Requirements for
Computer Systems in the
clinical practice
Danilo Neri, PhD
Pomezia, 13 September 2005
Requirements for Computer Systems
in the clinical practice
• Requirements for Computer Systems in GCP
• The old scenario
• The current scenario
• The next scenario
Fundamental Requirements for
clinical data
• Security
• Integrity
• Traceability
Data shall be (regardless of the format!):
• attributable
• legible
• contemporaneous (timeliness)
• original
• accurate
Different implications for
different environments
CLOSED (Security, Integrity, Traceability): Records are fully under the Responsibility of the Firm
OPEN (Security, Integrity, Traceability): Responsibility of Records is shared with Third Parties
Evolution of Computer System in
GCP: the old Scenario
[Diagram: Case History; Paper CRF; Clinical DB (eCRF) w/o eSignature]
1. Data are registered in the paper Case History
2. Data are reported in the CRF Paper Form
3. Data are migrated in the Clinical DB (option: Electronic Signature)
Compliance Requirements for
Computer Systems
[Diagram: Source Data Verification; Case History; Paper CRF; Clinical DB (eCRF) w/o eSignature]
Regulations:
• ICH E6 for Computer Systems
• 21 CFR Part 11 Requirements (Closed System)
• Protection of Privacy (21 CFR Part 21, EU 95/46/EC)
ICH E6 Requirements for Computer
Systems (1/2)
5.5.3.a Ensure and document that the electronic
data processing system(s) conforms to the
Sponsor’s established requirements for
completeness, accuracy, reliability, and consistent
intended performance (i.e. validation).
International Conference on Harmonisation of Technical
Requirements for Registration of Pharmaceuticals for Human Use - ICH
Harmonised Tripartite Guideline –
Guideline For Good Clinical Practice
ICH E6 Requirements for Computer
Systems (2/2)
Par. 5.8: Integrity of Data and Computer Software
The credibility of the numerical results of the
analysis depends on the quality and VALIDITY of
the method and software used both for data
management (data entry, storage,
verification, correction and retrieval) and also for
processing the data statistically. The computer
software used for data management and statistical
analysis should be reliable and documentation of
appropriate software testing procedures should be
available.
International Conference on Harmonisation of Technical
Requirements for Registration of Pharmaceuticals for Human Use –
ICH Harmonised Tripartite Guideline –
Guideline for statistical principle on Clinical trial
21 CFR Part 11
Code of Federal Regulations
21 CFR Part 11; Electronic Records; Electronic Signature
August, 1997
Criteria set forth for Electronic Records
Criteria set forth for Electronic Signature
EQUIVALENCE between:
• Electronic Record, Electronic Signature
• Paper Record, Handwritten Signature
RECORD LIFE CYCLE
• creation
• modifying
• maintenance
• archiving
• retrieving
• transmission
21 CFR Part 11 Requirements for
Electronic Records
Control for Closed Systems [ref. §11.10]
The use of closed systems to manage electronic records implies:
(a) Validation of computer system
(b) Accurate and complete copies of records
(c) Protection of the data
(d) Limiting access
(e) Audit trails
(f) Operational system checks
(g) Authority checks
(h) Control on validity of input actions
(i) Adequate education and training
(l) Control on documentation distribution and change control procedure application
What is Computer System
Validation?
CSV is the documented evidence, to a
high degree of assurance, that a
computer system performs its intended
functions accurately and reliably.
Documented evidence
High degree of assurance
intended functions
accurately and reliably
ISO equivalent Requirements
(The Quality is) The totality of
characteristics of an entity that bear
on its ability to satisfy stated and
implied need.
[ISO 8402: 1994]
Note: In ISO/IEC 14598 the relevant entity is a
software product
An entity is a product, process, person, activity,
machine, service, system, department,
company, institution, or organization.
GAMP Validation Lifecycle
[Diagram:]
• User Requirements Specification, related to Performance Qualification
• Functional Specification, related to Operational Qualification
• Design Specification, related to Installation Qualification
• Risk Assessment
• System Build
Validation Deliverables
• User Requirements Specifications
• Decommissioning Plan/Report
• Audit Report
• Functional Specifications
• SOPs
• Design Specifications
• Installation, Operational, Performance Qualification Protocol & Reports
• Test Plan
• System Acceptance Testing
• Unit Testing
Part 11 vs ICH E6 Requirements (1/2)
Requirement | Part 11 | ICH E6
Validation of Computer system | 11.10.(a) | 5.5.3.a
Accurate and Complete Copies of Record | 11.10.(b) | 4.9.7
Data Protection | 11.10.(c) | 2.10; 4.9.1; 5.5.3.f
Limiting Access | 11.10.(d) | § 2.11; 5.5.3.d
Audit Trail | 11.10.(e) | 4.9.3; 5.5.3.c
Part 11 vs ICH E6 Requirements (2/2)
Requirement | Part 11 | ICH E6
Operational System check | 11.10.(f) | 2.6; 4.9.1
Authority Check | 11.10.(g) | 2.11; 4.1.5; 4.9.3; 5.5.3.e
Device Check | 11.10.(h) | --
Training | 11.10.(i) | 2.8
System Documentation | 11.10.(k) | 5.5.3.b
Evolution of Computer System in
GCP: the current Scenario
[Diagram: Case History; Network; Clinical DB (eCRF) + eSignature]
1. Data are registered in the Case History
2. Data are directly recorded in the Clinical DB through remote access and electronically signed
Compliance Requirements for
Computer Systems
[Diagram: Source Data Verification; Case History; Network; Clinical DB (eCRF) + eSignature]
Regulations:
• ICH E6 for Computer Systems
• 21 CFR Part 11 Requirements (Open System + eSig Reqs)
• Protection of Privacy (21 CFR Part 21, EU 95/46/EC)
21 CFR Part 11: Requirements for
Open Systems
Control for Open Systems [ref. §11.30]
The use of open systems to manage electronic records implies:
• Controls for Closed System (see previous slide); several requirements (i.e. Device Checks) might be enforced
• Document encryption
• Digital signatures standards
21 CFR Part 11: Requirements for
Electronic Signatures
[ref. §11.50; 11.70; 11.100]
The use of Electronic Signature (ES) for signing Electronic Records (ER) implies:
• Using ES when required by the predicate rule(s)
• ES manifestation
• ES / ER linking
• Procedure for managing attribution and use of ES
21 CFR
PART 11
Fundamental requirement:
Signature-Record Linking
Electronic signatures and handwritten signatures
executed to electronic records shall be linked to their
respective electronic records to ensure that the
signatures cannot be excised, copied, or otherwise
transferred to falsify an electronic record by ordinary
means.
Ref. §11.70. Preamble 15,53,107,108,109,110,11,112,113
[Diagram: Signed Record + Signature, IMMUTABLE BY ORDINARY MEANS]
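The signature-record linking requirement above, as an added example (not part of the original presentation): a signature block that carries the digest of the record it signs, so a block copied onto another record, or left on a record edited after signing, fails verification. HMAC-SHA256 from the Python standard library stands in for a real digital signature scheme; the key, field names and sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the signer's private signing credential.
SIGNER_KEY = b"constructed-demo-key-not-for-production"


def _canonical(obj):
    """Deterministic byte encoding so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record, signer, meaning, signed_at, key=SIGNER_KEY):
    """Return a signature block bound to this exact record content."""
    manifest = {
        "record_sha256": hashlib.sha256(_canonical(record)).hexdigest(),
        "signer": signer,        # printed name of the signer
        "meaning": meaning,      # e.g. review, approval, authorship
        "signed_at": signed_at,  # date and time of signing
    }
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_signature(record, signature, key=SIGNER_KEY):
    """True only if the block is authentic AND belongs to this record content."""
    manifest = signature["manifest"]
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature["tag"]):
        return False  # manifest (signer, meaning, time, digest) was altered
    digest = hashlib.sha256(_canonical(record)).hexdigest()
    return hmac.compare_digest(digest, manifest["record_sha256"])


# Constructed sample eCRF entries (not real data).
visit_1 = {"subject": "S-001", "visit": 1, "systolic_mmHg": 128}
visit_2 = {"subject": "S-002", "visit": 1, "systolic_mmHg": 171}

sig = sign_record(visit_1, "Investigator A", "approval", "2005-09-13T10:00:00Z")
edited = dict(visit_1, systolic_mmHg=118)  # record changed after signing
forged = {"manifest": dict(sig["manifest"], signer="Monitor B"), "tag": sig["tag"]}

if __name__ == "__main__":
    print("original record:", verify_signature(visit_1, sig))
    print("copied to other record:", verify_signature(visit_2, sig))
    print("record edited after signing:", verify_signature(edited, sig))
    print("signer name swapped:", verify_signature(visit_1, forged))
```

In an open system the keyed MAC would be replaced by an asymmetric digital signature, so that verifiers never hold the signing key.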
Evolution of Computer
System in GCP:
the near next Scenario
[Diagram: Network; Electronic Case History; Printed Case History; Paper CRF; Clinical DB (eCRF) + eSignature]
1. Data are registered directly in the electronic Case History (ECH)
2. Case Histories are printed based upon ECH
3. Data are reported in paper CRF and then migrated to the clinical DB or directly entered in the Clinical DB
Current use of Computer System for
Electronic Case History
Requirements for Computer Systems
Regulations:
• ICH E6 for Computer Systems
• 21 CFR Part 11 Requirements (Open System + eSig Reqs)
• Protection of Privacy (21 CFR Part 21, EU 95/46/EC)
Regulations:
• Ministry of Health Rules
• Quality ISO requirements
• Privacy related local laws (DL675/196, DL196/2003)
[Diagram labels: Network; Electronic Case History; Paper CRF; + eSignature; Printed Case History; ?; Clinical DB (eCRF) + eSignature; Source Data Verification]
Requirements for Privacy Protection
Legal “trigger”
Directive 95/46/EC, 24 October 1995
Member States shall protect the
fundamental rights and freedoms of
natural persons, and in particular
their right to privacy with respect to
the processing of personal data
Directive 95/46/EC:
Processing of Personal Data
Any operation or set of operations which is performed
upon personal data, whether or not by automatic means,
such as:
•collection
•recording
•organization
•storage
•adaptation or alteration
•retrieval
•consultation
•use
•disclosure by transmission
•dissemination or otherwise making available
•alignment or combination
•blocking, erasure or destruction
Directive 95/46/EC, 24 October 1995
Chapter I, Art. 2
Directive 95/46/EC: Application Field
Processing of personal data wholly or partly by
automatic means
Processing of personal data which form part of a
filing system or are intended to form part of a
filing system
Directive 95/46/EC, 24 October 1995
Chapter I, Art. 3
Directive 95/46/EC: Data Quality
Controller has to ensure that data are:
•Processed fairly and lawfully
•Collected for specified, explicit and legitimate
purposes
•Adequate, relevant and not excessive in relation
to the purposes
•Accurate and, where necessary, kept up to date
•Kept in a form which permits identification of
data subjects for no longer than is necessary
Directive 95/46/EC, 24 October 1995
Chapter II, Art. 6
Directive 95/46/EC:
Data Subject’s Rights
• Information
• Access to Data
• Right to object
Directive 95/46/EC:
Data Subject’s Information
Data subject has to know:
•Identity of the Controller (or Representative)
•Purpose of the Data Processing
•Recipient of the Data
•Own rights
Directive 95/46/EC, 24 October 1995
Chapter II, Art. 10
Directive 95/46/EC:
Data Subject’s Access to Data
Data Subject has to obtain from the Controller:
•Information about subject’s personal data effective
use, data undergoing process, logic involved in any
automatic processing of data, own rights
•Erasure or blocking of data not compliant to
95/46/EC
•Notification about data disclosure to third parties
Directive 95/46/EC, 24 October 1995
Chapter II, Art. 12
Directive 95/46/EC:
Confidentiality of Processing
“Any person acting under the authority of the
controller or of the processor, including the
processor himself, who has access to personal
data must not process them except on instructions
from the controller, unless he is required to do so by
law.”
Directive 95/46/EC, 24 October 1995
Chapter II, Art. 16
Directive 95/46/EC:
Security of Processing
•Safely processing
•Protection against accidental or malicious loss, alteration, unauthorized disclosure or access
•Security measures implementation
Directive 95/46/EC, 24 October 1995
Chapter II, Art. 17
Local Laws application
Italian laws DL675/196, DL196/2003 include
the statements of EU directive
The Technical attachment B is dedicated to
Electronic data management.
The law and the Technical attachment B
address nearly the same requirements set
forth by pharmaceutical regulations, such as
21 CFR Part 11
Requirements set forth by the
Technical Attachment for data
management (1/2)
(2) Authentication credentials consist of a code identifying the person in charge of processing, associated with a confidential password known only to that person; or of an authentication device in the exclusive possession and use of the person in charge, possibly associated with an identification code or a password; or of a biometric characteristic of the person in charge, possibly associated with an identification code or a password.
Security Management
(5) The password, where the authentication system provides for one, consists of at least eight characters or, where the electronic instrument does not allow this, of the maximum number of characters permitted; it contains no references easily traceable to the person in charge, and is changed by that person at first use and thereafter at least every six months. Where sensitive data or judicial data are processed, the password is changed at least every three months.
Password Management
Requirements set forth by the Technical
Attachment for data management (2/2)
(13) Authorization profiles, for each person in charge or for homogeneous classes of persons in charge, are identified and configured before processing begins, so as to limit access to only the data needed to carry out the processing operations.
User Profiles
(19.3) (The Security Policy Document (DPS) must contain) the analysis of the risks to the data;
Risk Analysis
(19.4) (The Security Policy Document (DPS) must contain) the measures to be adopted to guarantee the integrity and availability of the data, as well as the protection of the areas and premises relevant to their safekeeping and accessibility
Backup
(19.5) (The Security Policy Document (DPS) must contain) the description of the criteria and procedures for restoring the availability of the data following destruction or damage
Restore
ISO Requirements
Implementation of ISO Quality System in hospital
management has been recommended by the Ministry
of Health
The Electronic Case History may be a powerful and
fundamental key point of the Quality System
provided that the following requirements are met:
Traceability
Clarity
Accuracy
Trustworthiness
Completeness
Implied requirements almost equal to the ones set
forth by pharmaceutical regulations
Electronic Data for Source Data Verification
• Ministry of Health Rules
• Quality ISO requirements
• Privacy related local laws (DL675/196, DL196/2003)
Only if these requirements are met, Electronic Case History can be used for Source Data Verification
[Diagram: Network; Electronic Case History + eSignature; Paper CRF; Clinical DB (eCRF) + eSignature; Printed Case History; Source Data Verification]
Conclusions
Requirements for data managed by Computer Systems are increasing due to the growing use of Computer Systems in the product life cycle
Electronic Case History might be used provided that it meets the provisions set for Regulated Records
The checklist for Computer System Compliance may be used in order to justify the use of Electronic Case History within the Source Data Verification
Thanks for your attention
Should you have any question,
feel free to contact me