You’ve decided to implement an Electronic Data Capture (EDC) system and need it to be validated to comply with 21 CFR Part 11. But what does that really mean? There has been confusion on the sponsor’s role during validation of an EDC system versus the responsibilities of an EDC vendor.
Below are five steps to keep in mind when implementing a validated EDC system at your organization.
Step 1: Familiarize Yourself with 21 CFR Part 11
Whether you are solely responsible for completing validation efforts or you plan to outsource some, or all, of the validation, it’s important to familiarize yourself with the Part 11 regulation and guidance document. After all, you’re the one responsible for FDA compliance. Broadly speaking, the regulation is divided into three categories: technical controls, procedural controls, and validation.
Technical controls are features built into the software to meet the requirements of the Part 11 regulation. Audit trails and security requirements, such as unique usernames and password requirements, are examples of technical controls. The EDC system vendor builds technical controls into the application.
In some cases, if a system lacks technical controls, implementing a procedural control can satisfy this regulatory requirement.
Some of the requirements of Part 11 are purely procedural. Procedures may be required for both the sponsor using the EDC system as well as the system vendor.
Let’s look at the requirement that limits system access to authorized individuals as an example with both vendor and sponsor involvement. While the technical control component generally requires a unique username and password to access the system, the rest of the requirement is procedural. In this case, the system owner should have a process in place for requesting, granting, modifying and revoking access to their instance of the EDC. For cloud-based EDC systems, the vendor providing the hosting services should also have policies in place for their technical and administrative staff to limit direct access to the database and servers.
Validation for 21 CFR Part 11-compliant submissions to the FDA is required “to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid or altered records.” This means the sponsor must have a procedure in place to validate EDC software for the intended use, and follow that procedure to evaluate and test the software used to produce Part 11-compliant electronic records and signatures.
Step 2: Complete an Internal Assessment
After reviewing the regulation and guidance document, you’ll likely discover you have existing procedures in place addressing many of the 21 CFR Part 11 requirements. Sponsors usually have procedures in place to govern the process for granting and revoking access to other electronic systems or describe how employee training is conducted and tracked. Existing processes may meet the Part 11 regulatory requirements, or simply need revisions.
Completing a gap analysis of your existing policies and procedures to the regulation is an important activity. It helps identify existing processes needing revisions and also determines if any new procedures need implementing.
Step 3: Define Your EDC Requirements
There are many features within EDC systems, some essential for your workflows and others you’ll never use. Before you start your search for an EDC system, it’s important to evaluate which features are required for your workflow and those not essential, but would be nice to have.
Start by defining the core functionality you must have (those deal-breakers) and any additional modules or integrations you may need now or in the future. It is helpful to prioritize these requirements as:
- Must have
- Nice to have
- Not needed
Make sure to include 21 CFR Part 11 specific requirements in your list. For example, will you use electronic signatures for case report form approval by the principal investigator? If so, label this as a “must have” requirement.
Having this list of EDC requirements prior to starting your search will save you time. You’ll be able to quickly evaluate EDC systems using your requirements and immediately rule out those systems that do not meet your “must have” conditions.
Use the same list of requirements later when you are validating the EDC system by mapping risk assessment and testing to the requirements.
Special Considerations for Cloud-based EDC Systems
If the system you are considering is cloud-based, the organization providing the hosting services is responsible for some items specified in 21 CFR Part 11. The vendor responsibilities include areas such as physically restricting access to the servers where the software is installed and having policies for backup, restoration, and disaster recovery.
In the instance where the EDC vendor is not the cloud hosting vendor, the EDC vendor should provide evidence that the cloud hosting vendor has been subject to an audit and has demonstrated their facility meets the requirements of 21 CFR Part 11 pertaining to physical security and backup & recovery.
Step 4: Confirm the EDC System and Vendor are Compliant
You have narrowed down your selection of possible EDC systems by doing your due diligence in evaluating systems for your must-have features, user experience, pricing model, and a general indication Part 11 compliance. What’s next? You’ll want to take a deeper look into each viable system to confirm it is truly 21 CFR Part 11 compliant and the vendor meets their procedural requirements for it.
This can be done via phone calls, virtual meetings or on-site audits. Most vendors won’t send a full written copy of their policies and procedures off site, but they should be willing to answer specific questions about their processes and provide an index or list of policies and procedures pertinent to 21 CFR Part 11 compliance. Viewing documents through virtual web sessions is a common practice when a site visit is not feasible. Once your audit is complete, you should have the information you need to make a purchase decision. It’s important to remember you’ll need to complete validation testing after you purchase the selected EDC system.
Step 5: Allocate Sufficient Time to Complete Validation Testing
Once you’ve completed the steps above and purchased an EDC system, you can proceed with testing the software to complete validation. You will want to:
- Configure the system for your use
- Create documentation proving the system meets your requirements
- Build out and test your first protocol
Keep in mind: Configuration, testing, and finalizing the validation documentation can be time consuming, especially if it’s your first time. If you’ve never been through the validation process, give yourself ample time to complete the validation before you need to enter protocol data in the live production environment.
Approach Your Decision with Confidence
Purchasing and validating an EDC system seems like a daunting task, especially if it’s your first time. Approach the process with confidence by educating yourself on the regulation and best practices and determining clear requirements before starting your search. Allowing enough time to complete validation activities will also help smooth out the implementation.