Flex Databases compliance checklist for EMA Guideline on computerised systems and electronic data in clinical trials
March 24, 2023
Early March 2023, EMA has finalised and published the updated Guideline on computerised systems and electronic data in clinical trials. Here’s how we approach compliance to Guideline requirements:
| EMA Guideline | Flex Databases |
| The scope of this guideline is computerised systems, (including instruments, software and ‘as a service’) used in the creation/capture of electronic clinical data and to the control of other processes with the potential to affect participant protection and reliability of trial data, in the conduct of a clinical trial of investigational medicinal products (IMPs). The electronic signature functionality in the closed systems should be proven during system validation to meet the expectations mentioned above. | – Validation package provided – OQ testing ensures full compliance |
| The confidentiality of data that could identify trial participants should be protected, respecting privacy and confidentiality rules in accordance with the applicable regulatory requirement(s). | – Controlled access to the system – User rights depends on their role |
| In accordance with EU data protection legislation, if personal data of trial participants from an EU Member State are processed (at rest or in transit) or transferred to a third country or international organisation, such data transfer must comply with applicable Union data protection. | GDPR compliance documented and proven |
| Computerised systems used within a clinical trial should be subject to processes that confirm that the specified requirements of a computerised system are consistently fulfilled, and that the system is fit for purpose. Validation should ensure accuracy, reliability, and consistent intended performance, from the design until the decommissioning of the system or transition to a new system | Lots of audits passed, validation packages supported our Clients during their inspections |
| Each individual involved in conducting a clinical trial should be qualified by education, training, and experience to perform their respective task(s). This also applies to training on computerised systems. Systems and training should be designed to meet the specific needs of the system users (e.g. sponsor, investigator or service provider). Special consideration should be given to the training of trial participants when they are users | – Our employees are trained in the applicable regulations. Training files are audit-ready – Our Clients (end-users) receive the training in the system – Current version of user manual is always available in the system |
| To maintain data integrity and the protection of the rights of trial participants, computerised systems used in clinical trials should have security processes and features to prevent unauthorised access and unwarranted data changes and should maintain blinding of the treatment allocation where applicable. | IT Security is our main priority. The Flex Databases applications do not just provide the end-users with the ability to access data, the system controls all security parameters of each system’s user according to the client-specific model. Architecture relies on a centralized authentication and authorization security framework to control access to services. Passwords are to be complicated and fulfill a number of requirements, including number and type or of symbols. |
| An audit trail should be enabled for the original creation and subsequent modification of all electronic data. In computerised systems, the audit trail should be secure, computer generated and timestamped. | – Audit trail captures information about all actions in the system – Is available for review |
| Data stored in a computerised system are susceptible to system malfunction, intended or unintended attempts to alter or destroy data and physical destruction of media and infrastructure and are therefore at risk of loss. Data and configurations should be regularly backed up | To maintain a robust disaster recovery strategy, backups are retained at separate Flex Databases data centers at a geographically different location within the same region as the primary data center, with the same level of physical and infrastructure security described above, to maintain a robust disaster recovery strategy. All backups are encrypted-in-transit to the separate data center and are encrypted-at-rest while stored at that location. |
| In the course of the design or purchase of a new system and of subsequent data migration from an old system, validation of the data migration process should have no less focus than the validation of the system itself. The validation of data migration should take into consideration the complexity of the task and any foreseen possibilities that may exist to verify the migrated data (e.g. checksum, case counts, quality control of records). | We have the data migration workflow and the standard documents that are prepared before, during and after the data migration, providing evidence of testing. The flow is agreed with the Client |
| After the finalisation of the trial, database(s) might be decommissioned. | Our standard process of system decommissioning allows us to provide all the necessary data and documents to the Client, including the audit trails and metadata |
To read the full guideline, click
