Access control in Clinical Trials
1. QED Clinical Services
The Learning House, Winterhill, Snowdon drive, Milton Keynes – MK6 1BP, United Kingdom
www.qed-clinical.com
Regardless of advances in the technologies and procedures for using computerised
systems effectively in clinical trials, regulatory agencies continue to focus primarily on data
integrity and on assessing organizational objectives for using computerised systems effectively
to avoid data integrity breaches.
The US Food and Drug Agency (FDA) 21 CFR part 11 requires stringent procedures
to ensure secure access to computerised systems:
11.10 Controls for closed systems.
(d) Limiting system access to authorized individuals.
Also, Guidance for Industry - Computerized Systems Used in Clinical Investigations states –
We recommend that each user of the system have an individual account. The user
should log into that account at the beginning of a data entry session, input information
(including changes) on the electronic record, and log out at the completion of data entry
session.
In order to comply with 21 CFR part 11 standards, apart from the technical controls for
computerised systems meeting all stated regulatory requirements, there should be procedural
controls, defined and followed appropriately in the organization.
Here are a few thoughts on access control for computerised systems in
clinical trials:
1. Access control procedures should be appropriately defined in organizational
Standard Operating Procedures (SOPs). In most companies, access control permissions
are managed by administrators; however, SOPs should define the procedure authorising
administrators to perform access changes. Administrators should be able to make the
access changes based on requests from an authorised person as mentioned in the SOPs.
Example of nonconformity:
“The organization does not have written procedures defining how the access will be
granted and revoked by the administrator and the administrator grants/revokes access
without authorisation from the appropriate authorised person”
2. Access control should be defined at multiple levels, i.e. network level access, application
level access, project level access etc. There should be written procedures/instructions to
define the access level for all users, including the highest level access definition of each
activity that a user is allowed or restricted to perform using the computerised system in
the clinical trial. The documentation pertaining to access control should be maintained
and produced at the time of audits and inspections.
Example of nonconformity:
“The organization has written procedures to define the access control at network and
application level, however the user is able to access multiple projects as further control on
access at project level is not applied”
3. Role based access should be defined within applications and documented, e.g.
when a group of users is created, all users of the group should have the same
access privileges. E.g. all data managers should have the same level of access in the
group. If one data manager of the group requires some additional access, a new
group should be created to include all users of that group.
Example of nonconformity:
“The organization has two users of the same group with different access privileges.”
4. Users should be trained and sensitised to keep their login credentials secure and, in
case the password is compromised, they should reset the password OR should
immediately notify the administrator to disable the password. There should be written
procedures to ensure that when the user leaves the organization or the project, all
applicable accesses are removed for the user.
Example of nonconformity:
“The data manager from a centralized data centre calls an investigator site to discuss
the data discrepancy and realizes that the coordinator had left the clinical site and the
new coordinator has been using the login credentials of the previous coordinator”
5. Procedures should be defined for users to change their passwords at defined
intervals. A password policy should be defined requiring users to have a complex
password, e.g. minimum 7 characters, a combination of alpha-numeric and a special
character, password not previously used etc. Users should be asked to re-enter the
password if the system is idle for a certain period of time.
Example of nonconformity:
“The user leaves the system unlocked while going for a meeting and the other
person can access the user account as the system is not automatically locked when
the user is away”
Final Thoughts:
During audits and inspections, the access control mechanism imposed by the
organization will be reviewed meticulously. It is therefore very important to define the
SOPs for access control at the various levels explained above, follow them
appropriately, maintain the documentation and audit trail of all access changes and
review the access control mechanism periodically to ensure the integrity of clinical trial data.
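An added example, not part of the original article: a minimal periodic access review in Python that checks a constructed access export for the nonconformities described in points 1 to 4 above. All field names, user names and project identifiers are assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sample export (hypothetical field names), not real trial data.
ACCOUNTS = [
    {"user": "dm_anna", "group": "data_manager", "privileges": {"read", "query"},
     "projects": {"TRIAL-A"}, "active": True, "left_on": None},
    {"user": "dm_ben", "group": "data_manager", "privileges": {"read", "query", "lock"},
     "projects": {"TRIAL-A", "TRIAL-B"}, "active": True, "left_on": None},
    {"user": "crc_old", "group": "site_coordinator", "privileges": {"read", "entry"},
     "projects": {"TRIAL-A"}, "active": True, "left_on": "2024-03-01"},
]
# Documented project assignments and the access-change log (both constructed).
ASSIGNED = {"dm_anna": {"TRIAL-A"}, "dm_ben": {"TRIAL-A"}, "crc_old": {"TRIAL-A"}}
CHANGES = [
    {"user": "dm_ben", "action": "grant", "approved_by": None},
    {"user": "dm_anna", "action": "grant", "approved_by": "study_lead"},
]
AUTHORISERS = {"study_lead"}  # persons the SOP names as able to approve changes


def review(accounts, assigned, changes, authorisers):
    """Return a sorted list of (finding, subject) tuples."""
    findings = set()
    by_group = defaultdict(set)
    for a in accounts:
        by_group[a["group"]].add(frozenset(a["privileges"]))
        # Point 4: access must be removed when the user leaves.
        if a["active"] and a["left_on"]:
            findings.add(("active_after_leaving", a["user"]))
        # Point 2: project-level access beyond the documented assignment.
        extra = a["projects"] - assigned.get(a["user"], set())
        for p in sorted(extra):
            findings.add(("unassigned_project", f'{a["user"]}:{p}'))
    # Point 3: every member of a group must hold the same privileges.
    for group, privsets in by_group.items():
        if len(privsets) > 1:
            findings.add(("group_privilege_mismatch", group))
    # Point 1: each access change needs an authorised person on record.
    for c in changes:
        if c["approved_by"] not in authorisers:
            findings.add(("unauthorised_change", c["user"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in review(ACCOUNTS, ASSIGNED, CHANGES, AUTHORISERS):
        print(f"{finding}: {subject}")
```

Running the review on a schedule and filing its output with the access documentation gives auditors evidence that the periodic review took place.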
Contact Author:
Gajendrasinh Chanchu
Senior Manager Data Operations
Tel: +91 79 4032 4300 | Fax: +91 79 4032 4301
E-mail: gchanchu@qed-clinical.com
Quality, Efficiency: Delivered