• Viewing records in native electronic format with any computer running one of several supported browsers.
• Allowing records to be exported by dragging and dropping to any desired file system location
• Providing sophisticated controlled, uncontrolled and clean copy printing capabilities

• Documents may be retained in the system throughout their retention period, or an archiving process developed to store them outside the system. Documentum’s built-in archiving capability can be used to migrate content offline while maintaining metadata in the docbase.
• FirstDoc uses Documentum’s robust security, which limits the capability for modifying and deleting records to designated users. FirstDoc automatically applies security to Approved documents that prevents them from being deleted or modified.
• The FirstDoc product also includes an optional Records Management module which implements retention policies and allows deletion of records which have reached the end of their retention periods in accordance with a standard process.

• The underlying Documentum application implements a secure username and encrypted password (generally the network password) to limit access to authorized individuals.
• FirstDoc augments Documentum security by providing automatic application of a client’s defined security scheme. Users cannot modify security outside of the rules defined by the client.
• FirstPoint provides a secure username and encrypted password for all users in addition to the network access/password system.
• FirstPoint augments the SharePoint basic Library level security by allowing permission sets to be applied based on any metadata in the system. This allows for content to have a more granular security model based on role, site, project, product etc, and allows for confidential documents to have a restricted access permission set.
• FirstPoint also provides application level rights to system and business administration function such as setting up workflow and other business rules templates.

• FirstDoc uses the Documentum audit trail capability augmented by audit trail entries produced for custom FirstDoc events. Example events include checkin, save, destroy, status change and user acknowledgements, such as review and approval outcome — including electronic signature. Since the audit trail must be maintained for the life of the record, Documentum’s Purge Audit Trail capability should not be used unless the audit trail has been migrated offline as controlled by a client’s SOP. Note: This assumes that the approved record is the electronic record. Audit trail entries for draft, minor versions of records can be deleted using the FirstDoc purge minor version functionality if the clients’ policies dictate.
• FirstDoc provides thecapability for authorized users to change document metadata on approved records. In this case, an audit trail entry captures the previously recorded values so they are not obscured.
  • SharePoint records all events that occur on documents, the time and date of the and the username of individual (or system account) performing the action.
  • FirstPoint also provides a preconfigured, system generated audit trail report for each document that records the date/time of all critical events that occur during the entire of the document or record from creation, review and approval.
    The username of the individual (or system account) who invoked each action during the history of the document is also shown in the audit trail report.
    Information pertaining to previous document will continue to be displayed in the audit trail report, even as new versions of the document are created.
  • The audit trail report is presented as a single viewable and printable file.
  • The audit trail report is systematically generated, and cannot be overwritten or otherwise modified by any user.

• Record modification events including check-in and check-out.
• Move, copy, delete and undelete events.
• Electronic/Digital Signature events.
• Lifecycle promotions and demotions
• Workflow events
• Permission changes
• Record viewing (configurable).

Audit trail entries include event, user name and server-based time/date stamp. Local time/date stamps can also be configured if desired.

Audit trail records are retained indefinitely unless manually purged from the system.

NextDocs also provides access to and copying of the audit trail. The audit trail can be saved to Excel with a single click for advanced sorting, filtering and analysis.

1. Enforcing the use of approved templates only in creating documents
2. Limiting property values to predefined dictionary lists wherever possible
3. Requiring entry of mandatory attributes
4. Enforcing storage in a pre-defined hierarchy (cabinet/folder structure)
5. Enforcing a defined document lifecycle and approval process
6. Ensuring that all required electronic signatures are obtained (if electronic signatures are used)

• The use of approved templates in creating documents/records.
• Predefined metadata dictionary lists which structure dependent valid choices.
• Enforcement of mandatory metadata fields where required.
• Enforcing a defined document lifecycle requiring a specific, defined review and approval process via document workflow
• Enforcing the review and approval of the PDF rendition of the document, since that is generally considered to be the approved electronic record
• Ensuring that all required electronic signatures or electronic approvals are obtained using systematic participant selection and voting rules.

• Ensuring that documents follow a defined lifecycle
• Ensuring that workflows are used when needed to move a document through its lifecycle
• Ensuring that documents are properly set up to display digital signatures before they can be signed
• Ensuring that all required signatures are collected before a document is approved
• Ensuring that documents meet requirements such as having a valid PDF rendition before becoming approved or effective
• Ensuring that all required metadata is entered for a document
• Enforcing the use of approved templates for authoring
• Limiting pick lists to appropriate values when creating or modifying document properties

• Document creation
• Document access (delete, write, read, etc.) (via ACL security)
• Changing status
• Initiating and participating in the review and approval process
• Signing documents (if electronic signatures are used)
• Establishing document relations including change request relationships
• Performing various types of business administration functions including dictionary maintenance, training record control, etc.

• Network access with unique ID and password controlled at the operating system level.
• The SharePoint permission model controls document security at the Library (a collection of documents) and for draft versus approved documents.
• FirstPoint enhances this security model which allows additional security layers to be implemented based on document metadata. This is useful for documents required restricted, confidential controls.
• Documents that are part of a workflow process receive enhanced security in that only those selected participants have access to the in progress document.
• System configuration, maintenance and other types of business administration functions are accessed only by those individuals with specific access rights.

• Modifying a document’s content or properties
• Initiating or participating in workflows
• Applying digital/electronic signatures
• Modifying system configurations
• Generating controlled or uncontrolled copy prints
• Modifying essential information, such as study investigators
• Approving requests for system access

• CSC maintains resumes and training records on all team members.
• CSC provides training to key client team members including business users, business administrators, and system administrators.
• Upon request, CSC can provide developer training to non-CSC developers employed by the client.
• CSC maintains resumes and training records for all its team members.
• CSC will also help generate training records to track any training it provides to the client’s personnel.

• CSC will provide the client copies or access to system documentation corresponding to the licensing agreement and version of the product.
• CSC maintains a strict version and change control methodology for its product, product related documentation and training materials.

• If the system is judged to be an open system, it would require encryption and digital signature standards. This is not part of FirstDoc and can be contracted as an option if needed.

Subpart B – Electronic Records
§ 11.70 SIGNATURE/RECORD LINKING

• Signature information is stored as document properties.
• Signature information is also displayed as non-editable properties on the Properties screen.
• • Signaturesare removed when a documentis edited, copied, or otherwise modified.
  • Electronic signatures can only be applied to a documentrecord through the administrator-configured workflow process and the proper execution of approval rules.
  • The signature page is fused to the PDF rendition of the document and cannot be excised from the document.
  • Signature information is also retained as non-editable data in the database and is displayed in the document’s audit trail report.
  • When a document is revised or copied, the signature page is removed from the new version of the document.

• The client will need an SOP on establishing and maintaining user profiles as applied to the assigning of a unique ID code/password combination to only one individual and maintaining a list of user profile information in perpetuity.
• Documentum can assist with this via the ability to disable (rather than delete) users who are removed from the system. By leaving the users in the system, but disabling them, re-use of their user IDs will not be possible.
• The network operating system ensures a unique userid which is used to execute the electronic signature.
  FirstPoint allows the administrator to lockout or disable accounts, as well as delete users from the system.

1. The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
2. . Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer’s handwritten signature.

• The client will need to submit a letter to the FDA certifying that they consider electronic signatures are the legally binding equivalent to handwritten signatures.
• The client will need SOPs on establishing and maintaining user profiles showing that a given individual accepts that the electronic signature is the legally binding equivalent of handwritten signatures.
• This requirement needs to be met with a client’s business processes.

(2) Be used only by their genuine owners; and

(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

• (b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

• Documentum and Unix/Windows Server will provide most of this functionality. See Item § 11.10 (a).
• The client will need an SOP on establishing and maintaining user profiles.
• The client’s network user authentication methodology provides this functionality.

• Both Trusted Unix and Windows Server can be used to require periodic aging of passwords.
• The client will need an SOP on establishing and maintaining user profiles.
• The client’s network user authentication and password encryption methodology provides this function

• The client will need an SOP covering loss management for passwords.
• If devices are used, the client must have an SOP covering loss management.
• NA

• Both Trusted Unix and Windows Server can be used to disable user accounts after a configurable number of unsuccessful attempts.
• The client will need an SOP containing the procedure for reactivating accounts.
• The client’s network user authentication methodology provides this functionality.
• Windows can disable user accounts after a configurable number of unsuccessful attempt

• If such devices are used, the client must have such a policy in place.
• NA

• • FirstDoc uses the Documentum audit trail capability augmented by audit trail entries produced for custom FirstDoc events. Example events include check-in, save, destroy, status change and user acknowledgements, such as review and approval outcome — including electronic signature.
• • Since the audit trail must be maintained for the life of the record, Documentum’s Purge Audit Trail capability should not be used unless the audit trail has been migrated offline as controlled by a client’s SOP. Note: This assumes that the approved record is the electronic record. Audit trail entries for draft, minor versions of records can be deleted using the FirstDoc purge minor version functionality if the clients’ policies dictate.
• • FirstDoc provides the capability for authorized users to change document metadata on approved records. In this case, an audit trail entry captures the previously recorded values so they are not obscured.

• • Electronic audit trail for the appropriate document types must be enabled if documentation is maintained in electronic format.