Study sponsors now have more options for electronic data capture (EDC) systems than ever. Though paper is still used in some cases, the accuracy, efficiency, and security of electronic systems make them an objectively better option in clinical trials.
That increase in the use of EDC systems and other electronic tools in clinical investigations is the backdrop for the FDA’s new guidance, Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers.
The guidance document provides an updated set of recommendations for “regulated entities,” (meaning sponsors, clinical investigators, CROs, and IRBs) to comply with 21 CFR Part 11 while carrying out clinical investigations.
The guidance covers a lot of ground, so in this article, we’re going to provide a high-level review of its purpose, as well as dig into some of the most important points.
21 CFR Part 11 is the regulation that describes the circumstances under which electronic systems, signatures, and records are considered as trustworthy, reliable, and generally equivalent to paper records and handwritten signatures.
Almost immediately upon publication in 1997, Part 11 began causing confusion among MedTech companies and other professionals that use electronic records. So, in August of 2003, FDA published a guidance document to clarify the scope and implications of various parts of the regulations.
This document helped explain the requirements for software validation, audit trails, managing legacy systems, keeping copies of records, and record retention. It also contained helpful information about what companies need to do in order to comply with its 21 CFR Part 11 requirements.
While the agency continues to apply the interpretation of Part 11 regulations as described in the 2003 guidance, they acknowledge that advances in technology have expanded the uses and capabilities of electronic systems in clinical investigations. As those uses continue to grow, the agency wants to provide additional recommendations for all parties involved in clinical investigations.
This guidance document is meant to help all regulated entities (but sponsors, especially) ensure that they are complying with the requirements of 21 CFR Part 11 during clinical investigations.
Perhaps the biggest takeaway from the guidance for sponsors is that they are ultimately responsible for the data from their investigation, even if it is collected and stored in a third-party system.
FDA makes it clear that they are not in the business of assessing the capabilities of EDC systems or “approving” any electronic systems for use with regards to Part 11. It is the sponsor’s job to ensure that the tools they are using meet the requirements of Part 11. As the agency states:
Once the electronic record enters the sponsor’s electronic data capture (EDC) system, FDA intends to assess compliance with Part 11. Regardless of how the data were originally generated, maintained, or retained, sponsors are responsible for ensuring the quality and integrity of the data they submit in support of marketing applications and other submissions.
In fact, FDA repeatedly emphasizes that it is the job of sponsors to ensure all requirements around authenticity, integrity, and confidentiality are met. This is not to say that you can’t use an external provider for your EDC system. It simply means that it’s up to you to properly vet them and ensure their product and services are validated per the requirements of 21 CFR Part 11.
In the guidance document, FDA defines validation as “a process to establish and document that the specified requirements of a computerized system can be consistently fulfilled from design until decommissioning of the system or transitioning to a new system.”
Because electronic systems vary in how much configuration is needed to use them, the agency states that the level of validation will depend on the nature of the system, and regulated entities should use a risk-based approach to validating their electronic systems. But the agency also recognizes that many EDC providers, like Greenlight Guru Clinical, will perform validation for their customers. In these circumstances, the agency notes that sponsors may want to review their provider’s validation documentation. In particular, they should look at:
Processes for developing and managing the system
Validation processes
Functional testing of the electronic system
Change control procedures and tracking logs
At Greenlight Guru, our EDC system comes validated for MedTech data collection requirements, including Part 11 and ISO 14155:2020 requirements. Our software comes optimized for medical device studies, which means no coding, no stressful setup, and no pharma-centric features you’ll never use. And our validation, security, and privacy policies are always available for review.
Another point of emphasis in the guidance is the audit trail within an electronic system. An audit trail provides “a means to verify the quality, authenticity, and integrity of data, allowing reconstruction of significant details about the clinical investigation conduct and source data collection.”
FDA states that audit trails must be time-stamped and capture information regarding the creation, modification, or deletion of electronic records (among other security measures). They must also ensure that changes to a record do not obscure previously recorded information.
In other words, your audit trail should be able to show all changes made to data, who made them, when they were made, and the reason for the change. Audit trails must also be protected from being disabled or modified, and all audit trails must be available for FDA inspection.
Toward the end of the guidance document, FDA has included a section to help sponsors understand what they should be looking for as they vet EDC systems. In a sense, the following considerations restate what the agency has laid out earlier in the guidance, but in a more succinct form.
These are the considerations FDA recommends sponsors take into account:
Policies the IT service provider has in place to allow the regulated entity to perform oversight of the clinical investigation activities provided by the IT service provider.
Processes and procedures the IT service provider has in place for validation of specific IT services to be used in the clinical investigation.
Ability of the IT service provider to generate accurate and complete copies of records and to provide access to data for as long as the records are required to be retained by applicable regulations.
Processes and procedures the IT service provider has for data migration, data backup, recovery, contingency plans, and retaining records and making them available for FDA inspection for as long as the records are required to be retained by applicable regulations.
Access controls used by the IT service provider for specific IT services used in the clinical investigation, including SOPs for granting and revoking access.
Ability to provide secure, computer-generated, time-stamped audit trails of users’ actions and changes to data.
Ability to secure and protect the confidentiality of data at rest and in transit (as appropriate for the content and nature of the record).
Processes and procedures the IT service provider has in place related to electronic signature controls.
Relevant experience of the IT service provider.
It may seem like a long list, but these are all items that your EDC provider should be capable of demonstrating for you before you begin using their software. For instance, at Greenlight Guru, our EDC system meets all of the FDA’s recommendations because it’s purpose-built for medical devices, offering unmatched ease of use, seamless validation for 21 CFR Part 11 and ISO 14155:2020, and a secure and compliant audit trial.
FDA also gives space in the guidance to Q&As devoted to the use of digital health technologies in clinical trials. DHTs can include wearable devices, environmental sensors, or mobile applications and are being used more often in clinical investigations because of their ability to transmit data directly from the source—giving them an important role in decentralized clinical trials (DCT).
The biggest point FDA wants to make here is that their previous recommendations regarding electronic systems also apply to DHT. The guidance states, “The principles previously discussed in sections III. A through C of this guidance regarding electronic systems are applicable when DHTs are used to record data in a clinical investigation.”
It may seem like FDA is asking for a lot when it comes to compliance with Part 11, but the truth is that it’s only a big undertaking if you’re doing it alone. With the right EDC system, there’s no reason to worry about using electronic signatures or storing your records securely.
At Greenlight Guru, our EDC software has been rigorously designed and validated to comply with the requirements of 21 CFR Part 11, so that you can focus on designing and carrying out the most effective clinical investigation of your device. And because our EDC system is built specifically for MedTech clinical trials, there’s no complex customization involved (which requires more validation). You get the best of both worlds: validated and compliant software that makes setting up and monitoring clinical trials a breeze.
If you’re ready to see how a modern, compliant EDC solution can simplify your next clinical study, then get your free demo of Greenlight Guru Clinical today!