Viedoc Technical Description

  • Published by Viedoc System 2024-01-12
  • Print

Overview

Purpose

The primary purpose of Viedoc is to collect research data from research sites in a clinical trial. In addition to data collection, Viedoc contains several supporting features used to perform data verification, site monitoring, randomization, supply management, medical coding, adverse event reporting, user training, and certification.

Customer

The customer can either be a so-called sponsor—the financer of the project—or a subcontractor of the project sponsor. A sponsor is typically a pharmaceutical company, a biotechnology or medical device company, or an academic institution. A subcontractor is typically a Contract Research Organization (CRO).

Users

The users of Viedoc include a diverse set of actors: personnel at Viedoc Technologies, personnel at the sponsor, personnel at the CRO personnel at the research sites or laboratories, research subjects, customer auditors, regulatory inspectors, and the sponsor contracted experts in various research areas.

Delivery

Viedoc is a Software-as-a-Service (SaaS) solution delivered using a multi-tenant model deployed on the Microsoft Azure platform with one instance in each of the three regions US, Europe, Japan, and mainland China. All operations are performed by an in-house operations team that uses a mix of Microsoft Azure IaaS and PaaS components.

Customization

All customers are offered all features of the platform—only to be restricted by the license purchased. There are no customer-specific requirements built into the platform. All customization required for the platform to suite the clinical trial protocol and project-specific procedures is performed by run-time configuration using the designer and administrative tools, both available to, and controlled by, the customer or its third-party affiliates.

Development

Viedoc is designed and developed in-house using an agile methodology (SCRUM) that Viedoc Technologies have extended with the risk-based approaches and documentation requirements defined by GAMP5. We use the Microsoft platform for development tools and frameworks, Oracle MySQL, and Redis as databases and several third-party libraries.

Quality and Information Security

Viedoc Technologies have an integrated management system for quality (QMS) and information security (ISMS) with a scope that includes all aspects of the business, including product management, development, and operations.

Requirements

Genericity

The general architecture of Viedoc is not comprised of any customer-specific requirements and new features are offered to all customers. Every feature request is treated as a possible system enhancement and is prioritized accordingly. Viedoc is designed to be used world-wide without restrictions on encoding of collected data which is stored in Unicode. The user-interface of Viedoc Clinic, Admin and Designer is currently translated into eight languages, and ViedocMe to 30 languages (of which one with right-to-left script). All system timestamps are stored in UTC but are translated and presented to users in their local time when time-zone information is applicable and available. All common combinations of devices, operating systems and web-browsers are tested for and supported according to our Service-Level-Agreement (SLA).

Maintainability

To provide a cost-efficient product that is always up to date with the rapidly changing information security landscape, we do not fork or freeze the product codebase for specific instances. Instead, new versions are pushed out to all instances and thus only one codebase is maintained. This in turn requires the product to always be backwards compatible. All new, and changes to existing, features, and in some cases even changes to GUI, are opt-in through settings on a project level.

Traceability

All features that directly or indirectly have an impact on customer data are captured in an immutable audit-trail. Key decision and approval steps are recorded using electronic signatures.

Information security

Fancy features galore, but Viedoc at core is about confidentiality, integrity and availability of clinical data. We strive to always deliver secure-by-design features and to foster a security-aware company culture. Data isolation is by design through a role-based permission system. Roles are highly configurable to enable a project that follows the principle of least privilege. Encryption is applied both in-transit and at-rest. Multi-factor-authentication can be enforced on project level but can also be enabled at-will on user-level. Viedoc features encourages a delegated access management approach which makes recognizing incorrect/outdated access authorization possible.

Privacy

Viedoc complies with GDPR, HIPAA, APPI and GB/T 35273-2017 legislations. User enrollment is opt-in at all levels and there is a sophisticated self-service decommissioning feature to remove your own personal data (user account) and your project data (customer clinical data). We strive to always deliver features that have privacy-by-design.

Regulations

In addition to Good Clinical Practice (GCP), and in particular that Viedoc features must enable work according to GCP to be relevant, and FDA 21 CFR part 11 that set the baseline for electronic signatures, audit-trail, and information security in electronic records, there are a number of industry regulations that Viedoc must adhere to. The most prominent being the following:

  • CSUCI
  • FDA eSource Guidance
  • EMA eSource Reflection Paper
  • GMP Annex 11
  • Japanese ERES Guideline and EDC Guidance.

Standards

Viedoc has a special allegiance to the industry standards consortium CDISC, and its ODM and SDM standards in particular. Development procedures are evolved from GAMP5.

Architecture

Functional

Viedoc is an e-clinical suite comprised of seven main functional areas: Viedoc Clinic, Viedoc Admin, Viedoc Designer, Viedoc Me, Viedoc Connect, Viedoc Logistics, Vieodc Reports, and Viedoc eTMF. The functionality of each area is summarized here:

  • Viedoc Clinic (including Medical Coding, Randomization, Viedoc Connect, and the API) is essentially the eCRF where the actual study work is being performed. This is the end-user endpoint for data collection, data verification, monitoring, adverse event reporting, user training and certification, and so on.
  • Viedoc Admin is as the name suggests the administrative endpoint where the Study Manager is able to have full control over the study and manage sites and users. This is where new studies are created, settings are configured including what study designs to be in effect when, sites are created, accounts and permissions are provisioned and de-provisioned, and finally where the study is decommissioned.
  • Viedoc Designer is the customization endpoint where certified Viedoc designers configure their studies. It includes ready-to-use templates and no prior programming skills are required to create professional input fields and questionnaires tailored to your study. New studies are easy to set up with drag-and-drop technology and the templates add simplicity for reusing forms (assessments).
  • Viedoc Me is the ePRO and fully integrated part of Clinic. It is a bring-your-own-device solution, meaning that the subjects can use their own smartphone, tablet, or computer and need nothing more than an internet connection to input their required diary information and report events. Viedoc Me makes it is easier for the subjects to comply with the study and Investigators can review their compliance in real-time. Sites no longer have to enter data manually from paper diaries.
  • Viedoc Connect is an application in Viedoc eClinical suite that enables meetings between Clinic and Viedoc Me users through video calls. Site staff can conduct visits and make follow up calls with the subjects remotely. The video calls are started from Clinic, once the call is initiated/ongoing from Clinic, subjects can join the video call through the Viedoc Connect module available in Viedoc Me. Viedoc Connect offers flexibility during the call for both Clinic and subjects. Clinic users can navigate to other pages and/or studies during a call, and subjects can navigate within Viedoc Me and also submit data during the call.
  • Viedoc Logistics is the Trial Supply Management system, fully integrated with randomization and advanced allocation, designed to optimize and secure the inventory of your trial. The feature gives real-time visibility of allocated IP in Clinic as well as alert settings when supply is running low. Our customers no longer need to use outdated IWRS or separate logistics tools. Everything happens in Viedoc.
  • Viedoc Reports is a fully integrated application for viewing and analyzing study progress and performance. Viedoc Reports allows you to easily browse your data and illustrate it in reports and graphs. The data is collected from your Viedoc study according to your design, and the information is updated every 24 hours.
  • Viedoc eTMF is a digital repository for capturing, managing, sharing, and storing essential documents for your clinical trial. Viedoc eTMF is based on the TMF Reference Model by the Drug Information Association (DIA). The TMF Reference Model categorizes documents in zones, sections, and artifacts in a hierarchical structure and includes documents in all different phases of a clinical trial.

Features in Admin and Designer are depending on fixed system roles such as Organization Manager, Study Manager, Site Manager, Study designer, and so on, whereas Clinic and Logistics depends on and appears as designed by the custom roles created in Designer and then deployed in Admin.

Getting started with Viedoc

The following figure describes the workflow of getting started with a study:

Use of multiple project designs

Multiple project designs can be in effect simultaneously for the same project, even for the same research subject, depending on data collection timepoint, which in its unique implementation and execution is one of the more competitive features of Viedoc:

Principles

The Viedoc architectural principles are

  • Security-by-design

  • Traceability and accountability

  • Privacy-by-design

  • Standards-focused and integration-friendly

  • Domain-driven

  • Stateless, scalable and responsive

Security

The role-based permission system, in combination with multi-factor authentication, and sophisticated system for delegated provisioning / deprovisioning of user access, is the core of Viedoc information security and supports the principle of least privilege.

In addition to encryption-measures in operations environment (only encrypted endpoints served, encryption-at-rest on disk), encryption-in-transit is enforced through strict-transport-security headers for public endpoints, and sensitive data is encrypted-at-rest in database. The system is also designed to use encryption-in-transit internally between sub-systems.

Viedoc data communication between client and public endpoint is tuned to standards which in turn allows web-application-firewalls to inspect all traffic in prevent mode. Content delivery networks (CDN) are not used - all content and client-side code libraries are distributed directly from Viedoc servers, which is also enforced through content-security-policy headers, to ensure authenticity and prevent man-in-the-middle tampering.

Binary uploads inside the system, where allowed through features, are scanned for malicious code inside a sandbox to prevent accidental distribution of malware through Viedoc.

Standards

Viedoc shall set new standards through innovation, though existing satisfactory standards shall be followed and not reinvented. The internal object model is derived from the industry standard CDISC ODM with SDM extensions. Several defacto standards for the industry, for example MedDRA, WHO-DRUG and IDF for medical coding, are supported and where applicable, certified.

Integrations

The EDC-system is a natural hub for activities in the highly data-driven execution phase of the projects of our clients. Viedoc currently have two APIs that allow for integration: one for individual research subject-oriented activities and one for all other integrations with emphasis on input and output of data. The service-oriented architecture allows for adding new integration interfaces with low effort.

Dataflow

Viedoc exposes three types of public, all encrypted, HTTP-protocol endpoints:

1. ViedocMe uses a Single-Page Application (SPA) approach that communicates with a public WebAPI.

2. The mainstream API which is a structured Windows Communication Foundation (WCF) endpoint.

3. Clinic/Admin/Designer which is a traditional (MVC) web endpoint.

From these endpoints, data flows through the following logical layers:

System

The system is implemented using a domain-driven approach on the Microsoft .NET framework. The primary programming languages are C# and JavaScript.

The architectural style is a combination of Web-Queue-Worker architecture and Microservices architecture.

Viedoc is stateless which contributes to scalability on cloud infrastructure. Data is denormalized where suitable for responsiveness.

* for session management and worker task scheduling
** for file CRF binary uploads and investigator contemporaneous independent CRF copies (PDF)

Development

History

The development of Viedoc version 4 started in 2012. This was a complete reboot of the first generation of the platform, now referred to as Viedoc version 3, of which development started in 2003. This rewrite-from-scratch was initiated for a few reasons:

  • Change of both company focus and business model

  • Change of the technology landscape

  • Need for better scalability both in development and product performance

  • Need for stronger focus on security and privacy

Methodology

Viedoc is developed using an agile development methodology called SCRUM. The methodology is followed quite strictly but slightly evolved to become risk-based and with added documentation requirements derived from GAMP5. This methodology minimize risk of impact from incorrect interpretation of requirements, keeps prioritization up to date through continuous feedback and produces a secure product that is fit-for-use through continuous review.

Procedure

The development operations are mature and highly effective. Working procedures are formalized in Standard Operating Procedures (SOP). All features and changes to the product are thoroughly documented and stored along with source code in Team Foundation Server. The sprint-length is three weeks and every other sprint produces a release-candidate.

Release and deployment

Release and deployment procedures are documented as SOP and is a collaboration between the Product Management team and the Operations team, with a strict separation of duties. The procedures are risk-based and evolved from GAMP5, with a traditional qualification process using Installation Qualification (IQ), Operational Qualification (OQ) and Performance Qualification (PQ).

There is no interruption to service during deployment.

Operations

Infrastructure

A mix of Microsoft Azure services (application gateway, storage, MySQL, and Redis databases) and Microsoft Windows VM:s (application, worker/task-runner) are used to operate Viedoc. All services / components are redundant.

Localization

The four instances,USA, Europe, Japan, and mainland China, are served out of two Microsoft Azure regions each. These locations are chosen for connectivity and privacy regulation purposes. The European instance uses France Central (Paris) and France South (Marseille), the Japanese instance uses Japan East (Tokyo) and Japan West (Osaka), the USA instance uses Central US (Iowa) and East US (Virginia), and the mainland China instance uses China North (Beijing) and China South (Shanghai).

Security

Anti-virus and Anti-malware signatures are updated in real-time as released by vendor.

Web application firewalls are configured with OWASP 3.0 rules in prevent mode. All network segments are protected with firewalls that have block-all by default and only allow whitelisted traffic.

Only encrypted endpoints are exposed. All data is encrypted-at-rest.

The principle of least privilege is exercised within the operations team. Multi-factor-authentication is mandatory for administrative actions and all activity is audited.

There is a daily review of security bulletins. Internal vulnerability scanning tools are used that provide input for patching and updates.

A third party provided Penetration as a Service is used for continuous automatic testing of Viedoc applications. Each finding is then manually re-tested and confirmed by the third-party security team and presented to Viedoc’s security team.

In addition to that, 4 times per year the third-party provider executes a more robust application penetration testing.

All externally exposed assets/IPs are subject to weekly security scanning that creates the external footprint report.

A security meeting is held once a month to discuss the current security landscape and review the past month's activity and the plans for the upcoming month.

As needed, we also perform ad-hoc penetration testing in case of big changes in infrastructure or in the application.

Backup

Backups are taken, encrypted and replicated to the paired Microsoft Azure region every five minutes. One full backup for each instance is encrypted and transferred to cold storage in a third location, read back, restored and tested for integrity every 24 hours.

Monitoring

Monitoring of the Viedoc instances is automated. Health-checks that includes a full application OQ are carried out every 5 minutes from different locations around the world, with real-time alerts to the Operations team. Current and historic service status is made available to customers through an online service status page.

Service window

There is a one-hour service window reserved every weekend—though seldom requiring downtime of service.

Technical roadmap considerations

The following high-level backlog items are considered and/or researched for the technical and/or non-functional development roadmap of the product.

  • Improved user access monitoring with weekly/monthly reports to users and supervising users, and improved inactive accounts management.

  • Enhanced integrations using webhooks, REST-API and enhanced data mapping functionality.

  • Customer-level encryption using a Bring-Your-Own-Keys (BYOK) approach.

  • Blockchain integration of audit-trail.

  • Customer self-service backup feature for dumping data to AWS S3 buckets.

  • Automatic medical coding using neural network algorithms/deep learning/AI.

  • Replace Virtual Machines with Microsoft Azure App Services and Function Apps for better cost-efficiency and agility in scaling operations.

  • Project/customer-level sender email address and SMTP server configuration.

  • Customer-specific instances through Microsoft Azure marketplace offering.