Castor complies with all applicable laws and regulations, including ICH E6 Good Clinical Practice (GCP), 21 CFR Part 11, EU Annex 11, General Data Protection Regulation (GDPR), HIPAA (US), ISO 9001 and ISO 27001. By using Castor, researchers are enabled to comply with these laws and regulations. Castor is a validated system, and approved by external auditors.
ICH E6(R1) on Good Clinical Practice (GCP) has been amended to encourage implementation of improved and more efficient approaches to clinical trials design, conduct, oversight, recording and reporting while continuing to ensure human subject protection and reliability of trial results.
Castor achieves compliance through a combination of risk assessment, SOP adherence, and a structured, validated system.
On this page you can read about how we ensure GCP compliance from our side, what is required from the investigator and/or sponsor in order to be GCP compliant, and at the end, we will answer some Frequently Asked Questions about GCP.
In terms of data management, what should you pay attention to?
The sponsor is responsible for the GCP data management requirements. The researcher is required to abide by the rules set by the sponsor. When electronic systems are used for entering research data, the sponsor must make sure that:
1. A “validated” system is being used. This is a system that meets the demands of the sponsor in terms of completeness, accuracy, reliability, and consistent intended performance;
We execute the validation process for our users through manual and automated tests in order to guarantee the validity of the application. Our Software Development Life Cycle ensures that the specified requirements of our software can be consistently fulfilled from design until decommissioning of the systems or transition to a new system. During the system Risk Assessment phase, documentation is completed by the Subject Matter Expert. This document is used to assess the regulatory risks involved with the implementation of the system and/or the needs of the system to comply with GxP and 21 CFR Part 11 requirements.
2. Standard Operating Procedures (SOPs) for the use of the systems are maintained;
The sponsor or researcher is expected to draft these documents in order to demonstrate how the use of Castor EDC is intended. Material made available by us can be used for this purpose (e.g. the workshop, manual, etc).
Castor also ensures the appropriate recording, handling, storing, and archiving of all clinical trial documentation through its own internal procedures and work instructions.
We work together with the sponsors in their activities to assure the quality of the trials through a risk-based approach in Quality Assurance, UAT and the Study Development Lifecycle, in which there is close communication during the study build between the sponsor, CRO, third parties and Castor’s Customer Success Team.
3. All initially entered data and all the changes are saved (audit trail, data trail and edit trail);
Where these items are related to data capture and management, Castor technology supports the sponsor to ensure data quality and integrity through the life of the trial, from startup through close-out.
All actions that can be carried out in Castor are saved in the audit trail. This means all edits and changes in the study structure, data collection, and study management. Data can only be archived, not deleted.
4. There is a security system in place that prevents unauthorised access to the data;
Castor applications enable sponsors and CROs to comply with ICH-E6 (R2) through systems that facilitate process-driven compliance with ICH-E6 (R2).
The study admin invites everyone involved in the study, and gives them proper rights. Every user has their own account and sharing of accounts is not permitted. Strong passwords are enforced, SSL is used to log in, and account information is encrypted. The study admin is in charge of authorising access to data, which always happens on an individual basis, per study. This ensures that study data cannot be accessed by unauthorised people. Our security statement offers more information about the safety of the application and system.
5. A list is maintained of all individuals who are authorised to make data changes;
An up-to-date user rights overview is available in the system, and all alterations of user rights are logged in the audit trail. You can always reconstruct which person possessed which rights when.
6. Data are adequately backed up and can be retrieved;
All changes and data are tracked in the audit trail. This means we can always retrieve what the status of a particular record was at a particular moment in time.
Clients may restore a previous backup of a study from the server if needed. The backup and restore mechanisms are documented in the private infrastructure Business Continuity documentation.
7. The randomisation blinding is safeguarded;
Only users with randomization rights can randomise a patient, and only users with randomization view rights can see which group the patient ended up in.
8. An unambiguous identification code is used for subjects;
Castor creates unambiguous identification codes for patients, which can be defined by the user. IDs are anonymous and unalterable. They can also be automatically generated when a new patient is included.
9. A reason is always indicated when changes are made in a patient’s CRF;
Castor uses the reason for change feature, which makes sure that an explicit reason is provided for each data change.
10. Essential documents for the conduct of a clinical trial.
All clinical trial essential documents are stored in a secure location in electronic, and/or other digital format as dictated by the process under which the document is produced. Clinical Trial Data/Clinical Trial Essential Documents are provided to the sponsor and to the sites at the time of study and after closure. Archival is processed as agreed upon in the contract.
Castor manages retention periods through its “Document management and retention policy”. Clinical Trial documents as defined by ICH-GCP E6 (R2): Good Clinical Practices Consolidated Guideline, FDA’s 21 CFR Part 11, or local/regional regulations are retained throughout the life cycle of the trial.
Technical information about the security and development of our products such as Validation Documents is stored for a minimum of 25 years.
Frequently Asked Questions (FAQs)
To make the various rules and regulations as transparent as possible, we will answer some Frequently Asked Questions (FAQs).
FAQ 1: can personal details be stored ‘with’ medical data?
Officially, these data do not have to be separated, as long as they are properly secured. In principle, Castor EDC does not save personal details. It is the researcher’s responsibility to keep a record of the study IDs linked to personal data. In Castor you can send out surveys through patients’ email addresses, however, these are encrypted before storage, so they are properly protected and inaccessible to unauthorised persons.
FAQ 2: do the data have to be saved ‘within the walls’ of the sponsor or institution?
GCP does not prescribe where data should be stored. What matters most is that the data are properly protected. The Castor EDC servers are managed by ISO 27001 and ISO 9001 certified data centres.
FAQ 3: can a data collection system, which is renewed as often as Castor EDC, continuously meet the GCP validation requirements?
Castor performs QISMS and system audits. Customers who wish to audit Castor to verify compliance with regulatory requirements may contact [email protected].
FAQ 4: can an eCRF be used as a source document?
If the research findings were initially recorded in an eCRF, the eCRF can be used as a source document. A certified copy of the eCRF can be electronically signed and locked by the researcher, including the date, saving researchers from typing the eCRF data in the patient status later.
What if I want more information?
For more information, read the complete GCP guidelines here. We will keep you up to date with the latest changes for researchers on our website.