On March 15, the U.S. Food and Drug Administration (FDA) issued revised draft guidance summarizing how it intends regulate the use of electronic systems, records, and signatures in clinical investigations to account for advances in digital health technologies. The guidance applies to clinical trial sponsors, investigators, Institutional Review Boards (IRBs), and Contract Research Organizations (CROs), and it provides advice on implementing data integrity and data security controls, including the use of audit trails and the protection of electronic records. We have analyzed below how the new version of the agency’s guidance: highlights the importance of compliance with Good Clinical Practice (GCP) standards; warns that electronic records from Real-World Data (RWD) sources are subject to part 11 regulations; prioritizes oversight of Digital Health Technology (DHT) and remote data acquisition; and emphasizes the need to carefully document audit trails, including metadata.
FDA is accepting comments on the guidance through May 15.
Importantly, this revised draft guidance is a clear illustration that FDA is increasingly focused on the integrity of electronic data generated in clinical trials. As one specific example of this, the draft guidance emphasizes the need for “audit trails” in electronic systems, which capture details such as additions, deletions, or alterations of information in an electronic record. Clinical study sponsors should recognize that FDA will likely place electronic systems used in clinical research under greater scrutiny during future GCP inspections, especially considering the agency’s recently-enhanced bioresearch monitoring inspection authority, which we recently summarized online here.
Earlier this month, FDA issued a revised version of the draft guidance, “Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers,” updating the June 2017 draft guidance to keep pace with the evolving use of electronic systems in clinical investigations.
Electronic records used in clinical investigations that fall under the scope of part 11 include (a) records needed to reconstruct a clinical investigation that are maintained and archived under agency requirements referred to as “predicate rules,” and (b) records submitted to FDA in electronic format under predicate rules, even if such records are not specifically identified in FDA regulations.
The updated draft guidance applies to sponsors, clinical investigators, IRBs, and CROs. It offers advice on applying and implementing data integrity and data security controls, including the use of audit trails and the protection of records in the current environment of electronic systems used in clinical investigations. The guidance focuses on compliance with 21 CFR part 11 regarding electronic records and electronic signatures, and on FDA’s risk-based approach to validation of electronic systems.
Though much of the content in the revised version of the draft guidance has been reorganized, most of the substance of the guidance remains the same as the advice offered by FDA in 2017. Yet, there are certain areas where FDA has significantly modified its recommendations regarding part 11 compliance and electronic systems. We have summarized these updates below.
Good Clinical Practice
Good clinical practice is an international ethical and scientific standard for designing, conducting, recording, and reporting clinical investigations that involve the participation of human subjects. Specific guidance on this standard did not appear in the 2017 version of the guidance, and FDA now states that “The appropriate use of electronic records is an important component of GCP, and part 11 regulations help ensure that the electronic records and data for a clinical investigation are trustworthy and reliable.” FDA’s new advice emphasizing the importance of GCP draws from the International Council for Harmonisation (ICH) guideline, “E6(R2) Good Clinical Practice: Integrated Addendum to ICH E6(R1).”
Real-World Data is that which relates to individual patient health status, or the delivery of health care routinely collected from a variety of sources. Examples of RWD include data from electronic health records (EHR); medical claims data; data from product and disease registries; patient-generated data (including data from in-home use settings); and data gathered from other sources that can inform on health status, such as digital health technology.
The new revised draft guidance clarifies that electronic records from RWD sources submitted to FDA as part of a marketing application or maintained under predicate rules are subject to part 11 requirements. This means that sponsors that intend to rely on RWD in support of a marketing application must ensure the quality and integrity of such electronic records. FDA also added the definition of “Real-World Data” to the Glossary in the revised draft guidance, signaling the importance of this recommendation.
FDA’s new clarifications regarding use of RWD draws from the agency’s November 2021 draft guidance, “Real-World Data: Assessing Registries to Support Regulatory Decision-Making for Drug and Biological Products,” and the July 2018 guidance, “Use of Electronic Health Records Data in Clinical Investigations.” Notably, the latter document clarifies that FDA does not intend to assess compliance of an EHR system with part 11 regulations because, in general, they are under the control of organizations not regulated by FDA (e.g., health care providers, health care organizations, and health care institutions). Even so, the agency stresses that its acceptance of data in support of a marketing application depends on FDA’s ability to verify the quality and integrity of the data during inspections, even if that data originates in an EHR.
Digital Health Technology & remote data acquisition
In the new revised draft guidance, FDA reorganized its 2017 discussion of “mobile technology” around the term “Digital Health Technology,” which it defines as “a system that uses computing platforms, connectivity, software, and/or sensors for health care and related uses.” The term “remote data acquisition” is also novel in the 2023 version of the guidance, and its inclusion in the Glossary reflects FDA’s increasing focus on permitting (while carefully overseeing) the “collection of data from locations that are distant from the investigator or trial personnel.”
Although these terms are new, the principles that the agency previously applied in its regulation of mobile technology are similarly being asserted in the revised draft guidance. FDA’s new guidance relies on recommendations from FDA’s January 2022 draft guidance titled, “Digital Health Technologies for Remote Data Acquisition in Clinical Investigations.”
Further reflecting the agency’s heightened focus on DHT regulation, last week, FDA also issued the policy document “Framework for the Use of Digital Health Technologies in Drug and Biological Product Development,” which FDA said it intends to guide the use of DHT-derived data in regulatory decision-making for drugs and biological products. Later this week, FDA will hold a public workshop on that framework, and we will keep you apprised of any important developments stemming from this discussion.
IT service providers & SLAs
The revised draft guidance clarifies that FDA will generally not review audit reports of IT service providers’ electronic systems, products, and services. However, sponsors are required to ensure that electronic records submitted through IT provider they use conform to regulatory standards, and to ensure the suitability of each IT provider by considering the IT provider’s policies that may affect their clinical oversight abilities, processes, and procedures that allow the user to validate the data and their ability to generate accurate and complete copies of records.
FDA recommends that sponsors and other regulated entities execute written service level agreements (SLAs) with IT service providers that define the IT provider’s responsibilities, quality and risk management procedures, and documentation of the sponsor’s ongoing oversight of the IT provider. The revised draft guidance further states that FDA may inspect IT service vendors who have assumed obligations in an IND set forth in writing in a transfer of regulatory obligation.
Metadata, audit trails, and documentation
Novel in the revised version of the draft guidance is FDA’s recommendation that, when providing certified electronic or paper copies of electronic records, the associated metadata should be included. Metadata is defined as the “contextual information required to understand the data,” and this includes units of the data (e.g., mg); a date and time stamp for when the data were acquired; the size of the file; the number of total files; and the individual responsible for creating the copies. The agency states: “Additional metadata are important for establishing authenticity or integrity for certain record types, such as digital photographs and audiovisual files.” The revised draft guidance emphasizes in several places that “all associated metadata” should be preserved in a secure and traceable manner.
FDA’s new recommendations suggest the agency is increasingly prioritizing oversight of documentation requirements and “audit trails” as well, with the latter defined as “processes that capture details such as additions, deletions, or alterations of information in an electronic record without obscuring the original record.” The revised draft guidance adds clarification that although audit trails need not record every key stroke, controls must be in place to ensure that the system’s date and time are correct.
FDA provides additional considerations on the risk-based approach sponsors can take to validate electronic systems to ensure they are correctly performing as intended, and the revised guidance addresses the significance of risk assessments for changes to electronic systems such as software upgrades, security or performance patches, equipment replacements, and new instrumentation. All changes to the systems should be documented as system validation documentation may be requested during an FDA inspection.
In addition to the changes summarized above, FDA made a few other minor revisions in the March 2023 version of the guidance:
- Electronic stylus. In a new question regarding the “electronic stylus,” FDA clarifies that “signatures drawn with a finger or an electronic stylus are considered handwritten signatures.”
- Unattended workstations. FDA’s revised draft guidance stresses that companies must ensure their employees log off their system when leaving their workstations unattended.