Good Clinical Practice in Castor EDC
Castor EDC was externally audited by Trevalco in November 2017, for GCP compliance. In order to help researchers determine how GCP regulations operate, we provide an outline of the regulations and which organisations are involved. Further, explaining the requirements the implications of data management for the researcher. Interested in the background of GCP? Read about it on the International Conference on Harmonisation (ICH) website.
When does your study have to meet GCP criteria?
Strictly speaking, only intervention studies in which medicine is administered must meet GCP criteria. Regardless, it is advisable to follow GCP guidelines for all intervention studies. The GCP guidelines are applicable to the sponsor and the executing researcher.
In terms of data management, what should you pay attention to?
The sponsor is in charge for the GCP data management requirements. The researcher is required to abide by the rules set by the sponsor. When electronic systems are being used for entering research data, the sponsor must make sure that:
1. A “validated” system is being used. This is a system that meets the demands of the sponsor in terms of completeness, accuracy, reliability, and consistent intended performance:
We execute the validation process for our users through manual and automated tests in order to guarantee the validity and performance of the application. Our quality checks have been audited and certified by an external auditor (Trevalco).
2. Standard Operating Procedures (SOPs) for the use of the systems are maintained:
The sponsor or researcher is expected to draft these documents to provide instruction on the intended use of Castor EDC. Material made available by Castor can be used for this purpose e.g. the online workshop, manual, etc.
3. All entered data and any subsequent changes are saved (audit trail, data trail and edit trail):
All actions that can be carried out in Castor are documented in the audit trail. This includes edits and changes in the study structure, data collection, and study management. Data can only be archived, never deleted.
4. There is a security system in place that prevents unauthorised access to the data:
The study admin invites everyone involved in the study, and gives them proper rights. Every user has their own account and account sharing is not permitted. Strong passwords are enforced, SSL is used to log in, and account information is encrypted. The study admin is responsible for authorising access to data, which is always set on an individual basis, per institute. This ensures that study data cannot be accessed by unauthorised people. Our security statement offers more information about the safety of the application and system.
5. A list is maintained of all individuals who are authorised to make data changes:
A current user rights overview is available in the system, and all alterations of user rights are logged in the audit trail. You can always reconstruct the rights assigned to each user at any timepoint.
6. Data are adequately backed up and can be retrieved from the archive:
All changes and data are documented in the audit trail. This means we can always retrieve what the status of a particular record was at a particular moment in time.
7. The randomization blinding is safeguarded:
Only users with randomization rights can randomize a patient, and only users with randomization view rights can see which group the patient ended up in.
8. An unambiguous identification code is used for subjects:
Castor creates unambiguous identification codes for patients, the format of which can be defined by the user. IDs are anonymous and unalterable. They can also be automatically generated when a new patient is included.
9. A reason is always indicated when changes are made in a patient’s CRF:
Users can enable the 'confirm change' feature, which makes sure that an explicit reason is provided for each data change.
10. The data is stored for at least 25 years (depending on local laws).
Our policy is to always match relevant, local regulations. In this case, the new Clinical Trial Regulation will require the Clinical Trial Master File to be stored for 25 years. Castor will ensure that we support storage of data (including the original audit trail) for that time period unless our customers explicitly do not require us to (as they might archive it elsewhere).
TRUE Datacenter where Castor’s data is stored in the Netherlands
Frequently Asked Questions (FAQs)
Many research institutions have other rules besides the GCP guidelines. Moreover, it is not always entirely clear what GCP means and what its consequences are for data management. To make the various rules and regulations as transparent as possible, some Frequently Asked Questions (FAQs) are addressed below.
FAQ 1: can personal details be stored 'with' medical data?
There is no requirement to separate medical and personal data, as long as they are properly secured. In principal, Castor EDC advises against the storage of personal details. It is the researcher’s responsibility to keep a record of the study IDs linked to personal data. In Castor, you can send surveys to patients via their provided email address. The email addresses are encrypted before storage, so they are properly protected and are not accessible to unauthorised persons.
FAQ 2: do the data have to be saved ‘within the walls’ of the institution?
GCP does not prescribe where data should be stored. Most importantly is that the data are properly protected. The Castor EDC servers are managed by ISO 27001 and ISO 9001 certified data centres. If your institution requires data to be stored onsite at the research institute, contact us with your requirements to discuss setting this up.
FAQ 3: can a data collection system, which is renewed as often as Castor EDC, continuously meet the GCP validation requirements?
The sponsor does not need to validate every updated version of an electronic system. However, the sponsor must be satisfied with the supplier’s quality processes. Trevalco has audited Castor for GCP, and verified that all applicable processes are in order. We perform the validation for our users, using both manual and automated tests.
FAQ 4: can an eCRF be used as a source document?
If the research findings were initially recorded in an eCRF, the eCRF can be used as source document. A certified copy of the eCRF can be electronically signed and locked by the researcher, including the date, saving researchers from typing the eCRF data in the patient status later.
What if I want more information?
For more information, read the complete GCP guidelines here. We will keep you up to date with the latest changes for researchers on our website.