by Daniel R. Matlis
On May 10th, the FDA issued Guidance for Industry on “Computerized Systems Used in Clinical Investigations” Although the guidance provides Nonbinding Recommendations, it provides the agencies current thinking on the subject. It is interesting to note that this guidance is meant to supplements the guidance for industry on Part 11, Electronic Records; Electronic Signatures — Scope and Application issued in dated August 2003. The Scope and Application Guidance clarified that the Agency interprets the scope of Part 11 narrowly and intend to exercise enforcement discretion with regard to part 11 requirements for validation, audit trails, record retention, and record copying. This guidance reiterates that, all other Part 11 provisions remain in effect.
This guidance provides specific recommendations regarding the use of computerized systems in clinical investigations, but it is safe to assume that these guidelines will apply to electronic record systems across FDA regulated companies.
Here are the highlights of the Guidance The computerized systems should be designed to:
(1) Satisfy the processes assigned to these systems for use in the specific study protocol
(2) Prevent errors in data creation, modification, maintenance, archiving, retrieval, or transmission
It also recommends a complete set of Standard Operating Procedures which include, but are not limited to:
- System setup/installation (including the description and specific use of software, hardware, and physical environment and the relationship)
- System operating manual Validation and functionality testing Data collection and handling (including data archiving, audit trails, and risk assessment)
- System maintenance (including system decommissioning)
- System security measures
- Change control Data backup, recovery, and contingency plans
- Alternative recording methods (in the case of system unavailability)
- Computer user training
- Roles and responsibilities of sponsors, clinical sites and other parties with respect to the use of computerized systems in the clinical trials
FDA recommends that SOPs should be maintained either on-site or be remotely accessible through electronic files Source Documentation and Retention The guidance clarifies that when original observations are entered directly into a computerized system, the electronic record is the source document.
It goes on to suggest that when source data are transmitted from one system to another, or entered directly into a remote computerized system a copy of the data should be maintained at another location, typically at the clinical site but possibly at some other designated site. Copies should be made contemporaneously with data entry and should be preserved in an appropriate format, such as XML, PDF or paper formats.
Internal Security Safeguards
Limited Access Access must be limited to authorized individuals (21 CFR 11.10(d). This requirement can be accomplished by the following recommendations.
- We recommend that each user of the system have an individual account.
- The user should log into that account at the beginning of a data entry session, input information (including changes) on the electronic record, and log out at the completion of data entry session.
- The system should be designed to limit the number of log-in attempts and to record unauthorized access log-in attempts. Individuals should work only under their own password or other access key and not share these with others.
- The system should not allow an individual to log onto the system to provide another person access to the system. Passwords or other access keys be changed at established intervals commensurate with a documented risk assessment.
- When someone leaves a workstation, the person should log off the system.
- Alternatively, an automatic log off may be appropriate for long idle periods.
- For short periods of inactivity, we recommend that a type of automatic protection be installed against unauthorized data entry (e.g., an automatic screen saver can prevent data entry until a password is entered).
Audit Trails
The use of audit trails or other security measures helps to ensure that only authorized additions, deletions, or alterations of information in the electronic record have occurred and allows a means to reconstruct significant details about study conduct and source data collection necessary to verify the quality and integrity of data.
- Computer generated, time-stamped electronic audits trails are the preferred method for tracking changes to electronic source documentation
- The need for audit trails should be determined based on a justified and documented risk assessment that takes into consideration circumstances surrounding system use, the likelihood that information might be compromised, and any system vulnerabilities.
- Should it be decided that audit trails or other appropriate security measures are needed to ensure electronic record integrity, personnel who create, modify, or delete electronic records should not be able to modify the documents or security measures used to track electronic record changes.
- Audit trails or other security methods used to capture electronic record activities should describe when, by whom, and the reason changes were made to the electronic record.
- Original information should not be obscured though the use of audit trails or other security measures used to capture electronic record activities.
Date/Time Stamps
- Controls should be established to ensure that the system’s date and time are correct.
- The ability to change the date or time should be limited to authorized personnel, and such personnel should be notified if a system date or time discrepancy is detected.
- Any changes to date or time should always be documented.
- We do not expect documentation of time changes that systems make automatically to adjust to daylight savings time conventions.
- We recommend that dates and times include the year, month, day, hour, and minute and encourage synchronization of systems to the date and time provided by international standard setting agencies (e.g., U.S. National Institute of Standards and Technology provides information about universal time, coordinated (UTC)).
- For systems that span different time zones, it is better to implement time stamps with a clear understanding of the time zone reference used.
- System documentation should explain time zone references as well as zone acronyms or other naming conventions.
External Security Safeguards
In addition to internal safeguards built into a computerized system, external safeguards should be put in place to ensure that access to the computerized system and to the data is restricted to authorized personnel.
- Staff should be kept thoroughly aware of system security measures and the importance of limiting access to authorized personnel.
- Procedures and controls should be put in place to prevent the altering, browsing, querying, or reporting of data via external software applications that do not enter through the protective system software.
- A cumulative record should be maintained to indicate, for any point in time, the names of authorized personnel, their titles, and a description of their access privileges.
- That record should be kept in the study documentation, accessible for use by appropriate study personnel and for inspection by FDA investigators.
- Controls should be be implemented to prevent, detect, and mitigate effects of computer viruses, worms, or other potentially harmful software code on study data and software.
Other System Features
- Direct Entry of Data FDA recommend the incorporation prompts, flags, or other help features into computerized system to encourage consistent use of clinical terminology and to alert the user to data that are out of acceptable range.
- Firms should not use programming features that automatically enter data into a field when the field is bypassed (default entries). However, you can use programming features that permit repopulation of information specific to the subject.
- To avoid falsification of data, you should perform a careful analysis in deciding whether and when to use software programming instructions that permit data fields to be automatically populated.
Retrieving Data
- The computerized system should be designed in such a way that retrieved data regarding each individual subject in a study is attributable to that subject.
- Since reconstruction of the source documentation is essential to FDA’s review of the clinical study submitted to the Agency, information provided to FDA should fully describe and explain how source data were obtained and managed, and how electronic records were used to capture data. It is not necessary to reprocess data from a study that can be fully reconstructed from available documentation. Therefore, the actual application software, operating systems, and software development tools involved in the processing of data or records need not be retained.
System Controls
- When electronic formats are the only ones used to create and preserve electronic records, sufficient backup and recovery procedures should be designed to protect against data loss.
- Records should regularly be backed up in a procedure that would prevent a catastrophic loss and ensure the quality and integrity of the data.
- Records should be stored at a secure location specified in the SOP.
- Storage should typically be offsite or in a building separate from the original records.
- FDA recommends that firms maintain backup and recovery logs to facilitate an assessment of the nature and scope of data loss resulting from a system failure.
Change Controls
- The integrity of the data and the integrity of the protocols should be maintained when making changes to the computerized system, such as software upgrades, including security and performance patches, equipment, or component replacement, or new instrumentation.
- The effects of any changes to the system should be evaluated and some should be validated depending on risk.
- Changes that exceed previously established operational limits or design specifications should be validated.
- All changes to the system should be documented.
A rewrite of Part 11 it’s not, but the guidance provides an insight into the FDA’s position on system relying on electronic records and signatures.