Key points from the CDRH and FDA draft guidance under 21 CFR part 11

In June 2017, the Center for Devices and Radiological Health (CDRH) of the US Food and Drug Administration (FDA or Agency) issued a draft guidance document titled “Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11—Questions and Answers.”

June 23, 2017 | Life sciences

While focused on the use of electronic records and signatures for clinical trial documents, the concepts and requirements outlined in the guidance reflect the Agency’s latest thinking on this topic and should be considered when implementing electronic records and signatures across the medical product lifecycle. At 28 pages, the document has a lot of content in keeping with FDA’s current policy of providing guidance documents that include more practical examples to help industry comply with the requirements.

Some key points from the draft guidance include:

  • The Agency will continue “to exercise enforcement discretion regarding certain part 11 requirements for validation, audit trails, record retention, and record copying.”
  • FDA continues “to encourage sponsors and other regulated entities to use a risk-based approach, as introduced in the 2003 part 11 guidance and further described in this guidance, when deciding to validate electronic systems, implement audit trails, or archive required records….”
  • The draft guidance covers several main areas:
    • Electronic systems, including commercial off-the-shelf (COTS) and customized electronic systems owned or managed by sponsors and other regulated entities;
    • Electronic services, outsourced by the sponsor or other regulated entities;
    • Electronic systems primarily used in the provision of medical care;
    • Mobile technology; and
    • Telecommunication systems
  • While regulations distinguish between closed and open systems, due to “the pervasive use of the internet and web-based systems” this distinction is “seldom relevant.” Since physical security may be reduced, additional security controls should be considered, “such as encryption and the use of appropriate electronic signature standards to ensure the authenticity, integrity, and confidentiality of records.”
  • Utilizing a risk-based approach, validation may range from “internal business practice and needs” for off-the-shelf business tools, such as word processors and Portable Document format tools, to “user acceptance testing, dynamic testing, and stress testing” for customized tools that manipulate data.
  • Validation should include change management for things like upgrades, including security patches.
  • The draft guidance defines ‘processing’ of records as including “creating, modifying, maintaining, archiving, retrieving, or transmitting.”
  • For electronic services, such as cloud computing that are used to process FDA-regulated data, the draft guidance provides a list of factors for the suitability of the outsourced electronic service. Note that this list can also be useful for assessing the suitability of internal systems and/or service providers:
    • Validation documentation
    • Ability to generate accurate and complete copies of records
    • Availability and retention of records for FDA inspection for as long as the records are required by applicable regulations
    • Archiving capabilities
    • Access controls and authorization checks for users’ actions
    • Secure, computer-generated, time-stamped audit trails of users’ actions and changes to data
    • Encryption of data at rest and in transit
    • Electronic signature controls
    • Performance record of the electronic service vendor and the electronic service provided
    • Ability to monitor the electronic service vendor’s compliance with electronic service security and the data integrity controls
  • As with other vendors, service agreements should be in place for electronic service providers.
  • Regarding the physical location of cloud-based solutions, the draft guidance states “If appropriate controls are in place, there are no limitations regarding the geographic location of cloud computing services.”
  • For mobile technology the draft guidance does not distinguish between mobile apps and mobile medical apps. Therefore, the requirements outlined in the draft guidance apply to both product categories.
  • For mobile technology the draft guidance makes an important distinction regarding source data. Acknowledging that “the data are collected and stored, perhaps for very short periods of time on the mobile technology before being transmitted’ and the data may pass temporarily through various electronic hubs or gateways before reaching” the company’s Electronic Data Capture (EDC) system, the guidance states “FDA considers source data as data that are first recorded in a permanent manner…..”, which, in general, will be the EDC system.
  • From the standpoint of auditability and traceability for mobile technology, “When data are copied or transmitted directly from the mobile technology to the … EDC system or from the mobile technology to the EHR and then to the … EDC system, the audit trail begins at the time the data enter the … EDC system.” This has implications for the use of mobile devices for data entry in a manufacturing environment (e.g., tablets), as well as other places in the product life cycle.
  • Regarding the validation of mobile technology for part 11 compliance, “For mobile technology, validation ensures that the mobile technology is reliably capturing, transmitting, and recording data to produce accurate, reliable, and complete records.” Note that this validation is specific to part 11 and does not “address the performance of wearable biosensors, mobile apps, or portable devices (i.e., the ability to measure what they are designed to measure)”, which would follow standard medical device validation requirements.
  • The document provides important guidance regarding electronic signature during continuous processes, provided the appropriate controls are in place: “When an individual logs into an electronic system using a username and password, it is not necessary to re-enter the username when an individual executes a series of signings during a single, continuous period of controlled system access. After a user has logged into a system using a unique username and password, all signatures during the period of controlled system access can be performed using the password alone (see § 11.200(a)).32.

These are just a few of the elements detailed in the guidance. As noted above, much of the logic applied herein to clinical investigations is leverageable for operational systems that must comply with 21 CFR 11. For these reasons, this guidance is a valuable read for anyone concerned about part 11 compliance anywhere in the product lifecycle.

This article contains general information only and Deloitte is not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this article.

Contact us

Bill Greenrose
Managing director | Deloitte Risk and Financial Advisory

Deloitte & Touche LLP

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Site-within-site Navigation. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?