To start with it is important to understand that software itself can itself can neither be compliant nor non-compliant. It is the implementation and use of software that determines actual compliance. Therefore, one could envision a system without a lot of native features designed to support 21 CFR Part 11 and achieve compliance through the application of Standard Operating Procedures (SOPs) and other controls. Conversely, one could conceive of a system that inherently better supports compliance through specific features.
...
OpenSpecimen ensures that individuals have to login log in to the system using a combination of login/password that is either created within OpenSpecimen database OR using the institution's Identify Provider (or LDAP). Every login action is audited. Upon login, the user is displayed the "last login time" for security purposepurposes. Also, unsuccessful login attempts are audited and user accounts are locked after a specific number of failures. The system is designed to ensure attributability. Therefore, each entry to an electronic record, including any change, is made under the electronic signature of the individual making that entry. The printed name of the individual who enters data is displayed by the data entry screen throughout the data entry session. This is intended to preclude the possibility of a different individual inadvertently entering data under someone else's name. When someone leaves a workstation for longer than a specific time period, the system automatically logs off the user.
AUDIT TRAIL
OpenSpecimen maintains an audit trail of each and every action performed on the system by an a user. The audit trail includes:
...
The audit information stored in the OpenSpecimen database includes:
- Timestamp The timestamp of the event
- IP Address of the machine (or proxy server) on which the browser was running
- User id who performed the event
- Values of the records inserted or edited
- In the case of a modified value, the old value and new value are both stored
| Info |
|---|
The Audit trail is stored in the database permanently until physically deleted by the administrator. In other words, the system will never deletes delete the audit records automatically. System users will never be able to modify the audit log of the system. The Audit trail is created incrementally, in chronological order, and in a manner that does not allow new audit trail information to overwrite existing audit data. As such, the exact records added or edited during a given period period of time can be reconstructed based on the user ID. |
SOFTWARE DEVELOPMENT PRACTICES
Krishagni follows industry-proven and standard processes of software development to develop OpenSpecimen. This includes requirement definition, planning, tracking, validation & testing, release documentation, change management, and independent review activities. Krishagni extensively uses JIRA (for tracking) and Confluence (for documentation). Being an open-source project, all OpenSpecimen documentation is publicly accessible for review and audit.
...
Krishagni's software support practices is are professionally managed and streamlined to achieve the highest degree of the provenance of tasks and ownership. Every support ticket is tracked using an online tracking tool called JIRA, and weekly logs are emailed to the clients. Every server administration activity is performed only after the client's written approval, a log of change is maintained for future reference and audit.
...
SOPs should be established for,:
- System Setup/Installation
- Data Collection and Handling
- System Maintenance
- Data Backup, Recovery, and Contingency Plans
- Security
- Change Control
...