Refer: 14 Unfulfilled Promises
In my post “FirstDoc & D2″ I told you all (breathlessly) that there was going to be a webinar where CSC were going to discuss their plans regarding EMC’s D2 interface.
Unable to Fulfil Due to a family commitment I was unable to attend this webinar. I had contacted with some people at CSC beforehand to to see if it would be recorded. The answer I got was “Yes”, but since then I have been advised that, because of the commercially sensitive nature of the webinar, it wasn’t. I certainly understand that that decision has been made. As such, though, I am not able to actually deliver on this promise.
In an earlier post I discussed how EMC’s are now licencing D2 technology from C6, and that this meant that CSC are having to change their user interface strategy.
Well…on Tuesday, 6th of March, there is a webinar that will reveal what has been going on “behind the scenes”.
Some of my favourite CSC people will be discussing CSC’s “new, improved” customer interface strategy as “FirstDoc embraces D2″ (their words, not mine).
I’ve been following this with interest for awhile, and I’ve registered for the webinar.
I’ll let you know all about it after the 6th.
Related articles
In my earlier post about the FirstDoc User Group conference that was held in Vienna earlier this year, I wrote about CSC’s User Interface strategy.
To recap – CSC produce technology that provides a compliance layer for content management systems. Although available for SharePoint systems (under the name “FirstPoint), the predominant application is “FirstDoc” which is built to work with, and integrate into, EMC’s Documentum.
The native FirstDoc client application is interwoven into Documentum’s client application and, as a result, CSC need to ensure that they shadow any architecture decisions EMC makes.
Over the last few years EMC have been making it clear that their way forward (with regards to their client applications) was to be with a technology called xCP. This would allow developers to create applications through configuring and then assembling components. The core idea is that “complex solutions are composed from interaction of Documentum objects with business processes”. Initially it was made clear that this technology was for case-based applications, but, the later versions were being promoted as the “interface solution”. (You can download EMC’s whitepaper on xCP here).
At the same time, EMC have announced that they had made plans to retire their current client application “WebTop”, and the idea was to replace it with xCP technology. CSC had been invited to be involved with version 2.1 of xCP to ensure that FirstDoc functionality could be tightly integrated with it.
At this year’s Momentum, however, EMC announced that they had licenced D2 technology from a French company called C6. (You can read the announcement here.) C6 have been EMC partners for a long time, and I recall seeing them at many previous Momentum conferences, where they have certainly caught people’s attention.
C6′s products work on the basis of “configuration“, and will be technology for “content-centric” applications.
C6 have also released x3, which is a “widget-based, agnostic browser, client interface that enables to extend the use of D2 Client to various browsers such as: Firefox, Safari, Chrome, Opera.”.
Obviously this will offer incredible advantages. Especially in this mobile-age, and especially for industries (such as Pharma), that, because of strict compliance requirements (and the overarching mindset that that brings with it), have not been as ”agile” as they could.
CSC have announced that they are working together with EMC to ensure that the tight integration between CSC’s FirstDoc client interface, and D2, will be maintained.
I am watching this space with interest…
I’ve just signed up for a webinar that KnowledgeLake are holding entitled “Realizing True Records Management with Microsoft SharePoint 2010“.
KnowledgeLake were gold sponsors at the SharePoint Best Practices conference that I went to in London earlier this year, and, I have to say, it was a top-notch event. I had visited KnowledgeLake’s booth and I’m curious about how good their product actually is.
So, it was with interest that I read the “Reasons I should attend“. These included the following:
Now, the first reason seems to be pretty standard when describing the virtues of any content management system. As is a demonstration, as well as hearing a customer case study..(Just change the name of the ECM system.)
What really grabbed me by the short and curlies was the second reason “Discover why SharePoint will succeed in records management where other ECM platforms have failed“. Now, this is interesting…I want to hear about this secret sauce that McSharePoint has.
Reason 4 is also one that got my attention. Here the phrase “enterprise approach” really stood out. I’ve been involved with SharePoint since 2007, and, coming from an ECM background, it was very evident to me that SharePoint 2010 is now being hawked as a bigger beast. And this is not only in the “functionality” of SharePoint 2010, but also in other ways. There are more “enterprise-level” whitepapers out now, and the official Microsoft SharePoint training is focusing more on the “business-side” rather than just pure technology.
I’ve registered for the webinar. I’ll be taking notes, and will try and report back on my findings.
Reference Links
I’ve been very aware of something for awhile now…and that is “I don’t know where I fit in”. However, it wasn’t until recently when I read Nick Inglis’ blog post that I really came to realise that my “problem” is actually not an uncommon one.
In his post Nick comments that when he’s speaking at a SharePoint event, he often gets categorized under “Other“.
This is because (as he states) the SharePoint world doesn’t quite have a place for those who do work with SharePoint but in an ECM/ERM/Governance capacity.
The Salem Consulting Group have made a list of “plausible” SharePoint roles. I have listed them below, and have added a quick description in between parentheses. These include:
(Note – The original post (authored by Ian McNeice) from Salem offers a more detailed description of these roles. The link is at the end of this post.
In Nick’s post, he describes an “Information Professional“.
These are the people that have been busy developing models of governance … and have been driving forward the conversation about how SharePoint can be used as a “proper” ECM (and yes, maybe even ERM) system.
Looking at Ian’s list, I think the closest role that matches this is the “Information Architect”. This is the person who insists on maintaining a correct classifications, taxonomies, etc while has expertise in document management, version control techniques, data retention polices, publication and archiving practices.
Being prompted by Nick’s post, and then looking through Ian’s post has certainly help me better “label” myself.
Prior to this, even though I have worked in the Document Management field for over 10 years, I could never find a way of describing my skill set to a “SharePointy” (is that what you call a SharePoint fan?). I can set up, and administer SharePoint sites. I can design user interfaces. I can set up farms, as well as write kick-ass documentation. But I could do more than that.
Thanks to Nick and Ian, I’m going to go and update my LinkedIn profile.
Excellent References
As mentioned – I didn’t get a chance to go to Momentum in Berlin this year.
However I was able to get a pretty good idea of what was covered thanks to the great streaming video that EMC had, as well as the great tweets that be “tweeted”, and the excellent blog posts that were written.
I’ve been to a few Momentum’s now, and while they are a great opportunity to really “talk” with the EMC people, and their partners, I always had the feeling that the things I heard, I had, more or less, heard at the previous Momentum, or that what was big one year, suddenly falls to the wayside.
Now I realise that changes to strategy get made all the time, and that new technology takes more than one year to design, develop and integrate, and it’s great to see that EMC is: a) responsive to changes in the market environment, b) keeping its customers well informed of the progress that they are making, but to mention a few examples…
It wasn’t until I spoke with a colleague, who made a similar comment, that I started to really think about this. Then I saw this tweet from Jed Spink that I realised that others also had the same thought.
@HimannshuSharma Nothing that new that I saw at #mmtm11 – perhaps others got more roadmap around SharePoint?—
Jed Spink (@jedspink) November 09, 2011
I appreciate that my view might not be a perfect one, and that there might be situations where I am wrong.
I want to hear what you think? Am I right? Or am I totally wrong?…
I’ve just discovered the EMC Momentum app. Even though I’m not at the conference – this looks like a great tool to have!
It lists:
Check out the maps of MMTM11
Watch videos from MMTM11
Man! What a great tool!
Read more about it here
(https://community.emc.com/thread/120187)
A reader has recently asked if I had any information on the differences between FirstDoc, FirstPoint and NextDocs.
To do a full feature-for-feature comparison of all the solutions is not something that I can easily do. However I have been able to get my hands on some great documentation, and can put together a “rough notes” comparison of the three solutions with regards to the core system, and how each solution complies with 21 CFR Part 11.
Note – this is version 2 of this post. After publishing the initial version, one of the vendors was able to provide me with a later version of their compliance statements. The table below has been updated as well as the Comparison PDF that can be downloaded. This is marked as Version 2. The link in the references still links back to the original compliance statement.
The FDA regulation, 21 CFR Part 11, is often update and modified. The documentation that I was able to find from CSC, and NextDocs appears to have been created at different times. As a result – I found some “discrepancies” between them. Sometimes the wording in the material I had, didn’t match the current version of the regulations. However, the “intent” is still the same.
I do not claim to be an expert in 21 CFR 11. Nor do I claim to be an expert in each of the different platforms/applications described in this post. I will list my references at the bottom this, but I make 2 recommendations:
Below I have listed each vendors response to each of the regulations outlined in 21 CFR 11.
This was compiled using information that can be found on the Internet. (I include reference links at the bottom of this post, as well as in the PDF.)
However, as mentioned – this is intended merely as a guideline. I encourage you to contact each of the vendors directly to get an updated statements of compliance, as well as information on server configuration/sizing & prerequisite software.
(Note to vendors – if you feel that there are errors, please let me know in the comments, and I will make the necessary corrections).
You can also click HERE to download a PDF version.
|
Subpart B – Electronic Records |
||||||
| 21 CRFR 11 Requirement | FirstDoc | FirstPoint | NextDocs | |||
| (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. | FirstDoc is developed in accordance with the CSC LS QMSadvantage™, an ISO 9001:2000 certified Quality Management System.QMSadvantage and FirstDoc have been audited by many pharmaceutical clients. As part of a formal vendor audit, CSC can provide evidence that FirstDoc is developed and tested in accordance with QMSadvantage.
FirstDoc has been validated by many clients. CSC offers a validation package (consisting of validation plan, traceability matrix, and IQ/OQ/PQ protocol templates and OQ protocols) with each release of the FDRD, FDQ&M, and FDTMF products. |
FirstPoint is developed in accordance with the CSC LS QMSadvantage™, an ISO 9001:2000 certified Quality Management System. QMSadvantage™ has been audited by many pharmaceutical clients. As part of a formal vendor audit, CSC can provide evidence that FirstPoint is developed and tested in accordance with QMSadvantage™.FirstPoint is “validation ready” for its clients upon completion of installation and configuration. Full IQ, OQ validation scripts, a PQ template and supporting services available from CSC for interested clients. | Validation is ultimately the responsibility of the client as validation can only be performed in the environment in which the software will be used, and against specifications defined by system users.NextDocs offers a validation toolkit to streamline the validation process.
The toolkit includes a sample validation master plan and traceability matrix, ready-to-run scripts for IQ and OQ, summary report templates, and sample PQ scripts. NextDocs also has standard professional services packages that include assistance with validation planning, PQ script preparation, and managing PQ script execution and documentation activities. |
|||
| (b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. | Documentum will satisfy this requirement in conjunction with a company’s records management policy. Features of Documentum that support generation of accurate and complete copies in human readable form include the generation of PDF renditions and the ability to view and print these renditions in accordance with a system’s defined security rules.Additional support for this requirement is provided by FirstDoc’s automatic PDF rendition generation feature. Each time the content of a document is modified and the modifications checked in, FirstDoc generates a PDF rendition from an approved rendition generation station if the format supports transformation to PDF. Automatic transformation to PDF ensures that all documents will be readable in the foreseeable future. | FirstPoint satisfies this requirement by managing accurate and complete copies of files in human readable form with the tight integration with the Microsoft Office Suite of products and the generation of PDF renditions and the system generated and maintained metadata. The system also provides human readable audit trails and reports. The ability to view and print these files and associated metadata is managed in accordance with a system’s defined security rules.All relevant records are maintained in their native file format within a robust MS SQL database and MS SharePoint environment. FirstPoint generates a PDF rendition from an approved rendition generation station, if the format supports transformation to PDF. Automatic transformation to PDF ensures that all documents will be readable into the foreseeable future.
|
Actual generation of records is a client responsibility. NextDocs facilitates generating copies of records by:
|
|||
| (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. |
|
Documents may be retained in the system throughout their retention period through the use of a built-in lifecycle management system.FirstPoint applies robust security across the entire lifecycle, which prevents and limits approved or historical records from being deleted or modified except by specifically designated users. A document restore feature is available to the system administrator that allows for the retrieval of deleted records.
All FirstPoint content is retained for retrieval until some business rule criteria has been meet to trigger the destruction. Records retention fun includes the ability to purge specific cycles of minor or major versions at the Library Level and purge working comments and draft comments after a specified retention period.
|
NextDocs systems automatically “lock down” official versions of documents so that they cannot be deleted or modified without following system configurable change control procedures. | |||
| (d) Limiting system access to authorized individuals. |
|
In general, an SOP is needed to define the roles and responsibilities for the administration and maintenance of the groups and users for the system and/or network permissions. | Access to NextDocs can be controlled by configuration. Security can be configured to use Active Directory or Active Directory Lightweight Directory Services accounts or accounts created within SharePoint. Internal users with on-premises deployments can access NextDocs applications through single sign-on without requiring additional system login unless performing a signature related action in the system.Alternatively, if a client’s Part 11 interpretation requires explicit sign-on to access the system, single sign-on can be disabled. Internal users with hosted deployments access NextDocs applications by providing a user name and password.
External users access NextDocs applications by providing a user name and password. Depending on a client’s security set-up, Virtual Private Network (VPN) access may be required as well. |
|||
| (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. |
|
NextDocs records:
Audit trail entries include event, user name and server-based time/date stamp. Local time/date stamps can also be configured if desired. Audit trail records are retained indefinitely unless manually purged from the system. NextDocs also provides access to and copying of the audit trail. The audit trail can be saved to Excel with a single click for advanced sorting, filtering and analysis. |
||||
| (f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. | These checks are implemented within a number of system functions. They include client-defined control over:
|
These checks are imple mented within a number of system functions. They include client control over:
|
These checks are implemented in a number of areas. Some examples include:
|
|||
| (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. | These checks are implemented within a number of system functions. They include client-defined control over authorization for:
|
A series of authority checks are implemented within system functions. They include the following client defined controls:
|
These checks are implemented in a number of areas. Some examples include limiting the following to authorized users:
|
|||
| (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. | This requirement in general does not apply to FirstDoc since the system does not have any functionality where information is valid only when entered from specific terminals. If a specific client has this requirement, CSC will address the requirement for that client. | This requirement in general does FirstPoint since the system does not have any functionality where information is valid only when entered only from specific terminals. If a specific client has this requirement, CSC will address the requirement for that client. | This requirement does not apply to NextDocs since the system does not have any functionality where information is valid only when entered from specific terminals. | |||
| (i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. |
|
NextDocs maintains resumes and training records s to provide evidence that our employees who develop and deploy our software are trained and qualified to do so.NextDocs also provides client-specific training documentation to help our clients comply with this requirement. We also offer end user training, train-the-trainer training and administrator training. | ||||
| (j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | N/A | This requirement is not applicable at a system level but requires a procedure to be implemented by the client. | Client responsibility | |||
| (k) Use of appropriate controls over systems documentation including:(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. |
Electronic audit trail for the appropriate document types must be enabled if documentation is maintained in electronic format. |
|
NextDocs’s documentation is maintained in our configuration management system and available for review during audits.However, ultimately it is the client’s responsibility to control system documentation in their environment.
NextDocs’ release notes describe the names and versions of documentation that apply to each product release. In addition, each client receives documentation specific to their NextDocs implementation. |
|||
| § 11.30 Controls for Open Systems. Same as § 11.10 plus document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. |
|
CSC believes the FirstPoint products are a closed system so section 11.30 is not applicable. | NextDocs systems that are hosted may be considered open based on the specific circumstances and the client’s 21 CFR Part 11 interpretation. The use of digital signature is available in all NextDocs products to fulfill the additional requirements imposed on open systems. | |||
|
Subpart B – Electronic Records |
||||||
| 21 CFR 11 Regulation | FirstDoc | FirstPoint | NextDocs | |||
| Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. |
|
Signatures are bound directly to a specific version of a document.NextDocs digital signatures are based on Public Key Infrastructure (PKI) and are a result of a cryptographic operation that guarantees signer authenticity, data integrity and non-repudiation of signed documents. The digital signature cannot be copied, tampered or altered.
Digital signatures appearing in a document automatically appear as invalid when the document changes in any way. During change control the signature is removed for the draft version in anticipation of future approval and signing. |
||||
|
Subpart C – Electronic Signatures |
||||||
| 21 CFR 11 Regulation | FirstDoc | FirstPoint | NextDocs | |||
| (a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. |
|
Since NextDocs is generally implemented such that user credentials are supplied via Active Directory (or Active Directory Lightweight Directory Services), compliance is built in.Active Directory will ensure that a user name cannot be re-used within a given domain, and provide the ability to disable (rather than delete) users who are removed from the system. By maintaining a record of previous users, reuse of user IDs will not be possible.
NextDocs signatures authenticate the content of documents by attributing the signer to the signed document. Every signer is identified by an issued certificate (or by that of an external trusted entity). This identification is based on the fact that the user is a recognized employee in the organization. |
||||
| (b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. | The client will need SOPs on establishing and maintaining user profiles as applied to the verification of a user identity. | This requirement needs to be met with a client’s business processes. CSC can help establish work instructions or training procedures to assist with the on-boarding process | Client Responsibility | |||
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
|
|
Client Responsibility | ||||
|
Subpart C – Electronic Signatures |
|||||
| 21 CFR 11 Regulation | FirstDoc | FirstPoint | NextDocs | ||
| (a) Electronic signatures that are not based upon biometrics shall:(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. |
NoteContact CSC directly for their comments on how FirstDoc meets this regulation.
|
FirstPoint incorporates the user’s network account and password for general access to the system, which is also used for electronic signature approval. FirstPoint requires the re-entry of both identification components (user ID and password) each time an electronic signature is executed.. | Each time a signature is applied, both a user name and password are required.NextDocs supports a configurable automatic time-out during periods of system inactivity. This time-out will also end a user’s continuous and controlled access to the system. | ||
|
FirstDoc can support the use of biometric solutions through customizations. Customizations for biometrics are not in the scope of this document. | FirstPoint can support the use of biometric solutions through customizations. Customizations for biometrics are not in the scope of this document. | NA – Biometrics are not used by NextDocs. | ||
|
Subpart C – Electronic Signatures |
||||||
| 21 CFR 11 Regulation |
FirstDoc |
FirstPoint |
NextDocs |
|||
| (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. |
|
See item § 11.100 (a). | ||||
| (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). |
|
This is a client responsibility, generally achieved through settings in Active Directory. Windows and Active Directory infrastructure can enforce password policy for complexity and expiration. Windows integrated authentication and Basic authentication can leverage this automatically. | ||||
| (c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. |
|
NextDocs does not make use of tokens, cards, and other devices that bear or generate identification code or password information.Windows and Active Directory administrators can deactivate users, change users’ passwords, or require users to change passwords after issuing a temporary password. Windows integrated authentication and Basic authentication can leverage this automatically | ||||
| (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. |
|
This is a client responsibility, generally achieved through settings in Active Directory.The Microsoft Windows family of products can audit logon changes and failed attempts. Group policy can enforce account lockout policy to help to prevent brute force password guessing. Lockout policy is based on failed attempts for a time window and users can be locked out for specified times before they can attempt again (or not). | ||||
| (e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. |
|
NextDocs does not make use of tokens, cards, and other devices that bear or generate identification code or password information. | ||||
Audit Trail Functionality
Audit Trails is an included feature in FirstDoc. Documentum has its own audit trail capabilities, with FirstDoc adding on to Documentum’s audit trail system. Table 3 discusses the Audit Trails functionality that FirstDoc provides in support of 21 CFR Part 11.
|
Subpart C – Electronic Signatures |
||||||
| 21 CFR 11 Regulation | FirstDoc | FirstPoint | NextDocs | |||
| (a) Use of secure, computergenerated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. |
|
|||||
| (b) Use of appropriate controls over systems documentation including: 1. Adequate controls over the distribution of, access to and use of documentation for system operation and maintenance. 2. Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. |
|
|||||
CFR – Code of Federal Regulations Title 21
(http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm?cfrpart=11)
21 CFR Part 11 Compliance Position for FirstDoc Applications
(https://developer-content.emc.com/marketplace/collateral/white_papers/CSC_FirstDoc21CFRComplianceWhitePaper.pdf)
21 CFR Part 11 Compliance Position for FirstPoint
(http://download.microsoft.com/documents/France/Entreprises/2010/CSCFirstPointLivreBlancAnglais.pdf)
21 CFR Part 11 Challenges and Solutions - NextDocs
(http://www.nextdocs.com/en-us/White%20Papers/WhitePaper-21CFR11.pdf)
21CFR11 Comparison of FirstDoc, FirstPoint & NextDocs
(http://markjowen.files.wordpress.com/2011/10/21cfr11_compliance-comparison_v21.pdf)
This year’s EMC’s European Momentum is being was held in Berlin.
The Momentum conference is something I have always tried to attend. It is a great opportunity to:
Hopefully I will be adding to this page as I find more excellent ways to “be there” (virtually).
Also check out my Google+ stream. I’ll post regular updates there as well. (https://plus.google.com/u/0/110973870217970854594/posts)
