1. You are here:
  2. Homepage
  3. News & Insights Search
  4. Commenters seek clarity in FDA draft guidance on electronic systems, signatures in clinical trials

rf-fullcolor.png

 

Regulatory News
May 18, 2023
by Jeff Craven

Commenters seek clarity in FDA draft guidance on electronic systems, signatures in clinical trials

Stakeholders used a comment period for US Food and Drug Administration (FDA) draft guidance on electronic systems, records, and signatures in clinical trials to ask the agency for more clarity on specific aspects of the guidance.

In response to advancing technology over the last several decades, the agency said an update to the 2003 Part 11 guidance on electronic records and signatures was necessary. These technological advances include but are not limited to standard features of electronic systems that contain audit trails, automated timestamps, and the ability to copy and archive records.

Emerging technology has also been used in unexpected and novel ways, is more readily shared between organizations, and is used more prevalently, FDA noted. To that end, the new draft guidance for sponsors, clinical investigators, institutional review boards (IRBs), contract research organizations (CROs), and other interested parties contains updated recommendations related to FDA-regulated clinical investigations under the agency’s purview (RELATED: FDA revises guidance on electronic systems and signatures in clinical trials, Regulatory Focus, 15 March 2023). 

“Understanding the evolving uses of electronic records, electronic systems, and electronic signatures in clinical investigations is important for FDA in its assessment of the authenticity, integrity, and reliability of data submitted in support of marketing applications or submissions,” FDA wrote.

In the new draft guidance, the agency used a question-and-answer format to address situations on the topics of electronic records, electronic systems, and electronic signatures as well as in information technology (IT) and digital health technology (DHT).

Stakeholders mostly used their comments to address the agency questions, but some also submitted general comments about the draft guidance. In their comment, the Pharmaceutical Research and Manufacturers of America (PhRMA) said the use of the term “regulated entities” throughout the draft guidance in conjunction with 21 CFR Part 11 regulations could be more specific in the introduction.

The Association of Clinical Research Organizations (ACRO) noted in their comment that the removal of a question from the 2017 draft guidance concerning how a user logs into an electronic system is worth reintroducing into the latest guidance. The question “is an important clarification from the FDA that when a user logs into an electronic system using their username and password, it is not necessary to re-enter the same username when executing the first signature in that session,” they said. 

Consistent terminology throughout the draft guidance, such as mentioning both “service provider” and “vendor” in the document, would be helpful, ACRO added.


Electronic records

FDA’s questions about electronic records concerned which circumstances electronic records submitted to the agency in a marketing application pertained to Part 11 requirements, if stakeholders should retain a certified copy of clinical investigation electronic records, retaining electronic records, whether to certify electronic records not related to a clinical investigation and if electronic communications are addressed by 21 CFR part 11. 

Stakeholders expressed different opinions on whether to retain certified copies of electronic records. While PhRMA said in their estimation that “sponsors do not need to maintain the paper copy if a true copy has been scanned and digitized,” the Advanced Medical Technology Association (AdvaMed) commented that the FDA should expand on their expectations for how long a sponsor should retain certified copies. 

Boehringer Ingelheim requested more clarity in their comment on what constitutes credibility and accuracy of electronic records used in clinical investigation. “We understand that any data capture and processing should be following defined processes (including source data verification) and using validated systems. If other measures besides validated systems are possible to demonstrate credibility and accuracy of data, please give an example for clarity,” they wrote.

In addition, Boehringer Ingelheim asked FDA to provide more detail on required metadata for certified copies of electronic records, such as whether the size of a file or number of files pertains to an original record or copy. “In many cases, ‘size of file’ and ‘number of files’ information could not be provided as part of the certified copy as such but would require an additional metadata file to be provided along with the certified copy(s). "This is not feasible for many certified electronic copies,” they wrote.

Addressing the question of electronic communication technology, ACRO said that email and text messaging “typically relies on infrastructure directly out of the control of sponsors or indeed investigational site personnel” and explained that “regulated entities may be constrained in their ability to secure end-to-end transfer.” 

“ACRO suggests that the guidance should acknowledge this and allow regulated entities to adopt reasonable risk-based measures to secure electronic records in transit,” they wrote.


Electronic systems owned or controlled by sponsors or other regulated entities

The agency’s questions on electronic systems focused on a risk-based approach for validation, documentation of electronic systems that fail, FDA focus of investigations for clinical investigator sites, security and safeguard requirements, considerations for audit trails, controls for accurate date and timestamping, training for personnel using electronic systems in clinical investigations, and whether FDA does preliminary evaluations of electronic systems for Part 11 compliance. 

In their comment, AdvaMed wrote that FDA should include how to guide risk-based assessments. Specifically, they noted that examples for sufficient risk-based assessment in different types of systems would be welcome. “While the considerations are helpful,” AdvaMed wrote, “they do not guide sponsors toward what FDA would accept in different situations.”

Commenting on the proposal to inform clinical investigator sites on the policies and procedures used by relevant electronic systems, PhRMA said the recommendation might result in the production of “voluminous information that could become outdated over time to sites, requiring sponsors to continuously update the sites on system changes that are not relevant to the study compliance, even after the trial has terminated.” 

PhRMA noted that some audit trails in clinical trial data outside source systems may not be reviewable. In these situations, “PhRMA recommends that FDA confirm that, for purposes of FDA inspections, sponsors should maintain an extract of audit trail data in human-readable format that the sponsor can demonstrate is linked to the original record.”

FDA’s requirement that a sponsor report security breaches to the agency is new to the 2023 guidance, ACRO said. The group requested more information from FDA on the “origins and basis of this new expectation.” In addition, ACRO said the agency should consider modifying the final guidance wording to limit reporting of security breaches “which have been internally investigated and confirmed as impacting the safety or privacy of clinical investigation participants.”


IT service providers and services

FDA’s questions focusing on IT providers and services in the draft guidance addressed the topics of whether stakeholders should enter into service-level agreements (SLA) with IT service providers, materials for meeting FDA regulatory requirements on IT services, and the focus of FDA inspection of IT services during a clinical investigation.

On the topic of service providers, the guidance should have “a clear distinction between self-service capabilities to create audit trail reports and use of the vendor to create such reports,” ACRO wrote in their comment. 

Sponsors also do not always enter into SLAs with vendors, ACRO added. “The term SLA is a broad definition that is not defined by the regulations and would likely be fulfilled by many different types of contracts,” they explained. “Because other contracts meet the requirements of SLAs, a clarification here would be helpful.”


Digital health technologies

FDA’s questions on DHTs focused on how to identify a data originator when data are captured from participants in clinical investigations, data attribution during DHT data capture, considerations during initial data transfer to a repository of electronic data, the location of DHT source data, and the focus of FDA inspections in this area.

DHT data processing and transformation can sometimes take place inside the DHT or in an external system, PhRMA noted, and recommended that “FDA confirm that, in both these circumstances, the Agency’s expectation is that sponsors retain the processed/transformed data, not the raw data initially captured by the DHT in a non-human readable format. 

“Maintaining the raw, pre-processed data, in non-human readable form, would not further enhance the accuracy or reliability of the data and, given the amount of raw data potentially generated by DHTs, would be burdensome to maintain,” they wrote.

Electronic signatures

The agency topic questions on electronic signatures addressed methods for creating valid signatures electronically, how to verify an electronic signer’s identity, requirements for use of biometrics in an electronic signature, and FDA certification of electronic systems and methods.

In their comment, Bayer said electronic signatures that meet all initial requirements and are seen as equivalent to a handwritten signature “should also apply to the validity of electronic signatures over time, especially if digital signatures are used.”

Another consideration for FDA is how to handle situations where a stored signed electronic document is tied to a vendor that is no longer in business. 

“If the signed document is retrieved from the archive, it is possible that the verification mechanism does not work/apply anymore,” they said. “If the signed document has been retained properly, the signature should not be considered invalid."

Draft guidance

Related topics

Pharmaceuticals
Return to listing

Recommended content

FDA_Badge2_260326_ALF.png
01 Apr 2026

FDA warns device maker, contract testing lab for GMP violations

The US Food and Drug Administration (FDA) has cited a medical device manufacturer and a contract drug testing laboratory for violations of current good manufacturing practices (CGMP). Additionally, regulators said the medical device maker has been selling products without marketing authorization, despite the company arguing that its products should be considered pre-amendment devices and therefore not regulated by the agency.

Regulatory News

Regulatory Affairs Professionals Society (RAPS)
5635 Fishers Lane, Suite 400
Rockville, Maryland 20852

Telephone: +1 301 770 2920
Fax: +1 301 841 7956

Email:  [email protected]

Design & Development by Pixl8
Membership software by ReadyMembership

Regulatory Affairs Professionals Society (RAPS)

© 2026 Regulatory Affairs Professionals Society

×

Welcome to the new RAPS Digital Experience

We have completed our migration to a new platform and are pleased to introduce the updated site.

What to expect: If you have an existing login, please RESET YOUR PASSWORD before signing in. After you log in for the first time, you will be prompted to confirm your profile preferences, which will be used to personalize content.

We encourage you to explore the new website and visit your updated My RAPS page. If you need assistance, please review our FAQ page.

We welcome your feedback. Please let us know how we can continue to improve your experience.