AVO Chief

An important consideration in evaluating the impact of  FirstDoc/Documentum-based applications in helping meet 21 CFR Part 11 compliance is whether the specific system implementation is considered a closed or open system.  The FDA provides the following definitions in 21 CFR Part 11 for closed and open systems:

• Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
• Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

Closed System Controls

For closed systems there needs to be a way for “validation of the systems to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid or altered records”.  FirstDoc has been developed in accordance with an ISO 9001:2000 certified Quality Management System. In addition, FirstDoc has been audited by many pharmaceuticals and performed well.  This by itself is not a guarantee but an indication that many of its features were built with 21 CFR Part 11 compliance in mind.

Ability to Generate Records

For example, FirstDoc works within a Documentum environment.  Documentum along with company records management policy help satisfy the requirement to be able to generate accurate records both in human readable and electronic form suitable for inspection and review.

Features that support accurate and complete copies in human readable form include:

• The generation of PDF renditions
• The ability to view and print these renditions in accordance with system-defined security rules
• FirstDoc’s automatic PDF rendition generation feature where each time document is modified FirstDoc generates a PDF rendition (if so supported)

Protection of Records for Retrieval

• Documentum’s built in archiving capability  can be used to migrate content off-line while maintaining metadata in the docbase.  Therefore, documents can be retained in the system throughout the retention period, or in an archiving process where they are stored outside the system.
• FirstDoc uses Documentum’s robust security, which limits the capability for modifying and deleting records to designated users.
• FirstDoc also automatically applies security to Approved documents that prevents them from being deleted or modified.
• FirstDoc can track retention information to assist in managing documents in accordance with retention policies.
• FirstDoc also includes an optional Records Management module which implements retention policies and allows deletion of records which have reached the end of their retention periods.

Limiting Access to Authorized Individuals

• Documentum implements a secure username and password to limit access to authorized individuals
• FirstDoc augments Documentum security by providing automatic application of a client’s defined security scheme. And users cannot modify security outside of the rules defined.

Use of Secure Audit Trails

• FirstDoc uses the Documentum audit trail capability augmented by audit trail entries produced for custom FirstDoc events such as check-in, save, destroy, status change and user events such as review and approval outcome including electronic signature
• Unless the audit trail has been migrated offline as per a controlled SOP, Documentum’s Purge Audit Trail capability should not be used in order to maintain the audit trail for the life of the record.
• FirstDoc provides the capability for authorized users to change document metadata on approved records. And an audit trail entry captures the previously recorded values so that they are not obscured.

Use of Operational System checks

Documentum can aid in implementing many of the following controls:

• Use of approved templates only in creating documents
• Limiting property values to predefined lists wherever possible
• Entry of mandatory attributes
• Storage in a pre-defined hiearchy (cabinet/folder structure)
• Enforcing a defined document lifecycle and approval process
• Ensuring that all required electronic signatures are obtained.

Use of Authority Checks

Documentum can aid in implementing client-defined control over authorization for the following:

• Document creation
• Document access (delete, write, read, etc. via ACL security)
• Changing status
• Initiating and participating in the review and approval process
• Signing documents
• Establishing document relations

Electronic Signature Records

Electronic signatures required additional information that validates the signature.

• FirstDoc validates the signature, translates the user ID to the full user name, and captures the user name, local date an time, server date and time and reason for signature as non-editable properties of the document.
• FirstDoc will imprint signature pages and screens with the time zone reference selected.
• FirstDoc adds a signature page to the document PDF that displays all required signature information, including full name of each user who signed the document.
• Electronic signatures must be unique to one individual and must not be re-used. Documentum can assist with this via the ability to disable (and not delete) users who are removed from the system. By leaving the users in the system re-use of their user IDs will not be possible.

Code and Password Controls

• Documentum and Unix/Windows Server system can provide the ability to maintain uniqueness of code and password so that no two individuals have the same combination of code and password.
• Both Trusted Unix and Windows server system can be used as well to require periodic aging of passwords.
• Both Trusted Unix and Windows server system can be used to disable user accounts after a configurable number of unsuccessful attempts.