Key takeaways
- USDM partnered with DocuSign to build the requirements that let electronic signatures and records meet 21 CFR Part 11 expectations.
- The USDM Validation Accelerator Package (VAP) delivers a complete GAMP® 5 risk-based validation set so customers go live quickly, cost effectively, and compliantly.
- Because DocuSign is a multi-tenant cloud platform, USDM analyzes every scheduled release in advance and supplies a detailed cGxP impact report with clear remedial actions — keeping you compliant after go-live, not just at go-live.
- Many customers now have USDM execute the required monthly testing for a true "fire and forget" approach to maintaining compliance.
Back in early 2014, USDM and DocuSign first embarked on the partnership that has seen over 50 life sciences companies begin using DocuSign with the 21 CFR Part 11 add-on. Initially, USDM was approached by DocuSign to drive the creation of a set of requirements that would, once built into the system, ensure that 21 CFR Part 11 regulations around electronic signatures and records could be met.
To achieve this, USDM drew on a pool of knowledge from personnel in every area of the life sciences ecosystem — from current and past FDA employees to people who have worked in the industry commercially and in a consultancy capacity for over 25 years. The requirements for the system were drawn up, and the engineers at DocuSign got to work building the solution.
Building the Validation Accelerator Package for DocuSign Part 11
While this was in progress, USDM also got to work building out our Validation Accelerator Package (VAP) for DocuSign Part 11, consisting of a set of complete processes and protocols based on GAMP® 5 risk-based validation methodology. Included are the Validation Plan, User and Functional Requirements, Risk Assessments, Test Protocols for IQ and OQ, Trace Matrices, System Admin and Change Control SOPs, and Summary Report. Also included — to take advantage of the work DocuSign puts in to operate “compliant ready” software — was an audit of the DocuSign headquarters and their data centers, both in the US and now in Europe. That kind of vendor and data-center scrutiny is exactly the discipline life sciences teams expect from rigorous third-party risk management when they entrust regulated records to a cloud provider.
The VAP was and is designed to get customers live quickly and cost effectively, and in a compliant manner. But once that state of compliance is reached, it must also be maintained. Since DocuSign is a multi-tenant cloud system, the updates DocuSign makes per scheduled release (monthly service packs and quarterly releases) have a potential effect on every user’s compliant state.
Getting live compliant is only half the job. Because DocuSign is multi-tenant, every scheduled release can touch your validated state — so compliance has to be a continuous activity, not a one-time event.
Staying Compliant After Go-Live
USDM takes this worry out of the customer’s hands. We analyze the releases on your behalf and produce a detailed report prior to each release, based on early access to the upcoming changes, containing all updates, any that are considered cGxP in nature — and why — and also a rationalization for those not considered cGxP. Further analysis on the cGxP changes is conducted to ascertain if they relate to core platform changes (and hence potentially impact everyone), or if they are perhaps bug fixes or enhancements to optional elements that the majority of customers do not currently use.
Remedial actions are then drawn up — including the creation of or updates to requirements, the risk assessment thereof, and any new or regression tests deemed necessary commensurate with that risk. A clear instruction in each report is given as to the actions to be taken. For example: “Change 12345 — execute test script 7.1 steps 1 thru 12 contained herein.” This risk-based, test-only-what-changed cadence mirrors the principles behind computer software assurance (CSA) — focusing assurance effort where the risk to patient safety and product quality actually lives.
USDM point of view: Protecting electronic signatures and records is ultimately about protecting data integrity in life sciences. By analyzing each DocuSign release before it ships and prescribing exactly which tests to run, USDM keeps your validated state intact so that the records you sign today still hold up to inspection tomorrow.
As time has passed, more and more of USDM’s customers are requesting that USDM actually perform any monthly testing required — and simply provide a fully executed report with completed test scripts (executed within the customer’s own test environments) for customer review and approval. This gives a true “fire and forget” approach to compliance and lets customers get on with the job of helping people and not have to worry about keeping systems up to date — which, let’s be honest, is one of the reasons people are moving to the cloud in droves.
Faster Go-Live, From Weeks to One Week
USDM and DocuSign are always working on improvements to the solution and to the way it is implemented and validated. While standard projects for simple use cases take around 4 to 6 weeks from start to finish using the VAP, it is possible — even with complex use cases — to go live in less than 3 weeks (demonstrated with a global biotech company with multiple integrations and single sign-on requirements). And if you just want an out-of-the-box, non-configurable solution that gives you simple Part 11 compliant e-signatures on any documents you can upload, then USDM is working on a solution that can get you there (and be compliant and maintained as such) in as little as 1 week.
How USDM keeps DocuSign “compliant now, compliant forever”
- Validate fast. The Validation Accelerator Package delivers a complete GAMP® 5 risk-based validation kit — plan, requirements, risk assessments, IQ/OQ protocols, trace matrices, SOPs, and summary report.
- Audit the vendor. Headquarters and data-center audits (US and Europe) leverage DocuSign’s “compliant ready” posture.
- Analyze every release. Each monthly service pack and quarterly release is reviewed before it ships; cGxP changes are flagged and rationalized.
- Prescribe remediation. New or regression tests are scoped to the actual risk, with explicit, step-by-step execution instructions.
- Optionally execute it for you. USDM can run the monthly testing and hand back a fully executed report for your review and approval.
Leveraging DocuSign’s testing activities, and the clear and concise documentation they are producing to demonstrate that the development of the solution is in line with regulatory expectations, enables USDM to provide compliant solutions very quickly and inexpensively.
USDM as Your Compliance-Savvy Success Architect
USDM is also in a unique position as the “compliance savvy” go-between for you and DocuSign. Because we analyze the changes on a regular cadence, using established and honed procedures, we are able to ascertain the elements that are not in “common use” by the majority of end users. From this standpoint we are able to act as success architects for you, to help determine the elements of the system that may in fact benefit your business — and that you may not, without our analysis, even be aware of. We can determine the specific elements that would fit your business and recommend you begin utilizing them for specific use cases to save you even more money and time. We can even provide example ROIs for the processes — in case you need even more convincing that all this cloud stuff really is a good idea and is here to stay — and all of course in a compliant now, compliant forever way.
This managed, release-by-release approach is the same philosophy behind USDM Cloud Assurance: keep validated cloud systems continuously compliant so your teams never fall behind the next update.
FAQ: USDM and DocuSign Part 11 Compliance
What is the USDM Validation Accelerator Package (VAP) for DocuSign?
The VAP is a complete set of GAMP® 5 risk-based validation deliverables — Validation Plan, User and Functional Requirements, Risk Assessments, IQ/OQ Test Protocols, Trace Matrices, System Admin and Change Control SOPs, and a Summary Report — designed to get customers live on DocuSign quickly, cost effectively, and in a compliant manner.
How does USDM keep DocuSign compliant after go-live?
Because DocuSign is a multi-tenant cloud system, its monthly service packs and quarterly releases can affect a customer’s validated state. USDM reviews each release in advance, flags and rationalizes any cGxP-relevant changes, and prescribes the specific tests to run — so compliance is maintained continuously, not just at the initial go-live.
How fast can a DocuSign Part 11 solution go live with USDM?
Standard projects for simple use cases typically take about 4 to 6 weeks using the VAP. Complex use cases — including multiple integrations and single sign-on — have gone live in under 3 weeks, and USDM is working on an out-of-the-box, non-configurable Part 11 e-signature solution that can be live in as little as 1 week.
Can USDM perform the ongoing monthly testing for us?
Yes. Many customers now have USDM execute the required monthly testing in the customer’s own test environments and deliver a fully executed report with completed test scripts for review and approval — a true “fire and forget” approach to maintaining compliance.
What is 21 CFR Part 11 and why does it matter for e-signatures?
21 CFR Part 11 is the FDA regulation governing electronic records and electronic signatures in regulated industries. Meeting its requirements is what allows DocuSign e-signatures and records to be used in cGxP processes, which is why USDM built the original requirements into the platform and validates them on an ongoing basis.
Ready to go live — and stay compliant? See how USDM can build out the DocuSign Part 11 solution you need to save time and money. Contact our team to get started, or explore USDM Cloud Assurance to keep every validated cloud system compliant now and compliant forever.
About the Author
David Blewitt is the Vice President of Cloud Compliance at USDM Life Sciences. David is an accomplished life sciences regulatory and IS compliance professional with extensive hands-on and leadership experience in the pharmaceutical, medical device, biotech, and blood management industries, specifically in the fields of computer systems validation, risk management, issue investigation — root cause analysis and remediation, quality assurance, software development lifecycle, lean IS compliance enhancement initiatives, business analysis, product lifecycle management, and systems/process analysis with compliance roadmap development.
About USDM Life Sciences
USDM Life Sciences is a global life science and healthcare services company, providing strategy and compliant technology solutions to regulated industries. If you work in life sciences or healthcare, partnering with USDM Life Sciences makes it easy to accelerate innovation and maximize productivity. USDM Life Sciences only focuses on regulated industries and has built trusted partnerships with the most innovative technology companies in the world, and boasts a staff of industry-leading experts in the areas of technology and compliance.
