Is OpenSpecimen CFR Part 11 compliant?

To start with, it is important to understand that software itself can be neither compliant nor non-compliant. It is the implementation and use of software that determines actual compliance. Therefore, one could envision a system without many native features designed to support 21 CFR Part 11 that still achieves compliance through the application of Standard Operating Procedures (SOPs) and other controls. Conversely, one could conceive of a system that inherently better supports compliance through specific features.


ELECTRONIC SIGNATURES

Electronic signatures are a system feature used to ensure that actions taken by users of a system are attributable in a legally binding manner. 21 CFR Part 11 looks at System Controls, Signature Controls, and Password Controls as components of electronic signatures.

OpenSpecimen ensures that individuals have to log in to the system using a login/password combination that is either created within the OpenSpecimen database or managed by the institution's Identity Provider (or LDAP). Every login action is audited. Upon login, the user is shown the "last login time" for security purposes. Unsuccessful login attempts are also audited, and user accounts are locked after a specific number of failures. The system is designed to ensure attributability. Therefore, each entry to an electronic record, including any change, is made under the electronic signature of the individual making that entry. The printed name of the individual who enters data is displayed on the data entry screen throughout the data entry session. This is intended to preclude the possibility of a different individual inadvertently entering data under someone else's name. When someone leaves a workstation for longer than a specific time period, the system automatically logs off the user.

AUDIT TRAIL

OpenSpecimen maintains an audit trail of each and every action performed on the system by a user. The audit trail includes:

  1. Successful and unsuccessful login attempts
  2. Adding a record
  3. Editing a record
  4. Deleting a record

The audit information stored in the OpenSpecimen database includes:

  1. The timestamp of the event
  2. IP Address of the machine (or proxy server) on which the browser was running
  3. User ID of the user who performed the event
  4. Values of the records inserted or edited
  5. In the case of a modified value, the old value and new value are both stored

The audit trail is stored in the database permanently until physically deleted by the administrator. In other words, the system will never delete the audit records automatically. System users will never be able to modify the audit log of the system. The audit trail is created incrementally, in chronological order, and in a manner that does not allow new audit trail information to overwrite existing audit data. As such, the exact records added or edited during a given period of time can be reconstructed based on the user ID.
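
The audit trail properties described above, as an added illustration that is not OpenSpecimen's own schema or code: an insert-only log carrying the listed fields, with UPDATE and DELETE rejected, and a query that reconstructs one user's record changes for a period. The table, column and function names, the use of SQLite triggers, and the sample events are all assumptions made for this example.

```python
import sqlite3

# Hypothetical schema built from the audit fields listed above (not OpenSpecimen's tables).
SCHEMA = """
CREATE TABLE audit_log (
  id INTEGER PRIMARY KEY AUTOINCREMENT,   -- ids only grow, so write order is preserved
  ts TEXT NOT NULL, ip TEXT NOT NULL, user_id TEXT NOT NULL,
  action TEXT NOT NULL CHECK (action IN ('LOGIN_OK','LOGIN_FAIL','ADD','EDIT','DELETE')),
  record TEXT, field TEXT, old_value TEXT, new_value TEXT
);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_audit_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def log_event(db, ts, ip, user_id, action, record=None, field=None, old=None, new=None):
    db.execute(
        "INSERT INTO audit_log (ts, ip, user_id, action, record, field, old_value, new_value)"
        " VALUES (?,?,?,?,?,?,?,?)", (ts, ip, user_id, action, record, field, old, new))

def changes_by_user(db, user_id, start, end):
    """Record changes by one user with start <= ts < end, in the order written."""
    return db.execute(
        "SELECT ts, action, record, field, old_value, new_value FROM audit_log"
        " WHERE user_id = ? AND ts >= ? AND ts < ?"
        " AND action IN ('ADD','EDIT','DELETE') ORDER BY id",
        (user_id, start, end)).fetchall()

def tamper_blocked(db, sql):
    # True when the append-only triggers reject the statement.
    try:
        db.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False

def demo_db():
    """Constructed sample events; users, IPs and records are made up."""
    db = open_audit_db()
    log_event(db, "2024-03-01T09:00:00Z", "192.0.2.10", "asmith", "LOGIN_OK")
    log_event(db, "2024-03-01T09:05:00Z", "192.0.2.10", "asmith", "ADD", "specimen:17", "type", None, "Plasma")
    log_event(db, "2024-03-01T09:20:00Z", "192.0.2.10", "asmith", "EDIT", "specimen:17", "type", "Plasma", "Serum")
    log_event(db, "2024-03-01T10:00:00Z", "192.0.2.44", "bjones", "LOGIN_FAIL")
    return db
```

In this sketch the triggers stop any application-level statement from changing the log; someone with schema-level rights could still drop them, so database privileges need to be restricted separately.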


SOFTWARE DEVELOPMENT PRACTICES

Krishagni follows industry-proven and standard processes of software development to develop OpenSpecimen. This includes requirement definition, planning, tracking, validation & testing, release documentation, change management, and independent review activities. Krishagni extensively uses JIRA (for tracking) and Confluence (for documentation). Being an open-source project, all OpenSpecimen documentation is publicly accessible for review and audit.

SOFTWARE SUPPORT PRACTICES

Krishagni's software support practices are professionally managed and streamlined to achieve the highest degree of provenance of tasks and ownership. Every support ticket is tracked using an online tracking tool called JIRA, and weekly logs are emailed to the clients. Every server administration activity is performed only after the client's written approval, and a change log is maintained for future reference and audit.

STANDARD OPERATING PROCEDURES

Standard Operating Procedures (SOPs) pertinent to the use of the computerized system should be available on site.

SOPs should be established for:

  • System Setup/Installation
  • Data Collection and Handling
  • System Maintenance
  • Data Backup, Recovery, and Contingency Plans
  • Security
  • Change Control

Note that these SOPs do not relate to the software per se but rather to the "software infrastructure". We (Krishagni) can make these documents available to our clients on request during any such audit.

COMPUTER VALIDATION SYSTEMS

The following document, developed by caBIG / National Cancer Institute, describes the process of Computer System Validation:

https://wiki.nci.nih.gov/display/TBPTKC/Computer+System+Validation