The Draft Guidance impacts IT service providers, contract research organizations (CROs), sponsors, research institutions, investigators and institutional review boards (IRBs).
This post examines select issues that impact:
We include numerous Takeaways for contracting parties.
Boldly striding into the Part 11 space that is occupied by a variety of interrelated (sometimes confusingly) draft and final guidances, this Draft Guidance: (a) replaces the draft guidance entitled Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 — Questions and Answers (June 2017); (b) expands upon the guidance entitled Part 11, Electronic Records; Electronic Signatures – Scope and Application (August 2003); (c) when finalized, will supersede the guidance entitled Computerized Systems Used in Clinical Investigations (May 2007); and (d) lists eight Part 11-related guidance documents in the appendix.
As used in the Draft Guidance and this post, the term “Service Level Agreements (SLAs)” means the documents negotiated between IT service providers and their customers (as opposed to the service level agreements typically attached to a SaaS agreement, where the SLA details percentage uptime, remedies for failure to meet that uptime and other functional specifications).
The Draft Guidance repeatedly refers to, but does not define, “other regulated entities.” We note that FDA identified CROs and IRBs as examples of other regulated entities in the 2017 draft guidance that this Draft Guidance replaces.
The Draft Guidance uses a Q&A format to address:
This post follows the Q&A format of the Draft Guidance. We focus on select issues that impact IT contracts and the use of DHTs in the clinical trials enterprise. For each Question in Sections IIIB-E, we begin with the Draft Guidance’s recommendations and add our commentary as “Takeaways.”
The Draft Guidance highlights the importance of compliance with good clinical practices (GCPs) and ties in Part 11.
For electronic records that are subject to Part 11, this section looks at real-world data sources (Q1), foreign studies (Q2), certification Q3 and Q4), record retention (Q5) and electronic communication methods (Q6).
If you run fully or partially decentralized clinical trials (DCTs), the plethora of potential electronic systems supporting the study will come as no surprise. The Draft Guidance gives a veritable alphabet soup of examples of electronic systems used to produce electronic records required in clinical investigations, including eCRF, EDC, eTMF, eCDMS, eCTMS, electronic quality management systems (no acronym!), IRT, IVRS, IWRS, electronic IRB management systems, eIC and web portals that display ePRO, eCOA and DHT-collected data (you’ll be quizzed at the end).
FDA reiterates (from its 2003 Part 11 Guidance) that “FDA intends to exercise enforcement discretion regarding specific Part 11 requirements for validation of computerized systems.”
The Draft Guidance lays out considerations for a risk-based approach to validation of electronic systems. FDA distinguishes between commercial off the shelf software (COTS) and customized software, and observes that validation for the former is not generally required if the COTS is used as intended by the manufacturer.
Takeaways: Sponsors do not need to validate commercial off the shelf software (COTS) if the COTS is used as intended by the manufacturer. Depending on the IT services, sponsors should consider whether to include corresponding representations and warranties in the SLA.
FDA recommends that for each study protocol, the sponsor should diagram the data flow from initial creation to final storage. The sponsor should describe (a) the electronic systems used to collect data; and (b) the electronic systems used to create, modify, maintain, archive, retrieve or transmit relevant electronic records.
The Draft Guidance sets forth 11 bullet points for which sponsors should determine whether documentation or SOPs are appropriate. Documentation related to the bulleted list should be retained as part of the clinical investigation records and available for inspection by FDA.
FDA identifies seven areas that FDA will generally focus on during a sponsor inspection. Of special note for IT vendors, sponsors and CROs, this list includes “contracts with vendors or other delegated entities that detail their functions and responsibilities.”
Takeaways: For each study protocol, sponsors should perform an electronic systems mapping and a data mapping exercise. When negotiating an SLA, the parties should take into account FDA’s bulleted list and the seven areas for sponsor inspection, keeping in in mind that FDA may review vendor contracts like the SLA.
Sponsors should provide information (e.g. policies and procedures) to sites about the Part 11-regulated electronic systems they or their vendors use. Investigators should retain this information and have it available for an FDA inspection, as the information may bear on the sponsor’s compliance.
Sites whose systems fall under Part 11 should follow the answers to Question 8. Not surprisingly, FDA may inspect the site’s SOPs and documentation regarding the use of electronic systems.
Takeaways: Sponsors need to provide sites with information about the sponsors’ relevant electronic systems and be prepared for the site to share that information with FDA as part of an FDA audit of sponsor compliance. Sites should also be prepared to follow Question 8 if their own systems fall under Part 11.
FDA generally will not review audits conducted by sponsors or other regulated entities of their IT providers.
Takeaways: SLA parties generally do not need to worry that sponsor audits of their IT providers will be shared with FDA. It is unclear what the exceptions might be.
Turning to the security of these electronic systems, FDA recommends security fundamentals like using logical and physical access controls, cumulative records of authorized access, and standard security safeguards. Examples include:
Takeaway: Follow security basics. In today’s world, how can you afford not to?
We have written about cybersecurity here, here and here. Katherine Leibowitz is a frequent speaker on cybersecurity issues in technology contracting and the clinical trials enterprise at industry conferences and webinars.
Tucked quietly into the end of Q11, FDA recommends two things:
Takeaways: The security breach terms of #2 are vague and leave a lot to the imagination. This is a common conundrum in IT contracting. What is a security breach? What is the threshold for when an event “could impact” safety or privacy? Which contracting party makes this determination? What triggers a report to the sponsor? How quickly? Who reports to the IRB and FDA? What about notifying study subjects? The answers will vary depending on the party, the IT and data at issue, and the relative negotiating positions of each party. Keeping FDA in mind, the negotiated compromises need to baked into the SLAs and clinical trial agreements.
FDA reiterates its intent to exercise enforcement discretion regarding audit trails under Part 11 and reminds everyone that compliance with the predicate rules is still a “must.”
Reflecting FDA’s focus on the impact of technology impact on trial data integrity, FDA observes, “Even where there are no predicate rule requirements related to documentation, it is nonetheless important to have audit trails or other physical, logical, or procedural security measures in place to ensure the trustworthiness and reliability of the electronic records.”
Takeaway: Regulations aside, best practices include having audit trails or other physical, logical, or procedural security measures in place to ensure data integrity. This is another no-brainer in today’s interconnected world.
Subsection C addresses IT service providers and IT services (e.g. data hosting, cloud computing software, platform and infrastructure services). FDA reminds everyone that sponsors and other regulated entities are responsible for ensuring that electronic records comply with Part 11.
The introduction to Subsection C contains a bulleted list of due diligence items for sponsors and other regulated entities to consider when assessing an IT service provider’s ability to ensure the authenticity, integrity and confidentiality of study records and data.
Takeaways: Due diligence of IT vendors is critical. FDA’s bulleted list serves sponsors and IT vendors alike. Sponsors and other regulated entities should remember to check the list when performing due diligence of their IT vendors, and to build appropriate representations and warranties into the SLA. IT vendors should be prepared to respond by having appropriate policies and documentation on hand, and by examining the nature and extent of what they are warranting and confirming that the SLA does not overpromise.
Yes. We included the full question here because we find it astonishing that sponsors and other regulated entities would consider not having a written service level agreement (SLA) with their IT providers.
After performing the due diligence based on the bulleted list located in the introduction to Section III.C (discussed immediately above), FDA recommends that the sponsor or other regulated entity enter into a written SLA with the IT service provider. Among other things, the SLA should address data integrity and security safeguards, and should clearly set forth the scope of the services, the respective roles and responsibilities of each party to the contract and details regarding data access throughout the regulatory retention period.
FDA reminds stakeholders that the sponsor is responsible for duties and functions related to the study that are not specifically and lawfully transferred to and assumed by IT service provider (e.g. via a transfer of regulatory obligations (TORO) to a CRO under 21 CFR 312.52; this applies to drug studies; there is no parallel under 21 CFR 812 for device studies).
Takeaways: Don’t use IT services for your clinical trial without a written contract with the IT vendor. Don’t enter into that written contract unless you have performed due diligence on the IT vendor with FDA’s list in mind (and the vendor passed with flying colors).
Even more firmly inserting itself in the IT relationships, FDA explains that “Sponsors and other regulated entities who outsource IT services should make the following information available for FDA upon request:
FDA may inspect IT service providers who are subject to a TORO.
“FDA can also request to conduct focused investigations of IT service providers for examination of trial records” even if there is no TORO, such as if FDA has a specific concern about data integrity. The SLA should provide the sponsor with access to all study-related records maintained by IT service providers, as FDA can review those records during a sponsor inspection.
Takeaways: The SLA should give the sponsor access to all study-related records. Further, IT providers (whether or not subject to a TORO) might be inspected.
Section III.D discusses special Part 11 considerations for DHTs used to collect data in clinical investigations. In addition, the principles of Sections III.A – C regarding electronic systems apply equally to DHTs. The Draft Guidance builds on FDA’s draft guidance from December 2021 on the use of DHTs in clinical trials, which we previously wrote about here and here.
For DHTs specifically, the Draft Guidance tackles:
Takeaways: This Section III.D. expands upon FDA’s December 2021 DHT draft guidance by introducing more granular recommendations regarding the use of DHTs in clinical trials. While DHTs may have previously fallen under the radar, as studies become increasingly decentralized and technology-centric, the Draft Guidance illustrates increased FDA attention to DHTs. Stakeholders in clinical trials that employ DHTs should review this entire Draft Guidance with particular attention to Section III.D (and should do so in conjunction with the December 2021 DHT draft guidance).
Electronic signatures and their associated electronic records that comply with Part 11 generally will be viewed as the equivalent of handwritten signatures.
The Draft Guidance tackles:
Takeaways: The Draft Guidance updates FDA’s electronic signatures recommendations to account for new technologies. Stakeholders should review these recommendations when building out their IT support. Authentication of a person’s identity (is the electronic signatory who they say they are?) is always a challenge in the electronic world and has become even more so with the explosion of generative artificial intelligence software that can, for example, create quite convincing voice clones. But that’s a story for another day…
The recently revised Part 11 Draft Guidance reflects a deep dive by FDA into IT services supporting clinical trials, including granular attention to DHTs. The document includes best practices for contracting, outsourcing and documentation, and serves as a warning to stakeholders of FDA’s increased attention to data integrity and security in the increasingly-technologized clinical trials enterprise. It’s also a reminder that contracts in regulated industries need appropriate regulatory seasoning. With the modernization and decentralization of clinical trials mandated by FDORA, we expect FDA to continue focusing on the impact of IT services on clinical investigation study data and participant integrity, security, privacy and safety. We will continue to monitor developments and encourage you to check our Insights for updates.
Access the Draft Guidance.
This contents of this alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This content is not intended to and does not, by its receipt, create an attorney-client relationship. The contents are intended for general informational purposes only. We urge you to consult your attorney about the specific situation and any legal questions you may have. Attorney advertising in some jurisdictions. © 2023 Leibowitz Law. All rights reserved. “Leibowitz Law” is a trade name of Leibowitz LLC.
To be notified when we post new Insights, please sign up for our email list. As industry thought leaders, Leibowitz Law Insights address developing issues at the intersection of law, regulation, technology and life sciences…