You’ve decided to implement an Electronic Data Capture (EDC) system and need it to be validated to comply with 21 CFR Part 11. But what does that really mean? There has been confusion on the sponsor’s role during validation of an EDC system versus the responsibilities of an EDC vendor.
Below are five steps to keep in mind when deciding to implement a validated EDC system at your organization.
Step 1: Familiarize Yourself with 21 CFR Part 11
Whether you are solely responsible for completing validation efforts or you plan to outsource some, or all, of the validation, it’s important to familiarize yourself with the Part 11 regulation1 and guidance document2. After all, you’re the one responsible for FDA compliance. Broadly speaking, the regulation can be divided into three categories: Technical Controls, Procedural Controls and Validation.
Technical controls are features built into the software to meet the requirements of the part 11 regulation. Audit trails and security requirements, such as unique usernames and password requirements, are examples of technical controls. The EDC system vendor builds technical controls into the application.
In some cases, if a system lacks technical controls, implementing a procedural control can satisfy this regulatory requirement.
Some of the requirements of Part 11 are purely procedural. Procedures may be required for both the sponsor using the EDC system as well as the system vendor.
Let’s look at the requirement that limits system access to authorized individuals as an example that has both vendor and sponsor involvement. While the technical control component generally requires a unique username and password to access the system, the rest of the requirement is procedural. In this case, the system owner should have a process in place for requesting, granting, modifying and revoking access to their instance of the EDC. If the EDC is a cloud-based system, the vendor providing the hosting services should also have policies in place for their technical and administrative staff to limit direct access to the database and servers.
To learn more about vendor and sponsor responsibilities when validating an EDC system, watch our free, on- demand webinar “21 CFR Part 11: Vendor Vs. Sponsor Responsibilities.”
Validation for 21 CFR Part 11 compliant submissions to the FDA is required “to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid or altered records.1”
This means the sponsor must have a procedure in place to validate EDC software for the intended use, and follow that procedure to evaluate and test software that will be used to produce Part 11 compliant electronic records and signatures.
Step 2: Complete an Internal Assessment
After reviewing the regulation and guidance document, you’ll likely discover you have existing procedures in place that address many of the requirements of 21 CFR Part 11. Sponsors usually have procedures in place that govern the process for granting and revoking access to other electronic systems or describe how employee training is conducted and tracked. Existing processes may meet the Part 11 regulatory requirements, or simply need revisions.
Completing a gap analysis of your existing policies and procedures to the regulation is an important activity. It helps identify existing processes that need revisions and also determines if any new procedures need to be implemented.
Step 3: Define Your EDC Requirements
There are many features within EDC systems, some essential for your workflows and others you’ll never use. Before you start your search for an EDC system, it’s important to evaluate which features are required for your workflow and those that aren’t essential, but would be nice to have.
Start by defining the core functionality you must have (those deal-breakers) and any additional modules or integrations that may be needed now or in the future. It is helpful to prioritize these requirements as:
- Must have
- Nice to have
- Not needed
Make sure to include 21 CFR Part 11 specific requirements in your list. For example, will you be using electronic signatures for case report form approval by the principal investigator? If so, this would be labeled as a “must have” requirement.
Having this list of EDC requirements prior to starting your search will save you time. You’ll be able to quickly evaluate EDC systems using your requirements and immediately rule out those systems that do not meet your “must have” conditions.
The same list of requirements can be used later when you are validating the EDC system by mapping risk assessment and testing to the requirements.
Special Considerations for Cloud-based EDC Systems
If the system you are considering is cloud-based, the organization providing the hosting services is responsible for some items specified in 21 CFR Part 11. The vendor responsibilities include areas such as physically restricting access to the servers where the software is installed and having policies for backup, restoration and disaster recovery.
In the instance where the EDC vendor is not the cloud hosting vendor, the EDC vendor should provide evidence that the cloud hosting vendor has been subject to an audit and has demonstrated their facility meets the requirements of 21 CFR Part 11 pertaining to physical security and backup & recovery.
Step 4: Confirm the EDC System and Vendor are Compliant
You have narrowed down your selection of possible EDC systems by doing your due diligence in evaluating systems for your must-have features, user experience, pricing model and a general indication Part 11 compliance. What’s next? You’ll want to take a deeper look into each viable system to confirm that it is truly 21 CFR Part 11 compliant and that the vendor meets their procedural requirements for Part 11.
This can be done via phone calls, virtual meetings or on-site audits. Most vendors won’t send a full written copy of their policies and procedures off-site but they should be willing to answer specific questions about their processes and provide an index or list of policies and procedures pertinent to 21 CFR Part 11 compliance. Viewing documents through virtual web sessions is a common practice when a site visit is not feasible. Once your audit is complete, you should have the information you need to make a purchase decision. It’s important to remember that you’ll need to complete validation testing after you purchase the selected EDC system.
Step 5: Allocate Sufficient Time to Complete Validation Testing
Once you’ve completed the steps above and purchased an EDC system , you can proceed with testing the software to complete your validation. You will want to:
- Configure the system for your use
- Create documentation proving the system meets your requirements
- Build out and test your first protocol
Keep in mind that configuration, testing and finalizing the validation documentation can be time consuming, especially if it’s your first time. If you’ve never been through the validation process, give yourself ample time to complete the validation before you need to enter protocol data in the live production environment.
Approach Your Decision with Confidence
Purchasing and validating an EDC system can seem like a daunting task, especially if it’s your first time. You can approach the process with confidence by educating yourself on the regulation and best practices and determining clear requirements before starting your search. Allowing enough time to complete validation activities will also help smooth out the implementation.
This article was originally published on March 1, 2016.
Want to learn more about the roles organizations and vendors play in validating an EDC system? Watch our on-demand webinar, Understanding, Achieving and Maintaining 21 CFR Part 11 Compliance.