This weekend our SAFE signing solution will go live on codeplex. It is a complete reference implementation that will allow you to apply SAFE Digital Signatures to your documents that you need to exchange with partners or submit to the FDA

here is the URL but note that the page will only be live from Monday onwards: SAFE Signing Interface for Office 2007 and Vista

George writes about what he saw around SharePoint at DIA on his blog: http://laszloletter.typepad.com/the_laszlo_letter/2007/06/is-sharepoint-r.html

I think he is right on the money and you will hear about these two solutions and others in the next few months.

Our white paper for guidance for a 21 CFR Part 11 implementation on Microsoft Office SharePoint Server 2007 is finally available for download. It is available through our new Life Sciences site on MSDN. However if the link disappears from the main page here is direct link to the download:

http://download.microsoft.com/download/d/f/b/dfb85977-02a6-4f12-a7d0-22c16c5fb943/SharePointConfigGuidanceFor21CFRPart11-doc.zip

Tomorrow (24th) I will be in Philadelphia at the Industry and Health Authority Conference on SAFE™ Digital Signatures and Identity Management to talk about our SAFE digital Signature solution for Office 2007, Vista and Windows 2008 server.

I am a bit thinly stretched right now but I will post a detailed description of our solution here in the next few weeks. If you have more urgent needs just reach out to me and I will try to help you.

Send me an email at marcd at microsoft dot com if you want to hook up for lunch

Here is a quote I took out of an email from Daniel O'Connor late yesterday. Daniel is a VP at Zorch Software who was doing demo's in our booth at DIA-EDM.

We enjoyed joining Microsoft at the DIA EDM conference this past week.  It is exciting to see the growing interest in Microsoft as a platform to solve regulated document/content management, submission management and collaboration needs in the pharmaceutical industry.  The founders of Zorch have known for some years that the SharePoint “tsunami” would happen and now we are starting to see and experience this wave of change.  Many potential customers approached us about Microsoft Office SharePoint 2007 and what is the potential for them to solve specific problems.  Everyone I spoke with was very eager about learning more about SharePoint. From large, multinational pharmaceutical companies to small, innovative biotech companies, there is a growing need for next generation, easy-to-use and cost effective regulatory content and submission management.  Microsoft’s move into the life science industry is seen as an extremely positive move.  Get ready for the tsunami!

Well I guess we better get ready for the MOSS 2007 Tsunami...

Here is a picture of Les Jordan, the Life Sciences Technology Strategist from Microsoft, and Melonie Warfel, Director WW Standards and Life Sciences from Adobe, giving each other a nice hug at the start of the SAFE digital signature workshop at DIA-EDM in Philadelphia.

I am very happily surprised at the impact of SharePoint at DIA-EDM. It is amazing how many partners have already SharePoint related solutions or are interested in having their solution support SharePoint. More than one partner has approached me on how to best support SharePoint besides LiveLink and Documentum. When asked why they mentioned customer demand as the main reason.

It definitely seems that MOSS 2007 is hitting the mark when it comes to meeting the requirements of our customers and delivers on its promise of providing a platform for our partners to build regulatory and compliant solutions on.

I am currently building a list of compliant document management and/or submission solutions that are build on MOSS so if you want to get listed please drop me a note at marcd at microsoft dot com

Both Microsoft and Adobe were demo-ing a SAFE digital signature solution at DIA-EDM. Adobe of course provides a solution for PDF files and Microsoft provides a solution for Office files.

The plug-in to Office that allows you to do SAFE signatures right from within your Office applications will be available as a free download on the all new Life Sciences section on MSDN that will be launched in the next few weeks. I will announce it here on my blog when it goes live.

One of the coolest demo's at DIA-EDM (hey I am doing the demo so it must be the coolest, but I promise to blog about other even non-MS cool demos later in the week) is the SAFE Digital Signatures demo in Office 2007 and Vista. We are showing a complete Microsoft PKI infrastructure together with a Office 2007 running on Vista. We will show how to apply a SAFE signature, how to revoke one, how it will look when one is revoked etc.

We will make the code for this demo available on Microsoft.Com in the next 6-8 weeks. This code can then be used by anybody who wants to do SAFE signing from within Microsoft Office.

See you tomorrow at booth #213 and if you mention this blog I will get you a goodie.

Zorch Software had a press release yesterday in which they announced that they will be demo-ing a solution based on MOSS and the Zorch DM Submission Manager that is targeted at regulatory content and submission management.

Go check it out as they do pretty cool stuff. And of course Zorch happens to be in the Microsoft booth at DIA so see you next week.

We have been putting the final touches on our demos for our booth (#213)

We will be having very cool (and even practical) give-away's and rumor has it that we will be having a raffle for a Zune. (I might even bring my own Zune in case you want to take a break from all that document management stuff)

See you next week.....

quite often it seems that these terms are used interchangeable but I don't have they feeling they are interchangeable so I decided to do some research.

My first stop on this trip was wikipedia:

Here I learned that digital signatures are a subset of electronic signatures. Electronic signatures are just signatures transmitted through electronic means. Digital signatures include use of cryptography most often in combination with a PKI infrastructure.

A electronic signature has legal validity and there are laws to that extend. The problem with electronic signatures is that is very hard to make sure that they are for real and that the message hasn't been tampered with.

Imagine I fax you a IOU for $10 with typed below it "Signed Marc Dencker". That is a valid electronic signature. You take the fax, use the scanner and Photoshop and add a few zeros to the $10. That wouldn't be cool...

Even email or fax headers/footers constitute electronic signatures and we all know how easy those are to forge.

With digital signatures however we also protect message integrity and authenticity. Because the signer has to use his private key most implementation explicitly prompt for that making the signer aware of the act that he signs something. Of course this also provides non-repudiation so we know that the document has been signed by the person who says he signed it.

So after the above we can indeed conclude that digital signatures are a much more secure subset of electronic signatures and that SAFE signatures are indeed digital signatures.

other references: http://www.reallegal.com/downloads/pdf/ESigAskewWhitePaper.pdf

What is DoD 5015.2 certification?
from jitc.fhu.disa.mil/recmgt/p50152s2.doc:

It sets forth mandatory baseline functional requirements for Records Management Application (RMA) software used by the DoD Components in the implementation of their records management programs; defines required system interfaces and search criteria to be supported by the RMAs; and describes the minimum records management requirements that must be met, based on current National Archives and Records Administration (NARA) regulations.

Basically it is standard that is often referenced in RFP's. So in order to be able to put a checkmark in that row of RFP responses Microsoft is getting MOSS 2007 certified.

If you look on the JITC scheduling page you will see that the test is scheduled for the week of May 14 2007. This means that shortly after that date the test report will be published and (hopefully) we are able to say that we are compliant.

Joanna Bichsel pointed me at a nice paper with sample code on this topic

The code sample and accompanying white paper which shows developers how to code item-level auditing is now available as a download from the following location:

http://www.microsoft.com/downloads/details.aspx?FamilyId=0E4DD1E7-4B1D-4CB1-B906-6D5D272C8E9D&displaylang=en

To summarize the code sample and white paper:

Microsoft Office SharePoint Server 2007 provides auditing by default but it does not give the ability for a non-administrator to view the auditing history of a specific document or item in a list. This code sample shows a developer how to extend this auditing functionality to create an item-level auditing view in three different ways: using a custom SharePoint list, through the Excel client, and by manipulating the open XML file format to display auditing history using Excel Services on an application page. It is accompanied by a thorough white paper describing the code as well as a setup document.

If you have requests for other compliance related code samples please let me know and I will pass it on to the relevant people

I will be attending the 20th Annual DIA Conference for Electronic Document Management in Philadelphia that will be held from Feb 6-9. ( http://www.diahome.org/DIAHome/Education/FindEducationalOffering.aspx?productID=11363&eventType=Meeting )

I am considering organizing a bloggers meet to have a good chat if there is interest. Email me at marcd at microsoft dot com if you will be attending and would like to meet fellow bloggers (or readers). I am holding Feb 7th for this purpose.

You can also come by the Microsoft boot at the conference to say hello or have a chat. We will be doing some very exciting announcements (note the plural) at the conference and I am sure there will be plenty of questions and feedback.

Lastly but not least we will also have copies of our upcoming 21 CFR part 11 whitepaper available.

yesterday I emailed the whitepaper I have been talking about out to the people who have requested to review a draft copy. I have received interest from top 10 Pharma's, individual consultants and people who validate for their national/regional regulatory organization so that is very promising.

If you still want to chime in you better let me know quick at marcd at microsoft dot com as we need your feedback by next week in order to process it.

We are planning to have the paper ready by Feb 6. (and of course dates always get missed ;-) )

here is your chance to influence our solution:

So we create this set of papers around how to use the Microsoft stack in a 21 CFR part 11 environment and top that off with a reference implementation.

How important is it that we also include the capability to create/export documents in PDF format?

• Do we need to demonstrate how to do this?
• how to sign these PDFs?
• how to use PDFs in context of SAFE?
• do we need to do this serverside or is client side good enough?

What do YOU think?

btw is there anything else missing?

In an earlier post I eluded to laying out our plans regarding part 11 and MOSS. Although afterwards I already talked about the paper we are writing I kinda forgot to post the roadmap in this space so here it goes:

We figured that not only we cant do all of this overnight it also makes sense to do it incremental steps so we can get feedback and adjust if necessary. Hence the Crawl, Walk, Run approach.

Crawl

This phase is around using all the functionality that the the MOSS 2007 and Office 2007 platforms provide and how to configure them in a way that is compliant with part 11

• Content type
• Access control
• Authoring and collaboration
• Content governance and record management
• Version and information policy
• Electronic signature
• Workflow
• Audit trail

The output of this phase will be a paper that describes how to go about this. We are also looking to get this validated by an external company to make sure we didn't take any shortcuts or overlooked any important items.

Walk

In this phase we will be looking at how to integrate with SAFE and some existing document management systems. We will integrate SAFE signatures into Office 2007 and show how to Sign, Valideate and Present digital signatures in a SAFE conformant way.

The output of this phase will be documentation and a reference implementation that can be used by our customers/partners to kickstart their deployment

Run

In this phase we will demonstrate how to go about content reuse and how to deal with the publishing and project management/planning processes that are involved when you submit a IND or a NDA to the FDA

We are planning to have all 3 phases completed by next summer and hopefully earlier. As you know timelines are never set in stone though....

I will continue to post progress reports and questions and have created a new category on my blog to make it easier for you to follow this. Feel free to respond with feedback in public using comments or privately by email to marcd at microsoft dot com

Last week I reviewed a document that my collegue Harry Chen has been working on. This document describes how MOSS can be configured to adhere to "subpart B Electronic Records: controls for closed systems"

As I mentioned in one of my previous posts we are working on compliant collaboration. The document that Harry is putting together provides information on how to configure MOSS for a 21 CFR part 11 environment.

Basically we are calling out the detailed 11.xx (y) requirements and describe how/what needs to be done in MOSS to make it compliant.

If you think this would be helpfull for you to adopt MOSS feel free to drop me a note and I might be able to get you a draft to review as a christmas present.

Compliance is slowly becoming a very large burden for the Pharmaceutical industry (and I am sure for a bunch of others as well)

It affects more and more people. Here are some quotes from people that are impacted:

Clinical Trial Manager

"I have no idea how to post trial documentation in our repository for compliance purposes. I have to wait for IT to do it for me"

Impact

• Trial delays
• Slow speed-to-market
• Poor use of IT resources
• Risk of non-compliance

VP, Operations

“With data stored in so many different systems, compiling information for an FDA audit could take days, even weeks."

Impact

• Risk of non-compliance due to incompliant records
• Risk of plant shut-down

Manager, Contract Research

“Because of 21CFR11 security provisions, clinical trial data and documents are difficult to access and share.”

Impact

• Poor collaboration between company and contractor
• Trial delays
• Slow speed-to-market

I have been working with a number of colleagues to create a solution that will lower the impact and can actually turn some of these pains into competitive advantages against their peers in the industry. This week I will be presenting at an internal Microsoft Conference about this reference solution that we will be building to help customers that will alleviate these issues

 In the next few days I will lay-out some high level ideas on what we are going to do. Your feedback will be welcome and if you want to talk in more detail about them we can do that in public (hey comments still work) or in private (marcd at microsoft dot com)