21 cfr part 11
TRANSCRIPT
21 CFR Part 11
Details the criteria under which electronic records and signatures are considered trustworthy and equivalent to paper records thereby ensuring authenticity, integrity and confidentiality of electronic raw data.
Responsibility for ensuring compliance
In order for the FDA to accept electronic records the researcher must demonstrate that all computer systems used to generate and store data comply with 21 CFR Part 11
Responsibility
The requirements of Part 11 not only ensure the authenticity, integrity, and confidentiality of raw electronic data, but also the nonrepudiation of electronic signatures.
It is the researcher’s responsibility for demonstrating that the instruments and software used to collect and analyze data are validated to meet the 21 CFR 11.
Which records are in scope for The FDA has documentd what is in scope for 21 CFR Part 11 for
electronic records:• Generated as part of Current Good Manufacturing Practice
(cGMP) for human and animal drugs and biologics• Maintained as part of the statutory requirements for submitting
information to the FDA in an electronic format, even if they have not been specifically identified in the regulations
• Maintained or submitted as part of predicate rules
What to look for in a system Security controls for user
identificationPart 11 compliant systems must
have security features that limit user access and their privileges.
Examples of these security features include:
• Ensuring users have unique usernames and passwords
• Ability to detect and prevent unauthorized system access
• Ability to lock compromised accounts.
What to look for in a system Detailed audit trailThe ability to provide a chronological record of all operations,
namely an audit trail.The system you use must be capable of keeping a daily record of all
functions initiated by the user or software.
What to look for in a system Electronic signatures
A Part 11 compliant system must be able to assign unique electronic signatures to each user, which must be certified in writing by the owner of the signature to be legally equivalent to a binding signature.
The regulation is complex • The pace of technological development in clinical systems and
processes remains rapid.• 21 CFR Part 11 is often open to interpretation in terms of how to
comply. • The history of the regulation itself echoes this constant change. • The FDA has stated that a re-examination of the regulation is
underway and a new version forthcoming• It remains important to be fully informed about the regulation and
being able to demonstrate that your compliance plan has evaluated and addressed all requirements
CHALLENGES TO COMPLIANCE
Making a 21 CFR Part 11 Compliance Plan In planning for 21 CFR Part 11
compliance, it is advisable to create a matrix of requirements and document how each is addressed within your system. This process will highlight gaps that need to be addressed, from which you can generate an action plan.
Achieving Compliance Achieving 21 CFR Part 11
compliance is complex, but there are some basic requirements that must be addressed in your plan
This Photo by Unknown Author is licensed under CC BY-ND
1. Be unique to one individual2. Employ at least two distinct identification components such as an
identification code and password if not based on biometrics3. Use at least one electronic signature component that is only executable by
the individual (e.g. password) if used within the same session4. Use a unique identification code and password combination 5. Be periodically revised 6. Ensure lost or stolen tokens can be de-authorized and replaced with new
tokens7. Have safeguards to prevent unauthorized use of passwords and
identification codes
Each electronic signature should:
Electronic records should1. Limit system access to authorized individuals2. Be held on validated systems to ensure accuracy, reliability, and
the ability to discern invalid or altered records3. Have copies that are suitable for inspection in both human
readable and electronic form 4. Be readily retrievable throughout the records retention period5. Use secure, computer-generated, time stamped audit trails
• All organizations producing electronic records that fall within the scope outlined by the FDA must meet 21 CFR Part 11 compliance regulations
• 21 CFR Part 11 is an important regulation with costly consequences if breached, therefore it is key to understand your responsibilities in upholding the regulation
• Taking a structured approach to evaluating system compliance and addressing gaps is essential
Electronic Systems in Clinical TrialsCandida Barlow MSN, CTN, RN
Electronic Systems in Clinical Trials
FDA guidance on computerized systems applies to records in electronic form that are used to create, modify, maintain, archive,
retrieve, or transmit clinical data required to be maintained, or submitted to the FDA.
Applicable Regulations | 21CRF11 (full record) | 21CFR312.62(b) | 21CFR 812.140(b) | ICH E6 (R2)
[DATE] 16
Data Quality & Integrity
A: Attributable, who wrote this?
L: Legible, can I read this?
C: Contemporaneous, was this recorded at the time of trial conduct or later?
O: Original, is this unaltered or copied?
A: Accurate, is this a correct reflection of the conduct?
Computerized Systems in Clinical Trial Conduct
General Principles • documentation should identify what software & hardware is to be used that
create, modify, maintain, archive, retrieve, or transmit data and the documentation should be retained as part of study records
• direct data entry for original observations is the source • maintain a mirror record of source records between site and sponsor • any change to a record required to be maintained should not obscure
the original information. The record should clearly indicate that a change was made and clearly provide a means to locate and read the prior information
[DATE] 18
Electronic Record Definition
Define electronic record as ANY:
• Text
• Graphics
• Data
• Audio
• Video
• Pictorial
• Other…..
Other Information represented in digital form that is:
• Created
• Modified
• Maintained
• Achieved
• Retrieved
• Or distributed by a computer system
[DATE] 19
ICH GCP E6 (R2)
Addendum 2016 revisions to include electronic system use and data validation.
GCP standards provide public assurance that the rights, safety and well-being of trial subjects are protected, consistent with the principles that have their origin in the Declaration of Helsinki, AND that the clinical trial data are credible.
*Attributable, Legible, Contemporaneous, Orginal, and Accurate (ALCOA)
[DATE] 20
ICH-GCP 4.2 Adequate Resources
Adequate number of qualified staff to conduct trail properly & safely
Ensure that all persons assisting with trial are adequately informed• Protocol • Investigational Product • Trial-related duties & functions (includes documented training – validation)
Addendum: Ensure individuals or parties involved in trial related duties and Ensure the integrity of the data generated by implementing procedures
[DATE] 21
Data Ownership eSystems
ICH E6 R2 outlines ownership and file location for essential documents including source records.
Electronic source records are to be retained at the investigator or the institution respective of the trial conduct.
Sponsor has a duty to ensure the investigator has control of and continues access to data reported to the sponsor. And the sponsor should not have exclusive control of those data.
[DATE] 22
Source Records & Essential DocumentseSource reliability, quality, integrity, and traceability of data from electronic source to electronic regulatory submission (Electronic Source Data in Clinical Investigations (September 2013)
- promotes capturing source in electronic format
Guidance addresses source data used to populate predefined data fields in an eCRF according to the protocol.
1. identification & specification of authorized source data originators
2. creation of data elements & examination of audit trail
3. Ways to capture source data into the eCRF using either manual OR electronic methods
4. Site responsibilities with respect to reviewing and retaining electronic data
5. Use & description of computerized systems in clinical investigations
• Before the clinical phase of the trial commences
• During the clinical conduct
• After Completion or termination of the trial
[DATE] 23
Audit Entry: Monitor/Auditor
ICH E6: ALL documents addressed should be available for audit by the sponsor’s auditor and inception by the regulatory authority(ies)
Any change or correction to a CRF should be dated, initialed, and explained (if necessary) and should not obscure the original entry (i.e., an audit trail should be maintained); this applies to both written and electronic changes or corrections (see 5.18.4 (n)).
Written SOPs for making changes or corrections to the source data includes electronic systems
Completed by the designated representatives & retain records of the changes and corrections.
[DATE] 24
ICH E6 (R2)
eTMF replace eReg documents? • ICH E6 outlines trial master files should be both at the
investigator/institution’s site and at the sponsor’s office “final trial close out” can only be completed once the monitor has reviewed both investigator/institution and sponsor files and confirmed all necessary documents are present
Sponsor & Investigator/Institution required to maintain record of the source data and the location(s)
[DATE] 25
ICH E6 (R2) Record Retention Systems
eTMF replace eReg documents? • ICH E6 outlines trial master files should be both at the investigator/institution’s site and at
the sponsor’s office “final trial close out” can only be completed once the monitor has reviewed both investigator/institution and sponsor files and confirmed all necessary documents are present
Sponsor & Investigator/Institution required to maintain record of the source data and the location(s)
• Essential documents including source documents• Storage system used during the trial and for archiving (irrespective of the type of
media used) should provide for document identification, version history, search, and retrieval.
• The sponsor should ensure that the investigator has control of and continuous access to the source data entered in the CRF reported to the sponsor.
• The sponsor should not have exclusive control of those data (source data)• The investigator/institution should have control of all essential documents and
records generated by the investigator/institution before, during, and after the trial.
[DATE] 26
Certified Copies
A certified copy is a copy of a source document that has on it an endorsement or certificate that it is a true copy of the source document. It does not certify that the primary document is genuine, only that it is a true copy of the source document.
This could also include when printing records out of the system an automatic disclosure is listed at the bottom of the page indicate who printed the document, date/time when document was printed and a disclosure that the printed document is a certified copy of the orginal record at the time of printing.
• Key: many documents are living documents and will evolve over time – important to note when the “certified” copy was generated identify who generated the document.
• Additionally the generator of certified copy should be listed as part of the study team typically the regulatory and/or compliance teams.
• Equivalent of an electronic signature is best practice although the document can be signed with a wet ink signature.
• By generating electronically an electronic trail can be traced regarding all certified printed records for future inspection
eRegulatory Implementation • Site Structure & Partitions
• (Central, Service lines, Satellite; Parent/Child)
• Standardize Process - ALCOA
• Naming conventions – Metrics & KPI’s
• Folder structures (ICH E6 Essential Documents)
• Permissions – who should have access to what?
[DATE] 28
eSource Implementation
• Types of Research Workflows
• Types of Therapeutic Workflows
• Research Templates
• Clinical Care Templates: Assessments, Procedures, Questionnaires, Pro-forms
• 4.9.0 Source data should be attributable, legible, contemporaneous, original, accurate, and complete.
• Changes to source data should be traceable, should not obscure the original entry, and should be explained if necessary (e.g., via an audit trail).
[DATE] 29
eConsent Implementation
• Investigator CAN NOT delegate authority to obtain informed consent to the electronic system
• CAN NOT have system send out eICF to potential participants and have the system obtain the signature of prospective subject though automation
• What does informed consent involved? 45CFR46.116
• Sufficient opportunity to discuss and consider whether or not to participate and that minimize the possibility of coercion or undue influence
• Concise & focused presentation of key information, presented sufficient detail
• Presented in a way that does not present mere facts, but rather facilitates the prospective subject’s understanding of participation
• 4.8.8 prior to engaging in research conduct the participant and/or LAR and the person conducting consent the eICF should be signed and dated by all parties
• (consider when using electronic signatures and routing times once all signatures are completed date/time stamp)
• Consent Documentation Process Templates –eSource
• eICF• Main ICF
• Sub-Studies
• Bio-specimens
• Stand alone HIPAA
• Subject Bill of Rights
• Interactive• Hyperlinks for definitions
• Videos
• Free Text
• Initials & Check Boxes
• Remote Capabilities
[DATE] 30
FDA & ICH E6 (R2) Recommended Site SOPs
Reference List
System setup/installation (including the description and specific use of software, hardware, and physical environment and the relationship)
System operating manual
Validation and functionality testing
Data collection and handling (including data archiving, audit trails, and risk assessment)
System maintenance (including system decommissioning)
System security measures
Change control
Data backup, recovery, and contingency plans
Alternative recording methods (in the case of system unavailability)
Computer user training
Roles and responsibilities of sponsors, clinical sites and other parties with respect to the use of computerized systems in the clinical trials
[DATE] 31
Validation in Clinical Research
Laura Fluharty, MPH
33
21 CFR Part 11 Background
In effect since August, 1997
Defines criteria under which FDA considers electronic records and signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures
Defines multiple controls that must be implemented for electronic records, including system validation. Examples:
Limiting system access to authorized individuals
Use of operational checks within the system
Use of authority / identification checks
Determination of training – that those using the system have appropriate training and education to handle given tasks
Develop of written controls and process and documentation that they are followed
34
What is Validation ?
FDA definition: establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specifications and quality attributes.
This essentially means proving (and documenting) that the system does what it is intended to do and will do so throughout the entirety of its life cycle.
35
What is Validation – System Level
‣ Validation of software tools ( e consenting tools/ electronic data capture (EDC), etc) that are used during the conduct of a clinical trial is a requirement described by ICH- GCP guidelines • It ensures that clinical data generated by these
systems is done in a structured way, and makes sure the data created is reliable and has integrity.
• It is the process, and documentation, to check that each step or functionality in a system fulfills its purpose or function; basically documenting the system works the way that is intended
36
Validation Plan
System Requirements
Create Test Scripts / UATs
Execute the UATs
Write the Validation
Report
Maintenance
‣ Step 1 • Define and Document how you will carry out validation
‣ Step 2• Operating system requirements • Browser level all the way to step by step functions
‣ Step 3 • Defining how functionality works • Test steps – detail step by step and expected outcome • Fail steps
‣ Step 4• Perform the steps in the UAT script • Cyclical nature until passing • Edit system/ documentation• Final UAT pass and sign
‣ Step 5• Sum sup testing • Proof system works the way it should
‣ Step 6• Ongoing process for system changes• Process modified for study level
1 2 3 4 5 6
37
Required Validation Documents
‣ A validation documentation package typically includes the following:• Validation plan – define and provide justification for the approach you are taking. It should includes
roles and responsibilities and what will be considered acceptable testing. • Requirements specifications – define devices and browsers as part of validation. Test all
combination of operating systems and browsers and record in – RDD- Requirement Design Document – URS- User Requirement Specification Document -Design specifications (for custom systems
and/ or custom fields) • Test specifications, results and evidence- User Acceptance Testing (UAT )- Phase is all about
testing/ documentation and re-testing – Develop UAT scripts – define how you will test and confirm each function is performed
appropriately – Execute the UAT scripts
• Validation summary report • Documented procedures( in place at the time of the production release)
38
Maintaining a Validated System
‣ Have defined and documented procedures (e.g., access management, change management, backup and recovery) that govern the system.• Change control process• Documented User Acceptance Testing
‣ Evaluate changes to the functionality of the system during its life cycle (if applicable) to determine necessary re-validation effort.
‣ Periodic system reviews can be conducted to ensure ongoing accuracy, reliability, and consistent intended performance.
39
40
Validation Applied to the Study Level
‣ Data Validation in the context of a clinical trial protocol • Sponsor responsibility – generate case report forms (CRFs)/ case
report form completion guidelines/ data health reports • Part of the overall Clinical Data Management (CDM) Process which
includes – Database design – CRF design/ annotation/ tracking – Data entry – Medical coding – Data validation – Discrepancy management – Database lock
41
Data Validation – Study Level
‣ Process of testing the validity of the data according to the protocol specifications • Edit checks on the data fields entered • Ongoing quality control of data • Discrepancy management and resolution
‣ UAT at the study level to evaluate if the eCRFs are compatible with the study specifications • Entering values• Formatting values• Range checks/ edit checks • Future data checks • Auto queries • Regression testing • Extractions
‣ Audit Trail – Study Level • Changes made to eCRFs data values- by whom/ when and why
42
Validation – who is responsible?
‣ System Level:‣ Dual responsibility between the vendor and the instituting site and or/ sponsor
• Different locations will have different constructs • Local IT/ central research support general • Vendor level – make sure you choose a vendor that
understands the importance of validation documentation and is willing to provide the documentation to you
– Modify for you institution but provides you with a starting point
‣ Study Level :‣ The sponsor is ultimately responsible for the validation of computerized systems
in support of the IND/IDE ( may be multiple protocols involved) • Study Level - sponsor is ultimately responsible
