The FDA lists a number of electronic systems used in clinical investigations that are owned or managed by sponsors or other regulated entities (e.g., CROs, IRBs) include: electronic case report forms (eCRFs), electronic data capture (EDC) systems, electronic trial master forms (eTMFs), electronic Clinical Data Management System (eCDMS), and others. Requirements and recommendations specified in this guidance for these systems include:
Risk-Based Approach to Validation – Electronic systems should be validated if they are used to process/produce critical records that are submitted to the FDA. The FDA suggests a risk-based approach to validation, where the extent of validation varies from that which is defined by “internal business practice and needs” for off-the-shelf business tools in general use (e.g., word processors, spreadsheets, etc.), to “user acceptance testing, dynamic testing, and stress testing” for customized tools that have been developed to meet a unique business need. When determining the level of validation for a given system, sponsors and other regulated entities should consider the purpose and significance of the record (i.e., the extent of error that can be tolerated in the record without compromising its reliability and utility), and the attributes and intended use of the electronic system used to produce the record.
FDA Inspections of Electronic Systems – The FDA will focus on documentation of system validation for both the implementation of these electronic systems, as well as any changes made (e.g., upgrades, security patches, new instrumentation, etc.) to the system once in use. Migrations of source data to other systems or formats will be checked to ensure that the data is not altered in value or meaning in the process. Additionally, the FDA will review standard operation procedures (SOPs) and support mechanisms (e.g., training, technical support, audits, etc.) to ensure that the system is being used and functioning in the manner intended.
Vendor Audits – Sponsors and other regulated entities should use a risk-based approach in determining whether or not to perform vendor audits. To minimize time and cost burdens, the FDA suggests sponsors and other regulated entities consider “periodic, but shared audits conducted by trusted third parties.”
Security Safeguards – In order to assure compliance with 21 CFR Part 11.10 and 11.30, sponsors and other regulated entities must ensure that procedures and processes are in place to limit access to the electronic systems utilized in clinical investigation to appropriate, authorized users. Additionally, external security safeguards (e.g., firewalls, anti-spyware, antivirus, etc.), need to be in place to prevent, detect and mitigate the effects of computer viruses, worms and other harmful software code on study data and software.
Electronic Storage for Archiving Study-Related Records – Using a durable electronic storage device to archive a study-related record at the end of a clinical study is acceptable. Sponsors and other regulated entities should ensure that the content and meaning of the record and the integrity of the original data are preserved. If these records are archived in such a way that they can be searched, sorted, or analyzed, sponsors should provide electronic copies with the same capability to the FDA during an inspection if it is reasonable and technically feasible.
Investigative Sites Outside the United States – The FDA states that if a non-U.S. site is conducting a clinical trial under an investigational new drug application (IND, then both the sponsor and the site must follow FDA regulations – Part 11 requirements will apply to any required records kept in electronic format.