The new article explains the approach to be followed in the context of retention and management of electronic records.

FDA Guidance

The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to electronic systems, electronic records, and electronic signatures in clinical investigations. The document provides an overview of the applicable regulatory requirements, as well as additional clarifications and recommendations to be taken into consideration by medical device manufacturers, sponsors responsible for clinical investigations, and other parties involved. 

At the same time, provisions of the guidance are non-binding in their legal nature, nor are they intended to introduce new rules or impose new obligations. Moreover, the authority explicitly states that an alternative approach could be applied, provided such an approach complies with the relevant regulatory requirements and has been agreed with the authority in advance. 

The relevant section of the FDA guidance offers recommendations and answers key questions regarding the retention, management, and validation of electronic records and systems used in clinical investigations. As technology evolves, sponsors, clinical investigators, and other regulated entities must ensure that electronic systems and records comply with regulatory standards to protect the integrity, authenticity, and security of clinical data. 

The guidance highlights methods for retaining electronic records, the importance of backup procedures, and the use of a risk-based approach to system validation.

Retaining Electronic Records in Clinical Investigations

Under the general rule, regulated entities, such as sponsors and clinical investigators, are responsible for ensuring the proper retention of electronic records generated during clinical investigations. These records can be stored using electronic devices or cloud-based services, but entities must ensure that data authenticity, integrity, and confidentiality are maintained throughout the storage process. 

It is essential that records, along with their associated metadata, be preserved securely and remain traceable for the entire retention period required by regulatory standards. Additionally, these records must be readily available for FDA inspection when necessary.

To prevent data loss, regulated entities must implement regular backup procedures. Backups should be stored in a secure location, separate from the original records, and follow protocols defined in the entity’s system documentation or standard operating procedures (SOPs). 

Maintaining detailed logs of backup and recovery processes is crucial to assessing the impact of any system failure. During inspections, the FDA may request access to all records, including metadata and audit trails, necessary to reconstruct a clinical investigation. 

When systems are decommissioned or a contract with a cloud service ends, sponsors must ensure that all relevant metadata are retained and can be linked to corresponding data elements. This process ensures the FDA can evaluate the accuracy and completeness of clinical investigation records.

FDA on clinical trials with decentralized elements (overview)

Applicability of Part 11 to Electronic Communication Methods

The guidance clarifies that Part 11 regulations do not directly address electronic communication methods, such as emails or text messages. However, regulated entities are responsible for determining whether these communication methods are sufficiently secure for transmitting sensitive clinical investigation data. 

Additional privacy and security regulations, particularly those related to participant confidentiality, should also be considered when using these communication methods in clinical investigations.

    Validation of Electronic Systems in Clinical Investigations

    The guidance also outlines recommendations for validating electronic systems deployed by regulated entities in clinical investigations. These systems may be used for a wide range of functions, such as data collection, adverse event reporting, informed consent documentation, and product dispensation. 

    Regardless of whether the systems are internally developed or provided by an external IT service, regulated entities must ensure that these systems are fit for purpose and implemented in a manner that mitigates risks to participant safety and the reliability of trial results.

    Risk-Based Approach to System Validation

    The FDA recommends a risk-based approach to validating electronic systems. This approach, introduced in the 2003 Part 11 guidance, allows entities to tailor their validation efforts based on a documented risk assessment of the system’s intended use, the importance of the data collected, and the potential impact on participant safety and trial outcomes. 

    The validation process ensures that a system can consistently meet specified requirements from its design phase to decommissioning or transition to a new system.

    Key factors to consider when applying a risk-based validation approach include:

    • System’s Intended Use: The system’s purpose in the context of the clinical trial.
    • Data’s Importance: The significance of the data generated, maintained, or retained.
    • Potential Risks: The system’s potential to affect participant safety, rights, and the reliability of trial results.

    Validation encompasses several aspects, including system functionality, protocol-specific configurations, data transfers, and system interoperability. If the validation is conducted by an external IT service provider, the sponsor should review the provider’s documentation to confirm that the system is suitable for use. 

    This includes evaluating processes for system development, validation, testing, and change control. All changes to electronic systems, such as software updates, security patches, or hardware replacements, should be evaluated based on their risk to data integrity. 

    Changes must be documented and should not compromise the traceability, authenticity, or integrity of the data. Sponsors are responsible for ensuring that all validation documentation is available for FDA inspection upon request.

    FDA Focus During Inspections

    According to the guidance, when inspecting a sponsor’s use of electronic systems, the FDA will focus on several areas to ensure compliance with Part 11:

    • Data Management Plans: How data are collected, handled, and secured.
    • System Life Cycle: From design and implementation to decommissioning or transition.
    • Data Integrity: Ensuring records can be reconstructed without loss of meaning.
    • Access Controls: Procedures that limit access to authorized individuals only.
    • Change Control: Documentation of system changes and their effects.
    • Contracts with IT Providers: Agreements detailing responsibilities and functions.
    • Corrective Actions: Procedures to address errors and ensure data protection.

    The FDA expects sponsors to document the use of electronic systems, including their flow of data from creation to final storage. This documentation should include a diagram that outlines how data moves through various systems and details validation processes, change control, user access, data backups, and contingency plans.

    Conclusion

    In summary, the present FDA guidance on retaining and managing electronic records in clinical investigations additionally emphasizes the importance of data integrity, security, and proper system validation. Regulated entities must carefully consider the systems they deploy and ensure that electronic records are backed up, stored securely, and available for FDA inspection. A risk-based approach to system validation helps entities focus their efforts on systems that have the highest potential impact on participant safety and trial outcomes.

    How Can RegDesk Help?

    RegDesk is an AI-powered Regulatory Information Management System that provides medical device companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Global expansion has never been this simple.

    RegDesk is recognized as a Regulatory Intelligence Representative Vendor! Learn more by reading the 2024 Gartner® Market Guide for Regulatory Intelligence Solutions.

    Get the report