
Requirements for Computer Systems in the clinical practice. Danilo Neri, PhD. Pomezia, 13 September 2005.


1 Requirements for Computer Systems in the clinical practice. Danilo Neri, PhD. Pomezia, 13 September 2005

2 Requirements for Computer Systems in the clinical practice
Requirements for Computer Systems in GCP
The old scenario
The current scenario
The next scenario

3 Fundamental Requirements for clinical data
Traceability, Security, Integrity
Data shall be (regardless of the format!): attributable, legible, contemporaneous (timeliness), original, accurate

4 Different implications for different environments
CLOSED: Records are fully under the Responsibility of the Firm
OPEN: Responsibility of Records is shared with Third Parties
In both environments: Traceability, Security, Integrity

5 Requirements for Computer Systems in the clinical practice
Requirements for Computer Systems in GCP
The old scenario
The current scenario
The next scenario

6 Evolution of Computer System in GCP: the old Scenario
Case History, Paper CRF, Clinical DB (eCRF) w/o eSignature
1. Data are registered in the paper Case History
2. Data are reported in the CRF Paper Form
3. Data are migrated in the Clinical DB (option: Electronic Signature)

7 Regulations Compliance Requirements for Computer Systems
Case History, Paper CRF, Clinical DB (eCRF) w/o eSignature
Source Data Verification
ICH E6 for Computer Systems
21 CFR Part 11 Requirements (Closed System)
Protection of Privacy (21 CFR Part 21, EU 95/46/EC)

8 ICH E6 Requirements for Computer Systems (1.2)
a Ensure and document that the electronic data processing system(s) conforms to the sponsor's established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e. validation).
International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use - ICH Harmonised Tripartite Guideline – Guideline For Good Clinical Practice

9 ICH E6 Requirements for Computer Systems (2.2)
Par. 5.8: Integrity of Data and Computer Software
The credibility of the numerical results of the analysis depends on the quality and VALIDITY of the method and software used both for data management (data entry, storage, verification, correction and retrieval) and also for processing the data statistically. The computer software used for data management and statistical analysis should be reliable and documentation of appropriate software testing procedures should be available.
International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use – ICH Harmonised Tripartite Guideline – Guideline for statistical principle on Clinical trial

10 21 CFR Part 11
RECORD LIFE CYCLE: creation, modifying, maintenance, archiving, retrieving, transmission
Criteria set forth for Electronic Records and for Electronic Signature
EQUIVALENCE: Electronic Record and Paper Record; Electronic Signature and Handwritten Signature
Code of Federal Regulations 21 CFR Part 11; Electronic Records; Electronic Signature August, CFR Part 11

11 21 CFR Part 11 Requirements for Electronic Records
Control for Closed Systems [ref. §11.10] - The use of closed systems to manage electronic records implies:
(a) Validation of computer system
(b) Accurate and complete copies of records
(c) Protection of the data
(d) Limiting access
(e) Audit trails
(f) Operational system checks
(g) Authority checks
(h) Control on validity of input actions
(i) Adequate education and training
(l) Control on documentation distribution and change control procedure application

12 What is Computer System Validation?
CSV is the documented evidence, to a high degree of assurance, that a computer system performs its intended functions accurately and reliably.
Key terms: documented evidence; high degree of assurance; intended functions; accurately and reliably

13 ISO equivalent Requirements
(The Quality is) The totality of characteristics of an entity that bear on its ability to satisfy stated and implied need. [ISO 8402: 1994]
An entity is a product, process, person, activity, machine, service, system, department, company, institution, or organization.
Note: In ISO/IEC the relevant entity is a software product

14 GAMP Validation Lifecycle
Specifications: User Requirements Specification, Functional Specification, Design Specification
System Build
Qualifications: Installation Qualification, Operational Qualification, Performance Qualification (each related to a specification)
Supporting activities: Risk Assessment, Design Review, Configuration Testing

15 Validation Deliverables
User Requirements Specifications
Audit Report
Functional Specifications
Design Specifications
Unit Testing
System Acceptance Testing
Test Plan
Installation / Operational / Performance Qualification Protocol & Reports
SOPs
Decommissioning: Decommissioning Plan/Report

16 Part 11 vs ICH E6 Requirements (1/2)
Requirement | Part 11 | ICH E6
Validation of Computer system | 11.10.(a) | 5.5.3.a
Accurate and Complete Copies of Record | (b) | 4.9.7
Data Protection | 11.10.(c) | 2.10; 4.9.1; f
Limiting Access | 11.10.(d) | § 2.11; d
Audit Trail | 11.10.(e) | 4.9.3; c

17 Part 11 vs ICH E6 Requirements (2/2)
Requirement | Part 11 | ICH E6
Operational System check | 11.10.(f) |
Authority Check | 11.10.(g) | 2.11; 4.1.5; e
Device Check | 11.10.(h) | --
Training | 11.10.(i) | 2.8
System Documentation | 11.10.(k) | 5.5.3.b

18 Requirements for Computer Systems in the clinical practice
Requirements for Computer Systems in GCP
The old scenario
The current scenario
The next scenario

19 Evolution of Computer System in GCP: the current Scenario
Case History, Network, Clinical DB (eCRF) + eSignature
1. Data are registered in the Case History
2. Data are directly recorded in the Clinical DB through remote access and electronically signed

20 Regulations Compliance Requirements for Computer Systems
Case History, Network, Clinical DB (eCRF) + eSignature
Source Data Verification
ICH E6 for Computer Systems
21 CFR Part 11 Requirements (Open System + eSig Reqs)
Protection of Privacy (21 CFR Part 21, EU 95/46/EC)

21 21 CFR Part 11: Requirements for Open Systems
Control for Open Systems [ref. §11.30] - The use of open systems to manage electronic records implies:
Controls for Closed System (see previous slide); several requirements (i.e. Device Checks) might be enforced
Document encryption
Digital signatures standards

22 21 CFR Part 11: Requirements for Electronic Signatures
[ref. §11.50; 11.70; ] - The use of Electronic Signature (ES) for signing Electronic Records (ER) implies:
Using ES when required by the predicate rule(s)
ES manifestation
ES / ER linking
Procedure for managing attribution and use of ES

23 Fundamental requirement: Signature-Record Linking
21 CFR Part 11
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
Ref. § Preamble 15,53,107,108,109,110,11,112,113
Signed Record and Signature: IMMUTABLE BY ORDINARY MEANS
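
Added example (not part of the original presentation): one way to implement the signature-record linking described on this slide is to make the signature cover a digest of the record, so a signature moved to another record or attached to an edited record no longer verifies. The field names (signer, meaning, signed_at), the sample record and the demo key are assumptions; HMAC stands in here for the digital signature standards mentioned for open systems.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). A production system would use per-signer
# asymmetric keys so that only the signer can produce the tag.
DEMO_KEY = b"constructed-demo-key"


def canonical(obj: dict) -> bytes:
    """Stable byte encoding so identical content always yields identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, signer: str, meaning: str, signed_at: str,
                key: bytes = DEMO_KEY) -> dict:
    """Return a signature whose tag covers the record digest and the signer details."""
    manifest = {
        "signer": signer,
        "meaning": meaning,
        "signed_at": signed_at,
        "record_sha256": hashlib.sha256(canonical(record)).hexdigest(),
    }
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "tag": tag}


def verify(record: dict, signature: dict, key: bytes = DEMO_KEY) -> str:
    """Check the tag first, then check that the signature belongs to this record."""
    manifest = {k: v for k, v in signature.items() if k != "tag"}
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(signature.get("tag", ""))):
        return "signature-altered"   # signer, date, meaning or digest was edited
    if hashlib.sha256(canonical(record)).hexdigest() != manifest["record_sha256"]:
        return "record-mismatch"     # record edited, or signature moved here
    return "ok"


def demo() -> dict:
    # Constructed sample eCRF entries, not real data.
    visit_a = {"subject": "S-001", "visit": 2, "systolic_bp": 128}
    visit_b = {"subject": "S-002", "visit": 2, "systolic_bp": 141}
    sig_a = sign_record(visit_a, "investigator01", "approval", "2005-09-13T10:00:00Z")

    edited = dict(visit_a, systolic_bp=118)          # record changed after signing
    forged = dict(sig_a, signer="someone-else")      # signature field rewritten
    # Signature copied to another record with the digest rewritten to match it.
    relinked = dict(sig_a, record_sha256=hashlib.sha256(canonical(visit_b)).hexdigest())
    return {
        "original": verify(visit_a, sig_a),
        "edited_record": verify(edited, sig_a),
        "transplanted": verify(visit_b, sig_a),
        "forged_signer": verify(visit_a, forged),
        "relinked": verify(visit_b, relinked),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
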

24 Requirements for Computer Systems in the clinical practice
Requirements for Computer Systems in GCP
The old scenario
The current scenario
The next scenario

25 Evolution of Computer System in GCP: the near next Scenario
Electronic Case History, Printed Case History, Paper CRF, Network, Clinical DB (eCRF) + eSignature
1. Data are registered directly in the electronic Case History (ECH)
2. Case Histories are printed based upon the ECH
3. Data are reported in paper CRF and then migrated to the clinical DB or directly entered in the Clinical DB

26 Current use of Computer System for Electronic History Case

27 Requirements for Computer Systems
Electronic Case History + eSignature, Printed Case History, Paper CRF, Network, Clinical DB (eCRF) + eSignature
Source Data Verification
Regulations: ICH E6 for Computer Systems; 21 CFR Part 11 Requirements (Open System + eSig Reqs); Protection of Privacy (21 CFR Part 21, EU 95/46/EC)
Regulations: Privacy related local laws (DL675/196, DL196/2003); Ministry of Health Rules ?
Quality: ISO requirements

28 Requirements for Privacy Protection
Legal trigger: Directive 95/46/EC, 24 October 1995
Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data

29 Directive 95/46/EC: Processing of Personal Data
Directive 95/46/EC, 24 October 1995, Chapter I, Art. 2
Any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as:
collection
recording
organization
storage
adaptation or alteration
retrieval
consultation
use
disclosure by transmission
dissemination or otherwise making available
alignment or combination
blocking, erasure or destruction

30 Directive 95/46/EC: Application Field
Directive 95/46/EC, 24 October 1995, Chapter I, Art. 3
Processing of personal data wholly or partly by automatic means
Processing of personal data which form part of a filing system or are intended to form part of a filing system

31 Directive 95/46/EC: Data Quality
Directive 95/46/EC, 24 October 1995, Chapter II, Art. 6
Controller has to ensure that data are:
Processed fairly and lawfully
Collected for specified, explicit and legitimate purposes
Adequate, relevant and not excessive in relation to the purposes
Accurate and, where necessary, kept up to date
Kept in a form which permits identification of data subjects for no longer than is necessary

32 Directive 95/46/EC: Data Subjects Rights
Information
Access to Data
Right to object

33 Directive 95/46/EC: Data Subjects Information
Directive 95/46/EC, 24 October 1995, Chapter II, Art. 10
Data subject has to know:
Identity of the Controller (or Representative)
Purpose of the Data Processing
Recipient of the Data
Own rights

34 Directive 95/46/EC: Data Subjects Access to Data
Directive 95/46/EC, 24 October 1995, Chapter II, Art. 12
Data Subject has to obtain from the Controller:
Information about the effective use of the subject's personal data, the data undergoing processing, the logic involved in any automatic processing of data, and own rights
Erasure or blocking of data not compliant with 95/46/EC
Notification about data disclosure to third parties

35 Directive 95/46/EC: Confidentiality of Processing
Directive 95/46/EC, 24 October 1995, Chapter II, Art. 16
Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law.

36 Directive 95/46/EC: Security of Processing
Directive 95/46/EC, 24 October 1995, Chapter II, Art. 17
Safely processing
Protection against accidental or malicious: loss; alteration; unauthorized disclosure or access
Security measures implementation

37 Local Laws application
Italian laws DL675/196, DL196/2003 include the statements of the EU directive
The Technical attachment B is dedicated to Electronic data management.
The law and the Technical attachment B address nearly the same requirements set forth by pharmaceutical regulations, such as 21 CFR Part 11

38 Requirements set forth by the Technical Attachment for data management (1.2)
Security Management: (2) Authentication credentials consist of a code identifying the person in charge of processing, associated with a confidential password known only to that person; or of an authentication device held and used exclusively by that person, possibly associated with an identification code or a password; or of a biometric characteristic of that person, possibly associated with an identification code or a password.
Password Management: (5) The password, where the authentication system provides for one, consists of at least eight characters or, where the electronic tool does not allow this, of the maximum number of characters permitted; it contains no references easily traceable to the person in charge and is changed by that person at first use and, thereafter, at least every six months. Where sensitive data and judicial data are processed, the password is changed at least every three months.

39 Requirements set forth by the Technical Attachment for data management (2.2)
Risk Analysis: (19.3) (The Security Policy Document (Documento Programmatico sulla Sicurezza, DPS) must contain) the analysis of the risks to the data;
Backup: (19.4) (The Security Policy Document (DPS) must contain) the measures to be adopted to guarantee the integrity and availability of the data, as well as the protection of the areas and premises relevant to their custody and accessibility
User Profiles: (13) Authorization profiles, for each person in charge of processing or for homogeneous classes of such persons, are identified and configured before processing begins, so as to limit access to only the data needed to carry out the processing operations.
Restore: (19.5) (The Security Policy Document (DPS) must contain) the description of the criteria and procedures for restoring the availability of the data following destruction or damage

40 ISO Requirements
Implementation of ISO Quality System in hospital management has been recommended by the Ministry of Health
The Electronic Case History may be a powerful and fundamental key point of the Quality System provided that the following requirements are met:
Traceability
Clarity
Accuracy
Trustworthiness
Completeness
Implied requirements almost equal to the ones set forth by pharmaceutical regulations

41 Electronic Data for Source Data Verification
Electronic Case History + eSignature, Printed Case History, Paper CRF, Network, Clinical DB (eCRF) + eSignature
Privacy related local laws (DL675/196, DL196/2003)
Ministry of Health Rules
Quality ISO requirements
Only if these requirements are met, Electronic Case History can be used for Source Data Verification

42 Conclusions
Requirements for data managed by Computer Systems are increasing due to the growing use of Computer Systems in the product life cycle
Electronic Case History might be used provided that it meets the provisions set for Regulated Records
The checklist for Computer System Compliance may be used in order to justify the use of Electronic Case History within the Source Data Verification

43 Thanks for your attention. Should you have any questions, feel free to contact me

