Tag Archives: 21 CFR 11

21 CFR and Passwords: Mistakes You Don’t Want to Make

The free Internet that many of us loved has become a surveillance web, serving governments and mega-corps while abusing the rest of us. It is important that you start protecting your data when browsing the internet and using communication tools in your role. This article will guide you through a new set of skills: using secure technology and developing careful practices.

As we know, the FDA regulates computerized systems used in clinical trials under the authority of Title 21 of the Code of Federal Regulations, Part 11 (21 CFR Part 11). These regulations apply only to the use of systems in trials whose results will be submitted to the FDA as part of the drug development/approval process.

As we are currently in the wake of yet another password breach, this time encompassing over 5 million Gmail passwords, it seems like no matter what you do, your password can and will be stolen. What should you do if your organization is a victim? Furthermore, how can your staff pick a safer password?

21 CFR requires rigid and rigorous password deactivation and temporary-password generation protocols, as well as data encryption and transaction safeguards to prevent sniffing (SSL, JavaScript), during the software development process of computerized systems used in clinical trials.

Here are some recommendations on how to manage your passwords:

  • Use two-factor authentication or two-step login: I know that it can be a pain, but it will help keep your online accounts safer. If for any reason your password is hacked, someone won’t be able to log in to your account without the second authentication.
  • Don’t be lazy. We have heard it all before. Using common passwords like


    • Do not choose a password that is related to anything that has special meaning to you, i.e., your pet’s name, birthday, address, family members’ names, etc. We know, we know, it’s easy to remember though.
    • Use a string of random words.
Source: Free Stock Photos

Which of the following two passwords is stronger, more secure, and more difficult to crack?



ENTROPY: If you are mathematically inclined, or if you have some security knowledge and training, you may be familiar with the idea of the “entropy” or the randomness and unpredictability of data. If so, you’ll have noticed that the first, stronger password has much less entropy than the second (weaker) password. Virtually everyone has always believed or been told that passwords derived their strength from having “high entropy”. But as we see now, when the only available attack is guessing, that long-standing common wisdom  . . . is  . . . not  . . . correct! (Retrieved from: https://www.grc.com/haystack.htm)

Consider an alphanumeric password of n characters. A-Z, a-z, numbers: a total of 56 possible options for each slot. Therefore, a truly random password would have 56^n possible options. (Ten characters: 303,305,489,096,114,176; or 2^58 and then some.) Of course, generating such a password is more difficult. One way is to condense an easy-to-remember phrase, though this limits the search space too, if your method is known.

For disk encryption (and password safe), we recommend selecting a minimum of six words

A company I used to work for had a nice password generator for their massive database administration, which even low-level employees need to access regularly. It generates 3 words, bridges them together with special case characters and adds a spelling mistake (repeated or missing character) to one of the words.
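A generator of the kind described above, together with the search-space arithmetic from the earlier paragraphs, as an added example (not the code of the company mentioned, nor of this blog). The word list, separator set and function names are constructed for illustration, and the 7776-word list size used in the comparison is an assumption (the size of a standard Diceware list).

```python
import math
import secrets

# Constructed 16-word sample list. Every word has six letters, so a misspelled
# word (5 or 7 letters) can never collide with a list entry. A real generator
# would load a list of several thousand words.
WORDS = ["anchor", "basket", "candle", "dragon", "empire", "forest",
         "garden", "hammer", "island", "jungle", "kitten", "ladder",
         "marble", "needle", "orange", "pencil"]
SEPARATORS = "!@#$%&*-+="   # assumed set of "special characters" used as bridges


def misspell(word):
    """Add one spelling mistake: repeat a character or drop a character."""
    i = secrets.randbelow(len(word))
    if secrets.randbelow(2) == 0:
        return word[:i] + word[i] + word[i:]    # repeated character
    return word[:i] + word[i + 1:]              # missing character


def generate(words=WORDS, n_words=3):
    """Pick words with a CSPRNG, misspell one, bridge them with separators."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    target = secrets.randbelow(n_words)
    chosen[target] = misspell(chosen[target])
    phrase = chosen[0]
    for word in chosen[1:]:
        phrase += secrets.choice(SEPARATORS) + word
    return phrase


def search_space(alphabet_size, length):
    """Number of equally likely random strings, e.g. 56**n in the text above."""
    return alphabet_size ** length


def random_string_bits(alphabet_size, length):
    return math.log2(search_space(alphabet_size, length))


def passphrase_bits(list_size, n_words, n_separators=len(SEPARATORS)):
    """Lower bound in bits when the attacker knows the method and the lists.

    Counts only the word and separator choices; the misspelling adds a few
    more bits. Use n_separators=1 for plain words with a fixed separator.
    """
    return (n_words * math.log2(list_size)
            + (n_words - 1) * math.log2(n_separators))


if __name__ == "__main__":
    print("sample passphrase:", generate())
    # 56 is the per-slot figure used in the text; the full A-Z, a-z, 0-9 set
    # has 62 symbols.
    print("10 random chars, 56 symbols: %.1f bits" % random_string_bits(56, 10))
    print("3 words + 2 separators, 7776-word list: %.1f bits"
          % passphrase_bits(7776, 3))
    print("6 plain words, 7776-word list: %.1f bits"
          % passphrase_bits(7776, 6, n_separators=1))
```

With a known method, three words from a 7776-word list land well below the ten-character random string, which is why six words are the recommended minimum for disk encryption and the password safe.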

Should your IT department provide a password generator (manager) to all clinical staff? Additionally, encryption should be taken into consideration. To make this password generator page safer, set it up so that it is not cached in the browser, where the initially generated password would otherwise remain visible. Optionally, use an SSL connection to encrypt the page, and hence the password, so that the traffic isn’t intercepted.

Ask your systems administrators to look for software offering an implementation of the open standard “Time-Based One-Time Passwords” or RFC 6238.

Remember to keep a backup of your password safe

What tricks do you use when choosing and creating passwords AND keeping them safe? As far as password management goes, I’ve personally found KeePass to be an excellent solution. I use a combination of password management tools (my personal computer has a fingerprint recognition system with KeePass embedded in it).


Anayansi Gamboa, MPM, is an EDC Developer Consultant and clinical programmer for the Pharmaceutical and Biotech industry with more than 13 years of experience.

Available for short-term contracts or ad-hoc requests. See my specialties section (Oracle, SQL Server, EDC Inform, EDC Rave, OpenClinica, SAS and other CDM tools)

As the 3 C’s of life states: Choices, Chances and Changes- you must make a choice to take a chance or your life will never change. I continually seek to implement means of improving processes to reduce cycle time and decrease work effort.


Disclaimer: The EDC Developer blog is “one man’s opinion”. Anything that is said on the report is either opinion, criticism, information or commentary. If making any type of investment or legal decision it would be wise to contact or consult a professional before making that decision.

Disclaimer: The content of these columns does not necessarily reflect the opinion of {EDC Developer}.

Data Management Plan in Clinical Trials


The preparation of the data management plan (DMP) is a simple, straightforward approach designed to promote and ensure comprehensive project planning.

The data management plan typically contains the following items. They are:

  1. Introduction/Purpose of the document
  2. Scope of application/Definitions
  3. Abbreviations
  4. Who/what/where/when
  5. Project Schedule/Major Project Milestones
  6. Updates of the DMP
  7. Appendix

The objective of these guidelines is to define the general content of the Data Management Plan (DMP) and the procedures for developing and maintaining this document.

The abbreviation section could include all acronyms used within a particular study for further clarification.

e.g. CRF = Case Report Form
TA = Therapeutic Area

The Who/What/Where/When section should describe the objective of the study-specific data management plans for ABC study. This section provides detailed information about the indications, the number of subjects planned for the study, the countries participating in the clinical trial, monitoring guidelines (SDV) or partial SDV, whether any CROs or 3rd parties are involved in the study (e.g. IVRS, central labs), and which database will be used to collect study information (e.g. Clintrial, Oracle Clinical, Medidata Rave or Inform EDC).

The Appendix provides a place to put supporting information, allowing the body of the DMP to be kept concise and at more summary levels. For example, you could document Database Access of team members, Self-evident correction plan, Data Entry plan if using Double-data entry systems or Paper-Based clinical trials systems.

Remember, this is a living document and must be updated throughout the course of the clinical trial.

If problems arise during the life of a project, our first hunch would be that the project was not properly planned.

Reference: Role of Project Management in Clinical Trials
Anayansi Gamboa has an extensive background in clinical data management as well as experience with different EDC systems including Oracle InForm, InForm Architect, Central Designer, CIS, Clintrial, Medidata Rave, Central Coding, OpenClinica, Open Source and Oracle Clinical.


Disclaimer: The legal entity on this blog is registered as Doing Business As (DBA) – Trade Name – Fictitious Name – Assumed Name as “GAMBOA”.

CDISC Clinical Research “A” Terminology

acronym: A word formed from the beginning letters (e.g., ANSI) or a combination of syllables and letters (e.g., MedDRA) of a name or phrase.

admission criteria: Basis for selecting target population for a clinical trial. Subjects must be screened to ensure that their characteristics match a list of admission criteria and that none of their characteristics match any single one of the exclusion criteria set up for the study.

algorithm: Step-by-step procedure for solving a mathematical problem; also used to describe step-by-step procedures for making a series of choices among alternative decisions to reach a calculated result or decision.

amendment: A written description of a change(s) to, or formal clarification of, a protocol.

analysis dataset: An organized collection of data or information with a common theme arranged in rows and columns and represented as a single file; comparable to a database table.

analysis variables: Variables used to test the statistical hypotheses identified in the protocol and analysis plan; variables to be analyzed.

approvable letter: An official communication from FDA to an NDA/BLA sponsor that lists issues to be resolved before an approval can be issued. [Modified from 21 CFR 314.3;Guidance to Industry and FDA Staff

arm: A planned sequence of elements, typically equivalent to a treatment

attribute (n): In data modeling, refers to specific items of data that can be collected for a class.

audit: A systematic and independent examination of trial-related activities and documents to determine whether the evaluated trial-related activities were conducted and the data were recorded, analyzed, and accurately reported according to the protocol, sponsor’s standard operating procedures (SOPs), good clinical practice (GCP), and the applicable regulatory requirement(s). [ICH E6 Glossary]

audit report: A written evaluation by the auditor of the results of the audit. [Modified from ICH E6 Glossary]

audit trail: A process that captures details such as additions, deletions, or alterations of information in an electronic record without obliterating the original record. An audit trail facilitates the reconstruction of the history of such actions relating to the electronic record.

Source: Applied Clinical Trials


Acme Pharma Develops A Drug: Part I

Learn more about how the pharmaceutical industry has traditionally developed and brought drugs to market. Watch part II of this series to learn how Network Fortress can improve the drug development process and save pharma and biotech companies time and money.

“Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.”

Clinical Trials Terminology for SAS Programmers

Entry Level SAS Programmers

Statistical Programmer: requires him to program using the SAS language to analyze clinical data and produce reports for the FDA

Bioanalyst, Clinical Data Analyst, Statistical Programmer Analyst and SAS Programmer: same as Statistical programmer.

Biotechnology: companies which is a general term used to explain a technique of using living organisms within biological systems to develop micro-organisms for a particular purpose.

protocol: outlined all the procedures and contained detailed plans of the study.

controlled experiment: the clinical trial had patients grouped into different groups such as those in the placebo controlled group which had no active drug. This is how comparisons are made within the controlled clinical trial

CFR Part 11: Code of Federal Regulations set by the FDA to regulate food, drug, biologics and device industries. The part 11 specifically deals with the creation and maintenance of electronic records.

Case Report Form or CRF: forms to collect information such as demographic and adverse events.

Source Data or the information collected: which include important documents because they contain the core information required to reconstruct the essential capital of the study.

sponsor: company who is responsible for the management, financing and conduct of the entire trial.

randomized: subjects that are randomly assigned to groups so that each subject has an equal chance to be assigned to the placebo control

baseline: subjects are assigned to their drug

change from baseline: analyses that measure differences between baseline and current visit

placebo or sugar pill: is an inactive substance designed to look like the drug being tested.

blinded: they do not know if the drug that they are taking contains the active ingredient.

open-label study: all was out in the open, the drug the subject is assigned to.

Pharmacokinetics or PK: analysis of that study showed that with that dosing level, there were high levels of toxicity in the subject.

informed consent: described all the potential benefits and risks involved.

TLGs: Tables, Listings and Graphs

trade name: drug name that is collected from the patient and recorded into the source data. For example: Tylenol

generic name: refers to its chemical compound. For example: Acetaminophen.

WHO-DRUG: list all the drug names and how they matched to the generic drug names. This dictionary is managed by the World Health Organization

MedDRA: This is short for Med (Medical), D (Dictionary), R (Regulatory), and A (Activities).

SAP: Statistical Analysis Plan

ANOVA: analysis of variance

confidence interval: gives an estimated range of values being calculated from the sample of patient data that is currently in the study.

null hypothesis: lack of difference between the groups in a report

pilot study: perform the same analysis upon an older.

DIA: Drug Information Association

CBER: Center for Biologics Evaluation and Research (medical device)

CDER: Center for Drug Evaluation and Research (drug)

Source: CDER Acronym List


Adverse Event Monitoring for CRAs

During monitoring visits one of the most important and impacting activities that a CRA performs is the source document verification of Adverse Events. The CRA is the eyes for the research sponsor when it comes to proper collection and documentation of subject safety information. Incorrect and inadequate monitoring of adverse events can lead to inaccurate labeling for clinical trials and impact market application inspectional reviews, as well as post marketing labeling. The safety regulatory and ICH definitions will be reviewed and applied to the monitoring process. This includes Causality, Expectedness/Unanticipated, and other important concepts. Case scenarios will be used to apply the information for better learning.


Introduction to Clinical Trials

Video introducing cancer clinical trials and their use in clinical practice guidelines


Source: Cancer Guidelines – Canada

Standard Naming Conventions for InForm Trials

This document is intended to provide a common set of rules to apply to the naming of clinical trials built using the InForm EDC system.

Why use naming conventions?

Naming objects consistently, logically and in a predictable way will distinguish similar records from one another at a glance, and by doing so will facilitate the storage and retrieval of records, which will enable users to browse clinical objects more effectively and efficiently. Naming records according to agreed conventions should also make object naming easier for colleagues because they will not have to ‘re-think’ the process each time.

It has been said that InForm follows the “Hungarian” notation because it is one of Microsoft’s “Best Practices” for .Net standards when defining objects (the code to support those objects use it).

| Component | Prefix |
|---|---|
| Form (e.g., frmDemo…) | frm |
| Section | sct |
| Itemset | its |
| Radio Control | rdc |
| Item | itm |
| Pulldown Control | pdc |
| Text box | txt |
| Date and time | dtm |
| Group Control | grp |
| Checkbox | chk |
| Calculated Control | cal |
| Simples | smp |
| Study Element | elm |
| Codelist | cl |
| Study Event | evt |
| Codelist Item | citm |
| Workflow Rule | wr |
| Global Conditions | gc |
| Data Entry Rules (e.g., rulDMConsDTCompare) | rul |

| DataType | Prefix |
|---|---|
| Boolean | bln |
| Byte | byt |
| Character | chr |
| Date | dtm |
| Decimal | dec |
| Double Precision | dbl |
| Integer | int |
| Long Integer | lng |
| Object | obj |
| Short Integer | sht |
| Single Precision | sng |
| String | str |
| User-defined Type | udt |

| Object | Prefix |
|---|---|
| Button | btn |
| CheckBox | chk |
| ComboBox | cbo |
| Control | ctr |
| DataSet | ds |
| DataTable | dt |
| Form | frm |
| GroupBox | grp |
| Label | lbl |
| ListBox | lst |
| PictureBox | pic |
| RadioButton | rdb |
| String | str |
| TextBox | txt |

Remember to keep it consistent. This means that you stick to one particular pattern throughout your clinical project. This also includes the words you use for namespaces, classes, methods, interfaces, properties and variables. A prerequisite is that they should be meaningful, significant, descriptive and easily understood with respect to purpose and functionality by anyone who reads the source code.

Happy Programming!


The Next Best Thing – Timaeus Trial Builder?

First of all, let me clarify by saying that I am not an expert when it comes to Timaeus. I recently came across this EDC tool while working on a project. We were testing out different EDC applications as part of their new infrastructure solution.

At first, I was hesitant to learn about it. All I knew was that you needed to know Python, the main programming language for their edit checks/validations and back-end structure, but after my first encounter with the tool, I changed my mind. This is one of the easiest tools you can find on the market nowadays to use and to deploy your clinical study.

With that being said, what is Timaeus? This is another EDC tool, a trial builder application provided by Cmed Technology (www.cmedresearch.com), which helps build eCRFs (data entry screens), edit checks/validations, external data loading and other config files.

In order to grasp this new tool, you will need to familiarize yourself with other technologies such as HTML, XML, Emacs, SVN, Python and the like and understand the TMPL element concept.

TMPL stands for “Timaeus Markup Language”. It has pieces of code similar to what you see in HTML or XML files.

Even though the system lacks front-end features we are so used to in comparison with similar EDC solutions, this tool gets my thumbs up for ease of use, cost-effectiveness, change control capabilities and one of the most robust security systems to capture electronic records as per CFR11 regulations.

CDER Common Data Standards Issues Document

 Source: FDA (Version 1.1/December 2011)

 The Center for Drug Evaluation and Research (CDER) is strongly encouraging sponsors to submit data in standard form as a key part of its efforts to continue with advancement of review efficiency and quality. CDER has been collaborating with CDISC, a standards development organization (SDO), in the development of standards to represent study data submitted in support of regulatory applications. Study data standards are vendor-neutral, platform-independent, and freely available via the CDISC website (http://www.CDISC.org). CDISC study data standards include SDTM (Study Data Tabulation Model) for representation of clinical trial tabulations, ADaM (Analysis Data Model) for clinical trial analysis files, and SEND (Standard for Exchange of Non-clinical Data) for representation of nonclinical animal toxicology studies tabulations.

CDER has accepted SDTM datasets since 2004; however, due to differences in sponsor implementation of the standard, CDER has observed significant variability in submissions containing “standardized” electronic clinical trial data. CDER has received numerous “SDTM-like” applications over the past several years in which sponsors have not followed the SDTM Implementation Guide. Furthermore, aspects of particular sponsor implementations have actually resulted in increased review difficulty for CDER reviewers. In addition, some sponsors have wrongly believed that the submission of SDTM datasets obviates the need for the submission of analysis datasets, resulting in the delay in review due to the need to request these datasets. The goal of this document is to communicate general CDER preferences and experiences regarding the submission of standardized data in order to aid sponsors in the creation of standardized datasets for both tabulation datasets and analysis datasets.

This document is not intended to replace the need for sponsors to communicate with review divisions regarding data standards implementation approaches or issues, but instead, it is designed to complement and facilitate the interaction between sponsors and divisions. Because of specialized needs in different divisions, it is likely that divisions may have additional requests or preferences. When uncertainty exists regarding a particular data standards implementation or submission issue, the sponsor should contact the review division to discuss further.

The complete documentation on CDER data standards in .pdf version can be found at the following link: CDER

