GCP, CFR21 Part 11, and HIPAA Compliance Statement

Revision 4.0 - updated December 11th, 2018


SMART-TRIAL is developed to be used in medical research, which involves both clinical professionals, technical staff, and research subjects. To ensure all users of SMART-TRIAL that good clinical practice can be complied with by using the system, efforts have been implemented. This statement clarifies the specific measures which have been implemented in SMART-TRIAL.


This document applies to the usage of SMART-TRIAL in clinical research practice. Mainly, staff responsible for GCP, regulatory affairs, or QA for organisations that have either implemented, or are to implement SMART-TRIAL as a clinical research data collection tool. The information provided here within, are to assist organisations which are using SMART-TRIAL, to comply with GCP, and other international or country-specific standards and regulations - such as those from EU, FDA CFR-21 Part-11, HIPAA, etc.


  1. Security Statement
  2. 15005-ST-0021 SOP for using SMART-TRIAL

GCP Statement

1. Standard Operating Procedures

All users/customers of SMART-TRIAL can request access to a template for a standard operating procedure (SOP) template which shall assist study stakeholders to adhere to GCP. This template contains all procedures required by users to ensure GCP is fulfilled when using SMART-TRIAL to collect data.

2. Security and Backup Notice

It shall be noted that all aspects of security, quality control, hosting services, and backup procedures have already been described in [1] and are publicly available via [2] or by request from MEDEI ApS.

3. Audit Log/Trail

A full audit log (audit trail) is recorded and stored for every action within a specific project in SMART-TRIAL, i.e. viewing, creating, updating, deleting. Project owners, or those allowed access to the audit log, are able to both review these actions, specific attribute changes (e.g. subject information, or any form answers) and export the complete log.

4. Reason for Change and Reason for Exclusion

When a change is made to a form answer, a reason for change must be clarified by the editor. When a patient is excluded or discontinued, a reason must be defined by a user.

5. GCP Monitor Review Module

SMART-TRIAL has a special read-only module which can be used by monitors to review data in a simple yet structured manner. Monitors can gain access to both data collected by subjects and investigators, while also being able to review AE/SAE/SAR forms, audit logs, etc.

6. Query Feature

Users with specific query permissions, can create queries on individual form answers. This allows users to correct values/answers according to query comments etc. Notifications to queries are sent to users who are responsible for completing the query.

7. Direct Validation of Data

All input fields have dynamic input validation. Forms have both pre-defined input validation as well as user-specific validation. This means that subjects or users who are to fill out forms, are not able to complete input without complying to the form specific input rules.
This ensures that answers to forms are not only within the correct range, but guides participants in answering the forms as well.

8. Two-Factor Authorization

All users which might or might not have access to subject information, answers, or project design, can only log into SMART-TRIAL using two factor authentications. The system requires all users to authenticate with a strong password, a unique username, and unique one-time code sent to their mobile number. See more information about authentication and authorization in [1].

9. Subject Authentication

SMART-TRIAL supports individual subject authentication. The system ensures that all subjects receive unique links to the subject’s private e-mail address or mobile number, for an individual subject form response. In addition, the system also supports unique SMS code authentication with subjects for every unique response link – if requested, subjects will receive a unique code via SMS or e-mail which is required to complete their form response. This should ensure that all users authenticated within the system are indeed the owner of the user profile being used.

10. Permission Based Access

All access within a project is permission based. A project owner is responsible for defining which permissions other collaborating users have within a study. For every collaborator added to the study a set of permissions must be enabled/disabled. This should allow study owners to specify in detail what information/actions each study collaborator will have access to.

11. Adverse Event (AE or SAE) and Serious Adverse Reaction Reports

SMART-TRIAL supports full reporting for adverse event, serious adverse event, and serious adverse reaction reports. A collaborator will automatically receive a notification if a serious adverse event is registered. All users can submit an adverse event report. However, specific investigator permissions are required to fill out information requiring clinical evaluation, medical history, medication etc.

12. Automatic Subject Reminders

To improve compliance, automatic e-mail and SMS reminders can be specified for all data events. SMART-TRIAL will then handle sending out reminders to all subjects at specific time points defined by the process design.

13. Access to Raw Data

Project owners, or collaborators with sufficient permission, do always have access to a full raw dataset from a project. This means that at any time all form and subject data can be exported from the system. Export of a complete raw data set requires all users to input unique two factor SMS code before gaining access to the function.

14. Electronic Signature

Enterprise customers of SMART-TRIAL can choose to implement an electronic signature support for their project. This should allow collaborators to sign forms, or other critical actions within the system by providing their signature via password authentication.

15. System Validation and Verification

As noted in [1] and [2] SMART-TRIAL is developed in coherence with the IEC 62304 and 82304 medical device and health software standards. This means that SMART-TRIAL is a fully documented medical device software system, and has been validated and verified. This means that SMART-TRIAL clients do not have to perform any validation on the software. If required for regulatory purposes, enterprise customers can request a copy of the quality assurance declaration for SMART-TRIAL.

16. Answer Notes

Users responsible for inputting data into forms (eCRFs) can input custom notes for individual answers if required to clarify missing data or misleading answers.

17. User Acceptance Test (UAT)

SMART-TRIAL clients are responsible for performing and documenting UAT of their study setup in SMART-TRIAL. This can easily be done by testing the study setup by pressing "Test Study" in SMART-TRIAL. This enables study managers to test the study, just like in production, by enrolling up to 5 subjects.

Are we missing something?

If you have any questions regarding GCP, compliance, technical documentation, validation, or SOPs, you are always welcome to contact us via support