Introduction
On October 2, 2024, the Food and Drug Administration (FDA) released the guidance, Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers. The guidance expands on the part 11 guidance from 2003, which is narrowly interpreted by the FDA. Since technology capability and uses have expanded, this guidance provides additional recommendations to the still applied 2003 guidance for current technology. Together, the purpose of the two guidances is to ensure the authenticity, integrity, and confidentiality of electronic data and records for clinical investigations when they are created, modified, maintained, archived, retrieved, or transmitted. This 2024 guidance question and answer format goes into greater detail, organized by section: electronic records, electronic systems, information technology service providers and services, digital health technologies, and electronic signatures. This blog post aims to provide an overview of the key updates and implications of the new guidance for clinical investigations.
Electronic Records
The electronic records section is for those records needed by the FDA to reconstruct a clinical investigation, including at non-United States sites, and records submitted to the FDA in electronic form under predicate rules. The compliance of electronic health record (EHR) systems or other electronic systems that are sources of real-world data (RWD) are not included in part 11 regulation compliance considerations. However, once the electronic record enters the sponsor’s electronic data capture (EDC) system, compliance with part 11 will be assessed.
Regulated entities should maintain and retain certified copies of clinical investigation electronic records. A certified copy is a copy of the original record that has been verified to have the same information, including data that describe the context, content, and structure of the original. Once the copy is made, the original can be discarded.
Various ways to retain electronic records are acceptable, such as in electronic storage devices and using cloud computing services. Regulated entities must ensure the authenticity, integrity, and confidentiality of the data—including metadata and audit trails—and that the meaning of the record is preserved. Notably, part 11 regulations do not address electronic communication methods like email or text messages. Determining if the electronic communication method is appropriately secure is the responsibility of the regulated entity.
Electronic Systems
The electronic systems section relates to those systems deployed in clinical investigations to create, modify, maintain, archive, retrieve, or transmit clinical investigation records. Regulated entities can deploy their own electronic systems or use an Information Technology (IT) service provider for activities, such as randomization, data collection, collection and processing of adverse event reports, documenting informed consent, maintaining and retaining clinical investigation records, and medical product dispensation, administration, and accountability.
It is important to emphasize the use of a risk-based method. The approach should be based on a justified and documented risk assessment considering the intended use of the system, the purpose and importance of the data or records collected, and the potential impact on participant safety and trial results. System functionality, configurations specific to the clinical trial protocol, customizations, data transfers, and interfaces between systems all need validation. Changes to electronic systems need to be evaluated and validated throughout the system’s lifecycle to ensure they do not adversely affect data traceability, authenticity, or integrity.
Information Technology Service Providers and Services
In the information technology service providers and services section, the FDA emphasizes that entities can use their own electronic systems or use those provided by IT service providers and that entities should use a risk-based approach validating electronic systems deployed in clinical investigations with the same considerations. Validation should be applied to system functionality, configurations, customizations, data transfers, and interfaces between systems. The guidance in this section reinforces that sponsors should document the electronic systems used in clinical investigations, changes to electronic systems should be evaluated and validated throughout the system’s lifecycle and ensure only authorized individuals have appropriate access. Regulated entities must implement security safeguards, including access controls and audit trails, to protect data authenticity, integrity, and confidentiality.
For this and the previous section, FDA inspections will focus on data collection, handling, security, and management plans, as well as system validation and change control procedures. They generally will not review audits from other entities. It is necessary to document that only the appropriately authorized individuals are allowed access to the electronic systems used in clinical investigations.
Digital Health Technologies
The digital health technologies (DHTs) section emphasizes the importance of identifying the data originator, which could be the participant, an EHR, a wearable, or other data capturing system. To identify the data originator, the sponsor should have a list of authorized data originators. Data originators would have access controls as appropriate with other measures for secure data transfer and proper data attribution when using DHTs. To maintain the accuracy and reliability of the data, it must be properly attributed to the correct source.
Electronic Signatures
Under this new guidance, electronic signatures are equivalent to handwritten signatures when they meet the requirements under part 11. They must include identity verification to ensure that the individual signing the document is who they claim to be. Signed electronic records must contain the printed name of the signer, the date and time when the signature was executed, and the meaning associated with the signature. When an individual executes a series of signings during a period of single, continuous controlled system access, the first signing must be executed using all electronic signature components, but repeated (subsequent) signings may be executed using one electronic signature component that is only executable by and designed to be used only by the individual. A secure linkage must exist between the electronic signature and the electronic record to prevent tampering or alteration. Users, or organizations on behalf of its users, must send a letter of non-repudiation to the FDA to certify the electronic signature is intended to be the legally binding equivalent.
Conclusion
This updated guidance is timely, considering the significant advancements in electronic technology since the 2003 version. It emphasizes a risk-based approach to ensure the authenticity, integrity, and confidentiality of electronic data and records in clinical investigations. By addressing various aspects, such as electronic records, systems, IT service providers, digital health technologies, and electronic signatures, the guidance provides comprehensive recommendations to adapt to current technological capabilities. The overlapping sections reinforce the core principles, ensuring that regulated entities maintain robust data management practices to meet FDA requirements.
Do you have additional questions about this new FDA guidance’s implications on your studies or any other IRB-related questions? Reach out to WCG’s IRB experts to help you navigate these changes and ensure your trial meets all necessary requirements by completing the form below.
Don't trust your study to just anyone.
WCG's IRB experts are standing by to handle your study with the utmost urgency and care. Contact us today to find out the WCG difference!