|21 CFR 11.10 – Controls for Closed Systems||REDCap Compliance|
|Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
||Because REDCap is client/server application that uses an IP address and port to access the database and they require a unique username and password combination, the administrator can set up a closed system in which access is limited internally to the server
|(a) Validation of systems to ensure accuracy,reliability, consistent intended performance, and the ability to discern invalid or altered records.
|| The consortium partner can use the REDCap audit trail to discern between valid and invalid records. REDCap maintains an audit trail that cannot be altered without evidence of change. The consortium posts Functional Requirements and templates for validation test scripts for each Long Term Support version release. The consortium partner is responsible for documentation of the executed scripts.
|(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records
||REDCap reports include username who made changes, the date/time stamp; the type of change and reason for change and comments can be included. The full record history can be tracked and reassembled from this log. These reports can be distributed in paper or electronic form. The history of each field is available onscreen
|(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
||The security within REDCap gives complete control over which users can complete specified actions when using these tools. The consortium partner is responsible for backing up and protecting the records
|(d) Limiting system access to authorized individuals.
||REDCap uses security settings that uniquely identify the user from their username and password combination. The internal security settings in the tools determine the access and privileges of the signed in user for each form and tool. The consortium partner is responsible for implementing secure hosting
|(e) Use of secure, computer-generated, time- stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying
||The history of the actions completed within REDCap in the audit trail is used for validation purposes REDCap maintains a distinct audit trail that can be retained indefinitely. The history of each field is available onscreen. Audit file can be downloaded for review and copying
|(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
||REDCap controls cannot enforce sequencing of workflow. The consortium partner is responsible for enforcing proper sequencing of steps and events, The ability to complete any given action is controlled at the security setting for the user and is under the control of the administrator(s) to set what permissions are allowed to what users to make what changes at any given point in the process. The history of actions completed within REDCap contains timestamp information for when the action was completed and by what user, showing the sequence in which actions occurred.
|(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand
|| REDCap uses a set of rules based on security settings that uniquely identify the user from their username and password combination. The internal security settings in these tools determine the access and privileges of the logged in user.
|(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction
||REDCap cannot interface with devices; administrators can restrict what actions can be done through the security settings
|(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks
||Access is controlled via security settings to those individuals deemed appropriate.
The consortium partner is responsible for this requirement
|(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
||The consortium partner is responsible for this requirement.
|(k) Use of appropriate controls over systems documentation including:
|(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
||There is online help and documentation. Printed copies of documents and guides can be made available. The consortium partner is responsible for this requirement.
|(2) Revision and change control procedures to maintain an audit trail that documents time- sequenced development and modification of systems documentation
||The history of the actions completed within REDCap maintains a distinct audit trail for this purpose. History of ach field can be viewed onscreen.
|21 CFR 11.30 – Controls for Open Systems||REDCap Compliance|
|Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in Sec. 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality
||REDCap can be used as an open system or a closed system depending on the access to the server via an IP address and port. Through the use of the username and password combination and internal security settings the administrator has the ability to secure the system as required for compliance.
|21 CFR 11.50 - Signature Manifestations||REDCap Compliance|
|(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following
||REDCap uses the username and password combination to uniquely identify the logged in user. LDAP support allows the use of an LDAP server to manage user compliance. REDCap provides table based controls
|(1) The printed name of the signer
||The full name of the signer is displayed on the homepage with the username
|(2) The date and time when the signature was executed
||A date and timestamp are contained in the history.
|(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature
||The meaning associated with the signature is entered in text which is saved in a field in the audit trail and cannot be modified.
|(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
||REDCap audit trail includes this information in the audit trail for electronic signature events.
|21 CFR 11.70 - Signatures / Record Linking||REDCap Compliance|
|Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means
||The audit trail history of events in REDCap is not modifiable and contains the details of the action taken as well as a timestamp; the user who performed the action; and the reason.