Is REDCap Part 11 compliant?
This web page is provided by the ITHS as a guideline for people using the ITHS REDCap instance. We stress that this is a guideline and not a legally binding document or a guarantee. If you do want some form of guarantee or letter of support, please contact the ITHS Navigator.
Short answer
Yes, you can possibly use any project(s) in the ITHS REDCap instance as the database part of your study in order to adhere to Part 11 compliance. However, you will need to implement the additional necessary procedures yourself in order to become fully compliant.
Long answer
REDCap is 21 CFR Part 11-ready, meaning that if implemented in conjunction with appropriate procedures, documentation, and qualification, then your study may meet part 11 requirements. However, compliance depends on the setting, which includes both the technical aspects of the installation and maintenance, quality requirements [Implementation Quality (IQ) – Operational Quality (OQ) – Production Quality (PQ)], as well as the essential processes put in place by users.
To be clear, 21 CFR Part 11 compliance requires compliance on two fronts: (i) the ITHS side, which includes REDCap and (ii) the user side, which is outside the purview of the ITHS.
The ITHS has provided a secure environment for REDCap instances, which are frequently upgraded and backed up daily to a secure site. Login accounts to these instances are provided and monitored by ITHS personnel. Logins are provided to personnel of the ITHS partner institutions and organizations affiliated with the ITHS or its partner institutions.
Details about the general REDCap security features that may support Part 11 compliance can be found in the “About REDCap” document released by Vanderbilt University. In addition, ITHS procedures are in compliance with University of Washington’s Information Technology Services (ITS) security requirements and are described in the current version of “ITHS REDCap Security”. Information about ITHS practices that may support Part 11 compliance can be found in other parts of this FAQ. The ITHS policies supporting our REDCap instance can be found below.
Current ITHS REDCap Support Policies68 kBAbout REDCap (Vanderbilt)134 kBREDCap System Security Statement – 03-29-2013
On the user side, the individual user or study team is also responsible for ensuring compliance, including establishing appropriate standard operating procedures to protect and document data. Many of the activities encouraged by Part 11 are good practice in general, including explicit definition of study team roles and responsibilities, database change control and documentation, and record retention. Personnel training commensurate with responsibilities is also required.
FDA guidance on 21 CFR Part 11 compliance in the context of clinical studies is available on the FDA website, http://www.fda.gov/regulatoryinformation/guidances/. Guidance documents are searchable, and the following are suggested:
(1) Part 11, Electronic Records; Electronic Signatures – Scope and Application, published 8/2003
(2) Computerized Systems Used in Clinical Trials, published 5/2007.
Vanderbilt University had a committee evaluate the Part 11 compliance status of REDCap. A PDF (created 19-Sept-2013) of their findings published on the Vanderbilt wiki page can be found below.147 kBPart 11 Compliance Validation – REDCap Wiki