The guidance provides 28 questions and answers detailing how drugmakers, clinical investigators, clinical research organizations (CROs) and institutional review boards (IRBs) can ensure such electronic systems meet the agency's requirements and are equivalent to paper ones. The guidance also updates past guidance detailing how those parties can take a risk-based approach to validating such systems and implement audit trails for electronic records.
In FDA's earlier guidance from 2003, Part 11, Electronic Records; Electronic Signatures – Scope and Application, the agency provided a "narrow approach and interpretation of part 11 requirements" and explained it would exercise enforcement discretion for certain requirements for validation, audit trails, record retention and record copying.
While FDA says it still intends to exercise enforcement discretion for those provisions, the agency says this guidance will clarify the part 11 "controls that sponsors and other regulated entities must implement as appropriate, in the current technological environment" as they relate to:
- Electronic systems, including commercial off-the-shelf (COTS) and customized electronic systems owned or managed by sponsors and other regulated entities;
- Electronic services, outsourced by the sponsor or other regulated entities;
- Electronic systems primarily used in the provision of medical care;
- Mobile technology; and
- Telecommunication systems.
In general, FDA says companies will need to validate electronic systems "if those systems process critical records … that are submitted to FDA," though the extent of the validation will depend on the system and its intended use.
FDA also notes that the distinction in the regulations between closed and open systems is "seldom relevant" due to the use of online, web-based systems, and says that sponsors should implement additional security measures for those systems, such as document encryption, to offset the physical security that may be lost with online systems.
In addition to taking measures to ensure access to electronic systems is limited to authorized users, FDA says there should be other security measures in place such as firewalls, and antivirus and anti-spyware software.
For outsourced services, such as data management and cloud computing services, FDA says companies are responsible for ensuring those services "have adequate controls in place to ensure the reliability and confidentiality" of the records they process or store.
The guidance also addresses the use of mobile technology in clinical investigations, whether the technology is provided by the sponsor or brought by the study participant, including smart phones and tablets, mobile apps and wearable sensors.
According to FDA, sponsors should ensure there are controls in place, such as thumbprint sensors or username and password logins, to ensure the mobile technology is being used by the study participant.
When capturing data from mobile technologies, FDA says sponsors should also make sure that each data element in a study is tied to a specific data originator, such as a particular person, device or instrument.
FDA also says it does not intend to inspect individual mobile devices used in a clinical trial, as the data generated by those devices will ultimately be transmitted to a sponsor's electronic systems and because the access controls, audit trails and validation detailed in the guidance "help ensure the reliability of the data."