REDCap (Research Electronic Data Capture) Part 11 Process & Training

DISCLAIMER: This webpage is provided as a guideline for the Boston University and Boston Medical Center research community and is specific to the BU REDCap instance.

REDCap (Research Electronic Data Capture) is a secure web-based application for electronic data capture (EDC) and data management. REDCap was created at Vanderbilt University and is primarily used for research and quality improvement studies. REDCap is a BU-reviewed and cleared application and is HIPAA-compliant for both BU and BMC.

BU offers step-by-step guidance on how to build your e-consent in REDCap from the IRB-approved stamped consent form.

Learn More

If you are conducting a drug or device study under an IND/IDE or plan to submit your data to FDA, and you are seeking to use BU REDCap for any data collection, including e-consent, you must comply with FDA 21 CFR Part 11 requirements for electronic records and signaturesAn FDA 21 CFR Part 11 compliant system requires two components: 1) technical software specifications, procedures, and documentation as described in the Part 11 regulations, and 2) essential processes, such as procedures, training, validation, and documentation that are put in place at the project level, by the clinical investigation team, to meet Part 11 requirements.

In addition to REDCap’s built-in features (e.g., audit trails, user authentication, and user access control), a BU REDCap validation master plan, security controls, and procedures have been implemented at the system level to address the technical component requirements. The BU REDCap server has security features required to allow the system to collect, process, and store data classified as Restricted Use. We have also established regulation-compliant policies and procedures specific to the BU instance of REDCap for BU and BMC clinical investigation teams to follow throughout their project-specific validation process and REDCap project life cycle. The clinical investigation team must implement these policies and templates to meet FDA Part 11 compliance requirements when using REDCap for FDA-regulated research.

Here is an overview of the process the clinical investigation team must follow:

  1. First, the PI or lead clinical investigation team member will need to submit the BU REDCap Part 11 Request Form. This is a simple REDCap form to request access to the REDCap Part 11 process and list clinical investigation team members who will need access to REDCap. It should just be submitted once per project.
  2. Once submitted, a ServiceNow ticket will be generated, alerting the REDCap administrator to invite the listed team members to complete the BU REDCap Part 11 Training Modules.
    • The PI and research team members whose roles include accessing REDCap will need to complete these training modules.
    • The PI will attest to compliance to BU REDCap Part 11 training and requirements for all team members who will access REDCap in their delegated roles.
  3. These BU-specific REDCap Part 11 training modules walk each team member through the applicable Part 11 regulations, what actions are required to comply with each regulation, and best practices for REDCap database and user access management. Some examples of clinical investigator responsibilities include identity verification, change management, and record retention.
    • Estimated training duration is 80 minutes, based on the current completion average.
  4. Once the clinical investigation team members attest to reviewing all modules, a BU REDCap Part 11 team member will share a SharePoint link to a restricted project folder to designated team members. This SharePoint project folder will contain the templates the clinical investigation team is required to complete for validation and the User Access Management SOP. The BU REDCap Part 11 team may add helpful documents to the project folder as needed. Updated templates will be placed in the SharePoint project folder if revisions are implemented. These required templates include:
    • Project Specifications template
    • Project Test Plan template
    • Test Case template
    • e-Consent Operation & Testing (if applicable)
  5. Designated members of the clinical investigation team will build and validate their REDCap project database in concurrence with customizing the templates listed above and following established policies and procedures.
  6. Designated members of the clinical investigation team will sign completed templates, including a validation summary report, stating that their REDCap project database is functioning as intended and is ready for use. These signed templates should then be uploaded to the SharePoint project folder.
    • As part of change management, new template versions should be uploaded to the project folder after any project database revisions are made throughout the project life cycle.
  7. The clinical investigation team will move their REDCap project database into production and start real data collection.
  8. The PI or project administrator will ensure new team members complete the REDCap Part 11 training and manage the appropriate access to REDCap and SharePoint for onboarding/offboarding team members. Designated team members may submit requests to revoke REDCap and SharePoint site access or change the PI via the REDCap Part 11 request form (step 1).
  9. The clinical investigation team will maintain a change management document to track changes made to their REDCap project database and execute new test cases for the implemented changes. Updated test results should be documented in this change management documentation.
  10. The BU REDCap Application Service plans for two major upgrades per year, with minor upgrades as needed to address security issues and critical bugs.
    • An upgrade and change log notification will be posted on the BU REDCap homepage.
    • Clinical investigation teams will have the opportunity to determine if the pending update impacts their project workflow and perform User Acceptance Testing (UAT) on their project database.
    • Clinical investigation teams with a live FDA-regulated REDCap project will be able to test their project database in the updated version released on the REDCap DEV Testing instance at least two weeks before updating the REDCap Production instance, pending security criticality.
    • Confirmation of test completion for FDA-regulated studies will be required from the clinical investigation team.
  11. The clinical investigation team should follow their data/record retention protocol and REDCap project closure procedures.

This process applies to each REDCap FDA-regulated project.

To get started, complete the BU REDCap Part 11 Request Form. For information regarding BU REDCap user access and support, please email REDCap support at

BU REDCap Part 11 Team

David Corbett (Data Security), BUMC Information Security Officer, BUMC Information Security
Tasha Coughlin (REDCap Application Administration), Research & Instructional Applications Manager, BU Medical Campus Information Technology (BUMC IT)
Mary-Tara Roth (Regulatory), Director, Clinical Research Resources Office (CRRO)

Information For...

Back to Top