically without the right tools in place to share, manage, and sign documentation. We need the right tools that will help us remain productive anywhere, from any device to ensure that work continues.

Regulatory requirements today force us to validate systems used for electronic signatures and the management of electronic records. And we must demonstrate how the features and functions of these tools adhere to life science customers business needs and regulations, while ensuring that the system remains validated.

We need smarter solutions. In recent years, 30% of clinical trials were cited by the FDA because of data integrity-related violations of GxP Practices (GMP, GCP, GLP, etc.). Common violations include:

  • Forms that are incorrectly signed by the wrong individual
  • Missing signature logs
  • Forging of signatures or study-related documents

These violations can potentially hinder clinical development, drug development, and other life science GxP processes. Embracing digital transformation is paramount for creating innovative treatments. Many new challenges have been exposed because of the way we’ve been managing our businesses up until now. As illustrated by a McKinsey report, “The innovation and speed to market demonstrated by digitally enabled companies have exposed shortcomings in the R&D practices of more conventional businesses.” We can no longer work in the same way we did before.

Adobe Sign’s appeal to life sciences

Adobe Sign is an Adobe Document Cloud solution offered in a Software-as-a-Service (SaaS) model managed by Adobe. Adobe Sign can easily collect electronic and digital signatures from your co-workers and customers around the world so you can get to market faster and grow your business. Within the context of life sciences, Adobe Sign enables users to automatically send and sign documents using 21 CFR Part 11 compliant electronic signatures. Some of the benefits that come out of using the system include:

  • Minimizes risk by enabling a GxP regulated process
  • Deliver electronic and digital signatures anywhere, on any device
  • Convenient signing experience increases efficiency
  • Cost-effective in high-volume business contexts
  • Legally binding, just like traditional pen-and-paper signatures

More and more, organizations require highly reliable, flexible, and trustworthy solutions if they are to successfully modernize business processes while complying with relevant regulations.

In the life sciences, Adobe Sign can facilitate signing and approvals across a wide range of clinical, quality, internal, and external business processes. These use cases include clinical trial onboarding, quality inspections, vendor contracts, patient consent forms, procedural documents, training compliance, change authorizations, RFPs, regulatory approvals, and a whole lot more.

How does e-signature differ from digital signature?

So, what is the difference between an e-signature and a digital signature?

According to 21 CFR Part 11, an electronic signature is “A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.” An e-signature is a legal way to get consent or approval on digital documents and forms.

A certificate-based digital signature is a specific implementation of an electronic signature that uses a certificate-based digital ID to verify the signer’s identity and binds the signature to the document with encryption. Identity verification and issuance of a digital certificate is performed by an external trust services provider (TSP), an entity that is responsible for the creation, verification, and validation of digital signatures. Your vendor management procedures may require a formal assessment of the TSP in order to ensure that they comply with quality and service expectations.

As a digital signature is essentially a type of electronic signature, we will continue use the broader term electronic or e-signature throughout this article.

Shared responsibility and Adobe Sign capabilities driving compliance

Although accountability for regulatory compliance ultimately resides with the regulated entity, there is a shared responsibility with respect to implementation of controls that ensure the consistent intended performance of the SaaS application and allow compliance obligations to be met.

Given that Adobe Sign is a cloud-based system that is delivered to customers via a SaaS delivery model, the bulk of responsibility for ensuring the quality of the application resides with Adobe. However, each regulated entity must ensure the application is configured accordingly to make sure the right controls are in place. This table delineates the main activities and allocated responsibilities:

Moreover, the system is designed with regulatory capabilities in mind. 21 CFR Part 11 requirements can be satisfied using Adobe Sign when it is properly implemented to execute electronic signatures. Some of these processes and controls include:

  • Limiting system access to authorized individuals
  • Secure, computer-generated, time-stamped audit trails
  • Signatures include name of signer, date and time of signature execution, meaning associated
  • Enforce permitted sequential signing, as required
  • Controls to ensure authenticity and integrity
  • Accurate and ready retrieval of records

Let’s explore some features and controls that maintain compliance with 21 CFR Part 11 requirements more in detail.

Technical features and procedural controls: electronic signatures

Adobe Sign settings ensure that electronic signatures are linked to a user’s account with unique username (e.g. email) and password/passcode. Adobe Sign can enable identity challenges and enforce re-authentication at specified times, e.g. upon opening a document and completing a signature.

Signature delegation settings can be enabled. It is possible to enable delegation for internal users while leaving it disabled for external users.

Adobe Sign is equipped with Bio-Pharma settings. These are configuration settings used to satisfy 21 CFR Part 11 requirements with strict controls set for signing documents and identifying users. Bio-Pharma settings work with both electronic and certificate-based digital signatures and will dictate when your identity is challenged, while the other settings will dictate how you authenticate when your identity is challenged.

Bio-Pharma settings must be configured to enforce that a signing reason be provided at each signature and can also be configured to present a pre-determined list of signing reasons for the signer to choose from.

Source: https://helpx.adobe.com/ca/sign/using/reason-for-signature.html 

Signature manifestations display the required information:

  • The printed name of the signer
  • Date and time of the signature’s execution
  • Meaning associated with the signature (signing reason)

Once applied the signature cannot be amended or removed and changes cannot be made to the document without invalidating the signature

Example of signature manifestation:

Source: https://helpx.adobe.com/ca/sign/using/reason-for-signature.html 

As of the moment the first signature is applied to the agreement, the PDF document cannot be deleted, and the static document content cannot be modified by the Signer. Data fields, including text, drop down and a check box may be added in the document, should additional information capture be required prior to signing.

Technical features and procedural controls: audit trail

Adobe Sign generates an audit report for each document sent for signature which captures the identity of the user who sent the document for signature and each user who signed (full name and email address), and all audit trail entries with a date and time stamp recorded chronologically.

Audit report example:

Source: https://helpx.adobe.com/ca/sign/using/audit-reports-transaction-history.html

Once a record has been signed, the audit trail can be retrieved in PDF format along with the associated signed record. The audit report is certified with a digital certificate owned by Adobe – this ensures the origin and integrity of the audit trail and prevents tampering. It is also possible to obtain signed document records and their respective audit reports via API.

Technical features and procedural controls: data integrity and data protection

Data integrity can be split up into two areas; customer controls and Adobe Sign controls.

Regarding customer controls, Adobe Sign’s role-based identity management model means Administrators can assign permissions based on the user’s role (e.g. Administrator (account, group), Sender, Signer). As an Administrator, you can configure password rules only for Adobe Sign user accounts, and those rules apply if using Adobe Sign authentication. If you are using SAML Settings and allow SSO, your corporate identity provider takes precedence. So, for example, if you set it up to use Active Directory (AD) for SSO, then the AD settings will apply, typically set up by an AD administrator.

Those responsible for managing the transition to Adobe Sign should train personnel responsible for administering and using Adobe Sign in a secure and controlled manner according to internal procedures. Training contributes to an increased assurance that data inputs, processing, storage and outputs are managed for completeness, accuracy, and timeliness, covering all aspects of ALCOA principles of data integrity.

Adobe Sign’s built-in controls ensure data integrity, data protection, and risk management. User authentication mechanisms including basic and multifactor authentication can verify a user’s identity prior to granting access to the system. The system architecture is secured with encryption of data at rest (AES 256-bit) and in transit (HTTPS – TLS 1.2). Additionally, PKI (public key infrastructure) certifies final PDF documents with digital signatures before distributing the documents to all study participants.

As for disaster recovery, Adobe Sign has high availability and can tolerate system or hardware failures with minimal impact. Adobe has regional disaster recovery plans and creates an annual run book that outlines steps required to complete data center failover. The Recovery Point Objective in place is 2 hours and Recovery Time Objective is 8 hours.

Threat mitigation activities also make Adobe Sign a secure application. Third-party security firms perform penetration testing to uncover potential security vulnerabilities. Adobe documents vulnerabilities and evaluates their severity and priority and from there creates a mitigation strategy. Prior to each release, a highly trained security team performs risk assessment to identify insecure network setup issues across firewalls, load balancers and server hardware. Threat modeling exercises and vulnerability scanning are performed on the application layer and risk remediation plans are prepared by qualified individuals.

The Takeaway

Adobe Sign automates the signing process for life science companies to alleviate current business compliance bottlenecks. Life science companies can flexibly deploy electronic and digital signatures while complying with e-signature laws and regulations, including FDA 21 CFR Part 11. A few key benefits of Adobe Sign include optimizing GxP processes, shorter project timelines, reduced cost of clinical development, maintaining compliance and minimizing risk.

About Montrium Adobe Validation Services

Montrium’s Professional Services division provides expert consulting services related to cloud compliance and computer system validation. Montrium has produced a series of Validation Document Templates for Adobe to accelerate the validation of Adobe Sign and establish compliance with 21 CFR Part 11.

Our services make it possible to adapt each template to your organization’s unique requirements (e.g. Standard Operating Procedures, protocols) and prepare validation deliverables as part of a built-in framework for producing GxP signatures and records with Adobe Sign. Together with internal process owners and system managers, our validation experts work to ensure Adobe Sign is properly configured and maintained in a controlled state by executing the Adobe Sign Validation Pack.