On March 15, 2023, the U.S. Food and Drug Administration (FDA or the Agency) issued a draft guidance entitled Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers (2023 Draft Guidance). The 2023 Draft Guidance revises the draft guidance for industry the Agency issued in June 2017 entitled Use of Electronic Records and Electronic Signatures in Clinical Investigations under 21 CFR Part 11—Questions and Answers (2017 Draft Guidance). If finalized, the 2023 Draft Guidance will also supersede the May 2007 FDA guidance for industry entitled Computerized Systems Used in Clinical Investigations.

At a high level, the 2023 Draft Guidance clarifies that 21 CFR part 11 (Part 11) applies to new information technology (IT) services that create, modify, maintain, archive, retrieve, or transmit electronic records.  It also imposes on sponsors the responsibility to ensure that the electronic records they submit through IT vendors conform to FDA’s regulatory requirements.  In addition, the 2023 Draft Guidance introduces recommendations for implementing time-stamped audit trails to verify data.

Compared to the 2017 Draft Guidance, the 2023 Draft Guidance features revised recommendations regarding the risk-based approach for validation of electronic systems[1] and provides new definitions of key terms related to digital and electronic research infrastructure.  It also applies to a broader range of regulated studies.[2]

Comments on the 2023 Draft Guidance must be submitted by May 15, 2023.

Background

Over the last few decades, recordkeeping practices in clinical investigations that were traditionally paper-based have transformed into digital enterprises.  As part of this transformation, sponsors have had to grapple with the regulatory standards and requirements that apply to these digitized processes and records—in particular, the requirements under Part 11, which apply to digital records that are created, modified, maintained, archived, retrieved, or transmitted under any records requirement set forth in FDA regulations.

FDA has addressed the scope and applicability of Part 11 in several guidances over the years, including in the context of clinical trials.[3]  Most recently, in the 2017 Draft Guidance, FDA affirmed a narrow and practical interpretation of Part 11 and encouraged a risk-based approach to the validation of electronic systems, implementation of electronic audit trails, and archiving of electronic records.

As technology has continued to evolve, and as sponsors have begun using and managing electronic systems in novel ways in the conduct of clinical investigations, questions about Part 11’s scope and applicability have continued to surface.  The COVID-19 pandemic brought these issues to the forefront for many sponsors and investigators, as they were forced to rely heavily on digital technologies and remote processes to conduct clinical investigations.  Recognizing that FDA’s ability to assess the authenticity, integrity, and reliability of data submitted in support of marketing applications and other submissions hinges on the industry’s alignment on electronic records, electronic systems, and electronic signatures, the Agency issued the 2023 Draft Guidance.

Major Provisions of the 2023 Draft Guidance

The 2023 Draft Guidance is formatted similarly to the 2017 Draft Guidance, and it includes twenty-eight questions and answers.  FDA has grouped these questions and answers into five sections: (A) electronic records, (B) electronic systems owned or controlled by sponsors or other regulated entities, (C) information technology service providers and services, (D) digital health technologies, and (E) electronic signatures.  FDA continues to take a narrow and practical interpretation of Part 11, but it has augmented its risk-based approach to validation through additional considerations and recommendations.

Section A: Electronic Records

Section A covers electronic records used in clinical investigations that fall under the scope of Part 11 requirements.  In the 2023 Draft Guidance, FDA clarifies that Part 11 applies to electronically formatted records from clinical investigations with non-U.S. sites.  The 2023 Draft Guidance also notes that Part 11 applies to electronic records from real-world data sources submitted to FDA as part of a marketing application, even if FDA regulations do not specifically identify such records.[4]

Like the 2017 Draft Guidance, the 2023 Draft Guidance requires that sponsors retain only certified copiesof electronic records.  But the 2023 Draft Guidance defines this term with greater specificity than the 2017 Draft Guidance: a certified copy is a copy of an original paper or electronic record that has been verified by a dated signature or a validated process to have the same information, “including data that describe the context, content, and structure,” as the original.[5]  Unlike the 2017 Draft Guidance, the 2023 Draft Guidance does not deem copies that lack important metadata to be incomplete; instead, it merely stresses the importance of metadata for establishing the authenticity or integrity of certain record types.

Section B: Electronic Systems Owned or Controlled by Sponsors or Other Regulated Entities

Section B of the 2023 Draft Guidance describes recommendations for electronic systems that are owned or controlled by sponsors or other regulated entities and are used to produce required records in clinical investigations.  Such systems include electronic case report forms (eCRFs), electronic data capture (EDC) systems, electronic trial master files (eTMFs), electronic clinical data and trial management systems (eCDMS, eCTMS), interactive response technology (IRT) systems, and electronic IRB management systems.

The 2023 Draft Guidance expands upon the 2017 Draft Guidance’s risk-based approach to validation of electronic systems used in clinical investigations.  The 2023 Draft Guidance outlines three considerations when applying this risk-based approach based on the nature of the electronic system: (1) the purpose and significance of the record and the criticality of the data, i.e., how the record and data will be used to support the regulatory decision and/or ensure patient safety; (2) the intended use of the electronic system, e.g., whether the electronic system is used to process records that are essential to the clinical investigation; and (3) whether the electronic system is a commercial off-the-shelf (COTS) system or a new, custom-made system.

In conjunction with the third consideration, the 2023 Draft Guidance clarifies that the extent of validation for COTS office utility software should be guided by both the organization’s internal business practices and the intended use of the software in the clinical investigation.  As a general matter, FDA does not anticipate that validation will be necessary for COTS office utility software used as intended by the manufacturer.  Conversely, validation of new custom-made electronic systems should include a review of the vendor’s SOPs, the system and software development life cycle model, validation documentation, change control procedures, and change control tracking logs.  In addition, regulated entities should perform user acceptance testing.  

Although FDA states that it does not intend to review sponsors’ audit reports of IT service providers’ systems, products, and services, it also states that such documentation should be retained as part of the clinical investigation records and made available for inspection by FDA.  The 2023 Draft Guidance broadly defines IT service providers to mean a vendor who provides data hosting and/or computing services—e.g., software as a service, platform as a service, and infrastructure as a service—to sponsors and other regulated entities.

With respect to inspections of sponsors, the 2023 Draft Guidance diverges from and elaborates on the 2017 Draft Guidance.  Whereas the 2017 Draft Guidance outlined only three pieces of information that FDA would review during inspections of sponsors’ electronic systems to determine Part 11 compliance, the 2023 Draft Guidance spends over a full page detailing the precise documentation FDA intends to review.  Such documentation includes audit trail information and interoperable data standards; procedures for data collection, handling, and management; systems for restricting access to electronic systems; change control procedures; vendor contracts; corrective and preventive actions; internal and external audits of electronic systems and of vendors that are performed or provided by the sponsor or independent consultants; and roles and responsibilities of sponsors, clinical sites, and other parties with respect to the use of electronic systems in the clinical investigation.

With respect to inspections of other regulated entities, such as CROs or investigators, the 2023 Draft Guidance encourages such entities to retain electronic systems information demonstrating that those systems comply with the requirements of Part 11.  Such information includes policies and procedures related to the system account setup and management, access controls and user access privileges, system user manuals, and system training materials and records.  During clinical site inspections, FDA will review records related to staff training on the use of electronic systems; procedures and controls in place for system access, data creation, data modification, and data maintenance; and the use of electronic systems at the clinical investigator site to generate, collect, transmit, and archive data.

Section C: Information Technology Service Providers and Services

Section C explores considerations for determining the suitability of information technology service providers and services.  While the 2017 Draft Guidance posited that sponsors and other regulated entities would broadly use mobile technology during the course of clinical investigations, the 2023 Draft Guidance enumerates three types of IT services routinely provided for sponsors: data hosting, cloud computing software, and platform and infrastructure services.

The 2023 Draft Guidance recommends sponsors enter into written service level agreements with IT service providers that describe, at a minimum, the scope of the work and IT service being provided, the parties’ roles and responsibilities with respect to quality and risk management, and details regarding data access.  In addition, the 2023 Draft Guidance clarifies that sponsors are responsible for any duties and functions related to the clinical investigation not specifically transferred to a service provider via a transfer of regulatory obligation (TORO).

Compared to the 2017 Draft Guidance, the 2023 Draft Guidance offers greater clarity regarding the circumstances under which FDA would choose to inspect IT service providers.  For instance, the Agency notes it can request to conduct focused investigations of IT service providers irrespective of whether a TORO is established.  Such an investigation could be triggered by a specific regulatory concern, such as a concern regarding the integrity of trial data.  The Agency also clarifies that sponsors should have access to all study-related records maintained by IT service providers, since FDA may review those records during a sponsor inspection.

Section D: Digital Health Technologies[6]

Section D discusses the use of digital health technologies (DHTs) for remote data acquisition from participants in clinical investigations evaluating medical products.  DHTs encompass a broader range of technologies than the mobile technologies discussed in the 2017 Draft Guidance.  Mobile technologies included mobile platforms, mobile applications, wearable biosensors, other remote sensors, and portable and implantable electronic devices, while DHTs incorporate all computing platforms, connectivity, software, and sensors for health care and related uses.

In the 2023 Draft Guidance, FDA recommends that data originators transmit data captured from DHTs and any relevant associated metadata into a durable electronic data repository, such as a clinical investigation site database, a vendor database, or an EDC system.  Transmission should occur as soon as possible after data generation, and the audit trail should include the date and time of such transmission.

Unlike the 2017 Draft Guidance, the 2023 Draft Guidance affirms that FDA may verify the data sponsors submit in support of applications or submissions against the electronic source data during inspections.  FDA recommends that sponsors allow for the inspection, review, and copying of such records in human readable form.

Section E: Electronic Signatures

Section E examines methods for creating valid electronic signatures in connection with clinical investigations.  The 2023 Draft Guidance’s discussion of electronic signatures largely echoes the 2017 Draft Guidance.  However, the 2023 Draft Guidance acknowledges that a statement of testament suffices in situations where electronic signatures cannot be placed in a specified signature block.  It also clarifies that FDA considers signatures drawn with a finger or an electronic stylus on a mobile platform or other electronic system to be a handwritten electronic signature, and that these types of signatures are valid only if placed on the electronic document exactly as they would appear on a printed document.  

*    *    *

If you have any questions concerning the material discussed in this client alert, please contact the following members of our Food, Drug, and Device practice:

Wade Ackerman+1 424 332 4763ackermanw@cov.com
Scott Cunningham+1 415 591 7089scunningham@cov.com
Paula Katz+1 202 662 5050pkatz@cov.com
Julia Post+1 202 662 5249jpost@cov.com
Christina Kuhn+1 202 662 5653ckuhn@cov.com
Emily Statham+1 202 662 5064estatham@cov.com


[1] The 2023 Draft Guidance does not provide comprehensive detail on how to perform a risk assessment. However, the Agency notes there are many risk assessment methodologies from a variety of industries that can be applied, including the ICH guidance for industry entitled Q9(R1) Quality Risk Management (June 2022) and the International Organization for Standardization’s (ISO’s) standard ISO 31010:2019 Risk management – Risk assessment techniques.

[2] The 2023 Draft Guidance was issued by a broader range of Centers at FDA than prior guidance on this topic. Whereas the 2017 Draft Guidance was issued by the Center for Drug Evaluation and Research (CDER), the Center for Biologics Evaluation and Research (CBER), and the Center for Devices and Radiological Health (CDRH), the 2023 Draft Guidance was also issued by the Centers for Food Safety and Applied Nutrition (CFSAN), Tobacco Products (CTP), Veterinary Medicine (CVM), Office of Regulatory Affairs (ORA), and Office of Clinical Policy (OCLiP).

[3] See, e.g., FDA, Use of Electronic Health Record Data in Clinical Investigations (2018); FDA, Use of Electronic Records and Electronic Signatures in Clinical Investigations under 21 CFR Part 11 — Questions and Answers (2017); FDA, Electronic Source Data in Clinical Investigations (2013); FDA, Computerized Systems Used in Clinical Investigations (2007); FDA, Part 11, Electronic Records; Electronic Signatures — Scope and Application (2003).

[4] See, e.g., FDA 2023 Draft Guidance 4 n. 20 (2023); FDA, Use of Electronic Health Record Data in Clinical Investigations: Guidance for Industry (2018); FDA, Electronic Source Data in Clinical Investigations: Guidance for Industry (2013).

[5] The 2017 Draft Guidance described a certified copy as being a verified copy that has “all of the same attributes and information as the original.”

[6] In the 2023 Draft Guidance, FDA cross-references its January 2022 draft guidance for industry, investigators, and other stakeholders entitled Digital Health Technologies for Remote Data Acquisition in Clinical Investigations (2022 Draft DHT Guidance). The 2023 Draft Guidance reflects many of the DHT principles contained in the 2022 Draft DHT Guidance.

Photo of Wade Ackerman Wade Ackerman

Through more than a decade of experience in private practice and positions within the FDA and on the Hill, Wade Ackerman has acquired unique insights into the evolving legal and regulatory landscape facing companies marketing FDA-regulated products. Mr. Ackerman advises clients on FDA…

Through more than a decade of experience in private practice and positions within the FDA and on the Hill, Wade Ackerman has acquired unique insights into the evolving legal and regulatory landscape facing companies marketing FDA-regulated products. Mr. Ackerman advises clients on FDA regulatory matters across a range of sectors, including drugs and biologics, cosmetics, medical devices and diagnostics, and digital health products and services associated with drugs and traditional devices. He serves as one of the leaders of Covington’s multidisciplinary Digital Health Initiative, which brings together the firm’s considerable resources across the broad array of legal, regulatory, commercial, and policy issues relating to the development and marketing of digital health technologies.

Photo of Scott Cunningham Scott Cunningham

Scott Cunningham is a member of the firm’s Food and Drug practice group.  He represents pharmaceutical, biotechnology, and medical device companies as well as trade associations in matters before the FDA, Congress, state and federal courts, and other regulatory and enforcement agencies.  Scott has…

Scott Cunningham is a member of the firm’s Food and Drug practice group.  He represents pharmaceutical, biotechnology, and medical device companies as well as trade associations in matters before the FDA, Congress, state and federal courts, and other regulatory and enforcement agencies.  Scott has significant experience in areas including new product development and clinical trials; IRBs; new product approvals; Hatch-Waxman exclusivities and product life-cycle management; advertising and promotion; False Claims Act and Anti-Kickback compliance issues and pharmaceutical investigations; Orphan Drug; pediatric exclusivity; manufacturing and cGMPs; import/export; controlled substances; SEC disclosure; and other aspects of federal and state regulation of pharmaceuticals, biologics, and medical devices.

Scott also has an active pro bono practice where he regularly serves as a Guardian ad Litem representing children in neglect & abuse and child custody cases.

Photo of Paula Katz Paula Katz

Paula Katz advises clients on pharmaceutical compliance and enforcement. She joined the firm after serving as Director of Guidance and Policy for the Office of Manufacturing Quality in the Center for Drug Evaluation and Research (CDER) at the Food and Drug Administration (FDA).

Paula Katz advises clients on pharmaceutical compliance and enforcement. She joined the firm after serving as Director of Guidance and Policy for the Office of Manufacturing Quality in the Center for Drug Evaluation and Research (CDER) at the Food and Drug Administration (FDA). While at the FDA, Paula focused on current good manufacturing practice (CGMP) enforcement and drug quality policy issues. She advised CDER and FDA leadership regarding manufacturing supply chain controls, contract manufacturing, data and application integrity, administrative law and procedure, and regulatory policy development and enforcement strategy.

Photo of Julia Post Julia Post

Julia Post advises biotechnology, pharmaceutical, medical device, and trade association clients on a variety of federal and state regulatory and compliance matters. In particular, Julia has experience in areas including biosimilars and interpretation and implementation of the Biologics Price Competition and Innovation Act…

Julia Post advises biotechnology, pharmaceutical, medical device, and trade association clients on a variety of federal and state regulatory and compliance matters. In particular, Julia has experience in areas including biosimilars and interpretation and implementation of the Biologics Price Competition and Innovation Act of 2009; human cells, tissues, and cellular and tissue-based products (HCT/Ps); market exclusivity; informed consent requirements; and pharmacy substitution practices.

Prior to joining the Food and Drug practice group, Julia was a member of the Litigation practice group where she focused on representing clients in Hatch-Waxman patent litigation.

Photo of Christina Kuhn Christina Kuhn

Christina Kuhn advises medical device, pharmaceutical, and biotech companies on a broad range of FDA regulatory strategy and compliance matters. She has experience with cutting-edge and complex medical technologies, including software and digital health products, oncology products, next-generation sequencing, diagnostics, and combination products.…

Christina Kuhn advises medical device, pharmaceutical, and biotech companies on a broad range of FDA regulatory strategy and compliance matters. She has experience with cutting-edge and complex medical technologies, including software and digital health products, oncology products, next-generation sequencing, diagnostics, and combination products.

Christina frequently helps multinational device manufacturers as well as start-up device companies navigate the premarket regulatory process, advising companies on regulatory classification, clinical development strategy, and agency interactions. She also has significant experience counseling medical device companies on postmarket compliance requirements, including those related to advertising and promotion, quality systems and manufacturing, medical device reporting, registration and listing, and recalls. She advises clients on responding to and resolving enforcement actions, such as FDA inspections and Warning Letters as well as Department of Justice investigations.

Christina advises clients on, and performs regulatory due diligence for, corporate transactions, including acquisitions, public offerings, co-development agreements, and clinical trial agreements.

Christina also regularly assists industry associations and medical device and pharmaceutical companies in commenting on FDA guidance documents and rulemaking as well as drafting and analyzing federal legislation.

Christina is a frequent contributor to Covington’s Digital Health and InsideMedicalDevices blogs.

Photo of Emily Statham Emily Statham

Emily Statham is an associate in the firm’s Washington, DC office, where she is a member of the Food, Drug, and Device and Life Sciences Transactions Practice Groups. She advises pharmaceutical, biotechnology, and medical device companies on a variety of regulatory, compliance, and…

Emily Statham is an associate in the firm’s Washington, DC office, where she is a member of the Food, Drug, and Device and Life Sciences Transactions Practice Groups. She advises pharmaceutical, biotechnology, and medical device companies on a variety of regulatory, compliance, and transactional issues.