The FDA has released a new draft guidance that clarifies the Part 11 regulations for electronic records and signatures as they apply to clinical trials, including validation of mobile and wearable technology and the use of outsourcing and contracting.
In a question-and-answer format, the guidance builds on the FDA’s 2003 Part 11 guidance, explaining how drug sponsors, contract research organizations, institutional review boards and other clinical trial entities must validate systems and audit trails to ensure data integrity.
The guidance suggests using a risk-based approach to validating individual technologies and calls on sponsors to thoroughly examine any product that provides clinical data, such as a wearable sensor that measures blood glucose levels.
Mobile technology used to capture, record and transmit data directly from clinical study participants must include access controls and biometrics to ensure entries come directly from the patient, the guidance said. For apps and other programs that may house data temporarily before being transmitted to the sponsor, the FDA will consider the source data recorded in the patient’s electronic health record in the sponsor’s system as the first permanent record.
When outsourcing electronic systems, sponsors should consider whether adequate controls and data safeguards are in place, the guidance says, and confirm that outsourced services can:
- Properly validate documentation;
- Generate accurate and complete copies of records and retain them as long as required for agency inspections;
- Include secure, time-stamped audit trails of users’ actions; and
- Provide encryption of all relevant data.
Companies should also be able to monitor the vendor’s compliance with security and data integrity controls.
According to the draft, FDA investigators will focus on the implementation of the electronic system, including any changes made once in use. The agency will also evaluate whether any critical data were altered during transfers between formats or systems.
Upon request, sponsors should be able to deliver specified requirements of any outsourced electronic service and vendor agreements, as well as notification procedures following changes or incidents within the system. The FDA may choose to inspect vendors if the needed records are not available from the sponsor or clinical investigation site.
Sponsors should also consider implementing remote wiping and disabling of devices, firewalls, and procedures for wiping all stored health information to ensure confidentiality. In addition, clinical investigators and study personnel should be trained on any specific technology used in a clinical trial, the guidance said.
The full draft guidance is open to public comment through late-August.