What Are the Fda Guidelines for Electronic Signatures?

27-Jan-2025

The FDA’s 21 CFR Part 11 provides foundational guidance for electronic records and signatures in the pharmaceutical industry. Part 11 is based on the basic prerequisite that systems must be validated according to GMP. (It’s also relevant for GDP, GLP, GCP, and medical devices.)

Pharma companies that choose to maintain electronic records or to submit certain types of information to the FDA's Draft Guidance for Electronic Records are subject to Part 11, which applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements outlined in Agency regulations.

Part 11 also applies to electronic records submitted to the Agency under the Federal Food, Drug, and Cosmetic Act and the Public Health Service (PHS) Act. The Food and Drug Administration establishes its requirements for electronic records and signatures in 21 CFR Part 11. The regulation is meant to allow the greatest possible use of the technology while ensuring the integrity and security of electronic records and signatures, supporting the Food and Drug Administration's responsibility to protect public health.

FDA's Draft Guidance for Electronic Records key provisions of the final guidance.

Electronic records

Source of real-world data: The FDA clarified that Part 11 compliance will not be required for electronic health records or other electronic systems that are sources of real-world data. The FDA will only assess compliance with Part 11 once an electronic record is entered into a sponsor's electronic data capture (EDC) system.

Conducting trials outside the US. Part 11 applies to any records required to be kept in electronic format: This includes any foreign clinical investigations for which the use of such data is intended to support an investigational new drug application (IND) or a marketing application, even if that study is not conducted under an IND.1

Retention of records: The FDA does not make a distinction between electronic data and other types of data regarding record retention. During an inspection, the regulated entity should be in the position to present all records and data that will be required to reconstruct a clinical investigation. Such records should, in particular, include metadata (for example, the date and time stamp for when the original data were acquired, as well as changes made to the data) and audit trails. Backup and recovery procedures should be in place where records exist only in electronic form.

Electronic systems placed by authorized institutions

Electronic system validation. Electronic systems should be validated before use in a clinical investigation.

FDA inspection of electronic systems. For every clinical investigation, the sponsor and clinical investigator should document:

• The electronic systems that would be used to create, modify, maintain, archive, retrieve, or transmit relevant electronic records.
• The system requirements.
• Sponsors and clinical investigators should be ready to provide the FDA with information such as:
• System validation.
• Staff training on the use of the system.
• Procedures and controls for access to the system data creation and modification and maintenance of data
• Documentation on using electronic systems in clinical investigations includes access rights and backup, recovery, and contingency plans for source records.

Protection: The sponsor and clinical investigator shall limit system access to only authorized users. Maintain a record of all clinical trial personnel authorized to access the electronic system, as well as any changes to any rights or permissions. The sponsors and clinical investigators shall maintain an audit trail of access and guard such information against change. This would include the date and time any changes to the record are recorded, the name of the person performing the change, and the reason why the change is being made.

Electronic signatures (e-signatures)

• The e-signature should embody the signer's printed name, date, and time of signing, as well as the associated meaning. Such an e-signature must also be attached to the appropriate electronic record.
• Method of electronic signature. Part 11 does not describe which particular method has to be utilized. Computer-readable ID cards, biometrics, digital signatures, and usernames and passwords may all work for it.
• Letters of nonrepudiation. Each e-signature user shall send to the FDA a letter of nonrepudiation certifying that the e-signature is intended to be the legally binding equivalent of a traditional handwritten signature.

FDA's Draft Guidance for Electronic Records and Electronic Signatures rule offers companies a chance to take advantage of the efficiencies afforded by electronic recordkeeping. The rule also presents its challenges, and taking all the necessary steps to ensure compliance with the requirements will be demanding and expensive. Although the FDA has vowed leniency and is allowing companies to bring themselves into compliance, the agency will someday actively enforce this regulation.

Meanwhile, device companies can expect that the FDA will want to see some documentation of the effort they have made to comply with part 11. That documentation should include an inventory of all proposed and existing systems. New systems should be designed to comply, and existing systems must be evaluated so that a high priority is put toward bringing those systems that are creating mandated records and supporting submissions to the FDA into compliance.

Device companies may need to consider the level of risk they are willing to assume in determining whether to bring individual systems into conformity. Once it has decided to bring its systems into conformity, though, it should have a set of plans with definable but realistic timelines to help it meet this objective.