Achieving a 21 CFR Part 11 Compliant eTMF Presented by Paul Fenton 2nd eTMF Bootcamp Philadelphia November 15th 2011

Upload: paulkfenton

Post on 22-Nov-2014


TRANSCRIPT

Page 1: Achieving a 21 CFR Part 11 Compliant eTMF

Achieving a 21 CFR Part 11 Compliant eTMF

Presented by Paul Fenton 2nd eTMF Bootcamp Philadelphia November 15th 2011

Page 2: Achieving a 21 CFR Part 11 Compliant eTMF

/ Overview

•History of 21 CFR Part 11

•What is an electronic record?

•eTMF attributes required for compliance

•Risk based validation approaches for eTMF

•Qualification audits and system selection

•Best practices

Page 3: Achieving a 21 CFR Part 11 Compliant eTMF

/ A little history

1997 • FDA introduces 21 CFR Part 11

1997-2003 • Industry struggles to implement 21 CFR Part 11 compliant systems

2003 • Scope and application document limits scope of 21 CFR Part 11

Page 4: Achieving a 21 CFR Part 11 Compliant eTMF

/ What is an electronic record

• FDA Guidance (Electronic Records; Electronic Signatures — Scope and Application) defines electronic records as:

– Records that are required to be maintained under predicate rule requirements and that are maintained in electronic format in place of paper format

– Records that are required to be maintained under predicate rules, that are maintained in electronic format in addition to paper format, and that are relied on to perform regulated activities

– Records submitted to FDA, under predicate rules (even if such records are not specifically identified in Agency regulations) in electronic format

– Electronic signatures that are intended to be the equivalent of handwritten signatures, initials, and other general signings required by predicate rules

Page 5: Achieving a 21 CFR Part 11 Compliant eTMF

/ Principal Electronic records in an eTMF

• All electronic source essential documents required by predicate rule

• All electronic copies of essential documents

• Electronic forms used to manage regulated processes

• Metadata used to make regulated decisions

• Electronic signatures applied to electronic records

• Audit trail on electronic records

Page 6: Achieving a 21 CFR Part 11 Compliant eTMF

/ 21 CFR Part 11 – 10 Steps to Compliance

1. Fully documented and validated systems including change control

2. Ability to generate accurate and complete copies of records for inspection and review by the agency

3. Ability to protect and easily retrieve records through their retention period

4. Ability to discern changes to records through the use of audit trails

5. Proper security controls (authentication, user rights)

6. Trained and qualified individuals

7. SOPs

8. Encryption for open systems

9. eSignature components and controls

10. Linking of electronic signatures to records

Page 7: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 1 – System Documentation / Validation

What is Computer Systems Validation?

• A formal process to ensure that:

– systems consistently operate as they were intended

– user, business and regulatory system requirements are met

– information is secure and properly managed by the system

– procedures and processes are in place for the use and management of the system

Page 8: Achieving a 21 CFR Part 11 Compliant eTMF

/ SDLC Process

Page 9: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 1 – System Documentation / Validation

What is expected?

• That full traceability of systems and processes be in place

• That procedures should be in place to ensure that systems used in regulated activities are adequately validated

• That systems should be maintained in a validated state through effective change control mechanisms

• That sponsors take a risk based approach to computer systems validation (CSV)

• That individuals involved in CSV activities and the maintenance of validated systems have adequate experience and training

Page 10: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 1 – System Documentation / Validation

System Documentation Review

• There should be a clear plan and process for producing documentation governed by SOP or MVP

• Documentation should be traceable and original

• ALCOA should be respected

• Version control and change control procedures should be in place for system documentation

• It should be clear whether documentation is cumulative or iterative

Page 11: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 1 – System Documentation / Validation

System Documentation Review

• If documentation is paper based, adequate controls should be in place to protect it (fire proof cabinets, offsite scans etc.)

• If documentation is electronic, it should be maintained in accordance with 21 CFR Part 11

• If documentation is being provided by a third party, then it should be clear whose SOPs are being used

• Clear documentation identifiers and titles should be provided

Page 12: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 1 – System Documentation / Validation

Traceability Review

• Validation plan and validation summary report reviewed

• Traceability matrix should clearly indicate which requirements were tested with which test scripts

• Requirements can also be met through IQ or SOPs

• Traceability matrix can also reference Functional Specifications and Design Specification documents for custom-built systems

• Traceability Matrix is a living document and should be maintained as part of change control

Page 13: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 1 – System Documentation / Validation

Traceability Review

• Traceability Matrix is a key tool in understanding how a system has been tested and ascertaining validated state

• It is also very useful when performing impact assessments for change control

• Significantly facilitates the management of the system as well as the inspection of system documentation

Page 14: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 2 - Ability to generate accurate and complete copies of records

• Indexing and search system to be able to easily find records in the case of inspection

• Ability to print records or to provide an ‘Inspector’ view to final records and associated audit trail / eSignature information

• Document lifecycle status should be clear i.e. Final Record? Version?

• You should be able to produce copies of records in a common portable format (PDF, XML)

Page 15: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 3 - Protect and easily retrieve records through their retention period

• Ensure that a full system backup is in place (preferably with an offsite copy in case of disaster)

• Perform regular backup restoration tests

• Ensure eTMF system is part of the disaster recovery plan

• Store final records in public portable format (PDF, XML) if possible to ensure system independence

• Apply retention policies in the eTMF system in line with records retention SOP

Page 16: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 4 – Ability to discern changes to records through the use of audit trails

• Audit trail should be applied to all records in the eTMF (documents, metadata, signatures)

• Audit trail elements include:

– Username

– Record Identifier

– Type of audit entry (new, modify, delete, view etc.)

– Date/timestamp (with timezone)

– Old/New value (can be in the document or in version history/audit trail)

• If working with a 3rd party, they should provide the audit trail with the electronic records

• Audit trails should be computer generated and non-modifiable
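
One way to make an audit trail with the elements above tamper-evident is to chain each entry to the previous one with a hash. This is an added example, not code from the presentation; hash chaining, the field names and the sample events are assumptions of the sketch.

```python
import hashlib
import json
from datetime import datetime, timezone, timedelta

GENESIS = "0" * 64  # chain anchor for the first entry (assumption of this sketch)

def _digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry, minus its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

def append_entry(trail, username, record_id, action, old, new, when=None):
    """Append a system-generated entry carrying the elements listed on the slide."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a timezone offset")
    entry = {
        "username": username,
        "record_id": record_id,
        "action": action,               # new, modify, delete, view ...
        "timestamp": when.isoformat(),  # ISO 8601, includes the UTC offset
        "old_value": old,
        "new_value": new,
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    trail.append(entry)
    return entry

def verify_trail(trail):
    """Return the index of the first altered or unlinked entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev_hash"] != prev or entry["entry_hash"] != _digest(entry):
            return i
        prev = entry["entry_hash"]
    return None

def demo():
    """Constructed sample: three events on one eTMF document, then a tampered copy."""
    t0 = datetime(2011, 11, 15, 9, 0, tzinfo=timezone(timedelta(hours=-5)))
    trail = []
    append_entry(trail, "jsmith", "DOC-001", "new", None, "Draft", t0)
    append_entry(trail, "jsmith", "DOC-001", "modify", "Draft", "Final", t0 + timedelta(hours=1))
    append_entry(trail, "auditor1", "DOC-001", "view", None, None, t0 + timedelta(hours=2))
    tampered = [dict(e) for e in trail]
    tampered[1]["username"] = "someone_else"  # edit made outside the system
    return verify_trail(trail), verify_trail(tampered)
```

The chain alone does not reveal removal of the most recent entries; recording the latest entry_hash outside the system covers that case.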

Page 17: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 5 – Proper security controls

• Each user must have a unique logon and password to access the system

• Passwords should be changed periodically

• The system should have the ability to detect security breaches

• The system should have a granular security system based on user security profiles which can be applied up to the document level

• The system should be able to enforce sequencing of events based on document status

• The system should ensure that final records are read only

• There should be SOPs in place that govern system security

Page 18: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 6 – Trained and Qualified Individuals

• There should be clear job descriptions for all roles required to develop, install, validate, maintain and use the system

• There should be formal training on both the SOPs that govern the system and the administration/use of the system

• Job descriptions should clearly describe the qualifications required for each role

• A training matrix should clearly indicate which SOPs should be trained on for each role

• CVs and training records should be maintained on file

Page 19: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 7 – SOPs

• There should be formal SOPs in place for:

– Software development and validation

– System change control

– Physical and logical security / data protection

– System maintenance and administration

– Disaster recovery and business continuity

– Use of electronic and digital signatures

– Records management (including records retention and archiving)

– eTMF management

– Any other regulated processes managed with the eTMF system….

Page 20: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 8 – Encryption

• Definition of an open system: environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system

• If the eTMF is hosted or being used by individuals outside of the organization (and therefore transiting over the internet) then it may be considered an open system

• Need to ensure record authenticity, integrity, and confidentiality

• Encryption such as SSL or VPN can be used to ensure confidentiality

• Use of digital signatures can also help to show integrity and authenticity

Page 21: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 9 – eSignature components and controls

Electronic vs. Digital Signatures

| Characteristic | Electronic | Digital |
| --- | --- | --- |
| Uses token | No | Yes |
| Encrypts document with token | No | Yes |
| Can be independently verified outside of the system | No | Yes |
| Link to record | Link resides in the database of the system generating the signature | Link is usually contained within the record that was signed |
| Maintenance | Needs to be maintained in the system for retention period | Can be retained independently from the system in the record |

Page 22: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 9 – eSignature components and controls

Components

Full name of signer

Reason for signature

Unambiguous date and timestamp

Timezone offset

Image of Wet Ink signature – No regulatory value

Page 23: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 9 – eSignature components and controls

General Requirements

• eSignature should be unique to an individual

• There should be at least two elements of identification used to sign

• Signers must be trained on the use of eSignatures and sign a non-repudiation form which clearly identifies them

• eSignatures should become invalid if a record changes after being signed

Page 24: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 9 – eSignature components and controls

General Requirements

• Should be designed to require the collaboration of 2+ individuals to use someone else’s eSignature

• Implement a password policy to periodically require that passwords are changed (90 days…)

• Implement a loss management procedure in your SOP on eSignatures / logical security

• Don’t forget to send the letter of certification…

Page 25: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 10 – Signature linking to records

Standard Acrobat embedded signature

Digital Signature Validity

Page 26: Achieving a 21 CFR Part 11 Compliant eTMF

/ Requirement 10 – Signature linking to records

Electronic signature linking

• Just reproducing the signature information on the record is not sufficient

• Database entries must be maintained as electronic records i.e. audit trail etc.

• System must be maintained over time so as to maintain the ability to discern changes to records and link to records

• Impossible to know if a record has changed if record lives outside of the system
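
The signature components under Requirement 9 and the requirement that a signature become invalid when the record changes can both be met by binding the signature details to a hash of the record. This is an added example, not code from the presentation; the HMAC with a system-held key, the field names and the sample record are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone, timedelta

# Assumption: a secret held only by the signing system. A token-based digital
# signature would use the signer's private key instead of a shared secret.
SYSTEM_KEY = b"constructed-demo-key-not-for-production"

def _mac(manifest: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of the manifest, minus its own MAC."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    msg = json.dumps(body, sort_keys=True).encode("utf-8")
    return hmac.new(SYSTEM_KEY, msg, hashlib.sha256).hexdigest()

def sign_record(record: bytes, record_id, full_name, reason, when):
    """Build a signature manifest with the listed components, bound to the record hash."""
    if when.tzinfo is None:
        raise ValueError("signature timestamp needs a timezone offset")
    manifest = {
        "record_id": record_id,
        "record_sha256": hashlib.sha256(record).hexdigest(),
        "signer_full_name": full_name,
        "reason": reason,
        "signed_at": when.isoformat(),  # unambiguous, carries the offset
    }
    manifest["mac"] = _mac(manifest)
    return manifest

def signature_status(record: bytes, manifest: dict) -> str:
    """Classify a stored signature against the current content of the record."""
    if not hmac.compare_digest(manifest.get("mac", ""), _mac(manifest)):
        return "manifest-altered"
    if hashlib.sha256(record).hexdigest() != manifest["record_sha256"]:
        return "record-changed-after-signing"
    return "valid"

def demo():
    """Constructed sample record and signer."""
    when = datetime(2011, 11, 15, 14, 30, tzinfo=timezone(timedelta(hours=-5)))
    original = b"Protocol v2.0 - final"
    sig = sign_record(original, "DOC-001", "Jane Smith", "Approval", when)
    edited = dict(sig, reason="Review")  # signature details copied and edited
    return (signature_status(original, sig),
            signature_status(b"Protocol v2.1 - final", sig),
            signature_status(original, edited))
```

Because the key and manifest live in the system, this behaves like the "Electronic" column of the comparison above: the link can only be checked by the system that created it.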

Page 27: Achieving a 21 CFR Part 11 Compliant eTMF

/ Best Practices – System selection

• Ask for a 21 CFR Part 11 white paper or assessment from the vendor

• Perform a due diligence audit to establish if the system is properly documented and validated and that other controls are in place

• Establish clear user requirements for system functionality to meet 21 CFR Part 11

• Define clear roles and responsibilities

Page 28: Achieving a 21 CFR Part 11 Compliant eTMF

/ Typical Auditor Checklist – 21 CFR Part 11

• Adequate Quality System - 11.10

• Adequate SDLC and System Maintenance SOPs including:

• Software Development Lifecycle - 11.10 (k)

• Computer System Validation - 11.10 (a)

• Change Control - 11.10 (k)

• Configuration Control – 11.10 (k)

• Data Backup and Restoration – 11.10 (b), (c)

• Logical & Physical Security – 11.10 (d),(g),(h)

• System Administration & Maintenance (k)

• Disaster Recovery and Business Continuity (b)

• Defect Management 11.10 (k)

Page 29: Achieving a 21 CFR Part 11 Compliant eTMF

/ Typical Auditor Checklist – 21 CFR Part 11

• Policy on use of Electronic Signatures – 11.10 (j)

• Adequate qualifications and training for personnel who develop and manage computerized systems (11.10(i))

• Adequate documentation and records management procedures including records retention and retrieval (11.10(b),(c), (k))

• Adequate technical controls to ensure proper security, authentication and audit trail are in place

Page 30: Achieving a 21 CFR Part 11 Compliant eTMF

/ Best Practices - Controls

• Ensure all users are fully trained in the use of the system and understand what an electronic record is

• Implement an electronic records management policy

• Define a clear electronic signature policy

• Implement SOPs on how to manage and maintain the system

• Ensure that proper change control and configuration control is in place

• Implement a checklist which clearly describes how you meet 21 CFR Part 11

Page 31: Achieving a 21 CFR Part 11 Compliant eTMF

/ Implement a 21 CFR Part 11 checklist

Page 32: Achieving a 21 CFR Part 11 Compliant eTMF

/ Other regulations and Guidance

• Eudralex Volume 4 Annex 11 – Computerised Systems

• Directive 1999/93/EC Community framework for electronic signatures

• PIC/S PI 011-3 Good Practices for Computerised Systems in Regulated GxP Environments (2007)

• FDA: Computerized Systems used in Clinical Investigations

• FDA: Electronic Source Documentation in Clinical Investigations - DRAFT

Page 33: Achieving a 21 CFR Part 11 Compliant eTMF

/ Conclusion

• Remember 21 CFR Part 11 compliance is both technical and procedural

• Always develop clear rationale as to how you are meeting all of the requirements

• Remember, you are always responsible as the sponsor so make sure you do proper due diligence

• Clearly identify what you consider to be electronic records

• Make sure everyone in the organization understands electronic records and electronic signatures

• Perform regular follow up assessment to evaluate ongoing compliance

• Don’t get rid of the paper (yet…)

Page 34: Achieving a 21 CFR Part 11 Compliant eTMF

/ Contact Details

Paul Fenton

Montrium Inc.

507 Place d’Armes, Suite 1050

Montreal (QC) H2Y 2W8

Canada

Tel. 514-223-9153 ext.206

www.montrium.com