Guidance Breakdown: Electronic Systems, Records, and Signatures in Clinical Investigations — 29 Q&As
The FDA finalized a guidance to help sponsors and clinical investigators comply with electronic records regulations for clinical trials under 21 CFR Part 11. We break it down.
Earlier this month, the FDA finalized a guidance that revises a draft version released for comment last year by clarifying the applicability of Part 11 to real-world data submitted to the agency as part of a marketing application.
The guidance applies to electronic systems in clinical investigations of medical products, foods, tobacco products, and new animal drugs.
It includes 29 questions and answers on electronic records, electronic systems deployed by regulated entities, information technology service providers, and digital health technologies, as well as a glossary and an appendix covering FDA references.
The FDA said the guidance updates recommendations for applying and implementing data integrity and data security controls and expands on the recommendations on the risk-based approach to validation of electronic systems described in the August 2003 guidance on electronic signatures.
Some of the changes made to the guidance include clarifying the applicability of Part 11 to real-world data sources submitted to the FDA and clarifying the applicability of Part 11 to clinical investigations conducted outside the U.S. In Question 1, the agency clarifies that electronic records from RWD sources submitted to the FDA as part of a marketing application are subject to Part 11 requirements. Yet, the use of EHR data in clinical investigations will not be subject to Part 11.
These EHRs may include hospital admission records, pharmacy records, laboratory records, and imaging records created during the course of patient care that are used to support marketing applications or other submissions. Yet once the electronic record enters the sponsor’s electronic data capture (EDC) system, the FDA intends to assess compliance with Part 11.
The guidance also adds a new Question 29 on whether users of electronic signatures must submit a letter of non-repudiation to the FDA certifying that an electronic signature is the legally binding equivalent of a traditional handwritten signature.
The FDA said the answer is yes and that:
“users of electronic signatures must submit a letter of non-repudiation to FDA to certify that the electronic signature is intended to be the legally binding equivalent of a traditional handwritten signature. Organizations may submit one letter of non-repudiation to cover all the electronic signatures used by that organization. Information on how to submit the certification either electronically or by mail is on the FDA’s web page on letters of non-repudiation agreement.”
Below, we’ve distilled the key takeaways from each of the 29 questions the guidance addresses.
Are electronic records from real-world data sources submitted to the FDA as part of a marketing application or under other predicate rules subject to part 11 requirements? Part 11 applies once data enters the sponsor's EDC system, not to original EHR/RWD sources.
If a sponsor conducts a clinical investigation with a non-U.S. (foreign) site, are the electronic records submitted to the FDA as part of a marketing application or under other predicate rules subject to part 11 requirements? Part 11 applies to electronic records submitted to the FDA regardless of origin.
Should regulated entities maintain and retain a certified copy of clinical investigation electronic records? Keep certified copies of electronic records with date/time stamp of creation.
Is the FDA recommending that electronic records from medical service providers not involved in the clinical investigation be certified? Certification is not required for copies from providers not involved in the study.
How should regulated entities retain electronic records from a clinical investigation? Use secure storage methods, maintain backups, and preserve metadata.
Are electronic communication methods (e.g., email systems or text messages) addressed by 21 CFR part 11? They’re not specifically addressed by Part 11; use appropriately secure methods.
What should be considered when using a risk-based approach to validate electronic systems deployed in clinical investigations? Validate electronic systems based on intended use, data importance, and potential impact.
What will the FDA's focus be during inspections of the sponsor for electronic systems that fall under the scope of part 11, and what documentation should the sponsor have in place for such systems? Data handling, system lifecycle, data integrity, access controls, and change management.
What will the FDA's focus be during the inspections of clinical investigators for electronic systems that fall under the scope of part 11? Staff training, access controls, and system use documentation.
During an inspection, will the FDA review the reports of audits performed by sponsors or other regulated entities of IT service providers' electronic systems, products, and services? The FDA generally won't review IT provider audit reports during inspections.
What are the FDA's requirements and recommendations regarding using security safeguards for electronic systems deployed by regulated entities? Implement access controls, conduct risk assessments, and use encryption and other security measures.
What are the FDA's expectations for the use of audit trails by regulated entities? Capture changes to records, including who, what, when, and why.
Should an audit trail record every keystroke? Not necessary; record deliberate actions like saving or submitting data.
What controls should be in place to ensure that the electronic system's date and time are correct? Ensure system date/time accuracy, limit change abilities, and document any changes.
What are the requirements and recommendations for training individuals who use electronic systems in clinical investigations? Provide and document relevant training on electronic systems for all users.
Does the FDA provide preliminary evaluations of electronic systems to be used in a clinical investigation to determine whether they comply with part 11 requirements? The FDA doesn't pre-evaluate electronic systems for Part 11 compliance.
What should regulated entities include in agreements with IT service providers? Include scope, roles, responsibilities, and data access plans.
What should regulated entities have available to demonstrate that the IT services are performed following the FDA's regulatory requirements? Have agreements and quality management documentation available for the FDA.
Would FDA inspect or investigate IT service providers in a clinical investigation? The FDA may inspect providers with regulatory responsibilities or data integrity concerns.
How do sponsors identify the data originator when using DHTs to record participant data in clinical investigations? Identify authorized data originators (person, system, device) for each data element.
How should data attribution be ensured when DHTs are used to record and transmit data in clinical investigations? Use access controls, participant education, and data monitoring to ensure correct attribution.
What should be considered when transferring the data from a DHT to a durable electronic data repository? Use validated processes to transfer data to a durable repository promptly.
For inspection purposes, what is the location of the source data recorded by a DHT? For inspections, source data is in the durable electronic repository, not individual devices.