REDCap Part 11 Compliance

DISCLAIMER:This web page is provided by MUSC as a guideline for people using the MUSC REDCap instance. We stress that this is a guideline and not a legally binding document or a guarantee. 

Is REDCap Part 11 Compliant?

 

This question is not the right question.  The real question is, “Can REDCap be part of a Part 11 compliant system?”  The answer to that question is YES.  To see what a system includes, see the image below:

(Source: Terri Shkuda, Systems Analyst, Lead, Penn State University)

 

SHORT ANSWER

After referencing the above diagram, you can see that, yes, you can possibly use any project(s) in MUSC REDCap instance as the database part of your study in order to adhere to Part 11 compliance. However, you will need to implement the additional necessary procedures yourself in order to become fully compliant.

LONG ANSWER

REDCap is 21 CFR Part 11-ready, meaning that if implemented in conjunction with appropriate procedures, documentation, and qualification, then your study may meet part 11 requirements. However, compliance depends on the setting, which includes both the technical aspects of the installation and maintenance, quality requirements [Implementation Quality (IQ) – Operational Quality (OQ) – Production Quality (PQ)], as well as the essential processes put in place by users.

To be clear, 21 CFR Part 11 compliance requires compliance on two fronts: (i) the MUSC side, which includes REDCap and (ii) the user side, which is outside the purview of MUSC.

MUSC has provided a secure environment for REDCap instances, which are frequently upgraded and backed up daily to a secure site. Login accounts to these instances are provided and monitored by MUSC personnel. Logins are provided to personnel of MUSC partner institutions and organizations affiliated with MUSC or its partner institutions.

Details about the general REDCap security features that may support Part 11 compliance can be found in the “About REDCap” document released by Vanderbilt University

On the user side, the individual user or study team is also responsible for ensuring compliance, and establishment and documentation of appropriate standard operating procedures for both technical and procedural compliance.  Many of the activities encouraged by Part 11 are good practice in general, including explicit definition of study team roles and responsibilities, database change control and documentation, and record retention.  Personnel training commensurate with responsibilities is also required.

FDA guidance on 21 CFR Part 11 compliance in the context of clinical studies is available on the FDA website here. Guidance documents are searchable, and the following are suggested:

(1) Part 11, Electronic Records; Electronic Signatures – Scope and Application, published 8/2003

(2) Computerized Systems Used in Clinical Trials, published 5/2007.

Vanderbilt University had a committee evaluate the Part 11 compliance status of REDCap. A PDF (created 19-Sept-2013) of their findings published on the Vanderbilt wiki page can be found below.

Part 11 Compliance Validation – REDCap Wiki