Validated REDCap

The Women & Children's Health Research Institute maintains a special installation of REDCap in order to support investigators who are performing clinical trials under a Health Canada clinical trials agreement (CTA). This system is not intended for commercial use (commercial sponsors should be using their own systems) but is intended to help academic researchers comply with the GCP requirement to use validated systems.

If you need to know if your study may require a CTA take a look at this page.

What are the implications of using the validated installation?

Users of our Validated Installation should note the following:

Our Approach to Validation

ICH GCP states:

5.5.3 When using electronic trial data handling and/or remote electronic trial data systems, the sponsor should:

(a) Ensure and document that the electronic data processing system(s) conforms to the sponsor’s established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e. validation).

The sponsor should base their approach to validation of such systems on a risk assessment that takes into consideration the intended use of the system and the potential of the system to affect human subject protection and reliability of trial results.

(b) Maintains SOPs for using these systems. The SOPs should cover system setup, installation, and use. The SOPs should describe system validation and functionality testing, data collection and handling, system maintenance, system security measures, change control, data backup, recovery, contingency planning, and decommissioning. The responsibilities of the sponsor, investigator, and other parties with respect to the use of these computerized systems should be clear, and the users should be provided with training in their use.

(c) Ensure that the systems are designed to permit data changes in such a way that the data changes are documented and that there is no deletion of entered data (i.e. maintain an audit trail, data trail, edit trail).

(d) Maintain a security system that prevents unauthorized access to the data.

(e) Maintain a list of the individuals who are authorized to make data changes (see 4.1.5 and 4.9.3).

(f) Maintain adequate backup of the data. (g) Safeguard the blinding, if any (e.g. maintain the blinding during data entry and processing). 

h) Ensure the integrity of the data including any data that describe the context, content, and structure. This is particularly important when making changes to the computerized systems, such as software upgrades or migration of data.

Health Canada may inspect electronic systems during the course of a site inspection in which case the system will be inspected in the context of that clinical trial and the SOPs in use at the site.

WCHRI's approach to validation is to maintain a separate LTS (long term support) installation of REDCap, and to validate it using the testing scripts originally provided by the REDCap Consortium's Regulatory (21 CFR Part 11, HIPAA) and Software Validation Committee and which have subsequently been kept up to date by WCHRI's REDCap team. It is our intention that this is adequate documentation to satisfy the requirements of GCP however, the system has not been inspected and we offer no guarantees. Investigators and institutional sponsors should take steps to ensure that the available documentation meets their requirements.

Project Validation

In addition to validating the REDCap application at the system level, project teams must be able to demonstrate that project configurations meet study requirements. Teams must be able to demonstrate that they have tested the REDCap project and a senior member of the study team has approved the project build. For additional information see our "maintaining compliance" page.

Validation Documentation

The files listed below contain the validation output for the initial installation and each subsequent upgrade.

Validation Documents

System Security

Our privacy policy document contains information relating to application-level privacy and security features.

This document includes additional technical information regarding system security.

21CFR11 Compliance

We are occasionally asked if REDCap is 21CFR11 compliant.

21CFR11 is Title 21, Part 11, of the United States Code of Federal Regulations. It is the Food and Drug Administration (FDA) legislation that sets forth the criteria under which the Agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. There is no Canadian equivalent.

REDCap has the features necessary to serve as the database component of a 21 CFR Part 11 compliant study. However, the software must be placed in an environment with servers, security, personnel, policies, procedures, training, validation and documentation that meet the requirements of Part 11 and the predicate rules for the underlying legislation. At best, REDCap can offer an application containing the required technical requirements of a compliant system but compliance is assessed at the study level. The system cannot be compliant in isolation from the study policies and procedures.

The University of Alberta's validated REDCap installation can be used as a component of a 21CFR11 project, but if compliance is required, it is up to the project team to implement the necessary policy and procedure and to demonstrate compliance.

LTS Release History

The following is a list of REDCap LTS versions that have been installed. Each upgrade was performed in order to bring our installation up to the most recently validated LTS version. In each case this included new functionality, bug fixes and security patches. Installation. upgrades and validation were performed by staff at the Women & Children's Health Research Institute, University of Alberta.