Tag Archives: FDA regulates computerized systems used in clinical trials

Clinical Trials – Computerized Systems

The Food and Drug Administration (FDA) established the Bioresearch Monitoring (BIMO) program of inspections and audits to monitor the conduct and reporting of clinical trials to ensure that data from these clinical trials meet the highest standards of quality and integrity and conform to FDA’s regulations.

Computerized systems used in clinical trials are those used to create, modify, maintain, archive, retrieve or transmit clinical data intended for submission to the Food and Drug Administration (FDA).

Key Definitions:

Audit Trail: a secure, computer-generated, time-stamped electronic record that allows reconstruction of the course of events relating to the creation, modification, and deletion of an electronic record.

Certified Copy: a copy of the original information that has been verified as an exact copy having all of the same attributes and information as the original. It must have a dated signature.

Computerized System: the computer hardware, software, and associated documents (e.g., manuals) that create, modify, maintain, archive, retrieve, or transmit in digital form information related to the conduct of a clinical trial.

Electronic Case Report Form (e-CRF): designed to record information required by the clinical trial protocol to be reported to the sponsor on each trial subject.

Electronic Patient Diary: an electronic record into which a subject participating in a clinical trial directly enters observations or directly responds to an evaluation checklist or questionnaire.

Electronic Record: a combination of text, graphics, data, audio, pictorial, or any other information representation in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system.

Electronic Signature: a computer data compilation of any symbol or series of symbols, executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.

Software Validation: verification and validation is the process of checking that a software system meets specifications and that it fulfills its intended purpose. For these guidelines, the design level validation is that portion of the software validation that takes place in parts of the software life cycle before the software is delivered to the end-user.

Source Documents: original documents and records including, but not limited to, hospital records, clinical and office charts, laboratory notes, memoranda, subjects’ diaries or evaluation checklists, pharmacy dispensing records, recorded data from automated instruments, copies or transcriptions certified after verification as being accurate and complete, microfiches, photographic negatives, microfilm or magnetic media, x-rays, subject files, and records kept at the pharmacy, at the laboratories, and at medico-technical departments involved in the clinical trial.

Principles:

Security measures should be in place to prevent unauthorized access to the data and to the computerized system.

1-Identify at which steps a computerized system will be used to create, modify, maintain, archive, retrieve, or transmit data.

2-Documentation should identify what software and, if known, what hardware is to be used in computerized systems that create, modify, maintain, archive, retrieve, or transmit data. This document should be retained as part of the study records.

3-Source documents should be retained to enable reconstruction and evaluation of the trial.

4-When original observations are entered directly into a computerized system, the electronic record is the source document.

5-The design of a computerized system should ensure that all applicable regulatory requirements for recordkeeping and record retention in clinical trials are met with the same degree of confidence as is provided with paper systems.

6-Clinical investigators should retain either the original or a certified copy of all source documents sent to a sponsor or contract research organization, including query resolution correspondence.

7-Any change to a record required to be maintained should not obscure the original information. The record should clearly indicate that a change was made and clearly provide a means to locate and read the prior information.

8-Changes to data that are stored on electronic media will always require an audit trail, in accordance with 21 CFR 11.10(e). It should include who made the changes, when, and why they were made.

9-The FDA may inspect all records that are intended to support submissions to the Agency, regardless of how they were created or maintained.

10-Data should be retrievable in such a fashion that all information regarding each individual subject in a study is attributable to that subject.

11-Computerized systems should be designed so that all requirements assigned to these systems in a study protocol are satisfied and to preclude errors in data creation, modification, maintenance, archiving, retrieval or transmission.
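Principles 7 and 8 above, sketched as an added example (not FDA or vendor code): each change is appended rather than overwritten, records who, when and why, and the entries are chained with SHA-256 so that later edits to the trail are detectable. The class name, field names and the hash chaining are assumptions of this sketch, not requirements quoted from 21 CFR 11.10(e).

```python
import hashlib
import json
from datetime import datetime, timezone

class AuditedRecord:
    """One data field whose changes never overwrite earlier values (hypothetical class)."""

    def __init__(self, subject_id, field, value, user):
        self.subject_id, self.field = subject_id, field
        self.trail = []  # append-only list of audit entries
        self._append(user, value, "initial entry")

    def _append(self, user, value, reason):
        prev_hash = self.trail[-1]["hash"] if self.trail else "0" * 64
        entry = {
            "subject_id": self.subject_id,  # data stays attributable to the subject
            "field": self.field,
            "value": value,
            "user": user,                   # who
            "timestamp": datetime.now(timezone.utc).isoformat(),  # when, computer-generated
            "reason": reason,               # why
            "prev_hash": prev_hash,         # assumption: chain entries to detect tampering
        }
        entry["hash"] = self._digest(entry)
        self.trail.append(entry)

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def change(self, user, new_value, reason):
        if not reason or not reason.strip():
            raise ValueError("a change requires a documented reason")
        self._append(user, new_value, reason)

    def current(self):
        return self.trail[-1]["value"]

    def history(self):
        # Prior values remain readable: (value, who, why) for every entry.
        return [(e["value"], e["user"], e["reason"]) for e in self.trail]

    def verify(self):
        # Recompute every hash and check each link back to the first entry.
        prev = "0" * 64
        for e in self.trail:
            if e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True
```

The chain makes tampering evident but does not prevent it; the trail still has to live in storage that ordinary users cannot write to.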

As we have seen in this post, the guidance for industry on computerized systems revolves around data quality and data integrity. The users or people using the data from these systems should have confidence that the data are no less reliable than data in paper form.

In the next blog, we will cover audits and inspections, data entry into this computerized system, security and electronic signatures as a way of certifying the data.

Source:

CFR 11 and ICH

FDA.com

21 CFR and Passwords: Mistakes You Don’t Want to Make

The free Internet that many of us loved has become a surveillance web, serving governments and mega-corps, while abusing the rest of us. It is important that you start protecting your data, while browsing the internet and using communication tools while performing your role. This article will guide you through a new set of skills using secure technology and developing careful practices.

As we know, the FDA regulates computerized systems used in clinical trials under the authority of Title 21 of the Code of Federal Regulations, Part 11 (21 CFR Part 11). These regulations apply only to the use of systems in trials whose results will be submitted to the FDA as part of the drug development/approval process.

As we are currently in the wake of yet another password breach, this time encompassing over 5 million Gmail passwords, it seems like no matter what you do, your password can and will be stolen. What should you do if your organization is a victim? Furthermore, how can your staff pick a safer password?

21 CFR requires rigid and rigorous password deactivation and temporary-password generation protocols, as well as data encryption and transaction safeguards to prevent sniffing (SSL, JavaScript), during the software development process of computerized systems used in clinical trials.

Here are some recommendations on how to manage your passwords:

  • Use two-factor authentication or two-step login: I know that it can be a pain, but it will help keep your online accounts safer. If for any reason your password is hacked, someone won’t be able to log in to your account without the second authentication.
  • Don’t be lazy. We have heard it all before. Using common passwords like:

    password
    admin
    12345678
    iloveyou

  • Do not choose a password that is related to anything that has special meaning to you, e.g., your pet’s name, birthday, address, family members’ names, etc. We know, we know, it’s easy to remember though.
  • Use a string of random words.

Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g…………………

PrXyc.N(n4k77#L!eVdAfp9

ENTROPY: If you are mathematically inclined, or if you have some security knowledge and training, you may be familiar with the idea of the “entropy” or the randomness and unpredictability of data. If so, you’ll have noticed that the first, stronger password has much less entropy than the second (weaker) password. Virtually everyone has always believed or been told that passwords derived their strength from having “high entropy”. But as we see now, when the only available attack is guessing, that long-standing common wisdom  . . . is  . . . not  . . . correct! (Retrieved from: https://www.grc.com/haystack.htm)

Consider an alphanumeric password of n characters. A-Z, a-z, numbers: Total 56 possible options for each slot. Therefore, a truly random password would have 56^n possible options. (Ten-character: 303,305,489,096,114,176; or, 2^58 and then some.) Of course, generating such a password is more difficult. One way is to condense an easy-to-remember phrase, though this does limit the search space, too, if your method is known.

For disk encryption (and your password safe), we recommend selecting a minimum of six words.

A company I used to work for had a nice password generator for their massive database administration, which even low-level employees need to access regularly. It generates 3 words, bridges them together with special case characters and adds a spelling mistake (repeated or missing character) to one of the words.

Should your IT department provide a password generator (manager) to all clinical staff? Additionally, encryption should be taken into consideration. To make this password-generator page safer, configure it so that it is not cached in the browser, where the initially generated password would otherwise remain visible. Optionally, use an SSL connection to encrypt the page, and hence the password, so that the traffic cannot be intercepted.

Ask your systems administrators to look for software offering an implementation of the open standard “Time-Based One-Time Passwords” or RFC 6238.

Remember to keep a backup of your password safe.

What tricks do you use when choosing and creating passwords AND keeping them safe? As far as password management goes, I’ve personally found KeePass to be an excellent solution. I use a combination of password management tools (my personal computer has a fingerprint recognition system with KeePass embedded in it).


Anayansi Gamboa, MPM, an EDC Developer Consultant and clinical programmer for the Pharmaceutical and Biotech industry with more than 13 years of experience.
