Just about everyone in the drug development industry has cited 21 CFR Part 11 at one time or another. Fondly referred to as “Part 11,” the August 1997 regulation was last referenced by the FDA in 2003 with the release of a Guidance for Industry - Part 11, Electronic Records; Electronic Signatures — Scope and Application.1 Since then, the centralized research team has significantly changed from only a few stakeholders into a system of many globally distributed contributors. The industry’s documentation has transitioned from paper files to dynamic, integrated systems supporting digital records spanning the bedside to the research clinic. The delivery of healthcare has evolved from the confines of brick and mortar to cloud-based platforms that could only be dreamed of a few years ago.
Now, over a decade since the last Food and Drug Administration (FDA) formal update, the FDA has released a related Draft Guidance titled Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 – Questions and Answers.2 Certainly, the development of this draft guidance was driven by the repetitious questions the FDA has received from industry stakeholders as well as the extensive technology advancements. Personally, I might also suggest that the FDA has recognized potential, and perhaps actual, situations during inspections as needing clarification. Several key points have also been identified by other regulatory bodies. Incentives for electronic medical records and mandates for fully electronic FDA submissions3 have likely driven the need for digitized information to guide those delivering and documenting medical care. Taking this step demonstrates the FDA’s intention to assure compliant electronic systems.
The draft guidance covers 28 questions and answers in several categories, including:
The following are some observations on selected areas, including comments on a separate section of draft guidance that focuses on electronic signatures.
As the handling of programs, clinical trials, and services is outsourced to partners, the business community has been keen on defining what oversight of those partners looks like. As technology efforts are no different, the creation and management of plans to ensure accountability will also apply to electronic systems. This guidance reflects the FDA’s expectations and what defines compliance.
One significant clarification redefined in the guidance is the exclusion of the systems managing electronic health records (EHRs) from Part 11 expectations. Previously defined in other guidance documents, reiterating the expectation reinforces the point.4, 5 Comments posted reflect that the interpretation continues to be inconsistent among industry stakeholders. The final guidances will need to align and provide a clear description of whether or not EHRs fall under Part 11 … or not.
Cloud-based platform access is managed by the controlling entity, perhaps a sponsor or CRO. It isn’t typically complicated to develop, execute, and document. However, at the clinical research site, where personal devices are being used for data collection (aka BYOD — bring your own device), there are additional complications. Managing and documenting that the device access has been restricted to that patient is nearly impossible. As noted by Christine Pierre, president of the Society for Clinical Research Sites, “We do not believe that the FDA is prepared to reject the data if the attestation is not signed by the study participant.” Consistent with current practice, signed or not, it is expected that the data will be considered valid and accepted for analyses. Is the value of an affidavit worth the burden of continual patient education and attestation collection? One must wonder if inspection findings have revealed concerns that this has been happening. I expect electronically captured patient reported outcomes (ePROS) have been using this model for years. Why start now?
Another key aspect of the draft guidance addresses electronic signatures (of all types). Electronic signatures are key tools for global participation and timeliness of transactions, and are the single most critical factor in moving to a paperless process. Where validation of electronic signatures may not have been focused on as a factor up to now, it appears that may be changing going forward. The Q&A reveals how FDA inspectors can be expected to approach an organization to assure compliance is addressed. The use and validation of electronic signatures in documents intended for the FDA has long been a point of lively discussion by experts in essential document management. I’m sure this will bring a new angle to the conversations.
Organizations that establish standard practices for the management of digital credentials, such as the SAFE-BioPharma Association,6 have developed policies that align with the FDA’s expectations detailed in the draft guidance. Members of SAFE-BioPharma are already assured of compliance and inspection readiness if they adhere to these polices.
Throughout the draft guidance, references to security make it clear that it is a priority topic. Recent cybersecurity breaches, as well as HIPAA violations, have raised concerns across healthcare. Expectations related to security are defined in several sections. Collecting and storing financial information, personally identifiable information (PII), and protected health information (PHI) has the added risk of identity theft, privacy invasion, and other unpleasant opportunities. These involve legal as well as moral concerns. The FDA is expecting steps have been taken to mitigate the risk of inadvertent sharing or access, as well as inappropriate access and data entry.
Mirroring other areas of research, the concept of a risk-based approach is recommended to be a consideration in the technical systems. Not all parts of every system carry the same importance, and time should be dedicated to the most critical aspects. There used to be the belief that every aspect had to be 100 percent perfect all the time. Thankfully, assigning resources to the most important systems, processes, and services would place greater focus on delivering excellent patient care and quality trial results.
This is a very significant road map on which to overlay the technological innovations developed in the last 17 years. The Q&A will provide clear concepts of the FDA’s expectation of evidence anticipated to be produced at an inspection. Now that the FDA has proposed this guidance, some consistency on the individual inspectors’ interpretations might be anticipated. On the other hand, the technology advances since the last guidance on electronic records have been significant. In that interim, interpretations have diverged and overlapped, sometimes simultaneously. This is a challenge, and while industry will be referencing this draft guidance, there will be anticipation for an unambiguous final guidance. I’ll be waiting.
This article originally appeared on Clinical Leader on October 26, 2017. Reprinted with author’s permission.
Betsy Fallen is an authority on the business processes and associated use of information technology in drug development. A passionate advocate for moving life sciences business online, Betsy is an expert on in many areas of drug development.
After over two decades of contributions at Merck, she is now consulting to support sponsors, vendors, and clinical sites in their journey to innovation while ensuring compliance. She continues to share her knowledge in technical innovation, process efficiency, and ability to assess and assure compliance in documentation, execution, and oversight.
Trained as an RN, Betsy is dedicated to ensuring the voice of the patient is heard as the drug development process continues the progression towards innovation and efficiency. You can reach her at firstname.lastname@example.org.