Context. This guidance is a revision of the 2017 draft guidance titled “Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 – Questions and Answers.” When finalized, it will completely supersede 2007’s guidance titled “Computerized Systems Used in Clinical Investigations,” which in turn was an update of the 2004 guidance titled “Computerized Systems Used in Clinical Trials.” We find it a bit confusing when these guidances change names with each update. Perhaps we could introduce FDA to the concept known as a “revision history”?
Real-world data. Real-world data sources submitted as part of a marketing application are subject to Part 11 just like other data sources. The agency acknowledges that real-world data may have originally been collected in non-compliant systems back when the idea of submission was just a gleam in the sponsor’s eye. In that case, sponsors should “ensure the quality and integrity” of these records before submission.
Electronic copies. Sponsors, investigators, and other providers should maintain original electronic records from a clinical investigation or certified copies, produced according to a written SOP to ensure consistency. Records may be maintained on durable media or via a cloud computing provider, but requirements for retention and availability still apply (Questions 3 and 5). Copies of medical records from providers not directly involved in a clinical trial do not have to be certified.
Email and texts to transmit records. FDA doesn’t directly answer the question of whether email or text messages can be used to transmit electronic records under Part 11, but states that the sender must ensure the integrity of the transfer method, and the audit trail for any transfer method should capture the date and time of transfer and the originator. Clearly, texts don’t meet that standard, but we expect sponsors and CROs will continue to use email to send TMF documents to and fro, although this might be the push they need to find alternative methods for transferring datasets.
Validation of data capture systems. FDA continues to recommend a risk-based approach that considers the “significance of the record…criticality of the data…intended use of the system…[and] nature of the system,” with a note that customized systems and systems that capture data are higher risk than word processing tools (is anyone out there still validating Microsoft Word?). For custom or customized electronic systems, sponsors should review vendor SOPs and validation documentation to verify that the system is adequately validated and either perform user acceptance testing to verify that the system meets the business requirements, or review the vendor’s User Acceptance Testing documentation. We anticipate that a lot of sponsors will be happy to get a pass on performing UAT, but caveat emptor – performing a simple UAT is the best way for the sponsor to verify that the system behaves the way they think it does, thus avoiding unhappy surprises in production.
Sponsor inspection focus. FDA intends to focus on data collection, data handling, and data management plans and procedures, system lifecycle, data integrity procedures, authority checks, change control processes, vendor contracts, and CAPAs, listed in this order in the guidance. Inspectors will typically not review audit reports of system vendors. The guidance states that “System administrators should not be involved in data collection or clinical investigation assessments,” which may have implications for data managers who also administer EDC systems. If the sponsor utilizes IT vendors, they should be prepared to share agreements that define the sponsor’s expectations of the vendor (e.g., scope, roles and responsibilities, record retention, and access); all quality or risk management procedures related to the service; and evidence of oversight.
Vendor inspections. FDA might inspect IT or systems vendors to whom regulatory responsibilities are transferred, or even vendors who have not documented transfer of responsibilities, if there is a data integrity concern.
Clinical site inspection focus. During site inspections, FDA intends to focus on staff training, procedures for accessing systems and creating/changing data, and documentation of data creation, change, transmission, and archival. The guidance suggests that “a cumulative record should be maintained of all clinical investigation personnel who are authorized to access the electronic system as well as a description of their access privileges.” (In our experience, there is often focus on when/whether investigators obtained access to the Electronic Data Capture and Randomization and Trial Supply Management systems – sponsors should consider whether they want to activate sites where the PI never logs in to these systems.)
Security. Measures should include access control procedures, policies that require or programmatically enforce log-off when personnel leave their workstations, firewalls, anti-virus, -spyware, and -malware, monitoring, and encryption. The guidance specifies that security breaches that could affect the safety or privacy of study subjects should be reported to the IRB or FDA PDQ.
Audit trails. Audit trails must capture all entries and changes, including who made the change, what was changed, the date and time, and reasons for change. (Note that most EDC and IRT audit trails meet this standard for regular data entry operations; however, “back end” and system operations, like invalidating unused forms or making bulk updates, are not always captured in the audit trail, or components like the user name or reason for change may be missing.) The agency suggests that “Periodic review of the audit trail may be helpful for sponsors to ensure data quality, authenticity, and integrity.” Audit trail review is a more common practice in GLP and GMP settings, but most clinical study teams do not routinely review thousands of pages of EDC audit trails to detect unauthorized changes; luckily the guidance tells us that the decision to do so “should be based on a risk assessment of the clinical investigation.” Ideally, audit trails should be maintained as a “dynamic file” (i.e., in the original software); if that’s not possible, the .pdf representation of the audit trail should be a certified copy (which means that the method that the vendor uses to produce the representation must be validated).
There’s also a lengthy section on digital health technologies that we’ll cover in a separate post.