Achieving a 21 CFR Part 11
Compliant eTMF


Presented by Paul Fenton
2nd eTMF Bootcamp
Philadelphia
November 15th 2011
/ Overview

  • History of 21 CFR Part 11
  • What is an electronic record?
  • eTMF attributes required for compliance
  • Risk based validation approaches for eTMF
  • Qualification audits and system selection
  • Best practices
/ A little history

  • 1997: FDA introduces 21 CFR Part 11
  • 1997-2003: Industry struggles to implement 21 CFR Part 11 compliant systems
  • 2003: Scope and application document limits scope of 21 CFR Part 11
/ What is an electronic record
• FDA Guidance (Electronic Records; Electronic Signatures —
  Scope and Application) defines electronic records as:
   – Records that are required to be maintained under predicate rule
     requirements and that are maintained in electronic format in place of
     paper format
   – Records that are required to be maintained under predicate rules,
     that are maintained in electronic format in addition to paper format,
     and that are relied on to perform regulated activities
   – Records submitted to FDA, under predicate rules (even if such
     records are not specifically identified in Agency regulations) in
     electronic format
   – Electronic signatures that are intended to be the equivalent of
     handwritten signatures, initials, and other general signings required
     by predicate rules
/ Principal Electronic records in an eTMF

 • All electronic source essential documents required
   by predicate rule
 • All electronic copies of essential documents
 • Electronic forms used to manage regulated
   processes
 • Metadata used to make regulated decisions
 • Electronic signatures applied to electronic records
 • Audit trail on electronic records
/ 21 CFR Part 11 – 10 Steps to Compliance
 1. Fully documented and validated systems including change
     control
 2. Ability to generate accurate and complete copies of records for
     inspection and review by the agency
 3. Ability to protect and easily retrieve records through their
     retention period
 4. Ability to discern changes to records through the use of audit
     trails
 5. Proper security controls (authentication, user rights)
 6. Trained and qualified individuals
 7. SOPs
 8. Encryption for open systems
 9. eSignature components and controls
 10. Linking of electronic signatures to records
Requirement 1 – System Documentation / Validation
/ What is Computer Systems Validation?
• A formal process to ensure that:
   – systems consistently operate as they were intended
   – user, business and regulatory system requirements
      are met
   – information is secure and properly managed by the
      system
   – procedures and processes are in place for the use
      and management of the system
/ SDLC Process
Requirement 1 – System Documentation / Validation
/ What is expected?

• That full traceability of systems and processes be in place
• That procedures should be in place to ensure that systems
  used in regulated activities are adequately validated
• That systems should be maintained in a validated state
  through effective change control mechanisms
• That sponsors take a risk based approach to computer
  systems validation (CSV)
• That individuals involved in CSV activities and the
  maintenance of validated systems have adequate
  experience and training
Requirement 1 – System Documentation / Validation
/ System Documentation Review
 • There should be a clear plan and process for
   producing documentation governed by SOP or MVP
 • Documentation should be traceable and original
 • ALCOA should be respected
 • Version control and change control procedures
   should be in place for system documentation
 • It should be clear whether documentation is
   cumulative or iterative
Requirement 1 – System Documentation / Validation
/ System Documentation Review
 • If documentation is paper based, adequate
   controls should be in place to protect it (fire proof
   cabinets, offsite scans etc.)
 • If documentation is electronic, it should be
   maintained in accordance with 21 CFR Part 11
 • If documentation is being provided by a third party,
   then it should be clear whose SOPs are being used
 • Clear documentation identifiers and titles should
   be provided
Requirement 1 – System Documentation / Validation
/ Traceability Review
 • Validation plan and validation summary report
   reviewed
 • Traceability matrix should clearly indicate which
   requirements were tested with which test scripts
 • Requirements can also be met through IQ or SOPs
 • Traceability matrix can also reference Functional
   Specifications and Design Specification documents
   for custom build systems
 • Traceability Matrix is a living document and should
   be maintained as part of change control
Requirement 1 – System Documentation / Validation
/ Traceability Review
 • Traceability Matrix is a key tool in
   understanding how a system has been tested
   and ascertaining validated state
 • It is also very useful when performing
   impact assessments for change control
 • Significantly facilitates the management of
   the system as well as the inspection of
   system documentation
/ Requirement 2 – Ability to generate accurate and complete copies of records

  • Indexing and search system to be able to easily find
    records in the case of inspection
  • Ability to print records or to provide an ‘Inspector’
    view to final records and associated audit trail /
    eSignature information
  • Document lifecycle status should be clear i.e. Final
    Record? Version?
  • You should be able to produce copies of records in
    a common portable format (PDF, XML)
/ Requirement 3 – Protect and easily retrieve records through their retention period

  • Ensure that a full system backup is in place
    (preferably with an offsite copy in case of disaster)
  • Perform regular backup restoration tests
  • Ensure eTMF system is part of the disaster
    recovery plan
  • Store final records in public portable format (PDF,
    XML) if possible to ensure system independence
  • Apply retention policies in the eTMF system in line
    with records retention SOP
/ Requirement 4 – Ability to discern changes to records through the use of audit trails
 • Audit trail should be applied to all records in the eTMF
   (documents, metadata, signatures)
 • Audit trail elements include:
      – Username
      – Record Identifier
      – Type of audit entry (new, modify, delete, view etc.)
      – Date/timestamp (with timezone)
      – Old/New value (can be in the document or in version
         history/audit trail)
 • If working with a 3rd party, they should provide the audit
   trail with the electronic records
 • Audit trails should be computer generated and non-
   modifiable
/ Requirement 5 – Proper security controls
  • Each user must have a unique logon and password to access
    the system
  • Passwords should be changed periodically
  • The system should have the ability to detect security
    breaches
  • The system should have a granular security system based
    on user security profiles which can be applied up to the
    document level
  • The system should be able to enforce sequencing of events
    based on document status
  • The system should ensure that final records are read only
  • There should be SOPs in place that govern system security
/ Requirement 6 – Trained and Qualified Individuals
  • There should be clear job descriptions for all roles
    required to develop, install, validate, maintain and
    use the system
  • There should be formal training on both the SOPs
    that govern the system and the administration/use
    of the system
  • Job descriptions should clearly describe the
    qualifications required for each role
  • A training matrix should clearly indicate which
    SOPs should be trained on for each role
  • CVs and training records should be maintained on
    file
/ Requirement 7 – SOPs
 • There should be formal SOPs in place for:
    – Software development and validation
    – System change control
    – Physical and logical security / data protection
    – System maintenance and administration
    – Disaster recovery and business continuity
    – Use of electronic and digital signatures
    – Records management (including records retention and
      archiving)
    – eTMF management
    – Any other regulated processes managed with the eTMF
      system….
/ Requirement 8 – Encryption
 • Definition of an open system: environment in which system
   access is not controlled by persons who are responsible for
   the content of electronic records that are on the system
 • If the eTMF is hosted or being used by individuals outside of
   the organization (and therefore transiting over the internet)
   then it may be considered an open system
 • Need to ensure record authenticity, integrity, and
   confidentiality
 • Encryption such as SSL or VPN can be used to ensure
   confidentiality
 • Use of digital signatures can also help to show integrity and
   authenticity
Requirement 9 – eSignature components and controls
/ Electronic vs. Digital Signatures
 Characteristic            Electronic                  Digital
 Uses token                No                          Yes
 Encrypts document         No                          Yes
 with token
 Can be independently      No                          Yes
 verified outside of
 the system
 Link to record            Link resides in the         Link is usually contained
                           database of the system      within the record that was
                           generating the signature    signed
 Maintenance               Needs to be maintained in   Can be retained
                           the system for retention    independently from the
                           period                      system in the record
Requirement 9 – eSignature components and controls
/ Components

 • Image of wet ink signature – no regulatory value
 • Full name of signer
 • Reason for signature
 • Unambiguous date and timestamp
 • Timezone offset
Requirement 9 – eSignature components and controls
/ General Requirements
 • eSignature should be unique to an individual
 • There should be at least two elements of
   identification used to sign
 • Signers must be trained on the use of eSignatures
   and sign a non-repudiation form which clearly
   identifies them
 • eSignatures should become invalid if a record
   changes after being signed
Requirement 9 – eSignature components and controls
/ General Requirements
 • Should be designed to require the collaboration of
   2+ individuals to use someone else’s eSignature
 • Implement a password policy to periodically
   require that passwords are changed (90 days…)
 • Implement a loss management procedure in your
   SOP on eSignatures / logical security
 • Don’t forget to send the letter of certification…
Requirement 10 – Signature linking to records
/ Standard Acrobat embedded signature

 [Figure: Digital Signature Validity]
Requirement 10 – Signature linking to records
/ Electronic signature linking
 • Just reproducing the signature information on the
   record is not sufficient
 • Database entries must be maintained as electronic
   records i.e. audit trail etc.
 • System must be maintained over time so as to
   maintain the ability to discern changes to records
   and link to records
 • Impossible to know if a record has changed if
   record lives outside of the system
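
An added sketch (not from the presentation) of how the audit trail elements of Requirement 4 and the signature linking of Requirements 9 and 10 can be enforced in code: each audit entry is hash-chained to the previous one so any edit is detectable, and a signature stores the hash of the record it signed so it stops validating when the record changes. All class, function and field names are hypothetical, and the sample record is constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only, hash-chained audit trail (hypothetical design)."""

    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []

    def append(self, username, record_id, action, old_value, new_value, when=None):
        when = when or datetime.now(timezone.utc)
        if when.utcoffset() is None:
            raise ValueError("timestamp must carry a timezone offset")
        entry = {
            "username": username,
            "record_id": record_id,
            "action": action,                  # new, modify, delete, view, sign
            "timestamp": when.isoformat(),     # ISO 8601 with offset
            "old_value": old_value,
            "new_value": new_value,
            "prev_hash": self._entries[-1]["entry_hash"] if self._entries else self.GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self._entries.append(entry)
        return dict(entry)

    @staticmethod
    def _digest(entry):
        # Hash every field except the stored hash itself, in a stable key order.
        payload = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(payload, sort_keys=True).encode("utf-8"))

    def verify(self):
        """Return the index of the first broken entry, or -1 if the chain is intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self._entries):
            if entry["prev_hash"] != prev or entry["entry_hash"] != self._digest(entry):
                return i
            prev = entry["entry_hash"]
        return -1


def sign_record(trail, record_id, content, signer_full_name, username, reason, when=None):
    """Electronic (not digital) signature: the link lives in the system's database.

    Authenticating the signer with two identification elements is assumed to
    have happened before this call and is out of scope here.
    """
    when = when or datetime.now(timezone.utc)
    signature = {
        "record_id": record_id,
        "signer_full_name": signer_full_name,
        "username": username,
        "reason": reason,
        "signed_at": when.isoformat(),
        "record_sha256": sha256_hex(content),  # binds the signature to this exact content
    }
    trail.append(username, record_id, "sign", None, signature["record_sha256"], when)
    return signature


def signature_is_valid(signature, record_id, content) -> bool:
    """A signature is only valid for the record and content it was applied to."""
    return (signature["record_id"] == record_id
            and signature["record_sha256"] == sha256_hex(content))


def demo():
    trail = AuditTrail()
    t0 = datetime(2011, 11, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    v1 = b"Protocol v1.0 FINAL"                             # constructed record content
    v2 = b"Protocol v1.1 FINAL"
    trail.append("jsmith", "DOC-001", "new", None, sha256_hex(v1), t0)
    sig = sign_record(trail, "DOC-001", v1, "Jane Smith", "jsmith", "Approval", t0)
    valid_before = signature_is_valid(sig, "DOC-001", v1)
    trail.append("jsmith", "DOC-001", "modify", sha256_hex(v1), sha256_hex(v2), t0)
    valid_after = signature_is_valid(sig, "DOC-001", v2)    # record changed after signing
    intact = trail.verify()
    trail._entries[0]["username"] = "someone_else"          # simulate an edited stored entry
    tampered_at = trail.verify()
    return valid_before, valid_after, intact, tampered_at


if __name__ == "__main__":
    print(demo())
```

The chain only makes modification detectable; keeping the trail non-modifiable still depends on database permissions and storage controls outside this code.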
/ Best Practices – System selection
 • Ask for a 21 CFR Part 11 white paper or
   assessment from the vendor
 • Perform a due diligence audit to establish if the
   system is properly documented and validated and
   that other controls are in place
 • Establish clear user requirements for system
   functionality to meet 21 CFR Part 11
 • Define clear roles and responsibilities
/ Typical Auditor Checklist – 21 CFR Part 11
 • Adequate Quality System - 11.10
 • Adequate SDLC and System Maintenance SOPs including:
       • Software Development Lifecycle - 11.10 (k)
       • Computer System Validation - 11.10 (a)
       • Change Control - 11.10 (k)
       • Configuration Control – 11.10 (k)
       • Data Backup and Restoration – 11.10 (b), (c)
       • Logical & Physical Security – 11.10 (d),(g),(h)
       • System Administration & Maintenance (k)
       • Disaster Recovery and Business Continuity (b)
       • Defect Management 11.10 (k)
/ Typical Auditor Checklist – 21 CFR Part 11
 • Policy on use of Electronic Signatures – 11.10 (j)
 • Adequate qualifications and training for personnel
   who develop and manage computerized systems
   (11.10(i))
 • Adequate documentation and records
   management procedures including records
   retention and retrieval (11.10(b),(c), (k))
 • Adequate technical controls to ensure proper
   security, authentication and audit trail are in place
/ Best Practices - Controls
 • Ensure all users are fully trained in the use of the
   system and understand what an electronic record is
 • Implement an electronic records management policy
 • Define a clear electronic signature policy
 • Implement SOPs on how to manage and maintain
   the system
 • Ensure that proper change control and
   configuration control is in place
 • Implement a checklist which clearly describes how
   you meet 21 CFR Part 11
/ Implement a 21 CFR Part 11 checklist
/ Other regulations and Guidance
 • Eudralex Volume 4 Annex 11 – Computerised
   Systems
 • Directive 1999/93/EC Community framework
   for electronic signatures
 • PIC/S PI 011-3 Good Practices for Computerised
   Systems in Regulated GxP Environments (2007)
 • FDA: Computerized Systems used in Clinical
   Investigations
 • FDA: Electronic Source Documentation in Clinical
   Investigations - DRAFT
/ Conclusion
 • Remember 21 CFR Part 11 compliance is both technical and
   procedural
 • Always develop clear rationale as to how you are meeting
   all of the requirements
 • Remember, you are always responsible as the sponsor so
   make sure you do proper due diligence
 • Clearly identify what you consider to be electronic records
 • Make sure everyone in the organization understands
   electronic records and electronic signatures
 • Perform regular follow up assessment to evaluate ongoing
   compliance
 • Don’t get rid of the paper (yet…)
/ Contact Details

                    Paul Fenton
                  Montrium Inc.
           507 Place d’Armes, Suite 1050
             Montreal (QC) H2Y 2W8
                      Canada

             Tel. 514-223-9153 ext.206
              pfenton@montrium.com
                www.montrium.com

  • 11. Requirement 1 – System Documentation / Validation / System Documentation Review • If documentation is paper based, adequate controls should be in place to protect it (fire proof cabinets, offsite scans etc.) • If documentation is electronic, it should be maintained in accordance with 21 CFR Part 11 • If documentation is being provided by a third party, then it should be clear whose SOPs are being used • Clear documentation identifiers and titles should be provided
  • 12. Requirement 1 – System Documentation / Validation / Traceability Review • Validation plan and validation summary report reviewed • Traceability matrix should clearly indicate which requirements were tested with which test scripts • Requirements can also be met through IQ or SOPs • Traceability matrix can also reference Functional Specifications and Design Specification documents for custom build systems • Traceability Matrix is a living document and should be maintained as part of change control
  • 13. Requirement 1 – System Documentation / Validation / Traceability Review • Traceability Matrix is a key tool in understanding how a system has been tested and ascertaining validated state • It is also very useful when performing impact assessments for change control • Significantly facilitates the management of the system as well as the inspection of system documentation
  • 14. / Requirement 2 - Ability to generate accurate and complete copies of records • Indexing and search system to be able to easily find records in the case of inspection • Ability to print records or to provide an ‘Inspector’ view to final records and associated audit trail / eSignature information • Document lifecycle status should be clear i.e. Final Record? Version? • You should be able to produce copies of records in a common portable format (PDF, XML)
  • 15. / Requirement 3 - Protect and easily retrieve records through their retention period • Ensure that a full system backup is in place (preferably with an offsite copy in case of disaster) • Perform regular backup restoration tests • Ensure eTMF system is part of the disaster recovery plan • Store final records in public portable format (PDF, XML) if possible to ensure system independence • Apply retention policies in the eTMF system in line with records retention SOP
  • 16. / Requirement 4 – Ability to discern changes to records through the use of audit trails • Audit trail should be applied to all records in the eTMF (documents, metadata, signatures) • Audit trail elements include: – Username – Record Identifier – Type of audit entry (new, modify, delete, view etc.) – Date/timestamp (with timezone) – Old/New value (can be in the document or in version history/audit trail) • If working with a 3rd party, they should provide the audit trail with the electronic records • Audit trails should be computer generated and non-modifiable
  • 17. / Requirement 5 – Proper security controls • Each user must have a unique logon and password to access the system • Passwords should be changed periodically • The system should have the ability to detect security breaches • The system should have a granular security system based on user security profiles which can be applied up to the document level • The system should be able to enforce sequencing of events based on document status • The system should ensure that final records are read only • There should be SOPs in place that govern system security
  • 18. / Requirement 6 – Trained and Qualified Individuals • There should be clear job descriptions for all roles required to develop, install, validate, maintain and use the system • There should be formal training on both the SOPs that govern the system and the administration/use of the system • Job descriptions should clearly describe the qualifications required for each role • A training matrix should clearly indicate which SOPs should be trained on for each role • CVs and training records should be maintained on file
  • 19. / Requirement 7 – SOPs • There should be formal SOPs in place for: – Software development and validation – System change control – Physical and logical security / data protection – System maintenance and administration – Disaster recovery and business continuity – Use of electronic and digital signatures – Records management (including records retention and archiving) – eTMF management – Any other regulated processes managed with the eTMF system….
  • 20. / Requirement 8 – Encryption • Definition of an open system: environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system • If the eTMF is hosted or being used by individuals outside of the organization (and therefore transiting over the internet) then it may be considered an open system • Need to ensure record authenticity, integrity, and confidentiality • Encryption such as SSL or VPN can be used to ensure confidentiality • Use of digital signatures can also help to show integrity and authenticity
  • 21. Requirement 9 – eSignature components and controls / Electronic vs. Digital Signatures • Characteristic: Electronic vs. Digital • Uses token: No vs. Yes • Encrypts document with token: No vs. Yes • Can be independently verified outside of the system: No vs. Yes • Link to record: Link resides in the database of the system that was generating the signature vs. Link is usually contained within the record that was signed • Maintenance: Needs to be maintained in the system for retention period vs. Can be retained independently from the system in the record
  • 22. Requirement 9 – eSignature components and controls / Components Image of Wet Ink signature Full name of signer – No regulatory value Reason for signature Unambiguous date and timestamp Timezone offset
  • 23. Requirement 9 – eSignature components and controls / General Requirements • eSignature should be unique to an individual • There should be at least two elements of identification used to sign • Signers must be trained on the use of eSignatures and sign a non-repudiation form which clearly identifies them • eSignatures should become invalid if a record changes after being signed
  • 24. Requirement 9 – eSignature components and controls / General Requirements • Should be designed to require the collaboration of 2+ individuals to use someone else’s eSignature • Implement a password policy to periodically require that passwords are changed (90 days…) • Implement a loss management procedure in your SOP on eSignatures / logical security • Don’t forget to send the letter of certification…
  • 25. Requirement 10 – Signature linking to records / Standard Acrobat embedded signature Digital Signature Validity
  • 26. Requirement 10 – Signature linking to records / Electronic signature linking • Just reproducing the signature information on the record is not sufficient • Database entries must be maintained as electronic records i.e. audit trail etc. • System must be maintained over time so as to maintain the ability to discern changes to records and link to records • Impossible to know if a record has changed if record lives outside of the system
  • 27. / Best Practices – System selection • Ask for a 21 CFR Part 11 white paper or assessment from the vendor • Perform a due diligence audit to establish if the system is properly documented and validated and that other controls are in place • Establish clear user requirements for system functionality to meet 21 CFR Part 11 • Define clear roles and responsibilities
  • 28. / Typical Auditor Checklist – 21 CFR Part 11 • Adequate Quality System - 11.10 • Adequate SDLC and System Maintenance SOPs including: • Software Development Lifecycle - 11.10 (k) • Computer System Validation - 11.10 (a) • Change Control - 11.10 (k) • Configuration Control – 11.10 (k) • Data Backup and Restoration – 11.10 (b), (c) • Logical & Physical Security – 11.10 (d),(g),(h) • System Administration & Maintenance (k) • Disaster Recovery and Business Continuity (b) • Defect Management 11.10 (k)
  • 29. / Typical Auditor Checklist – 21 CFR Part 11 • Policy on use of Electronic Signatures – 11.10 (j) • Adequate qualifications and training for personnel who develop and manage computerized systems (11.10(i)) • Adequate documentation and records management procedures including records retention and retrieval (11.10(b),(c), (k)) • Adequate technical controls to ensure proper security, authentication and audit trail are in place
  • 30. / Best Practices - Controls • Ensure all users are fully trained in the use of the system and understand what an electronic record is • Implement an electronic records management policy • Define a clear electronic signature policy • Implement SOPs on how to manage and maintain the system • Ensure that proper change control and configuration control is in place • Implement a checklist which clearly describes how you meet 21 CFR Part 11
  • 31. / Implement a 21 CFR Part 11 checklist
  • 32. / Other regulations and Guidance • Eudralex Volume 4 Annex 11 – Computerised Systems • Directive 1999/93/EC Community framework for electronic signatures • PIC/S PI 011-3 Good Practices for Computerised Systems in Regulated GxP Environments (2007) • FDA: Computerized Systems used in Clinical Investigations • FDA: Electronic Source Documentation in Clinical Investigations - DRAFT
  • 33. / Conclusion • Remember 21 CFR Part 11 compliance is both technical and procedural • Always develop clear rationale as to how you are meeting all of the requirements • Remember, you are always responsible as the sponsor so make sure you do proper due diligence • Clearly identify what you consider to be electronic records • Make sure everyone in the organization understands electronic records and electronic signatures • Perform regular follow up assessment to evaluate ongoing compliance • Don’t get rid of the paper (yet…)
  • 34. / Contact Details Paul Fenton Montrium Inc. 507 Place d’Armes, Suite 1050 Montreal (QC) H2Y 2W8 Canada Tel. 514-223-9153 ext.206 pfenton@montrium.com www.montrium.com
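
One way to make the audit trail elements of Requirement 4 tamper-evident and to invalidate a signature when the record changes after signing (Requirements 9 and 10), as an added example that is not part of the presentation. Hash chaining and an HMAC under a system-held key are techniques chosen here as assumptions; the user names, record identifier, key and document bytes are constructed.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous hash" used by the first entry in a trail

def digest_of(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def append_entry(trail, username, record_id, action, old, new, when):
    """Append a system-generated entry holding the audit trail elements from the slide."""
    entry = {"username": username, "record_id": record_id, "action": action,
             "timestamp": when.isoformat(),   # aware datetime keeps the timezone offset
             "old": old, "new": new,
             "prev": trail[-1]["hash"] if trail else GENESIS}
    entry["hash"] = digest_of(entry)          # chains this entry to the one before it
    trail.append(entry)

def first_bad_entry(trail):
    """Index of the first edited, removed or reordered entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry["hash"] != digest_of(body):
            return i
        prev = entry["hash"]
    return -1

def sign_record(key, signer, reason, content: bytes, when):
    """Signature manifest linked to the record through the record's SHA-256 digest."""
    manifest = {"signer": signer, "reason": reason, "timestamp": when.isoformat(),
                "record_sha256": hashlib.sha256(content).hexdigest()}
    manifest["mac"] = hmac.new(key, digest_of(manifest).encode(), hashlib.sha256).hexdigest()
    return manifest

def signature_valid(key, manifest, content: bytes) -> bool:
    """False if the manifest was altered or the record changed after it was signed."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    mac = hmac.new(key, digest_of(body).encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(mac, manifest["mac"])
            and body["record_sha256"] == hashlib.sha256(content).hexdigest())

if __name__ == "__main__":
    # Constructed sample data: none of these values come from a real eTMF.
    when = datetime(2011, 11, 15, 9, 30, tzinfo=timezone(timedelta(hours=-5)))
    trail, key, doc = [], b"demo-key-not-for-production", b"Protocol v1 (final)"
    append_entry(trail, "jdoe", "DOC-001", "new", None, "v1", when)
    append_entry(trail, "asmith", "DOC-001", "modify", "v1", "v2", when + timedelta(hours=1))
    sig = sign_record(key, "jdoe", "approval", doc, when)
    trail[0]["new"] = "v9"                    # simulated after-the-fact edit
    print(first_bad_entry(trail), signature_valid(key, sig, doc + b" edited"))
```

The chain only proves integrity relative to its latest hash, so that value has to be stored where users who can edit records cannot write.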