On March 15, 2023, the U.S. Food and Drug Administration (FDA or the Agency) issued a draft guidance entitled Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers (2023 Draft Guidance). The 2023 Draft Guidance revises the draft guidance for industry the Agency issued in June 2017 entitled Use of Electronic Records and Electronic Signatures in Clinical Investigations under 21 CFR Part 11—Questions and Answers (2017 Draft Guidance). If finalized, the 2023 Draft Guidance will also supersede the May 2007 FDA guidance for industry entitled Computerized Systems Used in Clinical Investigations.
At a high level, the 2023 Draft Guidance clarifies that 21 CFR part 11 (Part 11) applies to new information technology (IT) services that create, modify, maintain, archive, retrieve, or transmit electronic records. It also imposes on sponsors the responsibility to ensure that the electronic records they submit through IT vendors conform to FDA’s regulatory requirements. In addition, the 2023 Draft Guidance introduces recommendations for implementing time-stamped audit trails to verify data.
Compared to the 2017 Draft Guidance, the 2023 Draft Guidance features revised recommendations regarding the risk-based approach for validation of electronic systems[1] and provides new definitions of key terms related to digital and electronic research infrastructure. It also applies to a broader range of regulated studies.[2]
Comments on the 2023 Draft Guidance must be submitted by May 15, 2023.
Background
Over the last few decades, recordkeeping practices in clinical investigations that were traditionally paper-based have transformed into digital enterprises. As part of this transformation, sponsors have had to grapple with the regulatory standards and requirements that apply to these digitized processes and records—in particular, the requirements under Part 11, which apply to digital records that are created, modified, maintained, archived, retrieved, or transmitted under any records requirement set forth in FDA regulations.
FDA has addressed the scope and applicability of Part 11 in several guidances over the years, including in the context of clinical trials.[3] Most recently, in the 2017 Draft Guidance, FDA affirmed a narrow and practical interpretation of Part 11 and encouraged a risk-based approach to the validation of electronic systems, implementation of electronic audit trails, and archiving of electronic records.
As technology has continued to evolve, and as sponsors have begun using and managing electronic systems in novel ways in the conduct of clinical investigations, questions about Part 11’s scope and applicability have continued to surface. The COVID-19 pandemic brought these issues to the forefront for many sponsors and investigators, as they were forced to rely heavily on digital technologies and remote processes to conduct clinical investigations. Recognizing that FDA’s ability to assess the authenticity, integrity, and reliability of data submitted in support of marketing applications and other submissions hinges on the industry’s alignment on electronic records, electronic systems, and electronic signatures, the Agency issued the 2023 Draft Guidance.
Major Provisions of the 2023 Draft Guidance
The 2023 Draft Guidance is formatted similarly to the 2017 Draft Guidance, and it includes twenty-eight questions and answers. FDA has grouped these questions and answers into five sections: (A) electronic records, (B) electronic systems owned or controlled by sponsors or other regulated entities, (C) information technology service providers and services, (D) digital health technologies, and (E) electronic signatures. FDA continues to take a narrow and practical interpretation of Part 11, but it has augmented its risk-based approach to validation through additional considerations and recommendations.
Section A: Electronic Records
Section A covers electronic records used in clinical investigations that fall under the scope of Part 11 requirements. In the 2023 Draft Guidance, FDA clarifies that Part 11 applies to electronically formatted records from clinical investigations with non-U.S. sites. The 2023 Draft Guidance also notes that Part 11 applies to electronic records from real-world data sources submitted to FDA as part of a marketing application, even if FDA regulations do not specifically identify such records.[4]
Like the 2017 Draft Guidance, the 2023 Draft Guidance requires that sponsors retain only certified copiesof electronic records. But the 2023 Draft Guidance defines this term with greater specificity than the 2017 Draft Guidance: a certified copy is a copy of an original paper or electronic record that has been verified by a dated signature or a validated process to have the same information, “including data that describe the context, content, and structure,” as the original.[5] Unlike the 2017 Draft Guidance, the 2023 Draft Guidance does not deem copies that lack important metadata to be incomplete; instead, it merely stresses the importance of metadata for establishing the authenticity or integrity of certain record types.
Section B: Electronic Systems Owned or Controlled by Sponsors or Other Regulated Entities
Section B of the 2023 Draft Guidance describes recommendations for electronic systems that are owned or controlled by sponsors or other regulated entities and are used to produce required records in clinical investigations. Such systems include electronic case report forms (eCRFs), electronic data capture (EDC) systems, electronic trial master files (eTMFs), electronic clinical data and trial management systems (eCDMS, eCTMS), interactive response technology (IRT) systems, and electronic IRB management systems.
The 2023 Draft Guidance expands upon the 2017 Draft Guidance’s risk-based approach to validation of electronic systems used in clinical investigations. The 2023 Draft Guidance outlines three considerations when applying this risk-based approach based on the nature of the electronic system: (1) the purpose and significance of the record and the criticality of the data, i.e., how the record and data will be used to support the regulatory decision and/or ensure patient safety; (2) the intended use of the electronic system, e.g., whether the electronic system is used to process records that are essential to the clinical investigation; and (3) whether the electronic system is a commercial off-the-shelf (COTS) system or a new, custom-made system.
In conjunction with the third consideration, the 2023 Draft Guidance clarifies that the extent of validation for COTS office utility software should be guided by both the organization’s internal business practices and the intended use of the software in the clinical investigation. As a general matter, FDA does not anticipate that validation will be necessary for COTS office utility software used as intended by the manufacturer. Conversely, validation of new custom-made electronic systems should include a review of the vendor’s SOPs, the system and software development life cycle model, validation documentation, change control procedures, and change control tracking logs. In addition, regulated entities should perform user acceptance testing.
Although FDA states that it does not intend to review sponsors’ audit reports of IT service providers’ systems, products, and services, it also states that such documentation should be retained as part of the clinical investigation records and made available for inspection by FDA. The 2023 Draft Guidance broadly defines IT service providers to mean a vendor who provides data hosting and/or computing services—e.g., software as a service, platform as a service, and infrastructure as a service—to sponsors and other regulated entities.
With respect to inspections of sponsors, the 2023 Draft Guidance diverges from and elaborates on the 2017 Draft Guidance. Whereas the 2017 Draft Guidance outlined only three pieces of information that FDA would review during inspections of sponsors’ electronic systems to determine Part 11 compliance, the 2023 Draft Guidance spends over a full page detailing the precise documentation FDA intends to review. Such documentation includes audit trail information and interoperable data standards; procedures for data collection, handling, and management; systems for restricting access to electronic systems; change control procedures; vendor contracts; corrective and preventive actions; internal and external audits of electronic systems and of vendors that are performed or provided by the sponsor or independent consultants; and roles and responsibilities of sponsors, clinical sites, and other parties with respect to the use of electronic systems in the clinical investigation.
With respect to inspections of other regulated entities, such as CROs or investigators, the 2023 Draft Guidance encourages such entities to retain electronic systems information demonstrating that those systems comply with the requirements of Part 11. Such information includes policies and procedures related to the system account setup and management, access controls and user access privileges, system user manuals, and system training materials and records. During clinical site inspections, FDA will review records related to staff training on the use of electronic systems; procedures and controls in place for system access, data creation, data modification, and data maintenance; and the use of electronic systems at the clinical investigator site to generate, collect, transmit, and archive data.
Section C: Information Technology Service Providers and Services
Section C explores considerations for determining the suitability of information technology service providers and services. While the 2017 Draft Guidance posited that sponsors and other regulated entities would broadly use mobile technology during the course of clinical investigations, the 2023 Draft Guidance enumerates three types of IT services routinely provided for sponsors: data hosting, cloud computing software, and platform and infrastructure services.
The 2023 Draft Guidance recommends sponsors enter into written service level agreements with IT service providers that describe, at a minimum, the scope of the work and IT service being provided, the parties’ roles and responsibilities with respect to quality and risk management, and details regarding data access. In addition, the 2023 Draft Guidance clarifies that sponsors are responsible for any duties and functions related to the clinical investigation not specifically transferred to a service provider via a transfer of regulatory obligation (TORO).
Compared to the 2017 Draft Guidance, the 2023 Draft Guidance offers greater clarity regarding the circumstances under which FDA would choose to inspect IT service providers. For instance, the Agency notes it can request to conduct focused investigations of IT service providers irrespective of whether a TORO is established. Such an investigation could be triggered by a specific regulatory concern, such as a concern regarding the integrity of trial data. The Agency also clarifies that sponsors should have access to all study-related records maintained by IT service providers, since FDA may review those records during a sponsor inspection.
Section D: Digital Health Technologies[6]
Section D discusses the use of digital health technologies (DHTs) for remote data acquisition from participants in clinical investigations evaluating medical products. DHTs encompass a broader range of technologies than the mobile technologies discussed in the 2017 Draft Guidance. Mobile technologies included mobile platforms, mobile applications, wearable biosensors, other remote sensors, and portable and implantable electronic devices, while DHTs incorporate all computing platforms, connectivity, software, and sensors for health care and related uses.
In the 2023 Draft Guidance, FDA recommends that data originators transmit data captured from DHTs and any relevant associated metadata into a durable electronic data repository, such as a clinical investigation site database, a vendor database, or an EDC system. Transmission should occur as soon as possible after data generation, and the audit trail should include the date and time of such transmission.
Unlike the 2017 Draft Guidance, the 2023 Draft Guidance affirms that FDA may verify the data sponsors submit in support of applications or submissions against the electronic source data during inspections. FDA recommends that sponsors allow for the inspection, review, and copying of such records in human readable form.
Section E: Electronic Signatures
Section E examines methods for creating valid electronic signatures in connection with clinical investigations. The 2023 Draft Guidance’s discussion of electronic signatures largely echoes the 2017 Draft Guidance. However, the 2023 Draft Guidance acknowledges that a statement of testament suffices in situations where electronic signatures cannot be placed in a specified signature block. It also clarifies that FDA considers signatures drawn with a finger or an electronic stylus on a mobile platform or other electronic system to be a handwritten electronic signature, and that these types of signatures are valid only if placed on the electronic document exactly as they would appear on a printed document.
* * *
If you have any questions concerning the material discussed in this client alert, please contact the following members of our Food, Drug, and Device practice:
Wade Ackerman | +1 424 332 4763 | ackermanw@cov.com |
Scott Cunningham | +1 415 591 7089 | scunningham@cov.com |
Paula Katz | +1 202 662 5050 | pkatz@cov.com |
Julia Post | +1 202 662 5249 | jpost@cov.com |
Christina Kuhn | +1 202 662 5653 | ckuhn@cov.com |
Emily Statham | +1 202 662 5064 | estatham@cov.com |
[1] The 2023 Draft Guidance does not provide comprehensive detail on how to perform a risk assessment. However, the Agency notes there are many risk assessment methodologies from a variety of industries that can be applied, including the ICH guidance for industry entitled Q9(R1) Quality Risk Management (June 2022) and the International Organization for Standardization’s (ISO’s) standard ISO 31010:2019 Risk management – Risk assessment techniques.
[2] The 2023 Draft Guidance was issued by a broader range of Centers at FDA than prior guidance on this topic. Whereas the 2017 Draft Guidance was issued by the Center for Drug Evaluation and Research (CDER), the Center for Biologics Evaluation and Research (CBER), and the Center for Devices and Radiological Health (CDRH), the 2023 Draft Guidance was also issued by the Centers for Food Safety and Applied Nutrition (CFSAN), Tobacco Products (CTP), Veterinary Medicine (CVM), Office of Regulatory Affairs (ORA), and Office of Clinical Policy (OCLiP).
[3] See, e.g., FDA, Use of Electronic Health Record Data in Clinical Investigations (2018); FDA, Use of Electronic Records and Electronic Signatures in Clinical Investigations under 21 CFR Part 11 — Questions and Answers (2017); FDA, Electronic Source Data in Clinical Investigations (2013); FDA, Computerized Systems Used in Clinical Investigations (2007); FDA, Part 11, Electronic Records; Electronic Signatures — Scope and Application (2003).
[4] See, e.g., FDA 2023 Draft Guidance 4 n. 20 (2023); FDA, Use of Electronic Health Record Data in Clinical Investigations: Guidance for Industry (2018); FDA, Electronic Source Data in Clinical Investigations: Guidance for Industry (2013).
[5] The 2017 Draft Guidance described a certified copy as being a verified copy that has “all of the same attributes and information as the original.”
[6] In the 2023 Draft Guidance, FDA cross-references its January 2022 draft guidance for industry, investigators, and other stakeholders entitled Digital Health Technologies for Remote Data Acquisition in Clinical Investigations (2022 Draft DHT Guidance). The 2023 Draft Guidance reflects many of the DHT principles contained in the 2022 Draft DHT Guidance.