16 21 CFR Part 11 Requirements of the Researcher
21 CFR Part 11 is required of some OU REDCap projects, notably the projects containing data from clinical trials. This chapter describes the elements that a research team (RT; i.e., not Vanderbilt or OU’s OCRI) is responsible for.
Chapter Leads: Thomas Wilson
Glossary:
RA: REDCap Administrators. OU employees who are responsible for the overall instance on campus. This includes some OCRI employees (like Thomas Wilson) who train users and manage the back-end servers. It also includes OU IT employees who are experts in virtual servers and Linux.
RD: REDCap Developer. Vandy {Come back to this.}
RT: Research Team. These are the people managing the research project. Their typical duties include designing the study, collecting data, analyzing the results, and publishing the findings.
These are the individuals who are responsible for the daily operations of the study, and how a study is reflected in a REDCap project.
The RT is different from the people who design the REDCap software (at Vanderbilt University) and from the people who administer the local REDCap instance (in OCRI and OU IT).
16.1 System Validation And Change Control (Sec A)
RTs are not responsible for content in this section.
16.2 Access Control And Security (Sec B)
16.2.1 User Authentication (Subsec B1)
RTs are not responsible for content in this section.
16.2.2 Role-Based Permissions (Subsec B2)
16.2.2.1 Are roles and permissions in REDCap configured to ensure that users only have the minimum necessary access to perform their job functions?
REDCap allows fine-grained permissions to users and groups within each project.
It is the RT’s responsibility to assign other study team members the appropriate permissions, while following the principles of least privilege.
16.2.2.2 Are permission sets periodically reviewed to confirm they still align with user job functions?
Yes, the REDCap dashboard allows someone to quickly review the study’s users, groups, and permissions. It is the RT’s responsibility to periodically review this dashboard.
16.2.2.3 Do you enforce the principle of least privilege (admins vs. data entry vs. monitors)?
The RT works with their team members and should be aware of their roles approved by the IRB.
It is the RT’s responsibility to assign the appropriate levels of privileges.
16.2.3 Account Provisioning and Deprovisioning (Subsec B3)
16.2.3.1 Is there a clear process to grant, modify, or revoke system access when personnel change roles or leave the organization?
Yes, the REDCap user rights dashboard allows RT staff to easily grant, modify, or revoke system access when personnel changes occur.
It is the RT’s responsibility to monitor staff changes and make the appropriate system access modifications when necessary.
16.2.3.2 Must accounts be removed within a certain time frame (e.g., 24 hours) after staff departure?
Yes, REDCap allows for the expedient removal of staff from the appropriate REDCap projects.
It is the RT’s responsibility to monitor staff changes and remove accounts from the projects.
16.2.3.3 Do new users undergo formal training or competency checks before access is granted?
Yes, the RA team provides general REDCap training on how to operate the system. The RT will be responsible for training and competency checks for the specific project that new staff will be using.
16.2.4 Audit Trail Review (Subsec C3)
16.2.4.1 Is there a process for periodically reviewing audit trails and investigating any anomalies?
Yes, REDCap maintains an audit log for all transactions within a specific project. It is easily accessible and downloadable as a .csv file.
It is the responsibility of the RT to review the audit logs and investigate any anomalies.
16.2.4.2 Is there a routine schedule (monthly, quarterly) for audit trail reviews?
Because the REDCap audit log is readily accessible, reviews can be scheduled at any appropriate interval.
It is the responsibility of the RT to schedule the audit trail reviews.
16.2.4.3 Who is responsible for these reviews, and are they qualified to interpret logs?
REDCap maintains the audit log in an accessible and downloadable format.
The RT is responsible for assigning the reviewer and determining their qualification to interpret the logs.
16.2.4.4 Do you conduct forensic reviews if suspicious activity is detected?
The RT is responsible for conducting forensic reviews if suspicious activity is detected.
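An added example, not part of the original chapter or of REDCap itself: one way an RT could script the periodic audit-log review described in this subsection, run over a constructed CSV. The column names, timestamp format, approved-user roster and working-hours window are all assumptions to adapt to your own project's export.

```python
import csv
import io
from datetime import datetime

# Constructed sample log; column names and timestamp format are assumptions,
# adjust them to match the header row of your own downloaded .csv.
SAMPLE_LOG = """Time / Date,Username,Action,List of Data Changes
2025-03-03 09:14,jdoe,Update record 101,weight = '72'
2025-03-03 09:20,jdoe,Update record 102,weight = '80'
2025-03-04 02:47,jdoe,Update record 101,weight = '27'
2025-03-05 10:02,former_ra,Data export,"record_id, dob, weight"
2025-03-05 11:30,asmith,Update record 103,dob = '1980-01-02'
"""

APPROVED_USERS = {"jdoe", "asmith"}   # hypothetical IRB-approved roster
WORK_HOURS = range(7, 19)             # hypothetical 07:00-18:59 window


def review_audit_log(csv_text, approved=APPROVED_USERS, work_hours=WORK_HOURS):
    """Return (timestamp, user, action, reasons) for rows needing follow-up."""
    findings = []
    edited = set()  # update actions already seen, to spot repeat corrections
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["Time / Date"], "%Y-%m-%d %H:%M")
        user, action = row["Username"], row["Action"]
        reasons = []
        if user not in approved:
            reasons.append("user not on approved roster")
        if when.hour not in work_hours:
            reasons.append("outside working hours")
        if "export" in action.lower():
            reasons.append("data export")
        if action.lower().startswith("update record"):
            if action in edited:
                reasons.append("record edited more than once")
            edited.add(action)
        if reasons:
            findings.append((row["Time / Date"], user, action, reasons))
    return findings


if __name__ == "__main__":
    for ts, user, action, reasons in review_audit_log(SAMPLE_LOG):
        print(f"{ts}  {user:<10} {action:<18} -> {'; '.join(reasons)}")
```

A flagged row is a prompt for follow-up, not a finding in itself: a repeat edit may be a documented correction, and an export may be an approved analysis pull.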
16.2.5 Data Entry and Validation Checks (Subsec C4)
16.2.5.1 Do you conduct forensic reviews if suspicious activity is detected?
Yes, REDCap allows data fields to be configured with multiple data validation rules. These rules include format checks, ranges for dates and numeric entries, required fields, and designating that a field is an identifier. REDCap also utilizes functionality called “Action Tags” to further ensure that data are collected in an accurate, efficient manner. The RA team can train the RT on all of these features, but it is the responsibility of the RT to implement the features into their projects.
16.2.5.2 How do you handle data corrections or errors (formal data query, edit check process)?
REDCap allows users with appropriate permissions to correct data or errors within a project. Any changes to the data are recorded in the REDCap audit log. Additionally, REDCap has a field comment log for each field. The field comment log allows users to record the reason they are making a modification to the data for each field that needs to be corrected.
It is the responsibility of the RT to make data corrections or address errors.
16.2.5.3 When data collection instruments are updated, is the previous version retained to show how data was collected at any point in time?
Yes, REDCap, when in production mode, creates a snapshot of all data collection instruments whenever a change is requested.
It is the responsibility of the RT to ensure that REDCap is in production mode prior to collecting research data.
16.2.5.4 Does the system lock old forms when a new version is released, preventing retrospective changes?
Yes, when a new version of a form is released, the old form is retired from data entry.
16.2.5.5 How do you inform users about updated forms (e.g., release notes, training)?
When a REDCap project is in production and updates are requested, the individual on the RT requesting the changes will receive an email notification from the system when the changes have been approved.
It is the responsibility of the change requestor to inform the remainder of the RT of any changes that have been made.
16.2.5.6 Do you use encryption or secure FTP for high-risk data transfers?
REDCap stores data in secure VMs on the OUHSC campus. It is the responsibility of the RT to ensure the security of that data when it has been extracted from REDCap.
16.2.5.7 How do you ensure integrity if data are exported for analysis outside of REDCap?
It is the responsibility of the RT to ensure the security of data if it has been exported outside of REDCap for analysis.
16.3 Electronic Signatures (Sec E)
16.3.1 Long-Term Accessibility (Subsec E2)
16.3.1.1 Does the signature record include the printed name of the signer, date/time of signing, and the meaning of the signature (e.g., review, approval)?
Yes, REDCap has the capability of collecting all of these various signature components. These components must be incorporated into the design of the REDCap survey.
It is the responsibility of the RT to ensure that all required signature components are included in their REDCap survey.
16.3.1.2 Is the date/time automatically captured by the system (vs. user-entered)?
Yes, REDCap automatically captures the survey completion date/time. REDCap also has the capability of capturing the date in a separate field which can either be manually entered or automatically captured.
It is the responsibility of the RT to design and implement the date/time capture that is appropriate for their study.
16.3.1.3 Can different signature “meanings” be captured (reviewed, approved, verified)?
Yes, REDCap can have multiple signature field meanings. Each signature meaning can have a custom definition based on the specific needs of the study.
It is the responsibility of the RT to design and define any and all signature fields for their study.
16.4 Organizational Policies and SOPs (Sec F)
16.4.1 User Training (Subsec F2)
16.4.1.1 Are all users (administrators and end-users) trained on system use, Part 11 awareness, and data integrity principles?
Yes, the REDCap admin team offers training on system use and data integrity principles. It is the responsibility of the RT to schedule training for their staff.
16.4.1.2 Is there role-specific training (admin vs. standard user vs. data manager)?
It is the responsibility of the RT to determine the role-based needs for their staff and implement training.
16.4.1.3 Are competency tests used to confirm user understanding of Part 11 principles?
It is the responsibility of the RT to confirm user understanding of Part 11 principles.
Record Retention (Sec G)
16.4.2 Long-Term Accessibility (Subsec G2)
16.4.2.1 Are file formats chosen to ensure long-term readability (e.g., PDF, CSV)?
REDCap provides the export formats shown in Figure 16.1, ranging from the highly portable (e.g., .csv: comma-separated values) to the specialized and proprietary (e.g., .sas7bdat: SAS files).
To promote portability and long-term usefulness, we recommend exporting data as a csv. Even if you want something specialized in the short term (e.g., an SPSS file), we recommend exporting and storing a second copy (as a csv) to improve the options available to others in the future.