Achieving a 21 CFR Part 11 Compliant eTMF


Slide 1: Achieving a 21 CFR Part 11 Compliant eTMF
Presented by Paul Fenton, 2nd eTMF Bootcamp, Philadelphia, November 15th 2011

Slide 2: Overview
• History of 21 CFR Part 11
• What is an electronic record?
• eTMF attributes required for compliance
• Risk based validation approaches for eTMF
• Qualification audits and system selection
• Best practices

Slide 3: A little history
• 1997: FDA introduces 21 CFR Part 11
• 1997-2003: Industry struggles to implement 21 CFR Part 11 compliant systems
• 2003: Scope and application document limits the scope of 21 CFR Part 11

Slide 4: What is an electronic record?
FDA Guidance (Electronic Records; Electronic Signatures — Scope and Application) defines electronic records as:
– Records that are required to be maintained under predicate rule requirements and that are maintained in electronic format in place of paper format
– Records that are required to be maintained under predicate rules, that are maintained in electronic format in addition to paper format, and that are relied on to perform regulated activities
– Records submitted to FDA, under predicate rules (even if such records are not specifically identified in Agency regulations) in electronic format
– Electronic signatures that are intended to be the equivalent of handwritten signatures, initials, and other general signings required by predicate rules

Slide 5: Principal electronic records in an eTMF
• All electronic source essential documents required by predicate rule
• All electronic copies of essential documents
• Electronic forms used to manage regulated processes
• Metadata used to make regulated decisions
• Electronic signatures applied to electronic records
• Audit trail on electronic records

Slide 6: 21 CFR Part 11 – 10 Steps to Compliance
1. Fully documented and validated systems including change control
2. Ability to generate accurate and complete copies of records for inspection and review by the agency
3. Ability to protect and easily retrieve records through their retention period
4. Ability to discern changes to records through the use of audit trails
5. Proper security controls (authentication, user rights)
6. Trained and qualified individuals
7. SOPs
8. Encryption for open systems
9. eSignature components and controls
10. Linking of electronic signatures to records
Slide 7: Requirement 1 – System Documentation / Validation: What is Computer Systems Validation?
A formal process to ensure that:
– systems consistently operate as they were intended
– user, business and regulatory system requirements are met
– information is secure and properly managed by the system
– procedures and processes are in place for the use and management of the system

Slide 8: SDLC Process (image slide; no text beyond the title was captured)

Slide 9: Requirement 1 – System Documentation / Validation: What is expected?
• That full traceability of systems and processes be in place
• That procedures should be in place to ensure that systems used in regulated activities are adequately validated
• That systems should be maintained in a validated state through effective change control mechanisms
• That sponsors take a risk based approach to computer systems validation (CSV)
• That individuals involved in CSV activities and the maintenance of validated systems have adequate experience and training

Slide 10: Requirement 1 – System Documentation / Validation: System Documentation Review
• There should be a clear plan and process for producing documentation governed by SOP or MVP
• Documentation should be traceable and original
• ALCOA should be respected
• Version control and change control procedures should be in place for system documentation
• It should be clear whether documentation is cumulative or iterative

Slide 11: Requirement 1 – System Documentation / Validation: System Documentation Review
• If documentation is paper based, adequate controls should be in place to protect it (fire proof cabinets, offsite scans etc.)
• If documentation is electronic, it should be maintained in accordance with 21 CFR Part 11
• If documentation is being provided by a third party, then it should be clear whose SOPs are being used
• Clear documentation identifiers and titles should be provided

Slide 12: Requirement 1 – System Documentation / Validation: Traceability Review
• Validation plan and validation summary report reviewed
• Traceability matrix should clearly indicate which requirements were tested with which test scripts
• Requirements can also be met through IQ or SOPs
• Traceability matrix can also reference Functional Specification and Design Specification documents for custom built systems
• Traceability Matrix is a living document and should be maintained as part of change control

Slide 13: Requirement 1 – System Documentation / Validation: Traceability Review
• Traceability Matrix is a key tool in understanding how a system has been tested and ascertaining validated state
• It is also very useful when performing impact assessments for change control
• Significantly facilitates the management of the system as well as the inspection of system documentation
Slide 14: Requirement 2 – Ability to generate accurate and complete copies of records
• Indexing and search system to be able to easily find records in the case of inspection
• Ability to print records or to provide an ‘Inspector’ view to final records and associated audit trail / eSignature information
• Document lifecycle status should be clear, i.e. Final Record? Version?
• You should be able to produce copies of records in a common portable format (PDF, XML)

Slide 15: Requirement 3 – Protect and easily retrieve records through their retention period
• Ensure that a full system backup is in place (preferably with an offsite copy in case of disaster)
• Perform regular backup restoration tests
• Ensure the eTMF system is part of the disaster recovery plan
• Store final records in a public portable format (PDF, XML) if possible to ensure system independence
• Apply retention policies in the eTMF system in line with the records retention SOP

Slide 16: Requirement 4 – Ability to discern changes to records through the use of audit trails
• Audit trail should be applied to all records in the eTMF (documents, metadata, signatures)
• Audit trail elements include:
– Username
– Record Identifier
– Type of audit entry (new, modify, delete, view etc.)
– Date/timestamp (with timezone)
– Old/New value (can be in the document or in version history/audit trail)
• If working with a 3rd party, they should provide the audit trail with the electronic records
• Audit trails should be computer generated and non-modifiable
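The following is an added example, not code from the presentation or from any eTMF product, showing one way to implement the audit trail elements listed on slide 16 so that the trail is computer generated and its non-modifiability can be checked: every entry carries the username, record identifier, entry type, timezone-aware timestamp and old/new value, and entries are chained with SHA-256 so that any later edit or deletion is detected. The user names, record identifiers and document values are constructed sample data.

```python
"""Tamper-evident audit trail for eTMF records (added example, not from the
presentation). Each entry holds the elements the slide lists and is chained
to its predecessor with SHA-256, so editing or deleting an entry later
breaks the chain and verify() reports it. The chain is tamper-evident, not
tamper-proof: write controls outside the application (database privileges,
write-once storage) are still needed. All sample data is constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # stands in for the predecessor of the first entry


@dataclass(frozen=True)
class AuditEntry:
    username: str
    record_id: str
    action: str              # new, modify, delete, view
    timestamp: str           # ISO 8601 with timezone offset
    old_value: Optional[str]
    new_value: Optional[str]
    prev_hash: str           # entry_hash of the previous entry
    entry_hash: str          # SHA-256 over all other fields


def _digest(fields: dict) -> str:
    """Hash a canonical JSON rendering so field order cannot change the value."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self._entries: list[AuditEntry] = []

    def append(self, username: str, record_id: str, action: str,
               old_value: Optional[str], new_value: Optional[str],
               when: datetime) -> AuditEntry:
        if when.tzinfo is None:
            raise ValueError("audit timestamps must include a timezone offset")
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        fields = {"username": username, "record_id": record_id, "action": action,
                  "timestamp": when.isoformat(), "old_value": old_value,
                  "new_value": new_value, "prev_hash": prev_hash}
        entry = AuditEntry(**fields, entry_hash=_digest(fields))
        self._entries.append(entry)
        return entry

    def history(self, record_id: str) -> list[AuditEntry]:
        """All entries for one record, oldest first (the inspector view)."""
        return [e for e in self._entries if e.record_id == record_id]

    def verify(self) -> tuple[bool, int]:
        """(True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self._entries):
            fields = asdict(e)
            fields.pop("entry_hash")
            if e.prev_hash != prev or _digest(fields) != e.entry_hash:
                return False, i
            prev = e.entry_hash
        return True, -1


def run_demo() -> dict:
    """Constructed scenario: create, revise and view one record, then check
    that two kinds of after-the-fact alteration of the trail are detected."""
    tz = timezone(timedelta(hours=-5))

    def build() -> AuditTrail:
        t = AuditTrail()
        t.append("jdoe", "TMF-0001", "new", None, "Protocol v1.0",
                 datetime(2011, 11, 15, 9, 0, tzinfo=tz))
        t.append("asmith", "TMF-0001", "modify", "Protocol v1.0", "Protocol v1.1",
                 datetime(2011, 11, 15, 10, 30, tzinfo=tz))
        t.append("inspector1", "TMF-0001", "view", None, None,
                 datetime(2011, 11, 16, 14, 0, tzinfo=tz))
        return t

    intact, edited, truncated = build(), build(), build()
    # Rewrite the new value of the modify entry in place, leaving its stored hash.
    edited._entries[1] = replace(edited._entries[1], new_value="Protocol v1.0")
    # Delete the modify entry to hide that the record ever changed.
    del truncated._entries[1]
    return {"intact": intact.verify(), "after_edit": edited.verify(),
            "after_delete": truncated.verify(),
            "history_len": len(intact.history("TMF-0001"))}
```

`verify()` reports the index of the first entry whose content or predecessor link no longer matches, which is what a periodic integrity check or an inspection export would run before presenting the trail. Because the chain only proves that the stored sequence has not changed since it was written, the database account used by the application should have insert-only rights on the audit table, and a copy of the latest `entry_hash` should be kept outside the system.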
Slide 17: Requirement 5 – Proper security controls
• Each user must have a unique logon and password to access the system
• Passwords should be changed periodically
• The system should have the ability to detect security breaches
• The system should have a granular security system based on user security profiles which can be applied down to the document level
• The system should be able to enforce sequencing of events based on document status
• The system should ensure that final records are read only
• There should be SOPs in place that govern system security

Slide 18: Requirement 6 – Trained and Qualified Individuals
• There should be clear job descriptions for all roles required to develop, install, validate, maintain and use the system
• There should be formal training on both the SOPs that govern the system and the administration/use of the system
• Job descriptions should clearly describe the qualifications required for each role
• A training matrix should clearly indicate which SOPs should be trained on for each role
• CVs and training records should be maintained on file

Slide 19: Requirement 7 – SOPs
There should be formal SOPs in place for:
– Software development and validation
– System change control
– Physical and logical security / data protection
– System maintenance and administration
– Disaster recovery and business continuity
– Use of electronic and digital signatures
– Records management (including records retention and archiving)
– eTMF management
– Any other regulated processes managed with the eTMF system…

Slide 20: Requirement 8 – Encryption
• Definition of an open system: an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system
• If the eTMF is hosted or is being used by individuals outside of the organization (and therefore traffic transits the internet), then it may be considered an open system
• Need to ensure record authenticity, integrity, and confidentiality
• Encryption such as SSL or a VPN can be used to ensure confidentiality
• Digital signatures can also help to show integrity and authenticity
Slide 21: Requirement 9 – eSignature components and controls: Electronic vs. Digital Signatures

Characteristic | Electronic | Digital
Uses token | No | Yes
Encrypts document with token | No | Yes
Can be independently verified outside of the system | No | Yes
Link to record | Link resides in the database of the system generating the signature | Link is usually contained within the record that was signed
Maintenance | Needs to be maintained in the system for the retention period | Can be retained independently from the system, in the record

Slide 22: Requirement 9 – eSignature components and controls: Components
• Image of wet ink signature (no regulatory value)
• Full name of signer
• Reason for signature
• Unambiguous date and timestamp
• Timezone offset

Slide 23: Requirement 9 – eSignature components and controls: General Requirements
• eSignature should be unique to an individual
• There should be at least two elements of identification used to sign
• Signers must be trained on the use of eSignatures and sign a non-repudiation form which clearly identifies them
• eSignatures should become invalid if a record changes after being signed

Slide 24: Requirement 9 – eSignature components and controls: General Requirements
• Should be designed to require the collaboration of 2+ individuals to use someone else’s eSignature
• Implement a password policy to periodically require that passwords are changed (90 days…)
• Implement a loss management procedure in your SOP on eSignatures / logical security
• Don’t forget to send the letter of certification…

Slide 25: Requirement 10 – Signature linking to records (image slide; captured captions: “Standard Acrobat embedded signature”, “Digital Signature Validity”)

Slide 26: Requirement 10 – Signature linking to records: Electronic signature linking
• Just reproducing the signature information on the record is not sufficient
• Database entries must be maintained as electronic records, i.e. audit trail etc.
• System must be maintained over time so as to maintain the ability to discern changes to records and link to records
• Impossible to know if a record has changed if the record lives outside of the system
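As an added example, not code from the presentation or from any vendor, the block below models the “electronic signature” column of the slide 21 comparison: the signature manifestation components from slide 22 (full name, reason, timezone-aware timestamp) are stored in the system’s database together with a SHA-256 digest of the record’s identifier, version and content. Verification recomputes the digest from the record as it exists now, so the signature becomes invalid once the record changes (slide 23) and cannot be made valid by merely copying the signature text onto another record (slide 26). The two-component authentication check is modelled as a boolean the caller supplies; signer names, identifiers and document content are constructed.

```python
"""Electronic signature linked to the record it signs (added example, not
from the presentation). The signature row stores the manifestation
components the slides name (full name, meaning/reason, timestamp with
timezone offset) plus a SHA-256 digest of the record id, version and
content at signing time. The link lives in the system's database, so the
system must remain in control of the record to verify it; any change to
the record after signing makes verify() return False. Sample data is
constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Record:
    record_id: str
    version: int
    content: bytes

    def digest(self) -> str:
        """Bind id, version and content; NUL separators keep fields from merging."""
        h = hashlib.sha256()
        for part in (self.record_id.encode(), str(self.version).encode(), self.content):
            h.update(part)
            h.update(b"\x00")
        return h.hexdigest()


@dataclass(frozen=True)
class SignatureRecord:
    record_id: str
    record_version: int
    record_digest: str
    signer_username: str
    signer_full_name: str
    meaning: str          # reason for signing, e.g. Approved, Reviewed
    signed_at: str        # ISO 8601 with timezone offset


def sign(record: Record, username: str, full_name: str, meaning: str,
         when: datetime, credentials_verified: bool) -> SignatureRecord:
    """Apply a signature only after the signer re-authenticated with both
    identification components (user id and password); that check is modelled
    as the boolean the caller passes in."""
    if not credentials_verified:
        raise PermissionError("signing requires both identification components")
    if when.tzinfo is None:
        raise ValueError("signature timestamps must include a timezone offset")
    return SignatureRecord(record.record_id, record.version, record.digest(),
                           username, full_name, meaning, when.isoformat())


def verify(sig: SignatureRecord, record: Record) -> bool:
    """Valid only for the exact record, version and content that were signed."""
    return (sig.record_id == record.record_id
            and sig.record_version == record.version
            and sig.record_digest == record.digest())


def manifestation(sig: SignatureRecord) -> str:
    """Text shown on the record and in the inspector view."""
    return (f"Signed by {sig.signer_full_name} ({sig.signer_username}) "
            f"on {sig.signed_at}; meaning: {sig.meaning}")


def run_demo() -> dict:
    tz = timezone(timedelta(hours=-5))
    when = datetime(2011, 11, 15, 11, 0, tzinfo=tz)
    rec = Record("TMF-0001", 1, b"Protocol ABC-001 v1.0 (constructed content)")
    try:
        sign(rec, "jdoe", "Jane Doe", "Approved", when, credentials_verified=False)
        rejected = False
    except PermissionError:
        rejected = True
    sig = sign(rec, "jdoe", "Jane Doe", "Approved", when, credentials_verified=True)
    valid_before = verify(sig, rec)
    rec.content += b" amended after signature"   # record changed after signing
    valid_after = verify(sig, rec)
    # Reproducing the signature text on another record proves nothing (slide 26).
    other = Record("TMF-0002", 1, b"Another document (constructed)")
    return {"unauthenticated_rejected": rejected, "valid_before": valid_before,
            "valid_after_change": valid_after,
            "valid_on_other_record": verify(sig, other),
            "manifestation": manifestation(sig)}
```

Because the digest is kept in the system rather than inside the document, this is exactly the case slide 26 warns about: once the record leaves the system, nobody can tell whether it still matches what was signed. A digital signature embedded in the record (the right-hand column of slide 21) would carry that link with the file, at the cost of managing signer tokens and certificates.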
Slide 27: Best Practices – System selection
• Ask for a 21 CFR Part 11 white paper or assessment from the vendor
• Perform a due diligence audit to establish that the system is properly documented and validated and that other controls are in place
• Establish clear user requirements for system functionality to meet 21 CFR Part 11
• Define clear roles and responsibilities

Slide 28: Typical Auditor Checklist – 21 CFR Part 11
• Adequate Quality System – 11.10
• Adequate SDLC and System Maintenance SOPs including:
– Software Development Lifecycle – 11.10 (k)
– Computer System Validation – 11.10 (a)
– Change Control – 11.10 (k)
– Configuration Control – 11.10 (k)
– Data Backup and Restoration – 11.10 (b), (c)
– Logical & Physical Security – 11.10 (d), (g), (h)
– System Administration & Maintenance – 11.10 (k)
– Disaster Recovery and Business Continuity – 11.10 (b)
– Defect Management – 11.10 (k)

Slide 29: Typical Auditor Checklist – 21 CFR Part 11
• Policy on use of Electronic Signatures – 11.10 (j)
• Adequate qualifications and training for personnel who develop and manage computerized systems – 11.10 (i)
• Adequate documentation and records management procedures including records retention and retrieval – 11.10 (b), (c), (k)
• Adequate technical controls to ensure proper security, authentication and audit trail are in place

Slide 30: Best Practices – Controls
• Ensure all users are fully trained in the use of the system and understand what an electronic record is
• Implement an electronic records management policy
• Define a clear electronic signature policy
• Implement SOPs on how to manage and maintain the system
• Ensure that proper change control and configuration control are in place
• Implement a checklist which clearly describes how you meet 21 CFR Part 11

Slide 31: Implement a 21 CFR Part 11 checklist (image slide; no text beyond the title was captured)

Slide 32: Other regulations and Guidance
• Eudralex Volume 4 Annex 11 – Computerised Systems
• Directive 1999/93/EC Community framework for electronic signatures
• PIC/S PI 011-3 Good Practices for Computerised Systems in Regulated GxP Environments (2007)
• FDA: Computerized Systems used in Clinical Investigations
• FDA: Electronic Source Documentation in Clinical Investigations – DRAFT

Slide 33: Conclusion
• Remember 21 CFR Part 11 compliance is both technical and procedural
• Always develop a clear rationale as to how you are meeting all of the requirements
• Remember, you are always responsible as the sponsor, so make sure you do proper due diligence
• Clearly identify what you consider to be electronic records
• Make sure everyone in the organization understands electronic records and electronic signatures
• Perform regular follow up assessments to evaluate ongoing compliance
• Don’t get rid of the paper (yet…)

Slide 34: Contact Details
Paul Fenton
Montrium Inc.
507 Place d’Armes, Suite 1050
Montreal (QC) H2Y 2W8
Canada
Tel. 514-223-9153 ext. 206