Flex Databases compliance checklist for EMA Guideline on computerised systems and electronic data in clinical trials

Early March 2023, EMA has finalised and published the updated Guideline on computerised systems and electronic data in clinical trials. Here’s how we approach compliance to Guideline requirements:

Scope and System Validation

The scope of this guideline is computerised systems, (including instruments, software and ‘as a service’) used in the creation/capture of electronic clinical data and to the control of other processes with the potential to affect participant protection and reliability of trial data, in the conduct of a clinical trial of investigational medicinal products (IMPs). Regarding the regulatory expectations, computerised systems used within a clinical trial should be subject to processes that confirm that the specified requirements of a computerised system are consistently fulfilled, and that the system is fit for purpose. Validation should ensure accuracy, reliability, and consistent intended performance, from the design until the decommissioning of the system or transition to a new system.

To meet these standards, Flex Databases has had lots of audits passed, and validation packages supported our Clients during their inspections. Furthermore, the electronic signature functionality in the closed systems should be proven during system validation to meet the expectations mentioned above. For this purpose, a validation package is provided – OQ testing ensures full compliance.

Data Protection and GDPR Compliance

The confidentiality of data that could identify trial participants should be protected, respecting privacy and confidentiality rules in accordance with the applicable regulatory requirement(s). This is achieved through controlled access to the system where user rights depends on their role.

In accordance with EU data protection legislation, if personal data of trial participants from an EU Member State are processed (at rest or in transit) or transferred to a third country or international organisation, such data transfer must comply with applicable Union data protection. Flex Databases ensures that GDPR compliance is documented and proven.

Training and Qualifications

Each individual involved in conducting a clinical trial should be qualified by education, training, and experience to perform their respective task(s). This also applies to training on computerised systems. Systems and training should be designed to meet the specific needs of the system users (e.g. sponsor, investigator or service provider). Special consideration should be given to the training of trial participants when they are users. Our approach includes the following:

• Our employees are trained in the applicable regulations.
• Training files are audit-ready.
• Our Clients (end-users) receive the training in the system.
• Current version of user manual is always available in the system.

System Security and Audit Trails

To maintain data integrity and the protection of the rights of trial participants, computerised systems used in clinical trials should have security processes and features to prevent unauthorised access and unwarranted data changes and should maintain blinding of the treatment allocation where applicable. IT Security is our main priority. The Flex Databases applications do not just provide the end-users with the ability to access data, the system controls all security parameters of each system’s user according to the client-specific model. Architecture relies on a centralized authentication and authorization security framework to control access to services. Passwords are to be complicated and fulfill a number of requirements, including number and type or of symbols.

An audit trail should be enabled for the original creation and subsequent modification of all electronic data. In computerised systems, the audit trail should be secure, computer generated and timestamped. Within Flex Databases, the audit trail captures information about all actions in the system – Is available for review.

Data Backups, Recovery, and Migration

Data stored in a computerised system are susceptible to system malfunction, intended or unintended attempts to alter or destroy data and physical destruction of media and infrastructure and are therefore at risk of loss. Data and configurations should be regularly backed up. To maintain a robust disaster recovery strategy, backups are retained at separate Flex Databases data centers at a geographically different location within the same region as the primary data center, with the same level of physical and infrastructure security described above, to maintain a robust disaster recovery strategy. All backups are encrypted-in-transit to the separate data center and are encrypted-at-rest while stored at that location.

In the course of the design or purchase of a new system and of subsequent data migration from an old system, validation of the data migration process should have no less focus than the validation of the system itself. The validation of data migration should take into consideration the complexity of the task and any foreseen possibilities that may exist to verify the migrated data (e.g. checksum, cas...