A reader has recently asked if I had any information on the differences between FirstDoc, FirstPoint and NextDocs.
To do a full feature-for-feature comparison of all the solutions is not something that I can easily do. However I have been able to get my hands on some great documentation, and can put together a “rough notes” comparison of the three solutions with regards to the core system, and how each solution complies with 21 CFR Part 11.
Note – this is version 2 of this post. After publishing the initial version, one of the vendors was able to provide me with a later version of their compliance statements. The table below has been updated as well as the Comparison PDF that can be downloaded. This is marked as Version 2. The link in the references still links back to the original compliance statement.
Important Note 1:
The FDA regulation, 21 CFR Part 11, is often update and modified. The documentation that I was able to find from CSC, and NextDocs appears to have been created at different times. As a result – I found some “discrepancies” between them. Sometimes the wording in the material I had, didn’t match the current version of the regulations. However, the “intent” is still the same.
Important Note 2:
I do not claim to be an expert in 21 CFR 11. Nor do I claim to be an expert in each of the different platforms/applications described in this post. I will list my references at the bottom this, but I make 2 recommendations:
- 21 CFR Part 11 can be interpreted in slightly different ways. Discuss with your internal QAV people what the expectations are.
- Make contact with the vendors in question to really determine whether their application fits your requirements.
21 CFR Part 11
Product Comparison
Below I have listed each vendors response to each of the regulations outlined in 21 CFR 11.
This was compiled using information that can be found on the Internet. (I include reference links at the bottom of this post, as well as in the PDF.)
However, as mentioned – this is intended merely as a guideline. I encourage you to contact each of the vendors directly to get an updated statements of compliance, as well as information on server configuration/sizing & prerequisite software.
(Note to vendors – if you feel that there are errors, please let me know in the comments, and I will make the necessary corrections).
You can also click HERE to download a PDF version.
FirstDoc, SPX, FirstPoint & NextDocs
Subpart B – Electronic Records |
||||||
21 CRFR 11 Requirement | FirstDoc | FirstPoint | NextDocs | |||
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. | FirstDocis developed in accordance with the CSC LSQMSadvantage™, an ISO 9001:2000 certified Quality Management System.QMSadvantage and FirstDoc have been audited by many pharmaceutical clients. As part of a formal vendor audit, CSC can provide evidence that FirstDoc is developed and tested in accordance with QMSadvantage.FirstDoc has been validated by many clients. CSC offers a validation package (consisting of validation plan, traceability matrix, and IQ/OQ/PQ protocol templates and OQ protocols) with each release of the FDRD, FDQ&M, and FDTMF products. | FirstPoint is developed in accordance with the CSC LS QMSadvantage™, an ISO 9001:2000 certified Quality Management System. QMSadvantage™ has been audited by many pharmaceutical clients. As part of a formal vendor audit, CSC can provide evidence that FirstPoint is developed and tested in accordance with QMSadvantage™.FirstPoint is “validation ready” for its clients upon completion of installation and configuration. Full IQ, OQ validation scripts, a PQ template and supporting services available from CSC for interested clients. | Validation is ultimately the responsibility of the client as validation can only be performed in the environment in which the software will be used, and against specifications defined by system users.NextDocs offers a validation toolkit to streamline the validation process.The toolkit includes a sample validation master plan and traceability matrix, ready-to-run scripts for IQ and OQ, summary report templates, and sample PQ scripts.NextDocs also has standard professional services packages that include assistance with validation planning, PQ script preparation, and managing PQ script execution and documentation activities. | |||
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. | Documentum will satisfy this requirement in conjunction with a company’s records management policy. Features of Documentum that support generation of accurate and complete copies in human readable form include the generation of PDF renditions and the ability to view and print these renditions in accordance with a system’s defined security rules.Additional support for this requirement is provided by FirstDoc’s automatic PDF rendition generation feature. Each time the content of a document is modified and the modifications checked in, FirstDoc generates a PDF rendition from an approved rendition generation station if the format supports transformation to PDF. Automatic transformation to PDF ensures that all documents will be readable in the foreseeable future. | FirstPoint satisfies thisrequirement by managingaccurate and complete copies of files in human readable form with the tight integration with the Microsoft Office Suite of products andthe generation of PDF renditions and the system generated and maintained metadata. The system also provides human readable audit trails and reports. The ability to view and print these files and associated metadatais managedin accordance with a system’s defined security rules.All relevant recordsare maintained in their native file format within a robust MS SQL database and MS SharePoint environment. FirstPoint generates a PDF rendition from an approved rendition generation station, if the format supports transformation to PDF. Automatic transformation to PDF ensures that all documents will be readable into the foreseeable future. |
Actual generation of records is a client responsibility. NextDocs facilitates generating copies of records by:
|
|||
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. |
|
Documentsmay be retained in the system throughout their retention periodthrough the use of a built-inlifecycle management system.FirstPoint applies robust security across the entirelifecycle, which prevents and limits approved or historical records from being deleted or modified except by specifically designated users. A document restore feature is available to the system administrator that allows for the retrieval of deleted records.All FirstPoint content is retained for retrieval until some business rule criteria has been meet to trigger the destruction. Records retention fun includes the ability to purge specific cycles of minor or major versions at the Library Level and purge working comments and draft comments after a specified retention period. | NextDocs systems automatically “lock down” official versions of documents so that they cannot be deleted or modified without following system configurable change control procedures. | |||
(d) Limiting system access to authorized individuals. |
|
In general, an SOP is needed to define the roles and responsibilities for the administration and maintenance of the groups and users for the system and/or network permissions. | Access to NextDocscan be controlled by configuration. Securitycan be configured to use Active Directory or Active Directory Lightweight Directory Services accounts or accounts created within SharePoint. Internal users with on-premises deploymentscan access NextDocs applications through single sign-on without requiringadditional system login unless performing a signature related action in the system.Alternatively, if a client’s Part 11 interpretation requires explicit sign-onto access the system, single sign-oncan be disabled. Internal users with hosted deployments access NextDocs applications by providing a user name and password.External users access NextDocs applications by providing a user name and password. Depending on a client’s security set-up, Virtual Private Network (VPN) access may be required as well. | |||
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. |
|
NextDocs records:
Audit trail entries include event, user name and server-based time/date stamp. Local time/date stamps can also be configured if desired. Audit trail records are retained indefinitely unless manually purged from the system. NextDocs also provides access to and copying of the audit trail. The audit trail can be saved to Excel with a single click for advanced sorting, filtering and analysis. |
||||
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. |
These checksare implemented within a number of system functions. They include client-defined control over:
|
These checks areimplemented within a number of system functions. They include client control over:
|
These checksare implemented ina number of areas. Some examples include:
|
|||
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. |
These checksare implemented within a number of system functions. They include client-defined control over authorization for:
|
A series of authority checksare implemented within system functions. They include the following client defined controls:
|
These checksare implemented ina number of areas. Some examples include limiting the following to authorized users:
|
|||
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. | This requirement in general does not apply to FirstDoc since the system does not have any functionality where information is valid only when entered from specific terminals. If a specific client has this requirement, CSC will address the requirement for that client. | This requirement in general does FirstPoint since the system does not have any functionality where information is valid only when entered only from specific terminals. If a specific client has this requirement, CSC will address the requirement for that client. | This requirement does not apply to NextDocs since the system does not have any functionality where information is valid only when entered from specific terminals. | |||
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. |
|
NextDocs maintains resumes and training records s to provide evidence that our employees who develop and deploy our software are trained and qualified to do so.NextDocs also provides client-specific training documentation to help our clients comply with this requirement. We also offer end user training, train-the-trainer training and administrator training. | ||||
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | N/A | This requirement is not applicable at a system level but requires a procedure to be implemented by the client. | Client responsibility | |||
(k) Use ofappropriate controls over systems documentation including:(1) Adequate controls overthe distribution of, access to, and use of documentation for system operation and maintenance.(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. | Electronic audit trail for the appropriate document types must be enabled if documentation is maintained in electronic format. |
|
NextDocs’s documentationis maintained in our configuration management system and available for review during audits.However, ultimately it is the client’s responsibility to control system documentation in their environment.NextDocs’ release notes describe the names and versions of documentation that apply to each product release. In addition, each client receives documentation specific to their NextDocs implementation. | |||
§ 11.30 Controls for Open Systems. Same as § 11.10 plus document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. |
|
CSC believes the FirstPoint products are a closed system so section 11.30 is not applicable. | NextDocs systems that are hosted may be considered open based on the specific circumstances and the client’s 21 CFR Part 11 interpretation. The use of digital signature is available in all NextDocs products to fulfill the additional requirements imposed on open systems. | |||
Subpart B – Electronic Records |
||||||
21 CFR 11 Regulation | FirstDoc | FirstPoint | NextDocs | |||
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. |
|
Signatures are bound directly to a specific version of a document.NextDocs digital signaturesare based on Public Key Infrastructure (PKI) and are a result of a cryptographic operation that guarantees signer authenticity, data integrity and non-repudiation of signed documents. The digital signature cannot be copied, tampered or altered.Digital signatures appearing in a document automatically appear as invalid when the document changes in any way.During change control the signature is removed for the draft version in anticipation of future approval and signing. | ||||
Subpart C – Electronic Signatures |
||||||
21 CFR 11 Regulation | FirstDoc | FirstPoint | NextDocs | |||
(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. |
|
Since NextDocs is generally implemented such that user credentialsare supplied via Active Directory (or Active Directory Lightweight Directory Services), complianceis built in.Active Directory willensure that a user name cannot be re-used within a given domain, andprovide the ability to disable (rather thandelete) users whoare removed from the system. By maintaining a record ofprevious users, reuse of user IDswill not be possible.NextDocs signatures authenticate the content of documents by attributing the signer to the signed document. Every signer is identified by an issued certificate (or by that of an external trusted entity). This identification is based on the fact that the user is a recognized employee in the organization. | ||||
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. | The client will need SOPs on establishing and maintaining user profiles as applied to the verification of a user identity. | This requirement needs to be met with a client’s business processes. CSC can help establish work instructions or training procedures to assist with the on-boarding process | Client Responsibility | |||
(c) Persons using electronic signatures shall,prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997,are intendedto be the legally bindingequivalent of traditional handwritten signatures.
|
|
Client Responsibility | ||||
Subpart C – Electronic Signatures |
|||||
21 CFR 11 Regulation | FirstDoc | FirstPoint | NextDocs | ||
(a) Electronic signatures that are not based upon biometricsshall:(1) Employ at least two distinct identification components such as an identification code and password.(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. |
NoteContact CSC directly for their comments on how FirstDoc meets this regulation. | FirstPoint incorporates the user’s network account and password for general access to the system, which is also used for electronic signature approval. FirstPoint requires the re-entry of both identification components (user ID and password) each time an electronic signature is executed.. | Each time a signature is applied, both a user name and password are required.NextDocs supports a configurable automatic time-out during periods of system inactivity. This time-out will also end a user’s continuous and controlled access to the system. | ||
|
FirstDoc can support the use of biometric solutions through customizations. Customizations for biometrics are not in the scope of this document. | FirstPoint can support the use of biometric solutions through customizations. Customizations for biometrics are not in the scope of this document. | NA – Biometrics are not used by NextDocs. | ||
Subpart C – Electronic Signatures |
||||||
21 CFR 11 Regulation |
FirstDoc |
FirstPoint |
NextDocs |
|||
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. |
|
See item § 11.100 (a). | ||||
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). |
|
This is a client responsibility, generally achieved through settings in Active Directory. Windows and Active Directory infrastructure can enforce password policy for complexity and expiration. Windows integrated authentication and Basic authentication can leverage this automatically. | ||||
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. |
|
NextDocs does not make use of tokens, cards, and other devices that bear or generate identification code or password information.Windows and Active Directory administrators can deactivate users, change users’ passwords, or require users to change passwords after issuing a temporary password. Windows integrated authentication and Basic authentication can leverage this automatically | ||||
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. |
|
This is a client responsibility, generally achieved through settings in Active Directory.The Microsoft Windows family of products can audit logon changes and failed attempts. Group policy can enforce account lockout policy to help to prevent brute force password guessing. Lockout policy is based on failed attempts for a time window and users can be locked out for specified times before they can attempt again (or not). | ||||
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. |
|
NextDocs does not make use of tokens, cards, and other devices that bear or generate identification code or password information. | ||||
Audit Trail Functionality
Audit Trails is an included feature in FirstDoc. Documentum has its own audit trail capabilities, with FirstDoc adding on to Documentum’s audit trail system. Table 3 discusses the Audit Trails functionality that FirstDoc provides in support of 21 CFR Part 11.
Subpart C – Electronic Signatures |
||||||
21 CFR 11 Regulation | FirstDoc | FirstPoint | NextDocs | |||
(a) Use of secure, computergenerated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. |
|
|||||
(b) Use of appropriate controls over systems documentation including: 1. Adequate controls over the distribution of, access to and use of documentation for system operation and maintenance. 2. Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. |
|
References
CFR – Code of Federal Regulations Title 21
(http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm?cfrpart=11)
21 CFR Part 11 Compliance Position for FirstDoc Applications
(https://developer-content.emc.com/marketplace/collateral/white_papers/CSC_FirstDoc21CFRComplianceWhitePaper.pdf)
21 CFR Part 11 Compliance Position for FirstPoint
(http://download.microsoft.com/documents/France/Entreprises/2010/CSCFirstPointLivreBlancAnglais.pdf)
21 CFR Part 11 Challenges and Solutions – NextDocs
(http://www.nextdocs.com/en-us/White%20Papers/WhitePaper-21CFR11.pdf)
21CFR11 Comparison of FirstDoc, FirstPoint & NextDocs
(http://markjowen.files.wordpress.com/2011/10/21cfr11_compliance-comparison_v21.pdf)