[D155.0000] E-IRB Operations

The University of Kentucky department with a devoted team of programmers responsible for E-IRB design, development of programming, and implementation of code. 

RIS maintains server security and integrity; system upgrades; and follows the University’s Administrative Regulations for 10:7 – Security of Data and 10:8 – Security of Information Technology Resources.

A “system administrator” position held within the Office of Research Integrity delegated to (including but not limited to):

• Access back-end features restricted to the administrator role;
• Facilitate further design and development of features;
• Ensure the E-IRB system continues to function appropriately; 
• Manage the discovery of issues and bugs (via user feedback and review of the system’s web-based error log); 
• Train and educate end-users; 
• Update IRB reviewer documentation in the database (as deemed appropriate with proper concurrence from the corresponding reviewer), and
• Submit linkblue account requests to campus IT. 

Employees of the Office of Research Integrity are responsible for facilitating all aspects of review and approval of human research. For more details, see “About ORI” on ORI’s home web page.

RIS and the ORI E-IRB System Administrator control who is given access to the E-IRB system in an ORI role.

The ORI role permits a user to (including but not limited to):

• Access the E-IRB database; 
• Access submitted, approved, and inactive applications and each one’s history, including IRB determinations and Quality Improvement materials; 
• Insert comments and view PI, ORI, and IRB comments about the submission; 
• Insert and view additional protocol-specific data in the “ORI Flags” tool;
• Route applications to the PI and the IRB;
• Select IRB meeting dates and adjust agendas; 
• Select IRB reviewers;
• Change protocol process type (Full to Expedited and vice versa) and IRB teams;
• Generate IRB correspondence; 
• Manage and view human subject protection (HSP) training records and 
• Retain other documentation pertinent to the research application. 

ORI staff also have the capability to edit an application on behalf of the researcher. At the discretion of ORI staff, edits may be made to the application, but it is only generally accepted to do so with permission from the researcher in writing. 

An individual appointed by the Vice President for Research to provide reviews of proposed research activities. For more details, see the “Nuts and Bolts of IRB Membership” section on the IRB Membership web page, as well as the IRB Membership SOP.

RIS and the ORI E-IRB System Administrator control who is given access to the E-IRB system in an IRB role. 

The IRB role permits a user to (including but not limited to):

• Access the E-IRB database;
• Access submitted and approved applications and each one’s history, including determinations and Quality Improvement materials;
• Insert comments and view PI, ORI, and IRB comments about the submission; 
• Review agendas; and
• Complete assigned “IRB Review” tasks. 

The application is in read-only view for IRB members. A submission for which IRB review has been completed can only be routed to ORI. 

As established by this policy/guidance document and federal regulations, there is no requirement for a UK Institutional Review Board (IRB) Chair/designee to hand-sign or e-sign approval letters; the security of the linkblue process suffices to validate determinations. Documents generated electronically within E-IRB as a result of IRB review are clearly identified by Document Type and are secured in the E-IRB system. 

A non-IRB member, with expertise not otherwise held by an IRB member, who is chosen by ORI staff to provide review for appropriateness of a research proposal (e.g., a cultural consultant). 

Consultants access the E-IRB system in the Researcher role and click on the "Consultant Reviews" tab on their Dashboard to see assigned reviews. A consultant’s access to an application is equivalent to the IRB role (but consultants do not get the IRB role, so they don't have access to the entire IRB database), as is the “IRB Review” task button. 

An individual charged with reviewing some aspect of UK’s human research protection program and who should have limited access to the E-IRB system to perform their auditing responsibilities (e.g., AAHRPP site visitor).

RIS and the ORI E-IRB System Administrator control who is given access to the E-IRB system in an “Auditor” role. For non-UK individuals, a linkblue account is established prior to the auditor’s arrival.

The “Auditor” role permits a user to (including but not limited to):

• Access approved applications in read-only view by protocol number;
• View PI, ORI, and IRB comments about the submission;
• Access protocol history of approved applications, including IRB determinations and Quality Improvement materials.

An individual engaging in a human research activity. 

The default role assigned to an individual logging into E-IRB is the “Researcher” role unless the user has been designated an additional role (e.g., IRB role) by RIS or the ORI E-IRB System Administrator. There are different levels of access offered within the researcher role.

It is IRB policy that the Principal Investigator (PI), identified as such in the PI Contact Information section of an E-IRB application, holds primary responsibility for the research project and is the only individual with permissions to sign the PI Assurance Statement. The PI is authorized to create, edit, and submit an initial review (IR) application, continuation review (CR) application, final review (FR) application, or a modification request (MR) application as well as “Other Reviews” (Unanticipated Problems (UPs) involving risk to subjects or others; Protocol Violations (PVs); Deviation/Exception requests (DEV/EXC); and, if certain circumstances are met, an Administrative Study Closure (IRB review for this kind of “Other Review” is not required)).

Additionally, having a designation of PI permits the user to (this is not an all-inclusive list):

• Access submitted, approved, and inactive applications and each one’s history; 
• Create a record for Non-UK Personnel;
• Insert comments* and view PI and ORI comments about the submission (*comments feature is not available on a draft application).

"Role for E-IRB access" – the user’s selection will determine what kind of access the researcher will have to the E-IRB application created: 

• Editor (“DP” role) - individuals given edit authorization have all the capabilities as the PI for creating, editing, and submitting (applications and Other Reviews), with the exceptions of submitting an administrative study closure and signing the PI Assurance Statement.  Per the PI’s Assurance Statement, when the DP submits on behalf of the PI, it is with the understanding that the PI has reviewed the materials for accuracy.
• Reader (“SP” role) - individuals assigned the “SP” role can view the currently approved application in read-only mode, and access protocol history.
• "Is Contact" – regardless of access assignment (DP or SP), individuals designated as a contact will, in addition to the PI, receive notifications about the application (e.g., requests for minor revisions, Continuation Review requests, etc.).

An individual serving in a leadership role to the PI and who has been assigned to complete an Assurance Statement for the proposed research per IRB policy. This responsibility typically falls on the shoulders of the PI’s Department Chair. The role of such a person has been dubbed “Department Authorization” (DA), although someone serving in an equivalent position could serve as DA. 

Other Designated Signees: Under IRB policy, an Assurance Statement is also required from the PI’s Faculty Advisor if the PI is a UK student. A third signee role is available for PIs who need to send the application for “Review by Other” per their department policy.

In the Signatures (Assurances) section of the E-IRB application, the researcher identifies the individual(s) (e.g., Department Chairperson, Faculty Advisor, Other) within their unit responsible for completing an assurance statement. For additional details on the IRB policy governing this process, see the ORI guidance, “Department Chairperson or Designee Assurance Statement.” 

Once an assignment to complete an Assurance Statement has been saved in the Signatures (Assurances) section and the application has been “sent for signatures,” the assigned individual has access to the E-IRB application for review and is required to “sign” the assurance statement (using linkblue ID and password) before the PI’s application is eligible for submission to the IRB. 

Should a Signee require changes to the application prior to signing, communication with the PI will need to occur external to the system; the PI has access to edit the application while awaiting Assurance signatures.

Only ORI staff can select the audience for each Comment (C) & Review Note (RN) inserted: PI-only; IRB-only; or both PI and IRB.  

• The PI/researcher role can only see the researcher and ORI’s C & RN.
• The IRB role and Auditor role can only see researcher C & RN and C & RN inserted by ORI, where IRB is the audience.
• ORI role can see all C & RN.

Comments and Review Notes can be reviewed in an application’s "Protocol History" in accordance with the rules described above. 

Tip: Be aware of which role you are in when viewing an application.

The "Document Type" of an attachment dictates which users can access and upload the attachment, and whether the document is available from the time of attachment going forward, or only to the phase to which it was attached. Special attachment rules are listed below; otherwise, the attachment is available to all users.

• ORI Documentation/ORI Doc - attached to applicable phase for users in ORI role;
• Miscellaneous IRB Documentation (IRB Doc) - attached to applicable phase for users in the ORI role, IRB role, and Auditor role;
• QI Documentation (QI Doc) - available from the time of attachment on for users in the ORI role, IRB role, and Auditor role; 
• COI Management Plan – available from the time of attachment on for users in the ORI role, IRB role, Auditor role, and users accessing the protocol via the OSPA group Dashboard.

Only ORI can see and edit the entire contents of ORI Flags; all edited fields and attachments are reflected on the phase of the application to which they were added, unless otherwise specified in ORI Flags (e.g., When “ORI Notes” and COI Management Plans are added, they will be available on the current phase and then carried forward to the next phase of the application). 

Applications accessed through the OSPA group (“External”) Dashboard permit the user to see the SFI section and ORI Flags History. 

Group Dashboards were created to enable select individuals logged into E-IRB to acquire information and materials from submissions that fall under the applicable unit’s purview, without giving access to the entire IRB database.

The ORI E-IRB System Administrator (and RIS) controls who is given access to specific group Dashboards; the group Dashboard is in addition to the default Researcher Dashboard.

E-IRB automatically flags applications to fit into specific groups based on established criteria for the Markey Cancer Center (MCC), Office of Sponsored Projects Administration (OSPA), the Center for Clinical and Translational Sciences (CCTS), COVID-related research, Investigational Drug Service (IDS), and ONCORE (limited interface between E-IRB and the ONCORE clinical trial management system). Each group’s Dashboard only lists applications that meet the criteria for that group.

For example, MCC representatives have the option to toggle from their Researcher Dashboard to a Dashboard (under “External” role) that displays approved applications involving only cancer research; CCTS representatives have the option to toggle from their Researcher Dashboard to a Dashboard that displays only approved applications that are clinical research and clinical trials.

Individuals with an assignment to a specific group dashboard will be able to click on the IRB number in that group and:

• Access applications in read-only view;
• View PI and ORI comments about the submission; and
• Access protocol history of approved applications, including attachments, completed Other Reviews, All Events, and Cancelled Submissions.

The University of Kentucky Information Technology Services (ITS) created the term "linkblue" to define a directory account (a unique user id and password) that can be used by employees and students to securely connect to many campus-wide systems. 

Users of the E-IRB system apply the term linkblue as the equivalent of “electronic signatures,” with the understanding that the linkblue ID and password are the legal equivalent of a personal handwritten signature. When a user accesses E-IRB with their linkblue, all actions performed thereafter are considered to be taken by the individual associated with that linkblue account. 

Linkblue accounts are meant to be used according to the University of Kentucky (UK) policy (Administrative Regulation (AR) 10:1 – Use of Technology Resources; 10:5 – Electronic Signatures Policies and Procedures.

Employees applying an electronic signature on documents attached to E-IRB applications are expected to abide by UK policy and guidance as outlined in Administrative Regulation (AR) 10:5 – Electronic Signatures Policies and Procedures and Business Procedure Q-1-6 Electronic Signatures outlining the University’s policies on e-signatures.

Record archiving is facilitated by the comprehensive logging of every action taken within the E-IRB system, including changes to existing records. These logs record each action, the identity of the individual performing the action per linkblue ID, and the action's date and time. To streamline the user’s experience, not every action logged is visible in the E-IRB interface, but it can be retrieved upon request. 

The researcher must re-enter his or her own unique linkblue in order to verify identity before performing key functions within the electronic workflow (e.g., a PI Assurance Statement can only be completed by entering the PI’s linkblue). The signee’s name and date/time the action was completed are recorded under the Signature/Assurances section of the E-IRB application.

Actions permissible only by users in the IRB role (“IRB Review task”) are recorded with the user’s name and date/time the action was completed under the Protocol History Determinations tab, which is accessible only to individuals assigned the ORI, IRB, or Auditor role. Official IRB correspondence (e.g., PDF letters on letterhead) includes all relevant dates in headers or in the body of the document and is issued by ORI only upon documentation of a determination by the IRB.

Furthermore, a unique file hash (SHA-256) is added to attachments at the time of upload and stored alongside the file metadata in the system database to ensure data integrity and traceability. This enhancement allows for verification that files have not been altered post-submission, supports non-repudiation, and aligns with best practices for regulatory compliance and secure recordkeeping.

The E-IRB system addresses the security requirements by including:

• Controls for identification: UK maintains identifying information about each employee/student in association with a linkblue account. The E-IRB system uses linkblue to verify the individual’s identity. 
• System access is limited to authorized individuals: Every E-IRB user must have an active University of Kentucky linkblue account with a unique name and password in order to log in to the E-IRB system. If an individual is no longer affiliated with the University of Kentucky, their linkblue account is deactivated, and access to E-IRB will be denied.
• Individuals are held accountable and responsible for actions initiated under their electronic signatures: Assurances of compliance by designated signees (e.g., Department Authorization (DA)) are recorded in the E-IRB system. The University of Kentucky follows standard operating procedures for its Quality Improvement Program aimed at identifying issues or verifying compliance with responsibilities delineated to PIs and study personnel on IRB-approved applications.
• Controls for a closed system: E-IRB is a closed system (a valid linkblue account is required for access to the network). UK has written Administrative Regulations (AR) that prohibit employees/students from obtaining or using another’s login credentials or otherwise accessing technology resources to which authorization has not been expressly given (10:1 – Use of Technology Resources; IV.J.c.i.). E-IRB system privileges vary depending on assigned roles (e.g., Researcher, ORI, IRB, Department Authorization (DA)). The linkblue identifies which predetermined roles a user may hold, and each role controls which responsibilities and permissions a user has. For example, only users authorized in an IRB role can perform IRB actions, and only an individual serving as a Principal Investigator (PI) can sign a PI Assurance Statement. UK maintains all information associated with research proposals and reviews, and this information is governed by UK policies and procedures for data security (Administrative Regulations 10:7 – Security of Data and 10:8 – Security of Information Technology Resources).