FDA Guidance Revision for Computer Systems Used in Clinical Investigations

Introduction

In October 2024, the U.S. Food and Drug Administration (FDA) issued final guidance entitled “Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers.” This comprehensive guidance was published in the Federal Register on October 2, 2024, and represents a significant update to FDA’s thinking on the use of electronic systems in clinical trials.

This final guidance supersedes the May 2007 guidance “Computerized Systems Used in Clinical Investigations” and finalizes the draft guidance of the same title that was issued in March 2023 (following an earlier draft in June 2017). The revision reflects the substantial technological advances that have occurred since 2007, particularly the proliferation of cloud computing services, digital health technologies (DHTs), and sophisticated electronic data capture systems.

Background and Evolution of Electronic Records Regulations

The regulatory framework for electronic records and signatures has evolved considerably over the past three decades. In March 1997, FDA established 21 CFR Part 11, which set forth criteria under which electronic records, electronic signatures, and handwritten signatures executed to electronic records would be considered trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. This regulation became effective in August 1997 and applies to all FDA program areas.

In August 2003, FDA issued the guidance “Part 11, Electronic Records; Electronic Signatures – Scope and Application,” which clarified the agency’s narrowed interpretation of Part 11 and announced the exercise of enforcement discretion for certain requirements. This 2003 guidance has remained the foundational document for understanding FDA’s approach to electronic records and signatures, and it continues to apply alongside the new 2024 guidance.

The May 2007 “Computerized Systems Used in Clinical Investigations” guidance built upon the 2003 Part 11 guidance by providing specific recommendations for clinical trial contexts. However, given the rapid pace of technological change—particularly the rise of cloud computing, mobile devices, wearables, and sophisticated digital health technologies—FDA recognized the need for updated guidance that addresses contemporary electronic systems while maintaining the core principles established in Part 11.

Purpose and Scope of the 2024 Guidance

The October 2024 guidance provides updated recommendations for sponsors, clinical investigators, institutional review boards (IRBs), contract research organizations (CROs), and other interested parties on the use of electronic systems, electronic records, and electronic signatures in clinical investigations of foods, medical products (including drugs, biologics, and devices), tobacco products, and new animal drugs.

The guidance is structured in a question-and-answer format comprising 29 questions organized into the following major sections:

I. Electronic Records

This section addresses fundamental questions about creating, maintaining, and retaining electronic records in compliance with applicable regulations. It covers topics such as:

  • Definition and characteristics of electronic records in clinical investigations
  • Requirements for maintaining certified copies of electronic records
  • Retention requirements and acceptable storage methods (including cloud-based solutions)
  • Ensuring authenticity, integrity, and confidentiality of electronic records, including associated metadata and audit trails
  • Clarification that Part 11 does not specifically address electronic communication methods such as email or text messages, leaving security determinations to the regulated entity’s discretion

An important clarification in the final guidance concerns real-world data (RWD) sources. FDA specified that it does not intend to apply Part 11 requirements to electronic health record (EHR) systems and other electronic systems that serve as sources of real-world data until such data are entered into a sponsor’s electronic data management system (such as an electronic data capture (EDC) system) for submission to FDA. This pragmatic approach recognizes the complexity of healthcare IT systems while maintaining data integrity expectations once data enter the regulatory pathway.

II. Electronic Systems Deployed by Regulated Entities

This section focuses on electronic systems used to create, modify, maintain, archive, retrieve, or transmit clinical investigation records. Key topics include:

  • Application of risk-based approaches to system validation
  • Requirements for documentation of electronic systems throughout their lifecycle
  • Implementation of security safeguards, including access controls and audit trails
  • Validation approaches proportionate to the system’s intended use, data importance, and potential impact on participant safety and trial results
  • System functionality, configurations, customizations, data transfers, and interfaces between systems
  • Change control procedures to evaluate and validate modifications throughout the system lifecycle
  • Ensuring that only authorized individuals have appropriate access to systems and data

The guidance emphasizes that regulated entities can deploy their own electronic systems or utilize systems provided by IT service providers. Regardless of the deployment model, the same risk-based validation principles apply. The extent and rigor of validation should be commensurate with the system’s role in the clinical investigation and the criticality of the data it handles.

III. Information Technology Service Providers and Services

This section represents one of the most significant expansions from the 2007 guidance, reflecting the widespread adoption of cloud computing and external IT services in clinical research. Key considerations include:

Determining IT Service Provider Suitability: Regulated entities must assess an IT service provider’s capability to ensure the authenticity, integrity, and confidentiality of clinical investigation records and data. This assessment should consider:

  • The provider’s quality management system and data integrity controls
  • Security measures and incident response capabilities
  • Business continuity and disaster recovery plans
  • Data retention and retrieval capabilities
  • Track record and reputation in the industry

Contractual Agreements: The guidance recommends that regulated entities establish clear written agreements with IT service providers that specify:

  • Respective responsibilities for data integrity, security, and retention
  • Access rights for audits and inspections
  • Procedures for data export and retrieval
  • Notification requirements for security incidents or system changes
  • Compliance with applicable FDA regulations, including Part 11

Cloud Computing Considerations: Given the prevalence of cloud-based solutions in modern clinical trials, the guidance acknowledges that various methods of retaining electronic records are acceptable, including cloud computing services, provided that data authenticity, integrity, and confidentiality are maintained.

Inspection Readiness: Sponsors and CROs must be prepared for FDA inspections when electronic systems are owned, controlled, or outsourced by these entities. This includes having appropriate documentation available and ensuring that IT service providers will cooperate with FDA requests for information.

IV. Digital Health Technologies (DHTs)

The section on DHTs reflects the growing use of mobile devices, wearables, sensors, and other technologies for remote data acquisition in clinical investigations. The guidance addresses:

Data Attribution: When DHTs are used to record and transmit data, proper attribution must be ensured. The guidance discusses mechanisms to link recorded data to specific participants and to document when and how data were captured.

Source Data Location: For inspection purposes, FDA considers the source data recorded by a DHT to be located at the durable electronic data repository (e.g., EDC system, clinical investigation site database, cloud-based digital platform) into which the DHT data are transmitted via direct, uninterruptable, and secure connection according to the sponsor’s pre-specified plan.

Data Transfer and Integrity: Data recorded by DHTs should be transferred using a validated process to a durable electronic data repository according to the sponsor’s pre-specified plan. Transmission should occur contemporaneously or as soon as possible after data are recorded. The date and time of data transfer should be included in the audit trail.

Protection and Retention: DHT-recorded data must be protected and retained in accordance with applicable regulatory requirements. This includes ensuring that all metadata associated with the original data capture are preserved.

Risk-Based Planning: Sponsors should implement risk-based approaches when incorporating DHTs into clinical investigations, considering factors such as the criticality of the data being collected, the participant population, and the complexity of the DHT system.

V. Electronic Signatures

The guidance provides detailed recommendations on the use and implementation of electronic signatures in clinical investigations:

Methods of Creating Electronic Signatures: While Part 11 establishes criteria for trustworthy electronic signatures, it does not mandate specific technological methods. Acceptable methods may include:

  • Computer-readable ID cards
  • Biometric authentication (fingerprint, iris scan, facial recognition)
  • Digital signatures based on cryptographic techniques
  • Username and password combinations
  • Two-factor or multi-factor authentication approaches

Important Distinction: FDA clarifies that signatures drawn with a finger or electronic stylus on a mobile device or other electronic system are NOT considered electronic signatures under Part 11. Rather, they are considered handwritten signatures executed to electronic records and must meet the requirements for such signatures under Part 11.

Biometric Requirements: Electronic signatures based on biometrics must be designed to ensure that they cannot be used by anyone other than the genuine individual. This typically involves liveness detection, anti-spoofing measures, and robust enrollment procedures.

Letters of Non-Repudiation: The guidance clarifies requirements regarding letters of non-repudiation. Each person using an electronic signature must certify to FDA that the electronic signature is intended to be the legally binding equivalent of their traditional handwritten signature. This certification must be signed with a traditional handwritten signature and submitted in paper or electronic form. Information on where to submit these certifications is available on FDA’s website.

Signature Components: Electronic signatures must contain:

  • The printed name of the signer
  • The date and time of signing
  • The meaning associated with the signature (e.g., review, approval, authorship, responsibility)

These components must be linked to the electronic record to ensure that signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record.
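The linkage requirement above can be demonstrated in code. The following is an added example, not text or code from the FDA guidance: it builds a signature manifestation whose integrity tag covers the record content together with the signer's printed name, the date and time, and the meaning of the signature, and then shows that the manifestation fails verification if it is copied onto another record, if the record is edited after signing, or if a component is altered. A keyed MAC (HMAC-SHA256) is used as a stand-in for whatever signing mechanism a system adopts; the key, the record contents and the names are all constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption: a keyed MAC stands in for the system's real signing mechanism.
# The key would be held by the signature service, never by the signer.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# The three components Part 11 requires in a signature manifestation.
COMPONENTS = ("record_sha256", "printed_name", "signed_at", "meaning")

def canonical(obj) -> bytes:
    """Canonical JSON so identical content always serialises identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def record_hash(record: dict) -> str:
    """Content hash of the electronic record being signed."""
    return hashlib.sha256(canonical(record)).hexdigest()

def sign_record(record: dict, printed_name: str, meaning: str, signed_at: str) -> dict:
    """Produce a signature manifestation bound to this record.

    The tag covers the record hash and all three components, so none of
    them can be changed, and the block cannot be moved to another record,
    without the tag ceasing to verify.
    """
    manifest = {
        "record_sha256": record_hash(record),
        "printed_name": printed_name,
        "signed_at": signed_at,   # ISO 8601 timestamp supplied by the system clock
        "meaning": meaning,       # e.g. review, approval, authorship, responsibility
    }
    tag = hmac.new(SIGNING_KEY, canonical(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "tag": tag}

def verify_signature(record: dict, signature: dict) -> bool:
    """True only if the signature belongs to exactly this record and its
    components are unchanged; False for any missing or altered field."""
    try:
        manifest = {k: signature[k] for k in COMPONENTS}
        tag = signature["tag"]
    except KeyError:
        return False
    if manifest["record_sha256"] != record_hash(record):
        return False
    expected = hmac.new(SIGNING_KEY, canonical(manifest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

# Constructed sample records (not real trial data).
CRF_PAGE_1 = {"subject": "S-001", "visit": 2, "field": "systolic_bp", "value": 128}
CRF_PAGE_2 = {"subject": "S-001", "visit": 3, "field": "systolic_bp", "value": 131}

def demo() -> dict:
    """Run the checks a reviewer would expect; every value should be True."""
    sig = sign_record(CRF_PAGE_1, "Dr. A. Investigator", "approval", "2025-01-15T14:32:00Z")
    return {
        "original_verifies": verify_signature(CRF_PAGE_1, sig),
        # Copying the signature block onto a different record must fail.
        "transferred_fails": not verify_signature(CRF_PAGE_2, sig),
        # Editing the record after it was signed must fail.
        "edited_record_fails": not verify_signature({**CRF_PAGE_1, "value": 118}, sig),
        # Altering a component (here the stated meaning) must fail.
        "altered_meaning_fails": not verify_signature(CRF_PAGE_1, {**sig, "meaning": "review"}),
        # Dropping a component must fail rather than raise.
        "missing_component_fails": not verify_signature(CRF_PAGE_1, {k: v for k, v in sig.items() if k != "signed_at"}),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

The design point is that the tag is computed over the record hash and the components together, not over the components alone; a manifestation that only authenticates "who, when and why" without the record hash could be lifted from one record and attached to another. In a production system the signature would typically be an asymmetric digital signature whose public key is tied to the enrolled user, but the binding logic is the same.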

Key Principles and Recommendations

Risk-Based Approach

Throughout the guidance, FDA emphasizes the importance of a risk-based approach to implementing and validating electronic systems. The level of control and validation should be proportionate to:

  • The intended use of the system
  • The purpose and importance of the data or records collected
  • The potential impact on participant safety
  • The potential impact on trial results
  • The criticality of data integrity for regulatory decision-making

This risk-based framework allows for flexibility while ensuring appropriate controls are in place where they matter most.

Data Integrity Principles

The guidance reinforces fundamental data integrity principles, often referred to as ALCOA+ (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available). These principles ensure that data are:

  • Attributable: Clearly linked to the person or system that generated them
  • Legible: Readable and understandable throughout the data lifecycle
  • Contemporaneous: Recorded at the time of the activity
  • Original: The first recording or a certified true copy
  • Accurate: Free from errors and truly reflective of observed values
  • Complete: All relevant data are captured and retained
  • Consistent: Data are internally coherent across related records
  • Enduring: Data remain accessible throughout their required retention period
  • Available: Data can be retrieved and reviewed when needed

Audit Trails

Audit trails remain a critical component of electronic record systems. The guidance emphasizes that audit trails must:

  • Be secure, computer-generated, and time-stamped
  • Independently record the date and time of operator entries and actions that create, modify, or delete electronic records
  • Document who made changes, when changes were made, and why changes were made
  • Be retained for at least as long as the electronic records they pertain to
  • Be available for agency review and copying
  • Be protected from modification by users who create, modify, or delete electronic records
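The properties listed above (secure, computer-generated, time-stamped, recording who/when/why, protected from modification by the users whose actions it records) can be given a concrete shape. The following is an added example, not code from the guidance or from any particular vendor: an append-only audit trail in which each entry carries the date and time, user, action, record identifier, old and new values and the reason for change, and in which each entry's hash also covers the hash of the previous entry. A verifier recomputes the chain and reports the first entry at which it breaks, so that an edited or deleted entry is detectable. It also serves the DHT data-transfer passage earlier on this page by recording a transfer event with its own timestamp. All user IDs, record IDs and timestamps are constructed for the example.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # previous-hash value for the first entry

def canonical(obj) -> bytes:
    """Canonical JSON so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class AuditTrail:
    """Append-only, hash-chained audit trail.

    Entries are never updated in place; a correction is a new entry. Each
    entry's hash covers prev_hash, so altering or removing an earlier entry
    invalidates every entry that follows it.
    """
    def __init__(self):
        self.entries = []

    def append(self, user_id, action, record_id, reason,
               old_value=None, new_value=None, timestamp=None):
        # The timestamp is generated by the system, not typed in by the user.
        when = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": when,
            "user_id": user_id,
            "action": action,          # create / modify / delete / transfer
            "record_id": record_id,
            "old_value": old_value,
            "new_value": new_value,
            "reason": reason,          # the "why" the guidance asks for
            "prev_hash": prev,
        }
        entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

def verify_chain(entries):
    """Return (True, None) if the chain is intact, else (False, first_bad_seq)."""
    prev = GENESIS
    for i, e in enumerate(entries, start=1):
        if e.get("seq") != i or e.get("prev_hash") != prev:
            return False, i
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if hashlib.sha256(canonical(body)).hexdigest() != e.get("entry_hash"):
            return False, i
        prev = e["entry_hash"]
    return True, None

def build_demo_trail() -> AuditTrail:
    """Constructed sequence of events for one eCRF field (not real trial data)."""
    t = AuditTrail()
    t.append("crc_jdoe", "create", "S-001/V2/systolic_bp", "initial entry",
             new_value=128, timestamp="2025-01-15T14:30:00Z")
    t.append("crc_jdoe", "modify", "S-001/V2/systolic_bp", "transcription error corrected",
             old_value=128, new_value=118, timestamp="2025-01-15T14:41:12Z")
    # A DHT upload is logged with the date and time of transfer.
    t.append("dht_gateway", "transfer", "S-001/V2/step_count", "scheduled sync from wearable",
             new_value="batch-2025-01-15-01", timestamp="2025-01-15T15:00:03Z")
    return t

def demo() -> dict:
    """Intact chain verifies; an edited or deleted earlier entry is caught at seq 2."""
    trail = build_demo_trail()
    tampered = copy.deepcopy(trail.entries)
    tampered[1]["new_value"] = 128          # silently undo the correction
    deleted = trail.entries[:1] + trail.entries[2:]   # remove the correction entry
    return {
        "intact": verify_chain(trail.entries),
        "edited": verify_chain(tampered),
        "deleted": verify_chain(deleted),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats a practitioner should keep in mind. First, the chain detects changes to entries that have successors, but truncating the tail of the log leaves a valid shorter chain; the usual mitigation is to periodically record the current head hash somewhere the log's users cannot write to (a separate system, a signed daily summary). Second, the code keeps users out of the trail only if the trail's storage is itself restricted, for example by granting application accounts insert-only privileges on the audit table and reserving read access for quality and inspection roles, which is the operational counterpart of the last bullet above.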

Validation and Documentation

Electronic systems must be validated to ensure they perform as intended. Validation activities should include:

  • Design qualification (DQ) – ensuring the system design meets requirements
  • Installation qualification (IQ) – verifying correct system installation
  • Operational qualification (OQ) – confirming the system operates according to specifications
  • Performance qualification (PQ) – demonstrating the system consistently performs in actual use conditions

Validation documentation should be comprehensive, current, and readily available for FDA inspection. This includes documentation of:

  • System architecture and technical specifications
  • Standard operating procedures (SOPs) for system use
  • User training and competency records
  • Change control procedures and records
  • Security controls and access management
  • Backup and recovery procedures
  • Periodic review and revalidation activities

Security Measures

Robust security controls are essential for protecting the authenticity, integrity, and confidentiality of electronic records. The guidance recommends:

  • Role-based access controls with unique user IDs
  • Strong authentication mechanisms (passwords, multi-factor authentication, biometrics)
  • Regular access reviews and timely deactivation of accounts for departed personnel
  • Data encryption for sensitive information, both at rest and in transit
  • Network security controls (firewalls, intrusion detection systems)
  • Physical security for systems and data centers
  • Incident response and breach notification procedures
  • Regular security assessments and vulnerability testing

Inspection Considerations

The guidance outlines expectations for FDA inspections involving electronic systems. Regulated entities should be prepared to:

  • Provide access to electronic records in both human-readable and electronic formats
  • Demonstrate system functionality and controls during inspections
  • Make available validation documentation, SOPs, and training records
  • Show audit trail information and metadata
  • Explain data flows and system architectures
  • Provide information about IT service provider relationships and oversight
  • Demonstrate compliance with contractual obligations to IT service providers

When IT service providers control electronic systems or data, sponsors and CROs must ensure that FDA can access necessary information and documentation during inspections. This may require coordination with the service provider and appropriate contractual provisions.

Relationship to Other FDA Guidance Documents

The October 2024 guidance should be read in conjunction with several other FDA guidance documents:

Current and Related Guidances:

  • “Part 11, Electronic Records; Electronic Signatures – Scope and Application” (August 2003): This foundational guidance remains in effect and establishes FDA’s narrowed interpretation of Part 11 and areas of enforcement discretion. The 2024 guidance expands upon, but does not replace, the 2003 guidance.
  • “Digital Health Technologies for Remote Data Acquisition in Clinical Investigations” (various dates): Provides specific recommendations for using DHTs, including mobile apps, wearables, and other connected devices for data collection in clinical trials.
  • “Use of Real-World Data to Support Regulatory Decision-Making for Medical Products” (July 2024): Addresses the use of real-world data, including data from electronic health records, which intersects with the scope of the electronic records guidance.
  • “Use of Electronic Informed Consent Questions and Answers” (various dates): Covers specific considerations for obtaining informed consent electronically.
  • “Data Integrity and Compliance With Drug CGMP Questions and Answers” (December 2018): While focused on manufacturing, this guidance articulates data integrity principles applicable across FDA-regulated activities, including clinical investigations.

International Harmonization:

The guidance also aligns with international standards and guidelines, including:

  • ICH E6(R3) Good Clinical Practice guideline (in development/finalized)
  • ICH E8(R1) General Considerations for Clinical Studies
  • ISO 14971 (risk management)
  • ISO/IEC 27001 (information security management)
  • ISO 9001 (quality management systems)

Practical Implications and Implementation Considerations

For Sponsors:

Sponsors should:

  1. Review and update validation approaches for electronic systems using risk-based principles
  2. Strengthen agreements with IT service providers and CROs to clearly delineate responsibilities
  3. Implement robust data governance frameworks that address the entire data lifecycle
  4. Enhance training programs for personnel using electronic systems and signatures
  5. Establish comprehensive documentation practices that will facilitate FDA inspections
  6. Conduct gap analyses to identify areas where current practices may not align with the guidance
  7. Develop or update SOPs for electronic records management, including backup, archiving, and retrieval
  8. Implement appropriate controls for DHTs when used in clinical investigations

For Clinical Investigators:

Clinical investigators should:

  1. Ensure understanding of their responsibilities for electronic records maintained at their sites
  2. Work with sponsors to understand how electronic systems function and how to use them properly
  3. Maintain appropriate oversight of source data recorded in electronic form
  4. Ensure that required training on electronic systems is completed and documented
  5. Participate in validation activities as appropriate
  6. Understand procedures for data query resolution in electronic systems
  7. Maintain certified copies of electronic records as required

For IRBs:

IRBs should:

  1. Review electronic systems used in protocols under their oversight
  2. Consider data protection and participant privacy implications of electronic systems
  3. Evaluate electronic informed consent processes when applicable
  4. Ensure that their own electronic records systems comply with Part 11 requirements
  5. Understand how electronic records will be retained for the duration required by regulations

For CROs:

CROs should:

  1. Ensure their electronic systems are appropriately validated and maintained
  2. Establish clear agreements with sponsors regarding system oversight and data management responsibilities
  3. Maintain robust quality management systems that address electronic records and signatures
  4. Be prepared to facilitate FDA inspections, including providing access to systems and documentation
  5. Implement appropriate controls when using or providing IT services

For IT Service Providers:

IT service providers supporting clinical investigations should:

  1. Understand FDA requirements and expectations for electronic systems
  2. Implement appropriate quality management and security controls
  3. Maintain documentation that supports their customers’ validation activities
  4. Establish processes for supporting customer audits and FDA inspections
  5. Provide appropriate service level agreements that address availability, security, and data retention
  6. Notify customers promptly of security incidents, system changes, or other events that could impact data integrity

Technical Considerations for Modern Electronic Systems

Cloud Computing Architecture:

When implementing cloud-based systems, organizations should consider:

  • Infrastructure as a Service (IaaS): Understanding the shared responsibility model and what controls the customer must implement versus those provided by the cloud provider
  • Platform as a Service (PaaS): Ensuring that application-level controls are appropriately implemented
  • Software as a Service (SaaS): Evaluating vendor controls and obtaining appropriate documentation for validation
  • Hybrid and Multi-Cloud Environments: Managing data integrity and security across complex architectures
  • Data Residency: Understanding where data are physically stored and any regulatory implications

Application Programming Interfaces (APIs):

Many modern systems integrate via APIs, requiring attention to:

  • Authentication and authorization for API access
  • Data validation at system boundaries
  • Logging and audit trails for API transactions
  • Error handling and data integrity in case of API failures
  • Version management and backward compatibility

Mobile and Distributed Computing:

With increasing use of mobile devices and distributed systems:

  • Synchronization mechanisms must maintain data integrity
  • Offline data collection requires robust reconciliation processes
  • Device security (encryption, remote wipe capabilities)
  • User authentication on mobile platforms
  • Network security for data transmission

Artificial Intelligence and Machine Learning:

While not explicitly addressed in the 2024 guidance, AI/ML systems are increasingly used in clinical investigations. Organizations implementing such systems should consider:

  • Validation approaches for AI/ML algorithms
  • Documentation of algorithm training and performance
  • Monitoring for algorithm drift or performance degradation
  • Explainability and auditability of AI/ML decisions
  • Handling of algorithm updates and changes

Industry Best Practices and Recommendations

Based on the guidance and industry experience, several best practices have emerged:

1. Early Planning and Design:

Incorporate data integrity and compliance requirements into system design from the outset (quality by design, compliance by design). This is more efficient and effective than retrofitting controls after implementation.

2. Thorough Documentation:

Maintain comprehensive, current documentation including:

  • System descriptions and data flow diagrams
  • Risk assessments supporting validation approaches
  • Validation plans and protocols
  • Validation reports summarizing test results
  • SOPs for system operation and administration
  • Training materials and competency assessments
  • Change control records
  • Audit trail review procedures
  • Business continuity and disaster recovery plans

3. Periodic Review:

Conduct regular reviews of electronic systems to ensure:

  • Controls remain effective and appropriate
  • Systems continue to meet their intended use
  • Changes have been properly evaluated and validated
  • User access remains appropriate
  • Security measures are current
  • Documentation is up to date

4. Culture of Quality:

Foster an organizational culture that values data integrity, including:

  • Leadership commitment to quality and compliance
  • Clear policies and procedures
  • Adequate resources for compliance activities
  • Open communication about data integrity issues
  • Non-punitive approaches to error reporting
  • Continuous improvement mindset

5. Vendor Management:

Develop robust vendor management programs that include:

  • Due diligence during vendor selection
  • Clear contracts with defined responsibilities
  • Regular vendor audits or assessments
  • Performance monitoring against service level agreements
  • Communication and escalation procedures
  • Contingency planning for vendor changes or failures

6. Training and Competency:

Implement comprehensive training programs that ensure:

  • Initial training before system access is granted
  • Role-appropriate training based on system use
  • Regular refresher training
  • Training on data integrity principles
  • Documentation of training completion
  • Assessment of competency where appropriate
  • Just-in-time training resources for reference

Transition and Implementation Timeline

While the guidance was issued in October 2024, FDA recognizes that implementation of recommended practices may require time, particularly for complex systems or when significant changes to existing processes are needed.

Organizations should:

  1. Conduct gap analyses to identify areas where current practices differ from guidance recommendations
  2. Prioritize remediation efforts based on risk (focusing first on areas with greatest potential impact on data integrity or participant safety)
  3. Develop implementation plans with realistic timelines
  4. Document rationale for implementation approaches and timelines
  5. Communicate with FDA through appropriate channels if significant concerns or challenges arise

For new clinical investigations, sponsors should strive to implement practices consistent with the guidance from the outset. For ongoing investigations, sponsors should evaluate whether changes are needed and implement them in a controlled manner that does not compromise existing data or trial conduct.

Conclusion

The October 2024 FDA guidance “Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers” represents an important update that reflects the evolution of technology in clinical research. By superseding the 2007 guidance and expanding on the foundational 2003 Part 11 guidance, it provides contemporary recommendations that address cloud computing, digital health technologies, and modern IT service models while maintaining core principles of data integrity, authenticity, and reliability.

The guidance’s risk-based approach provides flexibility for organizations to implement controls appropriate to their systems and data while ensuring that critical protections remain in place. The detailed Q&A format offers practical guidance on a wide range of topics, from electronic signature methods to DHT data handling to IT service provider relationships.

Successful implementation of the guidance requires collaboration among sponsors, investigators, IRBs, CROs, IT service providers, and other stakeholders. It also requires ongoing attention to emerging technologies and evolving best practices. Organizations that invest in robust electronic systems, comprehensive documentation, effective training, and a culture of quality will be well-positioned to leverage technology to improve the efficiency and quality of clinical investigations while maintaining compliance with FDA expectations.

As technology continues to advance, FDA may issue additional guidance or revisions to address new challenges and opportunities. Organizations should monitor FDA communications, participate in public consultations, and engage with industry groups to stay current with regulatory expectations and emerging best practices in this dynamic area.

Appendix: Key Definitions (from the Guidance)

Audit trail: A secure, computer-generated, time-stamped electronic record that allows reconstruction of events relating to the creation, modification, or deletion of an electronic record.

Certified copy: A copy (irrespective of the type of media used) of original information that has been verified to have the same information, including data that describe the context, content, and structure, as the original.

Digital Health Technology (DHT): A system that uses computing platforms, connectivity, software, and/or sensors for healthcare and related uses. These technologies span a wide range of uses, from applications in general wellness to applications as a medical device.

Durable Electronic Data Repository: A data storage system in which data (including metadata) are intended to be retained contemporaneously in an enduring and secure manner.

Electronic Record: Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or transmitted by a computer system.

Electronic Signature: A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.

Information Technology Service Provider: An entity that provides information technology services used in clinical investigations, such as cloud computing platforms, electronic data capture systems, or data storage services.

Metadata: Contextual information required to understand data. This information includes structural and descriptive information about data such as data attributes (name, type, range), data relationships, timestamps, version information, and any other information that provides context needed to interpret the data.

Source Data: All information in original records and certified copies of original records of clinical findings, observations, or other activities in a clinical trial necessary for the reconstruction and evaluation of the trial.

Validation: Establishing documented evidence that provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specifications and quality attributes.

This article reflects current guidance as of January 2026. Readers should verify that they are referencing the most current FDA guidance documents and should consult with regulatory professionals when making compliance decisions.
