Tag Archives: FDA

Clinical Trials

-FAIR USE-
“Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.”

Source: Patient Education Institute

A Guide to Understanding Clinical Trials

-FAIR USE-
“Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.”

Source: ClinicalConnection

Acme Pharma Develops A Drug: Part I

Learn more about how the pharmaceutical industry has traditionally developed and brought drugs to market. Watch part II of this series to learn how Network Fortress can improve the drug development process and save pharma and biotech companies time and money.

-FAIR USE-
“Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.”

Clinical Trials Terminology for SAS Programmers

Entry Level SAS Programmers

Statistical Programmer:requires him to program using the SAS language to analyze clinical data and produce reports for the FDA

Bioanalyst, Clinical Data Analyst, Statistical Programmer Analyst and SAS Programmer: same as Statistical programmer.

Biotechnology:companies which is a general term used to explain a technique of using living organisms within biological systems to develop micro-organisms for a particular purpose.

protocol:outlined all the procedures and contained detailed plans of the study.

controlled experiment: the clinical trial had patients grouped into different groups such as those in the placebo controlled group which had no active drug. This is how comparisons are made within the controlled clinical trial CFR Part 11:Code of Federal Regulations set by the FDA to regulate food, drug, biologics and device industries. The part 11 specifically deals with the creation and maintenance of electronic records.
Case Report Form or CRF:forms to collect information such as demographic and adverse events. Source Data or the information collected:which include important documents because they contain the core information required to reconstruct the essential capital of the study.
sponsor:company who is responsible for the management, financing and conduct of the entire trial. randomized: subjects that are randomly assigned to groups so that each subject has an equal chance to be assigned to the placebo control
baseline: subjects are assigned to their drug change from baseline:analyses that measure differences between baseline and current visit
placebo or sugar pill:is an inactive substance designed to look like the drug being tested. blinded:they do not know if the drug that they are taking contains the active ingredient.
open-label study:all was out in the open, the drug the subject is assigned to. Pharmacokinetics or PK:analysis of that study showed that with that dosing level, there were high levels of toxicity in the subject.
informed consent: described all the potential benefits and risks involved. TLGs: Tables, Listings and Graphs
trade name:drug name that is collected from the patient and recorded into the source data. For example: Tylenol generic name: refers to its chemical compound. For example: Acetaminophen.
WHO-DRUG: list all the drug names and how they matched to the generic drug names.This dictionary is managed by the World Health Organization MedDRA:This is short for Med (Medical), D (Dictionary), R (Regulatory), and A (Activities).
SAP: Statistical Analysis Plan ANOVA: analysis of variable
confidence interval:gives an estimated range of values being calculated from the sample of patient data that is currently in the study. null hypothesis:lack of difference between the groups in a report
pilot study:perform the same analysis upon an older. DIA: Drug Information Association
CBER: Center for Biologics Evaluation and Research (medical device) CDER: Center for Drug Evaluation and Research (drug)

Source:CDER Acronym List


Anayansi Gamboa has an extensive background in clinical data management as well as experience with different EDC systems including Oracle InForm, InForm Architect, Central Designer, CIS, Clintrial, Medidata Rave, Central Coding, OpenClinica Open Source and Oracle Clinical.

Adverse Event Monitoring for CRAs

During monitoring visits one of the most important and impacting activities that a CRA performs is the source document verification of Adverse Events. The CRA is the eyes for the research sponsor when it comes to proper collection and documentation of subject safety information. Incorrect and inadequate monitoring of adverse events can lead to inaccurate labeling for clinical trials and impact market application inspectional reviews, as well as post marketing labeling. The safety regulatory and ICH definitions will be reviewed and applied to the monitoring process. This includes Causality, Expectedness/Unanticipated, and other important concepts. Case scenarios will be used to apply the information for better learning.

-FAIR USE-
“Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.”

Introduction to Clinical Trials

Video introducing cancer clinical trials and their use in clinical practice guidelines

-FAIR USE-
“Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.”

Source: Cancer Guidelines – Canada

CDER Common Data Standards Issues Document

 Source: FDA (Version 1.1/December 2011)

 The Center for Drug Evaluation and Research (CDER) is strongly encouraging sponsors to submit data in standard form as a key part of its efforts to continue with advancement of review efficiency and quality. CDER has been collaborating with CDISC, a standards development organization (SDO), in the development of standards to represent study data submitted in support of regulatory applications. Study data standards are vendor-neutral, platform-independent, and freely available via the CDISC website (http://www.CDISC.org). CDISC study data standards include SDTM (Study Data Tabulation Model) for representation of clinical trial tabulations, ADaM (Analysis Data Model) for clinical trial analysis files, and SEND (Standard for Exchange of Non-clinical Data) for representation of nonclinical animal toxicology studies tabulations.

CDER has accepted SDTM datasets since 2004; however, due to differences in sponsor implementation of the standard, CDER has observed significant variability in submissions containing “standardized” electronic clinical trial data. CDER has received numerous “SDTM-like” applications over the past several years in which sponsors have not followed the SDTM Implementation Guide. Furthermore, aspects of particular sponsor implementations have actually resulted in increased review difficulty for CDER reviewers. In addition, some sponsors have wrongly believed that the submission of SDTM datasets obviates the need for the submission of analysis datasets, resulting in the delay in review due to the need to request these datasets. The goal of this document is to communicate general CDER preferences and experiences regarding the submission of standardized data in order to aid sponsors in the creation of standardized datasets for both tabulation datasets and analysis datasets. .

This document is not intended to replace the need for sponsors to communicate with review divisions regarding data standards implementation approaches or issues, but instead, it is designed to complement and facilitate the interaction between sponsors and divisions. Because of specialized needs in different divisions, it is likely that divisions may have additional requests or preferences. When uncertainty exists regarding a particular data standards implementation or submission issue, the sponsor should contact the review division to discuss further.

The complete documentation on CDER data standards in .pdf version can be found at the following link: CDER

 


Anayansi Gamboa has an extensive background in clinical data management as well as experience with different EDC systems including Oracle InForm, InForm Architect, Central Designer, CIS, Clintrial, Medidata Rave, Central Coding, OpenClinica Open Source and Oracle Clinical.

FDA Compliance: Part 11 Checklist

PART 11 Checklist

Rule Sec. Requirement Satisfied?
11.10(a) Validation of Systems The system is validated (Documentation, Testing and Maintenance) Yes/NO/NA
11.10(k-1) Adequate controls over documentation Controls are present for the distribution, access and use of systems documentation for operation and maintenance Yes/NO/NA
11.10(d) Limiting system access System access is limited to only authorized individuals. Yes/NO/NA
11.10(i) Persons who develop,…have the education, training, and experience There is evidence of qualification (education, training or experience) for persons
who developed the system.
Yes/NO/NA
11.10(i) Persons who maintain,…have the education,training, and experience There is evidence of qualifications (education, training or experience) for persons
who maintain the system
Yes/NO/NA
11.10(i) Persons who…use…have the education, training,
and experience…
There is evidence of qualifications (education, training or experience) for persons
who use the system.
Yes/NO/NA
11.10(i) Written policies…for actions initiated
under…electronic
signatures
If electronic signatures are used, a policy is actively implemented, so that individuals
understand the significance of, and are held accountable for, their electronic
signatures.
Yes/NO/NA
11.10(a) Ability to discern invalid or altered records There is a method to detect changes made to records (including direct record changes that
bypass system controls).
Yes/NO/NA
11.10(c) Protection of records… There is a method to protect records from accidental
or deliberate damage (including direct record changes that bypass system controls
Yes/NO/NA
11.10(b) Generate accurate and complete copies…in both human readable… The system has the ability to produce complete copies of records in printed human
readable format
Yes/NO/NA
11.10(b) Generate…in…electronic form… The system has the ability to produce complete copies of records in a common
electronic format (e.g., ASCII, TXT, DOC, XLS, etc.).
Yes/NO/NA
11.10(f) Enforce permitted sequencing of steps and events… The system controls the required sequencing of steps and events, as appropriate. Yes/NO/NA
11.10(h) Use of device checks… The system checks that data entries or operating instructions originate only from
authorized locations (e.g., work‐stations),
as appropriate.
Yes/NO/NA

Source:FDA CFR Part11

Role of Project Management and the Project Manager in Clinical Data Management

 

The Project Manager is responsible for the development, oversight of implementation, and communication of clinical research studies.

So what is a Project?

A project is a work effort with a definite beginning and end, an identifiable end result (deliverable), and usually has limits on resources, costs and/or schedule.

What is Project Management?

The application of knowledge, skills, tools, and techniques to project tasks in order to meet project requirements.

In order to be a successful project manager, you need to understand the “Tripple Constraint” and how they affect your project. Let’s look up the WBS-edit checks:

Note: I will refer a project = clinical study

Scope: What is in the contract? How many edit checks, SAS checks and manual checks are required in this study? What is the effort per edit check, SAS check and manual check?

The goal is to convert the idea of data management to that of statistical analysis – an analyzable database.

Time: What are the deliverables and timelines? What resources are needed?

Cost: What are the budget restrictions? Are there any risks associated with any changes?

Project Planning: During the planning of a clinical study, we identify the project scope, develop the project management plan and we identify and schedule the clinical study activities.

Some questions might arise during the project planning phase: how many sites/subjects and pages will be collected?Who will attend team meetings? what study fields will be code (i.e. Adverse Event term)?

Other important activities that the project manager and clinical team members will need to be involved:

Work Break Down (WBS) – it is the list of activities that will be performed during the course of a clinical study.

Resourcing – it is important to assign the right person to a particular task based on skills, education and experience.

ICH Guidelines ‘…all personnel involved in clinical trials must be qualified and properly trained to perform their respective tasks…’

Estimating Cost – look at historical data as well as good estimates from effort per unit and units using your WBS as references.

Scheduling and Budgeting – you will be able to build schedules and budgets that transform project constraints into project success after you successfully construct your Work Breakdown Structures (WBS) and network diagrams and estimate task durations.

Projects managers used techniques for employed to establish project. Project Manager can decide which activity can be delayed without affecting the duration of the projects. They help improving quality and reduce the risks and costs related with the projects.

A recent survey by the Project Management Institute provided 10 challenges affecting project managers. This research intended to identify key factors affecting project team performance:

  1. Changes to Project Scope (Scope Creep)
  2. Resources are Inadequate (Excluding Funding)
  3. Insufficient Time to Complete the Project
  4. Critical Requirements are Unspecified or Missing
  5. Inadequate Project Testing
  6. Critical Project Tasks are Delivered Late
  7. Key Team Members Lack Adequate Authority
  8. The Project Sponsor is Unavailable to Approve Strategic Decisions
  9. Insufficient Project Funding
  10. Key Team Members Lack Critical Skills

Another question to ask is what tools are available to help you get the job done?

  1. Resource allocation (and the software’s ability to easily display staff who were overallocated)
  2. Web-based/SaaS option
  3. Cost/Price of the system (big one!)
  4. Contractual terms we could enter into (i.e. 6 months, 12 months, month to month)
  5. Ability to demo the software and for how long
  6. What sort of customizations could be made to the software after purchase
  7. Types of customers the software has served
  8. Report types
  9. Ability to sync with accounting software and which ones, if so
  10. Timeline generation capabilities and import function with MS Project
  11. Ability to create template projects
  12. Ability to alert on early warning signs (i.e. budget overruns over 10%)

It is suggestted that you review each suggestion on project management tool very, very carefully to determine how it fits your processes.

Your organization’s processes are unique to your organization; no other organization anywhere has quite the same processes. So what may work for one organization may not necessarily work for you. Your organization developed its processes to suit your particular corporate culture, the particular collective character attributes of the employees (their experience, etc.), the type of projects that you execute and the particular types customers/clients that you have (especially the regular ones).

You now have to make sure that the tools you choose work for you and your particular processes. Do not change your processes again to suit whatever workflow (process) is dictated by the fancy tool that the fancy salesman sold to you; you are likely to find that the tool-dictated workflows do not work that well in your organization, with the result that the employees will give up following processes and/or give up using the tool, throwing everything into chaos again.

Be careful if you are looking at tools that offer to do a number of different functions or can be made to do any function you want it to do. They seldom do the job that you bought it for particularly well. For example, I have worked with a tool that was advertised as a combination issue tracking and defect/bug tracking tool. It was used as a defect tracking tool but it was very poor; it was tremendously difficult to make it prepare useful reports. A hand-written tool set up in a spreadsheet (e.g. Microsoft Excel) or database (e.g. Microsoft Access) would have worked better.

That said, there are tools out there that are specific to one particular function but do offer flexible workflows – they may be modified to match whatever processes your organization already follows.

If your organization has just started to organize the PM processes and PMO that would mean processes & other related areas are not explicitly defined. So there may be a huge risk trying to adopt an integrated and centralized project management system. It is more likely to offer you a very comprehensive, complex but expensive solution wherein your problem is still not defined completely. In such a case you are just not ready with the environment and process maturity that an integrated tool requires prior to implementation.

A more efficient approach should be iterative, incremental and adaptive in nature. That means you shall use simple, not so expensive tools with limited scope to begin with; they can be tools with basic functionalities of WBS, scheduling, traceability and custom datasheets. These tools should have capability to exchange data both ways with more commonly uses tools like MS Excel, MS Project, and Word etc. The processes are likely to mature over time and we will then know the real effectiveness of these basic tools in the context of company requirements. That may be the time to analyze and switch to more integrated solutions.

One important key to remember. The role of project management in clinical trials is evolving. There is a debate about who should be the ‘project manager’ for a particular clinical study. CRA or Clinical Data Manager or an independent project manager? Let’s review their roles within data management.

Clinical Research Associate (CRA): main function is to monitor clinical trials. He or she may work directly with the sponsor company of a clinical trial, as an independent freelancer or for a Contract Research Organization (CRO). A clinical research associate ensures compliance with the clinical trial protocol, checks clinical site activities, makes on-site visits, reviews Case Report Forms (CRFs) and communicates with clinical research investigators. A clinical research associate is usually required to possess an academic degree in Life Sciences and needs to have a good knowledge of Good clinical practice and local regulations. In the United States, the rules are codified in Title 21 of the Code of Federal Regulations. In the European Union these guidelines are part of EudraLex. In India he / she requires knowledge about schedule Y amendments in drug and cosmetic act 1945.

Clinical Data Manager (CDM): plays a key role in the setup and conduct of a clinical trial. The data collected during a clinical trial will form the basis of subsequent safety and efficacy analysis which in turn drive decision-making on product development in the pharmaceutical industry. The Clinical Data Manager will be involved in early discussions about data collection options and will then oversee development of data collection tools based on the clinical trial protocol. Once subject enrollment begins the Clinical Data Manager will ensure that data is collected, validated, complete and consistent. The Clinical Data Manager will liaise with other data providers (eg a central laboratory processing blood samples collected) and ensure that such data is transmitted securely and is consistent with other data collected in the clinical trial. At the completion of the clinical trial the Clinical Data Manager will ensure that all data expected to be captured has been accounted for and that all data management activities are complete. At this stage the data will be declared final (terminology varies but common descriptions are Database Lock and Database Freeze) and the Clinical Data Manager will transfer data for statistical analysis.

Clinical Data Management (CDMS) Tools: (we will review each of them on a separate discussion)

  • Standard Operating Procedures (SOPs)
  • The Data Management Plan (DMP)
  • Case Report Form Design (CRF)
  • Database Design and Build (DDB)
  • Validation Rules also known as edit checks
  • User Acceptance Testing (UAT)
  • Data Entry (DE)
  • Data Validation (DV)
  • Data Queries (DQ)
  • Central Laboratory Data (CLD)
  • Other External Data
  • Serious Adverse Event Reconciliation (SAE)
  • Patient Recorded Data (PRO)
  • Database finalization and Extraction
  • Metrics and Tracking – see BioClinica article on Metrics
  • Quality Control (QC)- see discussion on A QC Plan for A Quality Clinical Database

In conclusion, a key component of a successful clinical study is delivering the project rapidly and cost effectively. Project managers must balance resources, budget and schedule constraints, and ever-increasing sponsor expectations.

Source:

To hire me for services, you may contact me via Contact Me OR Join me on LinkedIn
Anayansi Gamboa has an extensive background in clinical data management as well as experience with different EDC systems including Oracle InForm, InForm Architect, Central Designer, CIS, Clintrial, Medidata Rave, Central Coding, OpenClinica Open Source and Oracle Clinical.

 

21 CFR Part 11 Cheat Sheet for the EDC Developer

The FDA regulates computerized systems used in clinical trials under the authority of Title 21 the Code of Federal Regulations Part 11 (21 CFR Part 11). These regulations apply only to use of systems in trials the results of which will be submitted to the FDA as part of the drug development/approval process.
This document serves as a brief ‘cheat sheet’ of some critical aspects of the 21 CFR Part 11 rules and regulations. While it is not a substitute for a thorough understanding of the law and related FDA Guidance, it may aid in understanding and reference.

I. General Principles
FDA Guidance Documents (http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM072322.pdf) explain that the key principle behind regulations on computerized systems used in clinical trials is that the data should be attributable, original, accurate, contemporaneous, and legible.

· Attribution & Originality:
o Data entry allows freehand annotations/notes that are attributable and time-stamped
o User Authentication is required as part of a closed system, using biometrics or userid/password
o Passwords must be changed at established intervals
o The system must log users off or timeout after a specified period of inactivity
o The system should keep secure time-stamped audit trails that can’t be modified by system users
o External applications w/o the same authentication & audit protections as the main system should not modify any records in the system
· Accuracy:
o A change to a record should not obscure original record info
o Procedures should be in place to make sure system date/time are accurate
o Training is necessary for users of the system and should be documented
o Study protocols should define usage of a system to create, modify, transmit, maintain, archive, and retrieve data. The system should enforce requirements defined in protocol (eg use of metric units) and check for errors in data entry, modification, retrieval, and transmission.
o The system should have SOPs for setup/install, data collection, system maintenance, backup and recovery, security, and change control
o Vendor should provide design-level validation of software (incl design spec, test plan, test results, and write-up) as well as documentation of software. For each install, trial sponsor and/or site should validate with test data
o The system should have documented processes for change control & revalidation upon modification/upgrade, and modifications/upgrades should be documented
· Contemporaneousness
o The system should be able to display cumulative record of system users and privileges at any given time, incl. user’s name, title, and access privileges
During an audit, the FDA may inspect everything (records and systems). FDA should be able to read all audit trails and the system should generate in human-readable and electronic form accurate and complete copies of records and audit trails.

II. FDA Guidance on Enforcement and Discretion (or, What Types of Activities and Records Does 21CFR Part 11 Apply To?)
From Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and
Application, August 2003 – (http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM072322.pdf):
We intend to enforce all other provisions of part 11 including, but not limited to, certain controls for closed systems in § 11.10. For example, we intend to enforce provisions related to the following controls and requirements:
• limiting system access to authorized individuals
• use of operational system checks
• use of authority checks
• use of device checks
• determination that persons who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks
• establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures
• appropriate controls over systems documentation
• controls for open systems corresponding to controls for closed systems bulleted above (§11.30)
• requirements related to electronic signatures (e.g., §§ 11.50, 11.70, 11.100, 11.200, and 11.300)

Everyone working in clinical trials must comply with applicable predicate rules, and records that are required to be maintained or submitted must remain secure and reliable in accordance with the predicate rules.

III. Use of Electronic Signatures
Electronic signatures are used to ensure that actions/records are attributable in a legally binding manner. Following is a summary relevant excerpts from the regulation 21 CFR Part 11 (See http://www.fda.gov/ora/compliance_ref/part11/FRs/background/pt11finr.pdf p.36). The summary covers the controls and procedures that should be in place to ensure that the electronic signature can be considered binding and verifiable. Three important sections define system controls, signature controls, and password controls:
– System Controls include controls in workflows, procedures, and system design to ensure that attribution and electronic signatures can be verified. Most important are:
o System validation (discussed above)
o Audit trails (also discussed above)
o Operational system checks – enforcing permitted sequencing of events (workflow management)
o Authority checks – ensuring that only authorized individuals can use the system
o Device (e.g., terminal) checks to determine, as appropriate, the validity of the
source of data input or operational instruction (IP Address logging)
o Documentation of adequate user education, training, and experience.
o Policies for individual accountability for actions initiated under their electronic
signatures
o Controls over distribution of, access to, and use of system documentation
o Change control procedures documenting time-sequenced modification of system documentation.
– Signature Controls (for signatures based on passwords) include:
o Use of at least two distinct id components such as an user id and password.
o Signature Verification:
§ When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
§ When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
– Password Controls include:
o Password expiration
o Rigid and rigorous password de-activation and temporary generation protocols
o Encryption and transaction safeguards to prevent sniffing (SSL, JavaScript MD5)

Appendix
Excerpts from the Regulation 21 CFR Part 11 Related to Electronic Signatures
(See http://www.fda.gov/RegulatoryInformation/Guidances/ucm125067.htm).
§ 11.3 Definitions.
(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.
(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

Subpart B—Electronic Records
§ 11.10 Controls for closed systems.
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
(d) Limiting system access to authorized individuals.
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.
Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
§ 11.30 Controls for open systems.
Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in § 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
§ 11.200 Electronic signature components and controls.
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous
period of controlled system access, the first signing shall be executed using all
electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and
designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a
single, continuous period of controlled system access, each signing shall be
executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
§ 11.300 Controls for identification codes/passwords.
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.


Anayansi Gamboa has an extensive background in clinical data management as well as experience with different EDC systems including Oracle InForm, InForm Architect, Central Designer, CIS, Clintrial, Medidata Rave, Central Coding, OpenClinica Open Source and Oracle Clinical.

Disclaimer: The legal entity on this blog is registered as Doing Business As (DBA) – Trade Name – Fictitious Name – Assumed Name as “GAMBOA”.