Here I provide some key summaries and considerations relative to FDA’s draft guidance that was submitted for review and comment in June 2017.
If you don’t want to review the entire guidance, here are the topics, although keep in mind there may be broader application and expectation. Also remember, these are comments on a draft guidance that is yet to be finalized.
A: Electronic Systems Owned or Managed by Sponsors and Other Regulated Entities
B: Outsourced Electronic Services
C: Electronic Systems Primarily Used in the Provision of Medical Care
D: Mobile Technology
E: Telecommunication Systems
Rather than summarize in general terms relative to the narrow scope of the guidance, I seek to identify and bring to consideration key areas of this guidance that may have broader implications across the FDA regulated landscape. Note, there are 28 total questions in the guidance, and I am only addressing nine that I believe warrant unique consideration.
Q2: For electronic systems owned or managed by sponsors and other regulated entities that fall under the scope of 21 CFR part 11, what will be FDA’s focus during inspections?
During inspection, FDA will focus on any source data that are transferred to another data format or system to ensure that checks are in place and that critical data are not altered in value or meaning during the migration process. This means the definition of source data, critical data, and how the overall data flow works for a given system needs to be specified and verified based on intended use and associated risk.
Q13: Does FDA consider it acceptable for data to be distributed across a cloud computing service’s hardware at several different geographic locations at the same time without being able to identify the exact location of the data at any given time?
If appropriate controls are in place, there are no limitations regarding the geographic location of cloud computing services. However, it is critical for sponsors and other regulated entities to understand the data flow and know the location of the cloud computing service’s hardware in order to conduct a meaningful risk assessment regarding data access, integrity, and security. Data privacy laws may differ from country to country. Therefore, sponsors and other regulated entities should perform appropriate risk assessments to ensure that data residing on storage devices outside their country can be retrieved and accessed during FDA inspections. This reinforces the need for infrastructure and system-specific backup and recovery processes being specified, verified, and qualified as applicable.
Q14: What should sponsors and other regulated entities have available on site to demonstrate that their electronic service vendor is providing services in accordance with FDA’s regulatory requirements?
Sponsors and other regulated entities should have the following information available to FDA upon request at each of their regulated facilities that use the outsourced electronic services: Specified requirements of the outsourced electronic service, A service agreement defining what is expected from the electronic service vendor (see section IV.B.Q12), Procedures for the electronic service vendor to notify the sponsor or other regulated entity of changes and incidents with the service. This reinforces the need to always integrate the vendor quality management system with the owner/sponsor quality management system and the importance of service agreements.
Q17: What access controls should sponsors implement for mobile technology accessed by study participants for use in clinical investigations?
Specifically, for mobile apps that rely on study participants’ user entry, access controls must be in place to ensure that entries come from the study participant (see 21 CFR 11.10(d)). For wearable biosensors and other portable electronic devices intended for a single study participant to wear or use (e.g., small physiologic sensors with no display screen), basic user access controls may be difficult to implement. In cases where access controls are impractical, sponsors should consider obtaining a signed declaration from the study participant confirming that the device will only be used by the study participant. Basic user access controls are not necessary when using ingestible sensors and implantable electronic devices. This consideration appears in-line with 21 CFR 11.10(g).
Q18: When using mobile technology to capture data directly from study participants in clinical investigations, how do sponsors identify the data originator?
For the purposes of recordkeeping, audit trail, and inspection, each electronic data element should be associated with an authorized data originator. The data originator may be a person, a computer system, a device, or an instrument that is authorized to enter, change, or transmit data elements via a secure protocol into the sponsor’s EDC (electronic data capture) system or into the electronic system of a trusted proxy agent such as a contract research organization. The guidance goes on by identifying and defining the need for a data element identifier. This consideration appears in-line with 21 CFR 11.10(h).
Q19: Does FDA consider the mobile technology to contain the source data?
FDA considers source data as data that are first recorded in a permanent manner. In general, for data collected directly from study participants through mobile technology, the first permanent record is located in the sponsor’s EDC system or the EHR (electronic health record), and not in the mobile technology. This also means that the audit trail begins where the permanent electronic record is stored.
Q21: What should sponsors consider when using a risk-based approach to validation of mobile technology used in clinical investigations?
For mobile technology, validation ensures that the mobile technology is reliably capturing, transmitting, and recording data to produce accurate, reliable, and complete records. The guidance goes on to say that Part 11 regulations do not address the performance of wearable biosensors, mobile apps, or portable devices (i.e., the ability to measure what they are designed to measure). However, 21 CFR Part 11 10(a) does dictate that electronic record systems shall have procedures and controls including validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. My interpretation of FDA’s statement in this guide is to defer level and extent of validation questions away from the guide and to the other more applicable guides based on classification of the application, device, or platform.
Q22: What security safeguards should sponsors implement to ensure security and confidentiality of data when mobile technology is used to capture, record, and transmit data directly from study participants in clinical investigations?
If the data are transmitted wirelessly from the mobile technology to the sponsor’s EDC system in a clinical investigation, the data must be encrypted at rest and in transit to prevent access by intervening or malicious parties (see § 11.30). Also, as stated in the guidance, the distinction between a system being “open” or “closed” is becoming seldom relevant because of the pervasive use of the internet and web-based systems. Therefore, additional risk assessment and associated controls may be important when using mobile apps and mobile platforms. In addition to having encryption and basic user access controls in place (see section IV.D.Q17), sponsors should consider implementing additional security safeguards as follows:
When these telecommunication systems are interactive and used for real-time communication, the interactions are regarded as similar to face-to-face interactions (i.e., the clinical investigator or study personnel and the study participant actively participate in real-time communication through audio, video, and other live chat communication), and part 11 regulations do not apply to the telecommunication system.
When these interactive telecommunication systems are used to record source data in a permanent manner, allowing the interactive communication and data to be reviewed at a later date by the sponsor, clinical investigator, study personnel, and FDA, sponsors and other regulated entities should consider whether there are adequate controls in place to ensure that the reliability, confidentiality, and privacy of records are preserved. Sponsors should also consider the processes that are in place to ensure user authentication and to prevent alteration of source data.
Q26: When an individual executes a series of signings during a single, continuous period of controlled system access, could the initial logging into an electronic system using a unique username and password be used to perform the first signing and satisfy the requirements found in 21 CFR 11.200(a)?
After a user has logged into a system using a unique username and password, all signatures during the period of controlled system access can be performed using the password alone (see § 11.200(a)).
In addition, in such cases, the signing should be done under controlled conditions that prevent another person from impersonating the legitimate signer. Such controlled conditions may include (1) requiring an individual to remain in close proximity to the workstation throughout the signing session (2) using measures for automatic inactivity disconnect that would de-log the first individual if no entries or actions were taken within a fixed, short time frame and (3) requiring that the single component needed for subsequent signings be known to and usable only by the authorized individual. The need for this level of control should be captured in a 21 CFR Part 11 assessment for the system and any application, platform or other device/system controls must be defined in the applicable design/configuration document and SOP(s) for the system.
Hopefully you have found this summary to be helpful and thought-provoking. I look forward to FDA’s final decision on this guide. If you want to follow-up on the status of guide you can search for it on the FDA site here.