Highlights from Barnett International’s “Good Clinical Practice A Question & Answer Reference Guide”

What is a Trial Master File (TMF)?

The TMF is a standalone collection of records that tells the story of the clinical trial in its entirety. It is composed of a set of records held by the sponsor organization and an investigator TMF held by the investigator/institution, often called the Investigator Site File (ISF). Both the sponsor TMF and the investigator/site TMF are established at the start of the study. It is important that the sponsor and investigator/institution TMFs are maintained separately, and the institution/investigator should maintain control of their files at all times. Sponsor records represent the activities of all functional areas involved in the conduct of the clinical trial. Contributors to the sponsor TMF include Data Management, Biostatistics, Clinical Trial Material Management, Safety, Legal, Clinical Operations, Medical Writing, Quality, and Regulatory. In some cases, the investigator is employed by the institution that is acting as the sponsor. In that case, the investigator is responsible for their portion of the TMF and the institution is responsible for the sponsor TMF. When the investigator is also serving as the sponsor, the investigator is responsible for maintaining all aspects of the TMF.

What is the purpose of the TMF?

The TMF serves as a record of compliance with the requirements of GCP and SOPs by the investigator, sponsor, and monitor. It ensures that all essential records required by regulatory authorities (e.g., FDA, MHRA, EMA, PMDA) are collected, organized, and readily available during audits or inspections. It provides documented evidence that the clinical trial conduct was aligned with a regulatory- and ethics-approved protocol. The TMF is a tool that can be used in trial oversight and management. Access to the TMF allows the study team to monitor the progress of the study through ongoing review of the TMF content. The TMF serves as the source of truth during regulatory inspections.

If a sponsor is utilizing an eTMF, do all clinical trial records need to be kept within that eTMF?

No. In many cases sponsors hold TMF content in different systems. As long as these systems are compliant with the requirements for maintaining electronic records (e.g., 21 CFR Part 11 and Annex 11) and there is a method for long-term archiving within these systems, it is acceptable to leave the content in those systems. Some sponsors determine that all safety reporting should be maintained by the Pharmacovigilance department, with all of the SUSAR/CIOMS reporting retained in one location for that compound. Sometimes eTMF systems do not have the capability to maintain certain file types (e.g., SAS data files). All organizations should have in place an index/map that documents the location of the different records that comprise the TMF. This will facilitate the timely retrieval of records in the event of a regulatory inspection. The TMF content must be readily available during the life of the study as well as in the archive following the completion of the trial. If content is held outside the eTMF, the organization should identify the party that is accountable for the completeness of that portion of the TMF. This content must be maintained in a GCP-compliant manner, and it is important that there is a plan for providing a health authority inspector access to all locations where the TMF content is retained. When determining the systems where TMF content is to be held, organizations should take into consideration the future need to provide regulatory agencies access to those systems as well as the need to provide audit trails for them. For this reason, many organizations choose to limit the number of systems where TMF content is held.

What are the requirements for the eTMF in terms of security?

TMF content should be maintained in a secure environment with access limited to study team members and those involved in reviewing TMF content.  In many cases, there are role-based access requirements.  There should be a formal process in place for creating and managing user accounts.  Individuals should only have access to the TMF if it is required for their respective job responsibilities.

TMFs that are not controlled risk having missing records at the end of the study.  There should be a process for ensuring that there is traceability of records once they are added to the TMF.  Security requirements should include measures to prevent, detect and manage any security breaches.  ICH E6 R3 Draft identifies the importance of firewalls, antivirus software, system monitoring, and penetration testing.  Companies should have procedures in place to govern these activities.


~Donna Dorozinsky, Founder and CEO
