Use of Electronic Records and Electronic Signatures in Clinical Investigations Under Part 11 — Questions and Answers." The draft guidance is intended to assist sponsors and other FDA-regulated entities – such as contract research organizations (CROs) and institutional review boards (IRBs) – in meeting the regulatory requirements under 21 CFR Part 11 as they apply to the review and conduct of clinical investigations. FDA states that the draft guidance “clarifies, updates, and expands upon” the recommendations related to clinical trials in its 2003 guidance, Part 11, Electronic Records; Electronic Signatures — Scope and Application.
We think this new draft guidance is a significant development because it signals that FDA may be preparing to place greater scrutiny on electronic systems used in clinical trials to ensure that those systems meet Part 11 standards. More broadly, we think this is another clear indication that the agency is increasingly focused on the integrity of data submitted in support of new drug approvals.
In the nearly 15 years since FDA issued its 2003 Part 11 guidance, there has been a substantial advance in electronic systems technology (such as with cloud computing services and mobile devices), as well as a proliferation of third-party vendors offering electronic systems services. FDA recognizes these changes, and they are an important focus of the new draft guidance. Interestingly, FDA contends that the distinction between closed and open systems – which is a defining aspect of how the Part 11 regulations are structured and organized – is now “seldom relevant” due to the prevalence of internet and web-based systems.
The new draft guidance is structured in a question and answer format, broken down across multiple topics. We provide a general overview of four of the main topics covered by the draft guidance below.
Electronic systems owned or managed by sponsors, CROs, and IRBs
FDA addresses a number of issues on the scope and application of Part 11 requirements to electronic systems used in clinical investigations that are owned or managed by sponsors and other regulated entities. Examples of these electronic systems are electronic case report forms, electronic data capture systems, and electronic trial master files, among others.
Particularly useful may be the draft guidance’s enumeration of the areas of focus for FDA Part 11 inspections of sponsors and other regulated entities. The specific issues discussed in the draft guidance include the following:
— For validating electronic systems, sponsors and other regulated entities should use the risk-based approach described by FDA in its related 2003 guidance – Part 11, Electronic Records; Electronic Signatures — Scope and Application. For validation of electronic records systems, sponsors and other regulated entities should consider (1) the purpose and significance of the record, including the extent of error that can be tolerated without compromising the reliability and utility of the record for its regulatory purpose, and (2) the attributes and intended use of the electronic system used to produce the record. In general, electronic systems should be validated if they process critical records, such as laboratory and study endpoint data, information on serious adverse events and study participant deaths, and information on drug and device accountability and administration.
— Sponsors and other regulated entities should consider “periodic, but shared audits conducted by trusted third parties” of the vendors of their electronic systems.
— Internal and external security safeguards should be implemented that are consistent with the standards established by 21 CFR 11.10 and 11.30. These safeguards include logical and physical access controls to electronic systems, as well as procedures and processes to limit access to authorized users. For external safeguards, protections should be in place against computer viruses, worms, and other harmful software.
Finally, FDA states that for clinical investigations conducted outside of the United States under an investigational new drug application (IND), Part 11 regulations would still apply. For clinical investigations conducted outside of the United States that are not under an IND, good clinical practice standards would apply.
Outsourced electronic services
It is common for sponsors and other regulated entities to engage with vendors to outsource electronic services, such as data management and cloud computing services. In the draft guidance, FDA offers recommendations on the use of outsourced electronic services, but also reminds us that it is the sponsors and other regulated entities – and not the third-party vendors – that are ultimately responsible for compliance with the requirements of Part 11. In the draft guidance, FDA addresses the following specific issues related to outsourced electronic services:
— Sponsors and other regulated entities should consider the following items when evaluating outsourced electronic services:
- validation documentation;
- ability to generate accurate and complete copies of records;
- availability and retention of records for FDA inspection for as long as the records are required by applicable regulations;
- archiving capabilities;
- access controls and authorization checks for users’ actions;
- secure, computer-generated, time-stamped audit trails of users’ actions and changes to data;
- encryption of data at rest and in transit;
- electronic signature controls;
- performance record of the electronic service vendor and the electronic service provided; and
- ability to monitor the electronic service vendor’s compliance with electronic service security and the data integrity controls.
— FDA considers cloud computing services to be acceptable, even though these services can distribute data at several geographic locations at the same time. However, sponsors and other regulated entities should have an understanding of the data flow and the location of the cloud computing service’s hardware, and should ensure that data residing in remote locations can be retrieved and accessed during FDA inspections.
— To demonstrate that vendors are providing electronic services in accordance with FDA’s regulatory requirements, the following information should be available to FDA upon request:
- specified requirements of the outsourced electronic service;
- a service agreement defining what is expected from the electronic service vendor; and
- procedures for the electronic service vendor to notify the sponsor or other regulated entity of changes and incidents with the service.
Mobile technology
Since the issuance of FDA’s 2003 guidance, mobile technology has advanced substantially in its sophistication and prevalence, such that it can play a significant role in the conduct of clinical trials. In particular, sponsors and other regulated entities may use mobile technology during a clinical investigation to capture, record, and transmit data from study participants. Examples of mobile technology include mobile platforms, mobile applications, mobile apps, wearable biosensors, remote and ingestible sensors, and other portable and implantable electronic devices. The issues on mobile technology addressed by FDA include:
— Where possible, access controls – such as an ID code, username and password combinations, electronic thumbprints, and other biometrics – should be used to ensure that data entries come from the study participant.
— Wirelessly transmitted data from the mobile technology to the sponsor’s electronic data capture system must be encrypted. In addition, sponsors should consider the following additional safeguards:
- remote wiping and remote disabling;
- disabling the ability to install and use file-sharing applications; and
- procedures and processes to delete all stored health information before discarding or reusing the mobile device.
— Sponsors, clinical investigators, study personnel, and study participants must be trained on the use of any mobile technology that is used in a clinical investigation.
In the draft guidance, FDA also addresses the question of whether mobile technology may contain source data from a clinical trial. In particular, the Agency states: Notably, the Agency also states that it does not intend to inspect each individual mobile technology used in a clinical investigation because access controls, audit trails, and validation should help ensure the reliability of the data.
Electronic signatures
A significant portion of Part 11 is dedicated to the appropriate use of electronic signatures, and FDA reaffirms the regulatory principles of those requirements in the new draft guidance. Nevertheless, FDA does express its flexibility in the methods it permits for the creation and verification of electronic signatures, as well as on the use of biometrics. In particular:
— FDA says it does not mandate or specify that particular methods be used to create electronic signatures; rather, the Agency’s position is that Part 11 permits a wide variety of methods to be used. These methods include computer-readable ID cards, biometrics, digital signatures, and username and password combinations.
— Likewise, FDA says it does not specify any particular method for verifying the identity of an individual, but will accept a variety of methods. These methods include verification of identity through official documentation, such as a birth certificate, government-issued passport, or driver’s license, and use of security questions.
— Biometrics must be uniquely identified with an individual and should not change over time. FDA also says it does not specify any particular biometric method upon which an electronic signature is based; rather, biometrics will be accepted so long as they meet Part 11 requirements. Examples of biometric methods include fingerprints, hand geometry (such as finger lengths and palm size), iris patterns, retinal patterns, and voice prints.
— FDA does not certify individual electronic systems and methods used to obtain electronic signatures.