FDA's Questions and Answers on 21 CFR Part 11 for Clinical Investigations
Six Key Points
White Paper
Jul 18, 2019

We examine six of the more significant points from the draft guidance, specifically as they pertain to the eTMF, and offer insights on how this guidance provides justification for streamlining processes.

This document provides guidance to sponsors, clinical investigators, institutional review boards (IRBs), contract research organizations (CROs), and other interested parties on the use of electronic records and electronic signatures in clinical investigations. It clarifies, updates, and expands upon recommendations in the FDA’s 2003 guidance document, “Part 11, Electronic Records; Electronic Signatures – Scope and Application”

The FDA acknowledges that the world has changed since the original part 11 guidance was issued in 1997. Much of this guidance is devoted to re-examining requirements in an outsourced cloud environment and to addressing mobile technology. To this end, the five main headings of the guidance are:

  1. Electronic Systems Owned or Managed by Sponsors and Other Regulated Entities
  2. Outsourced Electronic Services
  3. Electronic Systems Primarily Used in the Provision of Medical Care
  4. Mobile Technology
  5. Electronic Signatures

In this paper, we will examine six of the more significant points from the draft guidance, specifically as they pertain to electronic Trial Master File (eTMF).

FDA recommends risk-based approaches for validating electronic systems.

“Sponsors and other regulated entities should use a risk-based approach for validating electronic systems.”

However, many organizations may be doing more validation than is strictly required, and could make greater use of validation packages provided by their vendors. According to the FDA, for COTS systems that perform functions beyond office utilities, such as COTS EDC systems, validation should include a description of standard operating procedures and documentation from the vendor that includes, but is not limited to, results of their testing and validation to establish that the electronic system functions in the manner intended. For COTS systems that are integrated with other systems or for customized systems that are developed to meet a unique business need, sponsors should develop and document a validation plan, conduct the validation in accordance with the plan, and document the validation results.

FDA could inspect your vendor.

“Under certain circumstances, FDA may choose to inspect the electronic service vendors… engaged in providing services and functions that fall under areas regulated by FDA. For example, if… the required records are not available from the sponsor or the clinical investigation site, FDA may choose to inspect records specific to the clinical investigation at the vendor’s facilities.”

FDA could require access to your electronic systems.

“If simple screenshots or paper printouts are used to produce a report and that report fails to capture important metadata (e.g., the data originator and the audit trail of the data) … FDA would require access to the electronic system used to produce those data to review the complete record.”

FDA has not changed their thinking about electronic signatures.

FDA still states that they are requiring a signed, dated signature for certifying paper copies. This is not new, but unfortunately remains at odds with ICH regulations that state that certification can be done using either a signature or a validated process.
No discussion of requiring digital signature is in the guidance, even though it is acknowledged that cloud is an “open” system. This is consistent with other FDA guidance stating that they do not have a preference between digital and electronic signature.

Vendor audits are not required, but should be a risk-based decision.

“Sponsors and other regulated entities should base their decision to perform vendor audits on a risk-based approach.”

Surprisingly, vendor audits are not a hard and fast requirement. Similar criteria to that used to determine validation requirements should be used to determine the need for vendor audits. In addition, FDA suggests that sponsors should consider periodic but shared audits conducted by trusted third parties. This would be a major benefit to many small pharma and biotech companies – but it would require a major change in thinking for most QA departments to accept findings conducted by a third party on behalf of multiple organizations.

FDA recommends risk-based approaches for validating electronic systems.

“Sponsors and other regulated entities should obtain service agreements with the electronic service vendor.”

Points that the FDA suggests that sponsors consider before entering into an agreement, in addition to those requirements already clearly stated in Part 11, include:

  • The vendor’s validation documentation
  • Archiving capabilities
  • Encryption of data at rest and in transit
  • Performance record of the electronic service vendor and the electronic service provided
  • Ability to monitor the electronic service vendor’s compliance with electronic service security and data integrity controls

Related Solutions
Site and Investigators

Helping Sites and Investigators grow through innovation and collaboration

FDA Enforcement

Responding to FDA enforcement.

You may also be interested in
Contact Us
Contact Us
Contact Us

Email Us

Get in touch today to discover the right solutions for you.

Call Us

We are pleased to speak with you during our standard business hours.

U.S. Toll-Free only
+1 866 267 4479

For international call please find a number in our toll-free list.