Breaking Down The FDA's Latest Guidance On Electronic Systems In Clinical Investigations

By Randall Jacobs and Laurie Stone, Clarkston Consulting

On October 2, 2024, the U.S. Food and Drug Administration (FDA) took a significant step forward by releasing new guidance¹ in a question-and-answer format, clarifying for sponsors, clinical investigators, institutional review boards (IRBs), contract research organizations (CROs), and other interested parties the use of electronic systems, e-records, and e-signatures in clinical investigations across medical products, foods, tobacco products, and new animal drugs.

Recognizing the rapid advancements in technology, the FDA has continually adapted its approach. This latest guidance underscores the agency’s commitment to keeping pace with innovation and ensuring that electronic systems enhance the integrity and efficiency of clinical research. The recommendations are intended to boost the efficiency and quality of clinical investigations by ensuring that electronic systems uphold evolving regulatory standards, safeguard data accuracy, and maintain the integrity of clinical investigations.

The guidance covers several critical areas: reinforcing data integrity and security with enhanced controls like audit trails, refining the risk-based approach to electronic system validation, offering recommendations for collaborating with IT service providers, promoting the adoption of digital health technologies² for data collection, and simplifying the use of e-signatures.

In this article, we will cover some key highlights of the new guidance and what this means for your quality system.

Enhanced Data Integrity And Security

The FDA recommends strengthening controls, including audit trails, to ensure e-records are accurate, reliable, and tamper-proof. Regulated entities’ GxP systems should be fit for purpose and implemented in a way that is proportionate to the risks to participant safety and the reliability of trial results. If a clinical investigator deploys their own electronic system under the scope of Part 11, then investigators should retain the documentation related to that system and make it available during inspection.

To ensure the trustworthiness and reliability of e-records, audit trails must capture electronic record activities including all changes made to the electronic record, the individuals making the changes, the date and time of the changes, and the reasons for the changes. Audit trails should be protected from modification and from being disabled. The decision to review audit trails should be based on a risk assessment of the clinical investigation, considering the systems, procedures, and controls in place. The FDA recommends that the audit trail be retained in a format that is searchable and sortable.

With this new guidance, regulated entities should have a process to ensure that they are leveraging the recommendations from this new guidance. Your SOPs and practices may need to be adjusted to match the new paradigms. We recommend looking at your audit trail review timing and practices and ensuring your validation documents are available and audit ready. Further, your change control system should be appropriately reviewing and capturing information required to ensure your changes do not have unanticipated impacts.

Risk-Based System Validation

While the FDA recommends using a risk-based approach to validating electronic systems, in order to ensure compliance while optimizing efficiency, they do not recommend a specific risk management approach. However, here are a few considerations when applying a risk-based approach for validation of electronic systems:

• Intended use of the system
• Purpose and importance of the data or records that are collected, generated, maintained, or retained in the system
• Potential of the system to affect the rights, safety, and welfare of participants or the reliability of trial results

Validation should be applied to system functionality, configurations specific to the clinical trial protocol, customizations, data transfers, and interfaces between systems (e.g., interoperability and communication). The FDA is strongly encouraging this new validation paradigm so that proper focus can be applied to the most critical components of the system/software. The regulated entities need to ensure that they have the right expertise conducting these risk-based validations. This includes maintaining all records of system validation, user access controls, data backup and recovery procedures, and audit trails.

Maintenance of these GxP systems should continue through the life cycle of the system to protect against loss of traceability, authenticity, or integrity of new or existing data. This requires appropriate training of individuals who maintain or use electronic systems and maintenance of comprehensive documentation.

Collaboration With IT Service Providers

The FDA emphasizes clear documentation of roles and responsibilities when outsourcing IT services. When determining the suitability of the IT service and IT service provider, regulated entities should consider the following regarding the IT service provider’s ability to ensure the authenticity, integrity, and confidentiality of clinical investigation records and data:

• Oversight: Regulatory entities need to ensure policies are in place that allow oversight of the clinical investigation activities provided by the IT service provider
• Validation: Processes and procedures the IT service provider has in place for validation of IT systems/services to be used in the clinical investigation
• Documentation: Ability of the IT service provider to generate accurate and complete copies of records and to provide access to data for as long as the records are required to be retained by applicable regulations
• Data Maintenance: Processes and procedures the IT service provider has for data migration, data backup, recovery, contingency plans, and retaining records and making them available for FDA inspection for the required duration
• Security: Access controls used by the IT service provider for specific IT services in the clinical investigation, including SOPs for granting and revoking access; also includes the ability to secure and protect the confidentiality of data at rest and in transit
• Audit Trail: Ability to provide secure, computer-generated, time-stamped audit trails of users’ actions and changes to data
• E-Signature: Processes and procedures the IT service provider has in place related to electronic signature controls
• Expertise: Relevant experience of the IT service provider

The FDA also recommends that regulated entities have a written master service agreement with an associated service level agreement or quality agreement with IT service providers that describes how the IT services will meet the regulated entities’ requirements. This should include the scope of the work and IT service being provided; the roles and responsibilities of the regulated entity and the IT service provider, including those related to quality management; and sponsor access to all study-related data and records maintained by IT service providers.

Integration Of Digital Health Technologies

The FDA supports the use of innovative digital health technologies (DHT) to improve data collection and clinical trial efficiency. A DHT is a system that uses computing platforms, connectivity, software, and/or sensors for healthcare and related uses, such as remote data acquisition.

Sponsors should ensure that data obtained using DHTs are correctly attributed to the data originator. Approaches may include the use of access controls, participant education, and data monitoring. Data attribution concerns should also be addressed during clinical trial protocol development and at the time of DHT selection. It’s important that the sponsor develop and maintain a list of authorized data originators and have it available during an FDA inspection.

Data recorded by a DHT and related metadata should be transmitted by a validated process to a durable electronic data repository according to the sponsor’s prespecified plan. Transmission should occur contemporaneously or as soon as possible after data are recorded, and the date and time of the data transfer should be included in the audit trail.

Streamlined Electronic Signatures

With enhanced technology, additional electronic signature options are now available to provide robust security and assurance of validity of e-signatures, which are considered equivalent to handwritten signatures. E-signatures must be linked to the respective e-records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record. Some examples of methods used to create valid e-signatures include the use of computer-readable ID cards, biometrics, digital signatures, and username/password combinations.

E-signatures based on biometrics must be designed to ensure that they cannot be used by anyone other than their genuine owners, as they are considered trustworthy, reliable, and equivalent to handwritten signatures. Suitable biometrics should be uniquely identified with the individual and should not change over time.

Before, or at the same time, a person uses an electronic signature in an electronic record required by the FDA, users of e-signatures must submit a letter of non-repudiation to the FDA to certify that the electronic signature is intended to be the legally binding equivalent of a traditional handwritten signature. Organizations may submit one letter of non-repudiation to cover all the e-signatures used by that organization.

Aligning With Best Practices

The FDA's guidance provides crucial insight into its evolving perspective on electronic systems, e-records, and e-signatures. With these new guidelines, it’s imperative that all stakeholders, including sponsors, clinical investigators, institutional review boards (IRBs), and contract research organizations (CROs), carefully consider these recommendations and proactively implement necessary changes to their quality system³ to align with best practices and regulatory expectations.

So, what action can be taken now? Organizations can, and should, start by creating a policy document that says your firm will abide by these guidelines. They can then supplement that policy with standard operating procedures detailing how to actually implement the recommendations moving forward. It’s also advised to set up enabling work instructions with forms to provide checklists, ensuring the firm’s activities meet the guidelines outlined by the industry guidance.

There is currently no deadline for public comments.

References

1. U.S. Food and Drug Administration. (2024, October). Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/electronic-systems-electronic-records-and-electronic-signatures-clinical-investigations-questions
2. Epperson, E. & Stone, L. (2025, January 23). Strategizing And Implementing Your Clinical Trial Technologies. https://www.clinicaltechleader.com/doc/strategizing-and-implementing-your-clinical trial-technologies-0001
3. Shockey, S. (2023, August 28). Conducting a Quality System Maturity Assessment. https://clarkstonconsulting.com/insights/quality-systems-and-quality-culture-assessment/

About The Authors:

Randall Jacobs is a principal consultant with Clarkston Consulting with extensive experience across the life sciences. His expertise includes quality assurance, quality systems, quality process improvement, quality systems implementation, internal auditing, supplier quality and auditing, incoming material inspection, documentation, training, change control, deviations, CAPA, product disposition, customer complaints, and validation oversight. Additionally, he has experience in multi-national regulatory compliance to include audit and inspection support and is an ASQ Certified Quality Auditor (CQA).

Laurie Stone, director at Clarkston Consulting, has more than 20 years of experience in clinical operations across different stages of development, providing expertise in quality, management, and compliance in the biotech, pharma, and medical device industries.