The U.S. Food and Drug Administration (FDA) has finalized its guidance on the use of electronic systems, records, and signatures in clinical investigations, impacting sponsors, clinical investigators, institutional review boards (IRBs), and contract research organizations (CROs). This guidance, finalized on October 1, 2024, aims to clarify good clinical practice compliance in the context of electronic records, digital health technology (DHT) data, and electronic signatures (e-signatures).
Key Updates in the Final Guidance
The final guidance addresses 29 questions related to electronic records, electronic systems, IT service providers, DHTs, and e-signatures. It emphasizes a risk-based approach to validation of electronic systems, building upon previous drafts and incorporating lessons learned from the increased reliance on remote technologies during the COVID-19 pandemic.
Electronic Records
The FDA clarified that Part 11 compliance is not required for electronic health records or other sources of real-world data until the data is entered into a sponsor’s electronic data capture (EDC) system. For trials conducted outside the U.S., Part 11 applies to any records required to be kept in electronic format, including those intended to support an investigational new drug application (IND) or a marketing application.
Record retention expectations remain consistent between electronic and other forms of data. Regulated entities must provide all records and data needed to reconstruct a clinical investigation, including metadata and audit trails.
Electronic Systems
Sponsors and clinical investigators must limit system access to authorized users and maintain a record of authorized personnel, including changes to permissions. Audit trails are crucial for capturing access and protecting information from modification, noting the date, time, individual, and reason for any changes.
Digital Health Technologies (DHTs)
The guidance addresses the increasing use of DHTs in clinical trials, emphasizing the importance of secure data transfer and protection against unauthorized manipulation. Each electronic data element should be associated with an authorized data originator, and sponsors should maintain a list of these originators for FDA inspection.
Data obtained using DHTs must be appropriately attributed to the data originator, and DHTs should be designed to prevent unauthorized changes. Clinical investigators are responsible for training participants on DHT use and documenting this training.
DHT data and associated metadata should be transmitted via a validated process to a durable electronic data repository, including an audit trail with date and time of transfer.
Electronic Signatures (e-signatures)
An e-signature must include the signer’s printed name, the date and time of execution, and the meaning associated with the signature, linked to the respective electronic record. Acceptable methods include computer-readable ID cards, biometrics, digital signatures, and username/password combinations. Each e-signature user must provide a letter of nonrepudiation to the FDA.
The Absence of AI Guidance
Notably, the final guidance does not address the use of artificial intelligence (AI) in clinical investigations for Part 11 compliance. While AI tools are being used for authentication, suspicious activity detection, and data extraction, the FDA has yet to provide specific guidance on their use in this context. Regulated entities remain responsible for ensuring compliance with the Federal Food, Drug, and Cosmetic Act (FDCA) and its regulations when incorporating AI into their operations.
