FDA Finalizes Comprehensive Guidance on Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations
Background and Timeline
On October 2, 2024, the U.S. Food and Drug Administration (FDA) announced the finalization of its comprehensive guidance document titled “Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers.” This represents a significant milestone in the evolution of FDA’s regulatory approach to electronic records in clinical research.
The journey to this final guidance began in June 2017 when the Center for Drug Evaluation and Research (CDER), in collaboration with the Center for Biologics Evaluation and Research (CBER) and the Center for Devices and Radiological Health (CDRH), issued a draft guidance entitled “Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11—Questions and Answers.” Following extensive industry feedback and rapid technological advancement, particularly accelerated by the COVID-19 pandemic’s reliance on remote and digital clinical trial technologies, FDA issued a revised draft guidance in March 2023.
The October 2024 final guidance reflects FDA’s recognition that the landscape of clinical investigations has fundamentally transformed from traditional paper-based systems to comprehensive digital enterprises. This transformation necessitated updated regulatory guidance that addresses contemporary technologies including cloud computing services, digital health technologies (DHTs), real-world data (RWD) sources, and remote data acquisition systems.
Expanded Scope and Applicability
The final guidance significantly broadens its scope compared to earlier versions. While the original 2017 draft was issued solely by CDER, the 2024 final guidance represents a collaborative effort across multiple FDA centers including CDER, CBER, CDRH, the Center for Food Safety and Applied Nutrition (CFSAN), the Center for Tobacco Products (CTP), the Center for Veterinary Medicine (CVM), the Office of Regulatory Affairs (ORA), and the Office of Clinical Policy (OCLiP). This expansion reflects the guidance’s applicability across a wider spectrum of product categories beyond human drugs, encompassing biologics, medical devices, foods, tobacco products, and veterinary drugs.
The guidance applies to sponsors, clinical investigators, institutional review boards (IRBs), contract research organizations (CROs), and other stakeholders involved in clinical investigations. Critically, it addresses electronic systems “deployed by” regulated entities—a deliberate broadening from the draft’s narrower language of systems “owned or controlled by” such entities. This change acknowledges the modern reality where organizations increasingly rely on outsourced IT services and cloud-based platforms rather than maintaining proprietary systems.
Fundamental Requirements Under 21 CFR Part 11
At its core, the guidance provides recommendations on compliance with 21 CFR Part 11, the federal regulation governing electronic records and electronic signatures. Part 11 applies to electronic records that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in FDA regulations (known as “predicate rules”). For clinical investigations, this encompasses two primary categories:
First, records necessary to reconstruct a clinical investigation that must be maintained and archived under applicable regulations. These include case report forms (CRFs), source documents, informed consent forms, investigator site files, and study protocols—essentially all documentation needed for FDA to verify the conduct and findings of a clinical trial.
Second, records submitted to FDA in electronic format under predicate rules, even when such records are not specifically identified in the regulations. This includes submissions supporting investigational new drug (IND) applications, investigational device exemption (IDE) applications, and marketing applications.
The guidance emphasizes that Part 11 requirements do not exist in isolation but work in conjunction with Good Clinical Practice (GCP) standards, which provide the ethical and scientific quality framework for designing, conducting, recording, and reporting clinical investigations involving human subjects. GCP standards prioritize the rights, safety, and well-being of trial participants while ensuring the integrity and reliability of clinical trial data.
Key Clarifications and Recommendations
Risk-Based Validation Approach
The guidance strongly advocates for a risk-based approach to validating electronic systems used in clinical investigations. Rather than applying uniform validation requirements across all systems regardless of their function or criticality, regulated entities should assess validation needs based on several factors:
- The purpose and importance of the data or records collected, generated, maintained, or retained in the system
- The potential impact of the system on participants’ rights, safety, and welfare
- The potential effect on the reliability of trial results
- The complexity of the system and degree of customization
Validation should encompass system functionality, configurations specific to the clinical trial protocol, customizations, data transfers, and interfaces between systems (interoperability and communication). This risk-based paradigm allows organizations to allocate validation resources more efficiently, focusing intensive efforts on high-risk, high-impact systems while applying lighter-touch validation to lower-risk applications.
The FDA references established methodologies that can guide risk assessment, including ICH Q9(R1) Quality Risk Management (revised May 2023) and ISO 31010:2019 Risk management – Risk assessment techniques. Organizations have flexibility in selecting risk management frameworks appropriate to their specific circumstances.
Real-World Data and Electronic Health Records
One of the most significant clarifications in the final guidance addresses the treatment of real-world data (RWD) sources, particularly electronic health record (EHR) systems. FDA explicitly states that Part 11 compliance requirements do not apply to EHR systems or other electronic systems that serve as sources of real-world data.
Instead, FDA will assess Part 11 compliance only once an electronic record from such sources is entered into a sponsor’s electronic data capture (EDC) system or other trial management system under the sponsor’s control. This distinction recognizes the impracticality of requiring healthcare providers and their EHR systems to comply with Part 11 when they are merely providing source data, rather than serving as regulated entities in the clinical investigation.
This clarification has profound practical implications for trials utilizing RWD, which have become increasingly common as the industry seeks to leverage existing healthcare data to supplement or replace traditional prospective data collection. Sponsors can now integrate RWD into their trials with greater clarity regarding where their Part 11 compliance obligations begin.
International Application
The guidance definitively addresses a question of critical importance to multinational pharmaceutical companies, including those based in Japan: Does Part 11 apply to clinical investigations conducted outside the United States?
The answer is unequivocally yes, when the investigation’s data will support an IND, IDE, investigational new animal drug (INAD) file, or marketing application submitted to FDA. Part 11 requirements apply to any records required to be maintained in electronic format for such investigations, regardless of the geographic location where the trial is conducted. This means that a clinical trial conducted entirely in Japan, if intended to support a U.S. regulatory submission, must comply with Part 11 requirements for electronic records and signatures.
This extraterritorial application underscores the importance of ensuring that global clinical trial systems, whether managed by the sponsor, a CRO, or local site investigators, meet FDA’s expectations for electronic records management. Japanese pharmaceutical companies must therefore implement Part 11-compliant systems and processes for all U.S.-destined clinical programs, regardless of where the studies are performed.
Audit Trails and Data Integrity Controls
The guidance provides detailed recommendations on audit trails, which serve as a critical control for ensuring the authenticity, integrity, and reliability of electronic records. Audit trails must capture comprehensive information about electronic record activities, including:
- All changes made to the electronic record (what was changed)
- The identity of individuals making changes (who made the change)
- The date and time of changes (when the change occurred)
- The reason for changes (why the change was made)
Audit trails themselves must be protected from being modified or disabled, and they should be retained in a format that is searchable and sortable to facilitate review during inspections. The guidance recommends that the decision to review audit trails, and the frequency of such reviews, be based on a risk assessment that considers the specific investigation, systems, procedures, and controls in place.
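One way to make such an audit trail tamper-evident is to chain each entry to the hash of the one before it. The sketch below is an added example, not part of the FDA guidance or of any vendor's system; the hash-chaining design, the field names, and the sample CRF values are assumptions chosen for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor value used as prev_hash of the first entry


def entry_digest(entry):
    """SHA-256 over a canonical JSON encoding of the entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only trail: entries can be added and exported, never edited in place."""

    def __init__(self):
        self._entries = []

    def record_change(self, record_id, field, old, new, user, reason, when=None):
        # Refuse entries that cannot answer "who" and "why".
        if not user or not reason or not reason.strip():
            raise ValueError("audit entry needs an attributed user and a reason")
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self._entries),
            "record_id": record_id,
            "field": field, "old": old, "new": new,  # what was changed
            "user": user,                             # who made the change
            "timestamp": when.isoformat(),            # when (UTC)
            "reason": reason,                         # why
            "prev_hash": self._entries[-1]["entry_hash"] if self._entries else GENESIS,
        }
        entry["entry_hash"] = entry_digest(entry)
        self._entries.append(entry)
        return dict(entry)

    def export(self):
        """Return copies so reviewers cannot mutate the stored trail."""
        return [dict(e) for e in self._entries]


def verify(entries):
    """Return the index of the first entry that fails verification, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev_hash") != prev or e.get("entry_hash") != entry_digest(e):
            return i
        prev = e["entry_hash"]
    return None


def history(entries, record_id, field=None):
    """Searchable, sortable view: all changes to one record, oldest first."""
    hits = [e for e in entries
            if e["record_id"] == record_id and (field is None or e["field"] == field)]
    return sorted(hits, key=lambda e: (e["timestamp"], e["seq"]))


def sample_trail():
    """Constructed sample data: three edits to made-up CRF fields."""
    t = AuditTrail()
    base = datetime(2024, 10, 2, 9, 0, tzinfo=timezone.utc)
    t.record_change("CRF-001", "systolic_bp", None, 128, "site_coord_a", "initial entry", base)
    t.record_change("CRF-002", "weight_kg", None, 71.5, "site_coord_a", "initial entry",
                    base.replace(minute=5))
    t.record_change("CRF-001", "systolic_bp", 128, 182, "investigator_b",
                    "transcription error vs. source", base.replace(minute=30))
    return t.export()
```

The chain detects edits, deletions, and reordering inside an exported trail. Detecting truncation of the tail or a complete rewrite additionally requires keeping the latest `entry_hash` somewhere the system's administrators cannot alter.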
Beyond audit trails, the guidance addresses broader data integrity and security controls. These include:
- Procedures to limit system access to authorized users only
- Strong authentication mechanisms to verify user identity
- External security safeguards (firewalls, antivirus software, intrusion detection systems)
- Data backup and recovery procedures to protect against data loss
- Controls to prevent unauthorized modification of time stamps and metadata
- System validation documentation demonstrating fitness for intended use
Digital Health Technologies and Remote Data Acquisition
Recognizing the accelerating adoption of digital health technologies, the final guidance dedicates substantial attention to DHTs used for remote data acquisition in clinical investigations. DHTs are defined as systems that use computing platforms, connectivity, software, and/or sensors for healthcare and related uses. This encompasses a wide range of technologies including wearable devices, mobile applications, biosensors, and other connected health devices.
When DHTs are used to record data from participants in clinical investigations, sponsors face unique challenges in ensuring data attribution (identifying the data originator) and maintaining data integrity. The guidance emphasizes that data obtained from DHTs should be correctly attributed to the originator, whether that is the participant, a healthcare provider, or the device itself.
DHTs should be designed with access controls to prevent unauthorized changes to data. However, FDA acknowledges that implementing robust access controls may be technically challenging for certain consumer-grade DHTs, such as wearable fitness trackers. Nevertheless, sponsors must address authentication and data attribution, particularly when DHT data will be used to support clinical investigation endpoints.
The guidance incorporates principles from FDA’s January 2022 draft guidance titled “Digital Health Technologies for Remote Data Acquisition in Clinical Investigations,” emphasizing that the same fundamental data integrity principles apply regardless of whether data is collected in-person at a clinical site or remotely through DHTs.
Information Technology Service Providers
Modern clinical trials increasingly rely on outsourced IT services and cloud computing platforms. The guidance addresses the responsibilities of both regulated entities and their IT service providers in this context.
Regulated entities bear ultimate responsibility for ensuring that IT services meet FDA requirements, even when those services are provided by third parties. Before contracting with an IT service provider, regulated entities should:
- Evaluate the provider’s ability to ensure the authenticity, integrity, and confidentiality of clinical investigation records and data
- Assess the provider’s validation processes and procedures for IT systems and services
- Verify the provider’s ability to generate accurate and complete copies of records
- Confirm the provider’s capacity to provide data access for as long as records must be retained under applicable regulations
FDA recommends that regulated entities maintain written agreements with IT service providers (such as master service agreements with associated service level agreements or quality agreements) that clearly describe how the services will meet regulatory requirements. These agreements should delineate responsibilities, define performance expectations, and establish mechanisms for oversight and audit.
Importantly, FDA may inspect IT service providers who have assumed regulatory responsibilities as part of a clinical investigation. This means that cloud service providers, EDC system vendors, and other IT service providers may find themselves subject to FDA inspection if they perform functions that affect the integrity of clinical trial data.
Electronic Signatures
The guidance addresses various methods for creating valid electronic signatures and verifying the identity of individuals who electronically sign records. Electronic signatures based on biometric identifiers (fingerprints, facial recognition, etc.) must be designed to ensure that only the genuine individual can execute the signature.
One notable clarification addresses a common point of confusion: signatures drawn with a finger or electronic stylus on a touchscreen are not considered handwritten signatures executed on paper for purposes of Part 11. Rather, these are electronic signatures that must comply with Part 11 requirements, including establishing the signed record’s authenticity and integrity and preventing repudiation of the signature.
Electronic signatures must be linked to their respective electronic records to prevent them from being excised, copied, or otherwise transferred to falsify an electronic record. The guidance discusses various signature methods including username/password combinations, biometric-based systems, and cryptographic techniques, noting that each method must be implemented with appropriate controls to ensure security and non-repudiation.
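The linking requirement above can be met by computing the signature over a digest of the record itself, so that a signature lifted onto a different record no longer verifies. This is an added example, not taken from the guidance: the manifest fields, the sample records, and the key are constructed, and HMAC from the standard library stands in for the signing primitive (a system that needs non-repudiation would use an asymmetric key held only by the signer).

```python
import hashlib
import hmac
import json

MANIFEST_FIELDS = ("record_digest", "signer_id", "meaning", "signed_at")

# Constructed sample data for illustration only.
SIGNER_KEY = b"constructed-demo-key-not-a-real-secret"
RECORD_A = {"record_id": "CRF-001", "systolic_bp": 128,
            "meta": {"captured_at": "2024-10-02T09:00:00+00:00"}}
RECORD_B = {"record_id": "CRF-002", "systolic_bp": 182,
            "meta": {"captured_at": "2024-10-02T09:05:00+00:00"}}


def canonical(obj):
    """Stable byte encoding so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record):
    """Digest covers the record's content and its metadata together."""
    return hashlib.sha256(canonical(record)).hexdigest()


def sign_record(record, signer_id, meaning, signed_at, signer_key):
    """Build a signature manifest that names the exact record being signed."""
    manifest = {
        "record_digest": record_digest(record),
        "signer_id": signer_id,
        "meaning": meaning,      # e.g. review, approval, authorship
        "signed_at": signed_at,
    }
    tag = hmac.new(signer_key, canonical(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "tag": tag}


def verify_signature(record, signature, signer_key):
    """True only if the manifest is untouched AND it refers to this record."""
    try:
        manifest = {k: signature[k] for k in MANIFEST_FIELDS}
        tag = signature["tag"]
    except (KeyError, TypeError):
        return False
    expected = hmac.new(signer_key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # manifest was altered, or a different key was used
    # Signature is genuine; now check that it belongs to the record presented.
    return hmac.compare_digest(manifest["record_digest"], record_digest(record))


def transfer_attempt(signature, target_record):
    """Model of the failure the control prevents: re-pointing a signature at another record."""
    forged = dict(signature)
    forged["record_digest"] = record_digest(target_record)
    return forged
```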
Records Retention and Certified Copies
The guidance clarifies FDA’s expectations regarding retention of electronic records. FDA does not draw a distinction between electronic and other forms of records when it comes to retention requirements—the same retention periods mandated by predicate rules apply regardless of record format.
During inspections, regulated entities must provide all records and data needed to reconstruct a clinical investigation, including metadata (such as date and time stamps for when data were originally acquired and subsequently changed) and audit trails. For records that exist only in electronic form, backup and recovery procedures must be in place to prevent data loss.
If a regulated entity intends to maintain a copy of an electronic record in place of the original (whether that original was paper or electronic), a “certified copy” is required. A certified copy is one that has been verified to contain the same information, including metadata, as the original record. Once a certified copy is created and verified, the original record may be discarded.
Electronic records can be retained using various methods including electronic storage devices (hard drives, servers, tape systems) and cloud computing services. Regardless of the retention method chosen, regulated entities must ensure that records remain accessible, readable, and usable throughout the required retention period, which may extend for years or even decades after a clinical investigation concludes.
FDA Inspection Focus
The guidance provides insight into what FDA will focus on during inspections of electronic systems used in clinical investigations. For systems owned or managed by sponsors and other regulated entities that fall under Part 11 scope, FDA’s focus areas include:
- Whether the system is fit for its intended purpose in the clinical investigation
- Implementation of appropriate controls to ensure data integrity and security
- System validation documentation and records
- User access controls and authentication mechanisms
- Audit trail functionality, protection, and review procedures
- Data backup and disaster recovery capabilities
- Procedures for handling system changes and updates
- Documentation of IT service provider relationships and oversight
- Training records for system users
For clinical investigators who deploy their own electronic systems under Part 11 scope, FDA expects investigators to retain documentation related to those systems and make it available during inspections. This might include, for example, an investigator’s use of a local electronic medical record system or laboratory information management system that directly interfaces with the sponsor’s EDC system.
FDA will also assess whether electronic systems maintain the authenticity, integrity, and confidentiality of electronic records—fundamental requirements that transcend specific technical implementations and apply regardless of the technologies employed.
Implementation Recommendations
The final guidance, while representing FDA’s current thinking and recommendations rather than legally binding requirements, should be viewed as essential reading for any organization conducting or planning clinical investigations subject to FDA oversight. Organizations should undertake several steps to align their practices with the guidance:
First, conduct a comprehensive review of existing standard operating procedures (SOPs) related to electronic systems, electronic records, and electronic signatures. Update these SOPs to reflect the principles and recommendations in the guidance, particularly regarding risk-based validation, audit trail management, and IT service provider oversight.
Second, implement or enhance risk assessment processes for electronic systems validation. This may require developing new risk assessment methodologies or templates that explicitly consider the factors identified in the guidance: data importance, participant safety impact, trial result reliability, and system complexity.
Third, review and strengthen agreements with IT service providers and cloud platform vendors. Ensure these agreements clearly delineate responsibilities for data integrity, security, validation, and regulatory compliance. Consider conducting audits of key service providers to verify their capabilities and compliance.
Fourth, enhance training programs for personnel involved in clinical investigations to address the requirements and expectations detailed in the guidance. This includes not only IT and quality assurance staff but also clinical research associates, data managers, and site personnel who interact with electronic systems.
Fifth, evaluate current audit trail review practices. Implement risk-based approaches to audit trail review that focus resources on high-risk systems and critical data points while potentially reducing review frequency for lower-risk applications.
Relevance to Japanese Pharmaceutical Companies
For Japanese pharmaceutical companies conducting global clinical development programs, this guidance has particular relevance. As many Japanese companies increasingly submit marketing applications to FDA for the U.S. market, ensuring compliance with Part 11 requirements is essential not only for U.S.-based trials but for any trial worldwide whose data will support U.S. regulatory submissions.
The questions addressed in the guidance, including Q2 regarding FDA’s inspection focus for systems owned by sponsors and Q10 regarding applicability to non-U.S. sites, directly impact Japanese companies’ operations. Companies must ensure that their global clinical trial infrastructure—whether managed from Japan, through regional CROs, or at local investigator sites—meets FDA’s expectations.
This may require significant coordination between Japanese headquarters, regional affiliates, CROs, and technology vendors to implement consistent Part 11-compliant systems and processes across geographically dispersed operations. The investment in compliant infrastructure and processes, while substantial, is necessary to support successful U.S. regulatory submissions and avoid delays or deficiencies related to electronic records integrity.
Conclusion and Future Outlook
FDA’s October 2024 final guidance on electronic systems, electronic records, and electronic signatures in clinical investigations represents the culmination of years of regulatory evolution responding to rapid technological change. By providing 29 detailed questions and answers spanning electronic records, electronic systems, IT service providers, digital health technologies, and electronic signatures, the guidance offers comprehensive direction for the modern, digitized clinical trial environment.
The guidance’s emphasis on risk-based approaches, its recognition of contemporary technologies like DHTs and cloud services, and its pragmatic treatment of real-world data sources demonstrate FDA’s commitment to fostering innovation while maintaining rigorous data integrity standards. For global pharmaceutical companies, including those based in Japan, successful implementation of these principles is not merely a regulatory compliance exercise but a foundation for conducting high-quality clinical research that can reliably support regulatory decision-making.
As technology continues to evolve and new modalities emerge—from artificial intelligence-assisted data collection to decentralized trial platforms to novel biosensing technologies—FDA’s guidance provides a flexible framework grounded in fundamental principles of data integrity, security, and authenticity. Organizations that embrace these principles and implement robust, risk-based approaches to electronic records management will be well-positioned to navigate both current requirements and future regulatory expectations in an increasingly digital clinical research landscape.
Reference Materials
For readers seeking additional information, the following resources are recommended:
- FDA Final Guidance: “Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers” (October 2024) – Available at www.fda.gov
- FDA Guidance: “Part 11, Electronic Records; Electronic Signatures — Scope and Application” (August 2003)
- ICH Guidance: “Q9(R1) Quality Risk Management” (May 2023)
- ISO Standard: “ISO 31010:2019 Risk management – Risk assessment techniques”
- FDA Draft Guidance: “Digital Health Technologies for Remote Data Acquisition in Clinical Investigations” (January 2022)
These documents collectively provide a comprehensive framework for understanding and implementing FDA’s expectations for electronic systems in clinical research.