The FDA regulates computerized systems used in clinical trials under the authority of Title 21 the Code of Federal Regulations Part 11 (21 CFR Part 11). These regulations apply only to use of systems in trials the results of which will be submitted to the FDA as part of the drug development/approval process.
This document serves as a brief ‘cheat sheet’ of some critical aspects of the 21 CFR Part 11 rules and regulations. While it is not a substitute for a thorough understanding of the law and related FDA Guidance, it may aid in understanding and reference.
I. General Principles
FDA Guidance Documents (http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM072322.pdf) explain that the key principle behind regulations on computerized systems used in clinical trials is that the data should be attributable, original, accurate, contemporaneous, and legible.
· Attribution & Originality:
o Data entry allows freehand annotations/notes that are attributable and time-stamped
o User Authentication is required as part of a closed system, using biometrics or userid/password
o Passwords must be changed at established intervals
o The system must log users off or timeout after a specified period of inactivity
o The system should keep secure time-stamped audit trails that can’t be modified by system users
o External applications w/o the same authentication & audit protections as the main system should not modify any records in the system
o A change to a record should not obscure original record info
o Procedures should be in place to make sure system date/time are accurate
o Training is necessary for users of the system and should be documented
o Study protocols should define usage of a system to create, modify, transmit, maintain, archive, and retrieve data. The system should enforce requirements defined in protocol (eg use of metric units) and check for errors in data entry, modification, retrieval, and transmission.
o The system should have SOPs for setup/install, data collection, system maintenance, backup and recovery, security, and change control
o Vendor should provide design-level validation of software (incl design spec, test plan, test results, and write-up) as well as documentation of software. For each install, trial sponsor and/or site should validate with test data
o The system should have documented processes for change control & revalidation upon modification/upgrade, and modifications/upgrades should be documented
o The system should be able to display cumulative record of system users and privileges at any given time, incl. user’s name, title, and access privileges
During an audit, the FDA may inspect everything (records and systems). FDA should be able to read all audit trails and the system should generate in human-readable and electronic form accurate and complete copies of records and audit trails.
II. FDA Guidance on Enforcement and Discretion (or, What Types of Activities and Records Does 21CFR Part 11 Apply To?)
From Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and
Application, August 2003 – (http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM072322.pdf):
We intend to enforce all other provisions of part 11 including, but not limited to, certain controls for closed systems in § 11.10. For example, we intend to enforce provisions related to the following controls and requirements:
• limiting system access to authorized individuals
• use of operational system checks
• use of authority checks
• use of device checks
• determination that persons who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks
• establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures
• appropriate controls over systems documentation
• controls for open systems corresponding to controls for closed systems bulleted above (§11.30)
• requirements related to electronic signatures (e.g., §§ 11.50, 11.70, 11.100, 11.200, and 11.300)
Everyone working in clinical trials must comply with applicable predicate rules, and records that are required to be maintained or submitted must remain secure and reliable in accordance with the predicate rules.
III. Use of Electronic Signatures
Electronic signatures are used to ensure that actions/records are attributable in a legally binding manner. Following is a summary relevant excerpts from the regulation 21 CFR Part 11 (See http://www.fda.gov/ora/compliance_ref/part11/FRs/background/pt11finr.pdf p.36). The summary covers the controls and procedures that should be in place to ensure that the electronic signature can be considered binding and verifiable. Three important sections define system controls, signature controls, and password controls:
– System Controls include controls in workflows, procedures, and system design to ensure that attribution and electronic signatures can be verified. Most important are:
o System validation (discussed above)
o Audit trails (also discussed above)
o Operational system checks – enforcing permitted sequencing of events (workflow management)
o Authority checks – ensuring that only authorized individuals can use the system
o Device (e.g., terminal) checks to determine, as appropriate, the validity of the
source of data input or operational instruction (IP Address logging)
o Documentation of adequate user education, training, and experience.
o Policies for individual accountability for actions initiated under their electronic
o Controls over distribution of, access to, and use of system documentation
o Change control procedures documenting time-sequenced modification of system documentation.
– Signature Controls (for signatures based on passwords) include:
o Use of at least two distinct id components such as an user id and password.
o Signature Verification:
§ When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
§ When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
– Password Controls include:
o Password expiration
o Rigid and rigorous password de-activation and temporary generation protocols
Excerpts from the Regulation 21 CFR Part 11 Related to Electronic Signatures
§ 11.3 Definitions.
(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.
(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.
Subpart B—Electronic Records
§ 11.10 Controls for closed systems.
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
(d) Limiting system access to authorized individuals.
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.
Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
§ 11.30 Controls for open systems.
Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in § 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
§ 11.200 Electronic signature components and controls.
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous
period of controlled system access, the first signing shall be executed using all
electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and
designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a
single, continuous period of controlled system access, each signing shall be
executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
§ 11.300 Controls for identification codes/passwords.
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Anayansi Gamboa has an extensive background in clinical data management as well as experience with different EDC systems including Oracle InForm, InForm Architect, Central Designer, CIS, Clintrial, Medidata Rave, Central Coding, OpenClinica Open Source and Oracle Clinical.
Disclaimer: The legal entity on this blog is registered as Doing Business As (DBA) – Trade Name – Fictitious Name – Assumed Name as “GAMBOA”.