Principle or Purpose of Procedure
This Standard Operating Procedure (SOP) describes a consistent process for determining the applicability of 21 CFR Part 11 to computer systems and applications developed, implemented and managed for the conduct of clinical research by Research and Academic Systems (RAS) at UT Southwestern. This SOP also identifies the requirements for ensuring the security, authenticity, and trustworthiness of electronic records and electronic signatures (ERES) as defined by Title 21, Part 11 (21 CFR Part 11), entitled "Electronic Records, Electronic Signatures".
Applicability or Scope
This SOP applies to research systems and/or applications that are used in the conduct and support of clinical trials (subject to regulatory authority and inspection) and that store electronic records on durable media (e.g. disk, diskette, tape, CD-ROM).
This SOP does not apply to paper records transmitted by electronic means such as fax, or to word-processed documents that are subsequently printed, authorized and maintained as paper records.
Research and Academic Systems staff who develop, configure, install or use computer systems or applications that create, modify, copy or delete electronic records or electronic signatures are responsible for complying with this SOP where applicable.
Materials
Regulatory Impact Questionnaire
Detailed ERES and Risk Assessment Tool
Definitions
NA
Requirements
ELECTRONIC RECORDS
1. An electronic record in the context of this SOP is any combination of text, graphics, data, audio, pictorial or other information representation in digital form that is created, modified, maintained, archived, retrieved, copied, deleted or distributed by a computer system and/or application in support of clinical research conducted within RAS applications.
2. Personnel who control systems that create, modify, maintain, archive, copy, delete, retrieve or distribute electronic records must implement and maintain procedures and controls that are designed to protect the authenticity and integrity of the electronic record and electronic signature, and when appropriate, the confidentiality of electronic records from the point of their creation to the point of their deletion.
3. Electronic records subject to signature must be signed either electronically or, where acceptable under local regulations, by handwritten signature. Handwritten signatures must be unambiguously linked to their associated electronic record. Where handwritten signatures are applied to printed electronic records, both the electronic record and the signed paper must be maintained.
4. The computer system or application must be able to restrict access to authorized users and employ computer-generated audit trails to track actions (who and when) to create, modify, or delete electronic records. Audit trail documentation of electronic records must be automatically date and time stamped by the system.
5. Electronic records together with any required audit trails and any associated electronic signatures must be maintained and retrievable in a readable form throughout the record's retention period.
6. Procedures must be established to meet requests from regulatory authorities for access to or copies of electronic records. Where copies of electronic records are provided to regulatory authorities, exact duplicate copies must be made and retained for future reference.
7. Persons responsible for developing, maintaining or using electronic records must be trained and have the proper education or experience to perform the assigned tasks.
ELECTRONIC SIGNATURES
1. An electronic signature is a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature. In the context of this SOP, an electronic signature is any legally admissible electronic signing applied by an individual to an electronic record that is used for regulatory submission or is required by local laws and relevant regulations.
2. Clinical research sites conducting clinical research trials under the RAS applications must ensure that individuals are trained and fully understand their accountability and responsibility for actions initiated under their electronic signatures.
3. Application of electronic signatures must include the date/time of signature and a unique identifier of the signer.
4. Electronic signatures must be unique to an individual and not be reused or reassigned to another individual. Persons using electronic signatures must provide documentation certifying that the electronic signature in the system or application is intended to be the legally binding equivalent of traditional handwritten signatures.
5. Electronic signatures must be unambiguously linked to their corresponding electronic records.
6. Procedures and controls must be maintained to ensure that electronic signatures cannot be falsified by ordinary means.
7. Any disclosure of confidential electronic signature components between staff, or the use of another person's electronic signature, is unacceptable and is considered falsification of records. See the Acceptable Use of Information Resources Policy.
8. Ability to apply electronic signatures must be withdrawn for individuals whose role no longer includes a signing function (e.g. new role, or no longer employed by the clinical research site) where the system will support this. For systems that cannot support this, User IDs will be made inactive.
9. Persons responsible for developing, maintaining or using electronic signatures will be trained and have the proper education and experience to perform the assigned task.
VALIDATION
1. Computerized systems or applications supporting the regulated use of electronic records and/or electronic signatures (ERES) must be validated (tested) in accordance with requirements identified in 21 CFR Part 11. Testing must cover both technical and procedural controls of systems or applications covered by the regulation.
REGULATORY IMPACT DETERMINATION QUESTIONNAIRE
1. A computerized system or application should be evaluated to determine whether it has a regulatory impact (is subject to inspection) and is also subject to 21 CFR Part 11.
2. A positive result from the regulatory impact assessment will trigger a detailed ERES risk assessment of the computer system and/or application.
DETAILED ERES RISK ASSESSMENT
A detailed ERES risk assessment should be performed to determine whether the computerized system or application meets all of the policy, procedural and technical requirements of 21 CFR Part 11. The results of the detailed assessment will help identify any specific procedural and/or technical enhancements needed to establish compliance with 21 CFR Part 11. The detailed assessment will also aid in identifying any interim controls or procedures that may be required for compliance, in ranking the criticality of the compliance gap(s), and in listing the actions (temporary or permanent) needed to remediate and/or reduce the risk.
RISK ASSESSMENT AND DECISIONAL ANALYSIS
A decision analysis tool should be used to quantify (rank) risks in a standard and consistent manner for all computer systems and/or applications under the RAS applications that are subject to regulatory inspection and covered under 21 CFR Part 11 regulation.
Roles and Responsibilities
System Application Owner
• Provide funding and resources necessary for ERES systems and personnel to comply with the requirements outlined in this SOP.
• Ensure that the system is designed to comply with 21 CFR Part 11 requirements and that tests are conducted to validate compliance.
• Produce the necessary documentation to demonstrate that electronic records/electronic signatures are created and maintained in compliance with this SOP.
Chief Information Security Officer (CISO)
• Review the ERES Risk Assessment to determine acceptable implementation of information security requirements.
• Define acceptable methods for implementing electronic signatures.
• Establish procedures for issuing, recalling and revising system passwords.
• Conduct security reviews to ensure that the system complies with regulatory security requirements/guidelines.
Local QA
• Review ERES systems and documentation for compliance with this SOP prior to deployment. Sign off that the deployed system is compliant with this SOP and thereby compliant with 21 CFR Part 11.
• Conduct random audits of electronic records and audit trails to determine if a data breach has occurred in the system.
System Administrator
• Ensure that the electronic signature associated with an electronic record belongs to the individual submitting the record.
• Perform audit checks to verify that record contents have not been falsified or altered by an unauthorized user.
• Perform audit checks to ensure access to electronic records is protected and limited to authorized users.
• Perform routine backup and maintenance on electronic records.
• Employ passwords to detect and report unauthorized attempts to access information stored in electronic records.
• Manage user access to system information; perform initial and periodic testing of user identification devices (e.g., tokens or cards) to ensure that they function properly and have not been altered in an unauthorized manner.
Description of Standard Procedure
1. System Owner evaluates the system for regulatory impact.
A. Complete the Regulatory Impact Questionnaire for the system.
B. If the answer to any question on the Questionnaire is "Yes", then the system will fall under the authority of 21 CFR Part 11, and the Electronic Records/Electronic Signatures (ERES) Risk Assessment must be performed.
C. If the answer is "No", then stop.
2. Quality Assurance (QA) Officer and the Information Systems Security Officer review the Regulatory Impact Questionnaire.
A. Review the Regulatory Impact Questionnaire for appropriate answers and to verify whether the system will or will not fall under the authority of Title 21 CFR Part 11.
3. System Owner conducts the Electronic Records/Electronic Signatures Risk Assessment.
A. Complete the ERES and Risk Assessment following the instructions included in the Detailed ERES and Risk Assessment Tool, utilizing expertise from the system administrator, system users and regulatory/QA resources.
4. System Owner, QA Officer and the Information Systems Security Officer review compliance gaps.
A. Review compliance gaps identified in the Detailed ERES and Risk Assessment Tool.
B. Develop a remediation plan to address the compliance gaps. This may include:
a. Interim solutions
b. Software customizations
c. Procedural controls
Applicable Forms
ERES RISK ASSESSMENT
Comments
This SOP falls under the umbrella of the University Handbook and the University security policy, as defined in the Department of Information Resources Security Manual (IR Security Manual), the University Handbook and the State DIR guidelines. If any statement within RAS policy is perceived to conflict with any of the above-mentioned manuals, then the higher-level policy shall prevail.
References
Chapter 6 - Information Security Privacy & Resources
Effective Date: 10/01/2018 Version: 1.0