Nov 3, 2015 - Tool for assessing the regulatory compliance of an i3P-hosted EDC system used in clinical trials. ... Systems in Clinical Trials using Service.
Tool for assessing the regulatory compliance of an i3P‐hosted EDC system used in clinical trials..
Checklist for Electronic Data Capture Systems in Clinical Trials using Service Providers Tool for assessing the regulatory compliance of an i3P‐hosted EDC system used in clinical trials
Author:
eClinical Forum EDC Hosting Task Force
Version:
2015‐11‐03
Date:
03‐Nov‐2015
DOCUMENT DESCRIPTION Document ID
EDC Hosting Checklist 2015-11-03.docx
Status
FINAL
Document Type
PROJECT DOCUMENT
Security
PUBLIC
Revision
2015-11-03
Date
03-Nov-2015
Title
Checklist for Electronic Data Capture Systems in Clinical Trials using Service Providers
Subject
Tool for assessing the regulatory compliance of an i3P-hosted EDC system used in clinical trials
DOCUMENT HISTORY Date
Revision
Author
Changes
03-Nov-2015
2015-11-03
EDC Hosting Task Force
Final Document
Property of the eClinical Forum 2016
Page 1
Checklist
Tool for assessing the regulatory compliance of an i3P‐hosted EDC system used in clinical trials ID
Description
C01
System has the ability to store and retrieve data items in a way that is attributable to a patient.
C02
The system presents an overview of all patient consents and/or authorizations.
C03
System has an audit trail to include recording date/time/author of any data creation, change, or deletion.
C04
The audit trail includes the reason for changes /deletions.
C05
The audit trail includes the following timestamp: - If not instantly available, the system shows when the record can be accessed by the Monitor or Data Management (Sponsor or Sponsor delegates).
C06
The audit trail includes the following timestamp: - PI Approval / Signing of the data
C07
Audit trail/log information is readily available.
C08
System does not allow new audit trail information to over-write existing (previous) information.
C09
The system creates an audit trail that cannot be altered.
C10
All eCRF entries and any subsequent modifications are ultimately reviewed and approved by the Investigator.
C11
Original Site Staff/Investigator eCRF entries are preserved in a copy.
C12
Controls exist to ensure system date and time are correct (e.g. system clock synchronizes to a date and time provided by international standard setting agency).
C13
Controls exist such that the ability to change system standard settings (such as date or time) is limited to authorized personnel and such personnel is notified if a significant change is detected.
C14
System allows audit trail to utilize standard time-keeping method such that the local time can be derived.
C15
Measures must be in place such that persons who create, modify, or delete patient data items cannot modify or disable the audit trail or the system clock.
C16
The system has the ability to create, maintain and apply the roles, access permissions and capabilities of each user that accesses the system, such that users have access only to those system features and functions to which they have been granted access.
C17
There is a policy and training that instructs users not to share their non-biometric access mechanisms (i.e. usernames and passwords, or access keys) or to leave their account open for others to use.
Property of the eClinical Forum 2016
Page 2
Checklist
Tool for assessing the regulatory compliance of an i3P‐hosted EDC system used in clinical trials ID
Description
C18
The monitor, auditor and inspector can within reasonable timeframe obtain direct access to trial subjects entire records in order to perform their regulatory duties.
C19
System limits the number of log-in attempts, records unsuccessful access log-in attempts and notifies a system administrator of unsuccessful log-in attempts.
C20
System limits the number of log-in attempts, records unauthorized access log-in attempts and notifies a system administrator of unauthorized log-in attempts.
C21
System allows and enforces password or other access keys to be changed at established intervals.
C22
System feature to allow automatic logoff or other data lock (such as password protected screen saver) after a set period of time of inactivity.
C23
There is a system function and/or process to ensure the ability of the site to provide a cumulative directory of all personnel.
C24
System has the ability to produce a human-readable copy of data (which includes associated audit trails and translation of any coded data).
C25
Electronically stored data can be organized in a meaningful manner and extracted by the data custodian for quality auditing purposes.
C26
There are sufficient system and/or process controls for backup and recovery procedures.
C27
Documentation of the backup and recovery process can be produced for inspection by a monitor, auditor or inspector.
C28
Process and/or system controls ensure data used for clinical research source data and metadata are enduring, continue to be available, readable and understandable and are retained for the legal period.
C29
There are sufficient process controls for the system covering Contingency Planning.
C30
There are sufficient process controls for the system covering Disaster Recovery Procedures.
C32
There is a process to demonstrate that individuals who develop, maintain, or use the system have appropriate education, training, and experience necessary to perform their assigned task.
C33
There is a vendor process to demonstrate that development and modifications of the system and system documentation use good software development lifecycle practices including documented system validation and change control such that the integrity of the data is maintained when changes are made to the system and/or documentation, such as software upgrades, security and performance patches, equipment or component replacement.
Property of the eClinical Forum 2016
Page 3
Checklist
Tool for assessing the regulatory compliance of an i3P‐hosted EDC system used in clinical trials ID
Description
C34
There is an Sponsor/CRO process to demonstrate that any changes to the system used (e.g. EHR or EDC) are documented and any required system validation and change control is performed such that the integrity of the data is maintained when changes are made to the computerized system, such as software upgrades, security and performance patches, equipment or component replacement.
C35
The site has documented procedures for controlling user process at the site (system security measures, how source data are obtained and managed, what electronic systems are used).
C36
There are sufficient system and/or process controls to prevent or mitigate effects of viruses, worms, or other harmful software code.
Property of the eClinical Forum 2016
Page 4
Checklist
