1. Achieving a 21 CFR Part 11
Compliant eTMF
Presented by Paul Fenton
2nd eTMF Bootcamp
Philadelphia
November 15th 2011
2. / Overview
• History of 21 CFR Part 11
• What is an electronic record?
• eTMF attributes required for compliance
• Risk based validation approaches for eTMF
• Qualification audits and system selection
• Best practices
3. / A little history
• 1997 – FDA introduces 21 CFR Part 11
• 1997-2003 – Industry struggles to implement 21 CFR Part 11 compliant systems
• 2003 – Scope and application document limits scope of 21 CFR Part 11
4. / What is an electronic record
• FDA Guidance (Electronic Records; Electronic Signatures —
Scope and Application) defines electronic records as:
– Records that are required to be maintained under predicate rule
requirements and that are maintained in electronic format in place of
paper format
– Records that are required to be maintained under predicate rules,
that are maintained in electronic format in addition to paper format,
and that are relied on to perform regulated activities
– Records submitted to FDA, under predicate rules (even if such
records are not specifically identified in Agency regulations) in
electronic format
– Electronic signatures that are intended to be the equivalent of
handwritten signatures, initials, and other general signings required
by predicate rules
5. / Principal Electronic records in an eTMF
• All electronic source essential documents required
by predicate rule
• All electronic copies of essential documents
• Electronic forms used to manage regulated
processes
• Metadata used to make regulated decisions
• Electronic signatures applied to electronic records
• Audit trail on electronic records
6. / 21 CFR Part 11 – 10 Steps to Compliance
1. Fully documented and validated systems including change
control
2. Ability to generate accurate and complete copies of records for
inspection and review by the agency
3. Ability to protect and easily retrieve records through their
retention period
4. Ability to discern changes to records through the use of audit
trails
5. Proper security controls (authentication, user rights)
6. Trained and qualified individuals
7. SOPs
8. Encryption for open systems
9. eSignature components and controls
10. Linking of electronic signatures to records
7. Requirement 1 – System Documentation / Validation
/ What is Computer Systems Validation?
• A formal process to ensure that:
– systems consistently operate as they were intended
– user, business and regulatory system requirements
are met
– information is secure and properly managed by the
system
– procedures and processes are in place for the use
and management of the system
9. Requirement 1 – System Documentation / Validation
/ What is expected?
• That full traceability of systems and processes be in place
• That procedures should be in place to ensure that systems
used in regulated activities are adequately validated
• That systems should be maintained in a validated state
through effective change control mechanisms
• That sponsors take a risk based approach to computer
systems validation (CSV)
• That individuals involved in CSV activities and the
maintenance of validated systems have adequate
experience and training
10. Requirement 1 – System Documentation / Validation
/ System Documentation Review
• There should be a clear plan and process for
producing documentation governed by SOP or MVP
• Documentation should be traceable and original
• ALCOA should be respected
• Version control and change control procedures
should be in place for system documentation
• It should be clear whether documentation is
cumulative or iterative
11. Requirement 1 – System Documentation / Validation
/ System Documentation Review
• If documentation is paper based, adequate
controls should be in place to protect it (fire proof
cabinets, offsite scans etc.)
• If documentation is electronic, it should be
maintained in accordance with 21 CFR Part 11
• If documentation is being provided by a third party,
then it should be clear whose SOPs are being used
• Clear documentation identifiers and titles should
be provided
12. Requirement 1 – System Documentation / Validation
/ Traceability Review
• Validation plan and validation summary report
reviewed
• Traceability matrix should clearly indicate which
requirements were tested with which test scripts
• Requirements can also be met through IQ or SOPs
• Traceability matrix can also reference Functional
Specifications and Design Specification documents
for custom build systems
• Traceability Matrix is a living document and should
be maintained as part of change control
13. Requirement 1 – System Documentation / Validation
/ Traceability Review
• Traceability Matrix is a key tool in
understanding how a system has been tested
and ascertaining validated state
• It is also very useful when performing
impact assessments for change control
• Significantly facilitates the management of
the system as well as the inspection of
system documentation
14. Requirement 2 - Ability to generate accurate and
/ complete copies of records
• Indexing and search system to be able to easily find
records in the case of inspection
• Ability to print records or to provide an ‘Inspector’
view to final records and associated audit trail /
eSignature information
• Document lifecycle status should be clear i.e. Final
Record? Version?
• You should be able to produce copies of records in
a common portable format (PDF, XML)
15. Requirement 3 - Protect and easily retrieve records
/ through their retention period
• Ensure that a full system backup is in place
(preferably with an offsite copy in case of disaster)
• Perform regular backup restoration tests
• Ensure eTMF system is part of the disaster
recovery plan
• Store final records in public portable format (PDF,
XML) if possible to ensure system independence
• Apply retention policies in the eTMF system in line
with records retention SOP
16. Requirement 4 – Ability to discern changes to
/ records through the use of audit trails
• Audit trail should be applied to all records in the eTMF
(documents, metadata, signatures)
• Audit trail elements include:
– Username
– Record Identifier
– Type of audit entry (new, modify, delete, view etc.)
– Date/timestamp (with timezone)
– Old/New value (can be in the document or in version
history/audit trail)
• If working with a 3rd party, they should provide the audit
trail with the electronic records
• Audit trails should be computer generated and non-modifiable
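The audit trail elements listed above, as an added example (not the presenter's or any vendor's code): an append-only trail whose entries carry username, record identifier, entry type, timezone-aware timestamp and old/new value, and are hash-chained so that a retrospective edit is detected on verification. The record identifiers, usernames and timestamps are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone, timedelta
# Added example (not the presenter's or any vendor's code): an append-only
# audit trail whose entries carry the elements the slide lists and are
# hash-chained, so a retrospective edit or deletion is detected on verify().
def _digest(entry: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, username, record_id, action, old_value, new_value, when):
        # 'when' is the system clock reading; it must carry a timezone offset.
        if when.utcoffset() is None:
            raise ValueError("timestamp must carry a timezone")
        entry = {
            "username": username,
            "record_id": record_id,
            "action": action,  # new, modify, delete, view ...
            "timestamp": when.isoformat(),
            "old_value": old_value,
            "new_value": new_value,
            "prev_hash": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        # Recompute every hash and check each link back to the previous entry.
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def demo_audit_trail() -> tuple:
    # Constructed sample: a document goes from draft to final, then the first
    # entry is altered after the fact; verify() must catch the alteration.
    tz = timezone(timedelta(hours=-5))
    trail = AuditTrail()
    trail.record("jdoe", "TMF-001", "new", None, "Draft", datetime(2011, 11, 15, 9, 0, tzinfo=tz))
    trail.record("jdoe", "TMF-001", "modify", "Draft", "Final", datetime(2011, 11, 15, 9, 30, tzinfo=tz))
    ok_before = trail.verify()
    trail.entries[0]["new_value"] = "Final"
    return ok_before, trail.verify()
```

The chain makes tampering detectable; preventing modification in the first place still depends on the access controls and SOPs covered under Requirement 5 and 7.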
17. / Requirement 5 – Proper security controls
• Each user must have a unique logon and password to access
the system
• Passwords should be changed periodically
• The system should have the ability to detect security
breaches
• The system should have a granular security system based
on user security profiles which can be applied up to the
document level
• The system should be able to enforce sequencing of events
based on document status
• The system should ensure that final records are read only
• There should be SOPs in place that govern system security
18. / Requirement 6 – Trained and Qualified Individuals
• There should be clear job descriptions for all roles
required to develop, install, validate, maintain and
use the system
• There should be formal training on both the SOPs
that govern the system and the administration/use
of the system
• Job descriptions should clearly describe the
qualifications required for each role
• A training matrix should clearly indicate which
SOPs should be trained on for each role
• CVs and training records should be maintained on
file
19. / Requirement 7 – SOPs
• There should be formal SOPs in place for:
– Software development and validation
– System change control
– Physical and logical security / data protection
– System maintenance and administration
– Disaster recovery and business continuity
– Use of electronic and digital signatures
– Records management (including records retention and
archiving)
– eTMF management
– Any other regulated processes managed with the eTMF
system….
20. / Requirement 8 – Encryption
• Definition of an open system: environment in which system
access is not controlled by persons who are responsible for
the content of electronic records that are on the system
• If the eTMF is hosted or being used by individuals outside of
the organization (and therefore transiting over the internet)
then it may be considered an open system
• Need to ensure record authenticity, integrity, and
confidentiality
• Use of encryption such as SSL or VPN can be used to ensure
confidentiality
• Use of digital signatures can also help to show integrity and
authenticity
21. Requirement 9 – eSignature components and controls
/ Electronic vs. Digital Signatures
Characteristic | Electronic | Digital
Uses token | No | Yes
Encrypts document with token | No | Yes
Can be independently verified outside of the system | No | Yes
Link to record | Link resides in the database of the system generating the signature | Link is usually contained within the record that was signed
Maintenance | Needs to be maintained in the system for retention period | Can be retained independently from the system in the record
22. Requirement 9 – eSignature components and controls
/ Components
• Image of wet ink signature – no regulatory value
• Full name of signer
• Reason for signature
• Unambiguous date and timestamp
• Timezone offset
23. Requirement 9 – eSignature components and controls
/ General Requirements
• eSignature should be unique to an individual
• There should be at least two elements of
identification used to sign
• Signers must be trained on the use of eSignatures
and sign a non-repudiation form which clearly
identifies them
• eSignatures should become invalid if a record
changes after being signed
24. Requirement 9 – eSignature components and controls
/ General Requirements
• Should be designed to require the collaboration of
2+ individuals to use someone else’s eSignature
• Implement a password policy to periodically
require that passwords are changed (90 days…)
• Implement a loss management procedure in your
SOP on eSignatures / logical security
• Don’t forget to send the letter of certification…
25. Requirement 10 – Signature linking to records
/ Standard Acrobat embedded signature
[Figure: Acrobat signature validity panel for a standard embedded digital signature]
26. Requirement 10 – Signature linking to records
/ Electronic signature linking
• Just reproducing the signature information on the
record is not sufficient
• Database entries must be maintained as electronic
records i.e. audit trail etc.
• System must be maintained over time so as to
maintain the ability to discern changes to records
and link to records
• Impossible to know if a record has changed if
record lives outside of the system
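The two points above (slide 23: eSignatures should become invalid if a record changes after signing; slide 26: the signature must be linked to the record, not merely reproduced on it), as an added example that is not the presenter's or any product's code. The manifest carries the signature components from slide 22 and is bound to the record by its SHA-256 digest; an HMAC key is assumed as a stand-in for the signer's private key so the example runs on the standard library alone, and the key, signer name and record bytes are constructed sample values.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone, timedelta

# Added example (not the presenter's or any product's code): an eSignature
# manifest carrying the components listed in the deck (signer's full name,
# reason, unambiguous timestamp with timezone offset), linked to the record by
# the record's SHA-256 digest. An HMAC key stands in for the signer's private
# key so this runs on the standard library; a real digital signature would use
# an asymmetric key pair and certificate, but the linking logic is the same.

def sign_record(record: bytes, signer: str, reason: str, key: bytes, when: datetime) -> dict:
    if when.utcoffset() is None:
        raise ValueError("signature timestamp must carry a timezone offset")
    manifest = {
        "signer": signer,
        "reason": reason,
        "timestamp": when.isoformat(),  # e.g. 2011-11-15T14:05:00-05:00
        "record_sha256": hashlib.sha256(record).hexdigest(),  # the link to the record
    }
    payload = json.dumps(manifest, sort_keys=True).encode()
    manifest["mac"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return manifest

def verify_signature(record: bytes, manifest: dict, key: bytes) -> bool:
    # Both checks must pass: the manifest is authentic, and it refers to this
    # exact record content. Any change to the record after signing fails here.
    body = {k: v for k, v in manifest.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False
    return body["record_sha256"] == hashlib.sha256(record).hexdigest()

def demo_signature() -> tuple:
    # Constructed sample record and key (illustrative values only).
    key = b"demo-signing-key-not-for-real-use"
    final_pdf = b"%PDF-1.4 ... protocol v2.0 final ..."
    when = datetime(2011, 11, 15, 14, 5, tzinfo=timezone(timedelta(hours=-5)))
    sig = sign_record(final_pdf, "Jane Doe", "Approval", key, when)
    ok_original = verify_signature(final_pdf, sig, key)
    ok_modified = verify_signature(final_pdf + b" (edited)", sig, key)
    return ok_original, ok_modified
```

Because the digest is part of the signed manifest, verification can only succeed against the exact bytes that were signed, which is what lets the system discern changes as long as it retains both the record and the manifest.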
27. / Best Practices – System selection
• Ask for a 21 CFR Part 11 white paper or
assessment from the vendor
• Perform a due diligence audit to establish if the
system is properly documented and validated and
that other controls are in place
• Establish clear user requirements for system
functionality to meet 21 CFR Part 11
• Define clear roles and responsibilities
28. / Typical Auditor Checklist – 21 CFR Part 11
• Adequate Quality System – 11.10
• Adequate SDLC and System Maintenance SOPs including:
– Software Development Lifecycle – 11.10 (k)
– Computer System Validation – 11.10 (a)
– Change Control – 11.10 (k)
– Configuration Control – 11.10 (k)
– Data Backup and Restoration – 11.10 (b), (c)
– Logical & Physical Security – 11.10 (d), (g), (h)
– System Administration & Maintenance – 11.10 (k)
– Disaster Recovery and Business Continuity – 11.10 (b)
– Defect Management – 11.10 (k)
29. / Typical Auditor Checklist – 21 CFR Part 11
• Policy on use of Electronic Signatures – 11.10 (j)
• Adequate qualifications and training for personnel
who develop and manage computerized systems
(11.10(i))
• Adequate documentation and records
management procedures including records
retention and retrieval (11.10(b),(c), (k))
• Adequate technical controls to ensure proper
security, authentication and audit trail are in place
30. / Best Practices - Controls
• Ensure all users are fully trained in the use of the
system and understand what an electronic record is
• Implement an electronic records management policy
• Define a clear electronic signature policy
• Implement SOPs on how to manage and maintain
the system
• Ensure that proper change control and
configuration control is in place
• Implement a checklist which clearly describes how
you meet 21 CFR Part 11
32. / Other regulations and Guidance
• Eudralex Volume 4 Annex 11 – Computerised
Systems
• Directive 1999/93/EC Community framework
for electronic signatures
• PIC/S PI 011-3 Good Practices for Computerised
Systems in Regulated GxP Environments (2007)
• FDA: Computerized Systems used in Clinical
Investigations
• FDA: Electronic Source Documentation in Clinical
Investigations - DRAFT
33. / Conclusion
• Remember 21 CFR Part 11 compliance is both technical and
procedural
• Always develop clear rationale as to how you are meeting
all of the requirements
• Remember, you are always responsible as the sponsor so
make sure you do proper due diligence
• Clearly identify what you consider to be electronic records
• Make sure everyone in the organization understands
electronic records and electronic signatures
• Perform regular follow up assessment to evaluate ongoing
compliance
• Don’t get rid of the paper (yet…)
34. / Contact Details
Paul Fenton
Montrium Inc.
507 Place d’Armes, Suite 1050
Montreal (QC) H2Y 2W8
Canada
Tel. 514-223-9153 ext.206
pfenton@montrium.com
www.montrium.com