The new article emphasizes specific focus areas the authority will pay attention to when evaluating compliance in the context of electronic record-keeping procedures.
Table of content
The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to electronic systems, electronic records, and electronic signatures in clinical investigations. The document provides an overview of the applicable regulatory requirements, as well as additional clarifications and recommendations to be taken into consideration by medical device manufacturers, sponsors responsible for clinical investigations, and other parties involved.
At the same time, provisions of the guidance are non-binding in their legal nature, nor are they intended to introduce new rules or impose new obligations. Moreover, the authority explicitly states that an alternative approach could be applied, provided such an approach complies with the relevant regulatory requirements and has been agreed with the authority in advance.
In particular, the guidance focuses on key considerations for clinical investigators and sponsors regarding the use of electronic systems in clinical investigations. The document outlines what the FDA will examine during inspections, including security safeguards, audit trails, and user training for electronic systems.
The guidance also provides practical recommendations on managing electronic systems, ensuring data integrity, and maintaining proper documentation throughout the clinical investigation process.
FDA’s Focus During Inspections of Clinical Investigators Using Electronic Systems
According to the document, during inspections, the FDA will concentrate on several critical issues regarding electronic systems used in clinical investigations.
These include:
- Staff Training: Investigators must ensure that all staff members using electronic systems are adequately trained. Records of such training should be maintained.
- System Access and Controls: There must be robust procedures and controls in place for managing system access, as well as the creation, modification, and maintenance of data. Investigators should document system access for each user, ensure users have individual accounts, and revoke access when trial personnel changes occur. Backup and recovery plans for data must also be in place.
If clinical investigators deploy their own electronic systems (e.g., electronic data capture (EDC) systems or electronic investigator site files), they must retain the relevant system documentation, as described in Q8, and make it available during inspections.
FDA Review of Audit Reports from IT Service Providers
Sponsors and other regulated entities often conduct audits of IT service providers to evaluate the quality management plans and compliance with relevant SOPs. These audits assess the design, development, and maintenance of electronic systems used in clinical investigations.
However, the FDA generally does not review audit reports from IT service providers’ systems, products, or services during inspections.
Security Safeguards for Electronic Systems
As further explained by the authority, regulated entities must ensure that electronic systems used in clinical investigations are equipped with adequate security safeguards to protect the authenticity, integrity, and, when necessary, confidentiality of electronic records. These safeguards should include logical and physical access controls tailored to the risks associated with the data.
Access controls, such as multi factor authentication, strong login credentials, and biometrics (e.g., facial recognition or fingerprint scanning), can be employed to protect the system from unauthorized access. Additionally, records must be kept of all personnel authorized to access the system, documenting their access rights and any changes to those rights.
Systems should be designed to log unauthorized login attempts, and processes should be in place to detect and respond to security breaches. Entities should also use appropriate measures, such as firewalls, antivirus software, and encryption, to prevent and remedy security threats like malware and unauthorized data access.
In cases where security breaches affect data integrity or participant safety, entities must report these incidents to the FDA and Institutional Review Boards (IRBs) promptly.
Use of Audit Trails in Electronic Systems
Audit trails are essential for ensuring the authenticity and integrity of electronic records. These time-stamped, electronically generated logs record significant activities such as the creation, modification, or deletion of data.
Audit trails ensure that no information is obscured when records are altered and allow investigators to verify the trustworthiness of data.
Key requirements for audit trails include:
- Capturing Record Changes: Audit trails must document all changes made to electronic records, including the date and time of changes, the individuals responsible for the changes, and the reason for changes (where applicable).
- Preventing Modification: Audit trails should be protected from being altered or disabled, ensuring that the data remains intact throughout the investigation.
- Periodic Review: Sponsors should periodically review audit trails as part of data quality assurance. The decision to review audit trails should be based on a risk assessment of the clinical investigation.
Audit trail documentation must be made available for FDA inspection. The information should be complete, understandable, and searchable. The audit trail must capture the old and new values of data, as well as the reason for changes, and should be retained in a format that facilitates inspection.
Scope of Audit Trails
It is not necessary for audit trails to capture every keystroke. Instead, audit trails should record deliberate user actions such as creating, modifying, or deleting records.
Edits to completed fields should be documented in the audit trail, and any data changes prompted by an edit check should also be recorded.
Ensuring Correct System Date and Time
Controls must be implemented to ensure that an electronic system’s date and time are correct. Only authorized personnel, such as system administrators, should be able to adjust the system’s date or time, and any changes should be documented.
If a system discrepancy is detected, administrators must be notified immediately. For investigations conducted across different time zones, sponsors should clearly indicate the relevant time zone or use Greenwich Mean Time (GMT) for consistency.
Training for Users of Electronic Systems
All personnel involved in the development, maintenance, or use of electronic systems during clinical investigations must have the appropriate education, training, and experience for their roles. Training should cover system access, clinical documentation, and data integrity protocols.
Personnel should receive training before using the system and whenever significant changes to the system occur. Training must be documented, and current training materials should be accessible to both clinical trial personnel and participants during the investigation.
Conclusion
In summary, this section of the FDA guidance emphasizes the importance of managing electronic systems securely and effectively throughout clinical investigations. Sponsors, clinical investigators, and other regulated entities must implement robust security measures, ensure proper staff training, maintain audit trails, and use a risk-based approach to data management. Compliance with Part 11 of the CFR ensures that clinical data remains trustworthy, reliable, and accessible for FDA inspection, helping to protect the rights and safety of participants while maintaining the integrity of trial results.
How Can RegDesk Help?
RegDesk is an AI-powered Regulatory Information Management System that provides medical device companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Global expansion has never been this simple.
