Rethinking “State of Control” in a Cloud-Driven Clinical Environment
Why Annex 11 Matters for eTMF — Even Outside GMP
By Kathie Clark, Industry Expert; Technology & Innovation Partner, Just in Time GCP
The new draft of EMA’s Annex 11 of the EU GMP guidelines governs computerized systems used in manufacturing environments. However, its principles—lifecycle validation, data integrity, access control, and supplier oversight—are increasingly relevant to clinical systems like the electronic Trial Master File (eTMF).
Modern eTMF platforms are:
- cloud-hosted and vendor-managed, with frequent push updates and configurable features
- used by multiple stakeholders, including sponsors, CROs, and affiliates
- subject to inspection, where regulators expect traceability, data integrity, and sponsor accountability
Additionally, while the eTMF is not a GMP system, it is a regulated repository of essential documents supporting trial conduct, regulatory submissions, and inspection readiness. Applying Annex 11’s rigor to eTMF operations helps sponsors maintain control, mitigate risk, and ensure defensibility, especially in decentralized, multi-tenant environments.
To understand Annex 11’s relevance, it helps to consider how regulators define system control.
What Is a “State of Control”? A Regulatory Perspective
ICH Q10 defines a state of control as:
“A condition in which the set of controls consistently provides assurance of continued process performance and product quality.”
In addition, FDA guidance signals a system may be out of control when:
- validation is incomplete or outdated
- deviations are not investigated
- CAPAs are missing or ineffective
- oversight is fragmented or undocumented
For eTMF environments, this means maintaining a system that consistently supports:
- document integrity
- access governance
- auditability
- validation
- oversight
Sponsors must be able to demonstrate that their eTMF, even when vendor-hosted, is operating in a controlled, validated, and inspection-ready state.
Validation Responsibilities for Configured Cloud eTMF Systems
Sponsors using cloud-based eTMF platforms must therefore go beyond relying on vendor-supplied validation. Maintaining a validated state typically involves the following key activities.
Sponsor-Led Validation Activities
| Activity | Description |
| --- | --- |
| URS Ownership | Define and maintain a User Requirements Specification (URS) reflecting sponsor-specific workflows, metadata, and compliance needs. It may be based on a vendor-supplied URS, but Annex 11 makes clear: “This principle should be applied regardless of whether a system is developed in-house, is a commercial off-the-shelf product, or is provided as-a-service.” |
| Risk-Based Testing | Prioritize validation of high-risk features such as audit trails, access controls, document versioning, e-signatures, and inspection-readiness reports. |
| Release Impact Assessment | Review vendor release notes and assess the impact on validated workflows. Document the rationale for regression testing and determine whether additional testing or conditional approvals are required. |
| Supplemental Testing | Perform sponsor-led testing for configured features or workflows not covered by vendor scripts. |
| Conditional Validation | When full testing is not feasible before a release, document conditional approval with defined follow-up actions. |
| Traceability Matrix | Maintain traceability between requirements, test cases, and validation evidence—particularly for critical features. |
Enhanced Vendor Audit Expectations
Annex 11 emphasizes supplier oversight. For eTMF vendors, sponsors should treat audits as strategic compliance tools, not just checkboxes.
What a Robust Vendor Audit Should Cover
- Validation Package Review: Assess whether vendor validation aligns with sponsor configuration and regulatory expectations.
- Release Management: Evaluate how updates are tested, documented, and communicated, including rollback procedures.
- Security Controls: Review authentication methods, password policies, encryption, and patching cadence.
- Audit Trail Functionality: Confirm that audit trails are immutable, searchable, and exportable.
- Data Governance: Assess backup, archival, and data migration protocols.
- Inspection Support: Ensure vendor readiness to support the sponsor during health authority inspections.
- Exit Strategy: Confirm sponsor access to data and metadata in case of vendor transition or contract termination.
Translating “Alarms” to eTMF: Signals of Risk, Not Sirens
In Annex 11, alarms are literal—triggered when a system detects a condition that may compromise product quality, patient safety, or data integrity. In eTMF environments, the equivalents are not flashing warnings, but signals that something requires attention.
eTMF “Alarms” Might Include:
- overdue expected documents (e.g., missing ICFs, unfiled monitoring reports)
- unacknowledged quality issues (e.g., duplicates, misfiled artifacts)
- unreviewed audit trail entries for critical actions
- unresolved system errors (e.g., failed uploads, metadata mismatches)
- unacknowledged system notifications (e.g., failed migrations, permission changes)
These “soft alarms” should be:
- logged in a way that supports traceability
- reviewed periodically to detect trends or systemic issues
- acknowledged by authorized users, with rationale documented
- linked to CAPA where appropriate
Sponsors should treat these eTMF signals with the same seriousness as GMP alarms. They do not impact product quality directly, but they indicate breakdowns in documentation integrity, which regulators increasingly scrutinize.
| Annex 11 Principle | eTMF Application | Sponsor Responsibility |
| --- | --- | --- |
| Lifecycle Validation | System remains validated across updates | Maintain URS, perform risk-based testing, document conditional approvals |
| System Requirements | Configured workflows and metadata tagging | Own and update URS, trace requirements to validation |
| Risk Management | Prioritize controls for high-risk documents (e.g., ICFs, safety reports) | Conduct risk assessments, tailor validation scope |
| Supplier Oversight | Vendor manages hosting, updates, and support | Audit vendor, define SLAs/KPIs, ensure inspection readiness |
| Identity & Access Management | Role-based access across sponsor, CRO, and affiliates | Enforce least privilege, conduct periodic access reviews |
| Audit Trails | Track who/what/when/why for document actions | Review audit trails, document procedures, ensure QP access |
| Electronic Signatures | Used for approvals and document finalization | Validate signature workflows, ensure regulatory compliance |
| Handling of Data | Migration, transfer, and encryption of trial documents | Validate data flows, secure backups, document archival |
| Periodic Review | System health, alarm logs, and audit trail trends | Conduct CAPA-linked reviews, escalate findings to management |
Final Thoughts: Accountability Is Not Optional
Annex 11 reinforces a core principle:
“When using outsourced activities, the regulated user remains fully responsible for adherence to the requirements… for maintaining the evidence for it, and for providing it for regulatory review.” (Section 2.6)
This is especially relevant for eTMF systems where vendors manage hosting, updates, and even validation artifacts. Regardless of how much is outsourced, the sponsor remains accountable for ensuring the system is validated, secure, and inspection-ready.
In summary, by applying Annex 11 principles to eTMF oversight, sponsors can:
- strengthen inspection readiness
- reduce compliance risk
- improve cross-functional accountability
- ensure defensibility of trial documentation
Kathie is an integral part of Just in Time GCP’s growing innovation team. As Founder & CEO, Donna Dorozinsky has said “Kathie offers a strategic vision for innovative technology application that embraces AI and clinical data analytics, allowing Just in Time GCP to translate increased quality and efficiencies to our partners.”