September 28, 2022
The digital age is upon us. The FDA has acknowledged the increasing use of computerized systems to manage electronic records generated in the production of FDA-regulated products with applicable regulations and several guidance documents that strive to protect public health by securing digital data integrity. In March of 1997, the FDA released 21 CFR Part 11 – the final rule on Electronic Records and Electronic Signatures. This regulation defined the criteria that must be met when a record required by a predicate rule is created, modified, maintained, archived, retrieved or transmitted in an electronic format in place of a paper record. Additionally, Part 11 established criteria by which electronic signatures may be considered to be trustworthy, reliable and equivalent to traditional handwritten signatures.
In the years following the creation of Part 11, there was much discussion and confusion in the pharmaceutical industry regarding what it meant and how it would be enforced. Additionally, concerns were raised by many in the industry that the new regulation would significantly increase the cost of compliance and discourage innovation and technological advances. In response to these issues, the FDA released a guidance document in 2003 entitled “Part 11, Electronic Records; Electronic Signatures – Scope and Application,” which was intended to provide a practical interpretation of Part 11 and clear up industry confusion around its interpretation and enforcement. This guidance document clarified that the Agency intended to interpret the scope of part 11 narrowly and exercise enforcement discretion with regard to part 11 requirements for validation, audit trails, record retention, and record copying.
In the years since the 2003 guidance document was issued, there have been significant technological advances (e.g., cloud computing, mobile devices, etc.), and a proliferation of third-party vendors offering services for electronic systems. In order to address some of the questions that have arisen regarding Part 11 regulations due to the ongoing digitization of data in clinical trials, the FDA issued a draft guidance for industry titled “Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 – Questions and Answers” in June of 2017.
This most recent draft guidance on electronic records and signatures clarifies, updates and expands upon the recommendations related to clinical trials in the 2003 guidance, and provides information to sponsors, institutional review boards (IRBs), clinical investigators, and clinical research organizations (CROs) on the use of electronic records and signatures in clinical trials conducted under 21 CFR parts 312 and 812. Let’s examine this new guidance document in detail in order to determine what it means for those involved in generating and signing electronic records in clinical investigations.
Scope of the FDA Guidance
In this new guidance document, the FDA affirms that it will continue to support a narrow and practical interpretation of Part 11, while at the same time reminding sponsors that electronic records must be maintained or submitted in a manner which satisfies all predicate rules. Additionally, this guidance clarifies and expands upon the policy announced in the 2003 part 11 guidance that encourages a “risk-based approach to the validation of electronic systems, implementation of electronic audit trails, and archiving of electronic records.”
This guidance document applies to electronic records and signatures in the following categories:
- Records kept in electronic format in lieu of paper that are required for clinical investigations of medical products. This includes all records that would be necessary for the FDA to reconstruct a study.
- Electronic records that are relied on to perform regulated clinical study activities.
- Records pertaining to clinical investigations that are submitted to FDA in electronic format under predicate rules, even if these records are not explicitly identified in FDA regulations.
- Electronic signatures required for clinical investigations that are intended to be the equivalent of handwritten signatures executed on paper.
The following electronic systems used in clinical investigations are addressed by the guidance in terms of their applicability to Part 11 requirements:
- Electronic systems, whether commercial off-the-shelf (COTS) or customized, that are owned or managed by sponsors and other regulated entities
- Electronic services that are outsourced by the sponsor or other regulated entities
- Electronic systems that are primarily used in the delivery of medical care
- Mobile technology and telecommunications systems
Overview of the FDA Guidance
The information communicated in this guidance document is extensive. The guidance provides 28 questions and answers (Q&A) detailing how sponsors, IRBs, clinical investigators, and CROs can ensure that electronic records and signatures are equivalent to paper ones and thus meet agency requirements. The bulk (24) of these Q&A cover the scope and application of Part 11 requirements in clinical investigations and are organized into 5 topics – Electronic Systems Owned or Managed by Sponsors and Other Regulated Entities, Outsourced Electronic Services, Electronic Systems Primarily Used in the Provision of Medical Care, Mobile Technology, Telecommunication Systems. A final section contains 4 Q&A that are dedicated to clarifying the appropriate use of Electronic Signatures.
Let’s look at some of the key expectations communicated by the guidance:
Electronic Systems Owned or Managed by Sponsors and Other Regulated Entities
The FDA lists a number of electronic systems used in clinical investigations that are owned or managed by sponsors or other regulated entities (e.g., CROs, IRBs), including electronic case report forms (eCRFs), electronic data capture (EDC) systems, electronic trial master forms (eTMFs), electronic Clinical Data Management System (eCDMS), and others. Requirements and recommendations specified in this guidance for these systems include:
- Risk-Based Approach to Validation – Electronic systems should be validated if they are used to process/produce critical records that are submitted to the FDA. The FDA suggests a risk-based approach to validation, where the extent of validation varies from that which is defined by “internal business practice and needs” for off-the-shelf business tools in general use (e.g., word processors, spreadsheets, etc.), to “user acceptance testing, dynamic testing, and stress testing” for customized tools that have been developed to meet a unique business need. When determining the level of validation for a given system, sponsors and other regulated entities should consider the purpose and significance of the record (i.e., the extent of error that can be tolerated in the record without compromising its reliability and utility), and the attributes and intended use of the electronic system used to produce the record.
- FDA Inspections of Electronic Systems – The FDA will focus on documentation of system validation for both the implementation of these electronic systems and any changes made (e.g., upgrades, security patches, new instrumentation, etc.) to the system once in use. Migrations of source data to other systems or formats will be checked to ensure that the data is not altered in value or meaning in the process. Additionally, the FDA will review standard operating procedures (SOPs) and support mechanisms (e.g., training, technical support, audits, etc.) to ensure that the system is being used and functioning in the manner intended.
- Vendor Audits – Sponsors and other regulated entities should use a risk-based approach in determining whether or not to perform vendor audits. To minimize time and cost burdens, the FDA suggests sponsors and other regulated entities consider “periodic, but shared audits conducted by trusted third parties.”
- Security Safeguards – In order to assure compliance with 21 CFR Part 11.10 and 11.30, sponsors and other regulated entities must ensure that procedures and processes are in place to limit access to the electronic systems utilized in clinical investigation to appropriate, authorized users. Additionally, external security safeguards (e.g., firewalls, anti-spyware, antivirus, etc.), need to be in place to prevent, detect and mitigate the effects of computer viruses, worms and other harmful software code on study data and software.
- Electronic Storage for Archiving Study-Related Records – Using a durable electronic storage device to archive a study-related record at the end of a clinical study is acceptable. Sponsors and other regulated entities should ensure that the content and meaning of the record and the integrity of the original data are preserved. If these records are archived in such a way that they can be searched, sorted, or analyzed, sponsors should provide electronic copies with the same capability to the FDA during an inspection if it is reasonable and technically feasible.
- Investigative Sites Outside the United States – The FDA states that if a non-U.S. site is conducting a clinical trial under an investigational new drug application (IND), then both the sponsor and the site must follow FDA regulations – Part 11 requirements will apply to any required records kept in electronic format.
Outsourced Electronic Services
When outsourcing electronic services (e.g., data management services, cloud computing services), sponsors and other regulated entities are ultimately responsible for ensuring that all regulatory requirements are met. As such, sponsors and other regulated entities need to ensure:
- the authenticity, reliability and security of any data used to support a marketing application for a medicinal product.
- that regulated records and data are available to FDA during an investigation or an inspection.
- that outsourced electronic services are validated when appropriate – documentation of SOPs and results for validation testing should be obtained from the outsourced electronic service vendor.
Sponsors and other regulated entities should form service agreements with any outsourced electronic service vendor, but before entering into such an agreement, the sponsor or other regulated entity should evaluate and select an electronic service vendor based on their ability to meet part 11 requirements and data security safeguards.
Sponsors and other regulated entities should be able to provide the following information to the FDA upon request at each of their regulated facilities that utilize outsourced electronic services:
- Specified requirements of the outsourced electronic service
- A service agreement defining what is expected from the electronic service vendor
- Procedures for the electronic service vendor to notify the sponsor or other regulated entity of changes and incidents with the service
Mobile Technology
The guidance document addresses the use of mobile devices in clinical trials, whether the device is provided by the sponsor or brought by the study participant. Mobile technology in this guidance document refers to portable electronic technology used in clinical trials that enables off-site, remote data capture from study participants – mobile platforms, mobile applications, wearable biosensors, and other portable, implantable and ingestible electronic devices. Requirements and recommendations specified in this guidance for mobile technology include:
- Access Controls – Sponsors should implement user access controls (e.g., ID code, username and password, electronic thumbprints, other biometrics) for mobile technology used by study participants in clinical trials to ensure that data entries come from study participants. In cases where these controls are not practical, sponsors should obtain a signed declaration from study participants confirming that they will be the only ones using the device.
- Source Data – As mobile technology typically only stores data collected from study participants for a very short period of time before being transmitted to the sponsor, the FDA indicates that “…the first permanent record is located in the sponsor’s EDC system or the EHR, and not in the mobile technology.”
- Validation of Mobile Technology – The guidance suggests a risk-based approach to validation of mobile technology. Sponsors should validate mobile technology before use in a clinical trial to ensure that a measured value is reliably captured, transmitted and recorded in the sponsor’s EDC system. Note that validation is specific to Part 11 and does not address performance of the mobile technology, which should follow standard medical device validation requirements.
- Audit Trails – When mobile technology is used to transfer data to the sponsor’s EDC system (or to the EHR and then the sponsor’s EDC), the audit trail begins at the time the data enters the sponsor’s EDC system. The EDC system should capture the date and time the data entered, as well as the data originator (study participant, mobile technology or EHR).
- Security Safeguards – Data transmitted wirelessly from a mobile device to a sponsor’s EDC must be encrypted both at rest and in transit to ensure confidentiality and prevent access by malicious parties. In addition to encryption and user access controls, sponsors should implement remote wiping and disabling of devices, firewalls, and procedures for wiping all stored health information on mobile devices before reusing or discarding to ensure confidentiality.
- Training – The FDA expects sponsors, clinical investigators, study personnel, and study participants to be adequately trained on the use of any mobile technology that is used in a clinical trial.
Electronic Signatures
To be considered the equivalent of handwritten signatures, electronic signatures must comply with Part 11 requirements. Nevertheless, in this guidance document, the FDA communicates flexibility in terms of the methods it will accept for the creation and verification of electronic signatures and biometrics.
- Methods of Creating Electronic Signatures – The Agency states that Part 11 allows for a wide variety of methods for creating electronic signatures – computer-readable ID cards, biometrics, digital signatures, and username/password combinations. All signatures on electronically signed documents need to be accompanied by a computer-generated, time-stamped audit trail.
- Verification of Identity of Those Who Create Electronic Signatures – Part 11 requires that organizations “verify the identity of an individual before the organization establishes, assigns, or otherwise sanctions an individual’s electronic signature or any element of such electronic signature.” However, the FDA does not specify any particular method for verifying the identity of an individual. Methods suggested include: birth certificate, government-issued passport, driver’s license, security questions.
- Biometrics – The FDA defines biometrics as “a method of verifying an individual’s identity based on measurements of the individual’s physical features or repeatable actions where those features and/or actions are both unique to that individual and measurable.” The FDA does not specify any particular biometric method upon which an individual’s signature should be based. Examples given as possible options include: fingerprints, hand geometry (i.e., finger lengths and palm size), iris patterns, retinal patterns, or voice prints.
In addition, the FDA provides important guidance regarding electronic signatures by an individual during a period of controlled system access: “When an individual logs into an electronic system using a username and password, it is not necessary to re-enter the username when an individual executes a series of signings during a single, continuous period of controlled system access. After a user has logged into a system using a unique username and password, all signatures during the period of controlled system access can be performed using the password alone.”
The information contained in the FDA’s new guidance document on electronic records and signatures is extensive, and signifies that the Agency is increasingly focused on data integrity in the electronic records submitted in support of new drug approvals. While this guidance is focused on electronic records and signatures in clinical trial documents, the concepts and recommendations outlined are applicable for any operational system that must conform to Part 11 requirements. Organizations would therefore be wise to consider the information communicated in this guidance document when implementing electronic records and signatures across the product lifecycle.
Additionally, partnering with a quality informatics consulting firm that specializes in data integrity and computer system validation in order to assess the status of your organization’s 21 CFR Part 11 compliance may be an effective path forward. Such a firm can help you define your needs/requirements, and then determine the best business solution(s) that will bring your organization into regulatory compliance.