Posted on Lab Compliance. 28 September, 2017
The digital age is upon us. The FDA has acknowledged the increasing use of computerized systems to manage electronic records generated in the production of FDA-regulated products by issuing applicable regulations and several guidance documents that strive to protect public health by securing digital data integrity. In March of 1997, the FDA released 21 CFR Part 11 – the final rule on Electronic Records and Electronic Signatures. This regulation defined the criteria that must be met when a record required by a predicate rule is created, modified, maintained, archived, retrieved or transmitted in an electronic format in place of a paper record. Additionally, Part 11 established criteria by which electronic signatures may be considered to be trustworthy, reliable and equivalent to traditional handwritten signatures.
In the years following the creation of Part 11, there was much discussion and confusion in the pharmaceutical industry regarding what it meant and how it would be enforced. Additionally, concerns were raised by many in the industry that the new regulation would significantly increase the cost of compliance and discourage innovation and technological advances. In response to these issues, the FDA released a guidance document in 2003 entitled “Part 11, Electronic Records; Electronic Signatures – Scope and Application,” which was intended to provide a practical interpretation of Part 11 and clear up industry confusion around its interpretation and enforcement. This guidance document clarified that the Agency intended to interpret the scope of part 11 narrowly and exercise enforcement discretion with regard to part 11 requirements for validation, audit trails, record retention, and record copying.
In the years since the 2003 guidance document was issued, there have been significant technological advances (e.g., cloud computing and mobile devices) and a proliferation of third-party vendors offering services for electronic systems. In order to address some of the questions that have arisen regarding Part 11 regulations due to the ongoing digitization of data in clinical trials, the FDA issued a draft guidance for industry titled “Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 – Questions and Answers” in June of 2017.
This most recent draft guidance on electronic records and signatures clarifies, updates and expands upon the recommendations related to clinical trials in the 2003 guidance, and provides information to sponsors, institutional review boards (IRBs), clinical investigators, and clinical research organizations (CROs) on the use of electronic records and signatures in clinical trials conducted under 21 CFR parts 312 and 812. Let’s examine this new guidance document in detail in order to determine what it means for those involved in generating and signing electronic records in clinical investigations.
Scope of the FDA Guidance
In this new guidance document, the FDA affirms that it will continue to support a narrow and practical interpretation of Part 11, while at the same time reminding sponsors that electronic records must be maintained or submitted in a manner which satisfies all predicate rules. Additionally, this guidance clarifies and expands upon the policy announced in the 2003 part 11 guidance that encourages a “risk-based approach to the validation of electronic systems, implementation of electronic audit trails, and archiving of electronic records.”
This guidance document applies to electronic records and signatures in the following categories:
The following electronic systems used in clinical investigations are addressed by the guidance in terms of their applicability to Part 11 requirements:
Overview of the FDA Guidance
The information communicated in this guidance document is extensive. The guidance provides 28 questions and answers (Q&A) detailing how sponsors, IRBs, clinical investigators, and CROs can ensure that electronic records and signatures are equivalent to paper ones and thus meet agency requirements. The bulk (24) of these Q&A cover the scope and application of Part 11 requirements in clinical investigations and are organized into 5 topics: Electronic Systems Owned or Managed by Sponsors and Other Regulated Entities; Outsourced Electronic Services; Electronic Systems Primarily Used in the Provision of Medical Care; Mobile Technology; and Telecommunication Systems. A final section contains 4 Q&A that are dedicated to clarifying the appropriate use of Electronic Signatures.
Let’s look at some of the key expectations communicated by the guidance:
Electronic Systems Owned or Managed by Sponsors and Other Regulated Entities
The FDA lists a number of electronic systems used in clinical investigations that are owned or managed by sponsors or other regulated entities (e.g., CROs, IRBs), including electronic case report forms (eCRFs), electronic data capture (EDC) systems, electronic trial master forms (eTMFs), electronic Clinical Data Management System (eCDMS), and others. Requirements and recommendations specified in this guidance for these systems include:
Outsourced Electronic Services
When outsourcing electronic services (e.g., data management services, cloud computing services), sponsors and other regulated entities are ultimately responsible for ensuring that all regulatory requirements are met. As such, sponsors and other regulated entities need to ensure:
Sponsors and other regulated entities should form service agreements with any outsourced electronic service vendor, but before entering into such an agreement, the sponsor or other regulated entity should evaluate and select an electronic service vendor based on their ability to meet part 11 requirements and data security safeguards.
Sponsors and other regulated entities should be able to provide the following information to the FDA upon request at each of their regulated facilities that utilize outsourced electronic services:
The guidance document addresses the use of mobile devices in clinical trials, whether the device is provided by the sponsor or brought by the study participant. Mobile technology in this guidance document refers to portable electronic technology used in clinical trials that enables off-site, remote data capture from study participants – mobile platforms, mobile applications, wearable biosensors, and other portable, implantable and ingestible electronic devices. Requirements and recommendations specified in this guidance for mobile technology include:
To be considered the equivalent of handwritten signatures, electronic signatures must comply with Part 11 requirements. Nevertheless, in this guidance document, the FDA communicates flexibility in terms of the methods it will accept for the creation and verification of electronic signatures and biometrics.
In addition, the FDA provides important guidance regarding electronic signatures by an individual during a period of controlled system access: “When an individual logs into an electronic system using a username and password, it is not necessary to re-enter the username when an individual executes a series of signings during a single, continuous period of controlled system access. After a user has logged into a system using a unique username and password, all signatures during the period of controlled system access can be performed using the password alone.”
The information contained in the FDA’s new guidance document on electronic records and signatures is extensive, and signifies that the Agency is increasingly focused on data integrity in the electronic records submitted in support of new drug approvals. While this guidance is focused on electronic records and signatures in clinical trial documents, the concepts and recommendations outlined are applicable for any operational system that must conform to Part 11 requirements. Organizations would therefore be wise to consider the information communicated in this guidance document when implementing electronic records and signatures across the product lifecycle.
Additionally, partnering with a quality informatics consulting firm that specializes in data integrity and computer system validation in order to assess the status of your organization’s 21 CFR Part 11 compliance may be an effective path forward. Such a firm can help you define your needs/requirements, and then determine the best business solution(s) that will bring your organization into regulatory compliance.