22
Jun
2023

Part 11 Application to Clinical Investigations

, ,
0

In March 2023, FDA released a draft guidance on Part 11 Application to Clinical Investigations.  The specific introduction in the guidance stated:

This document provides guidance to sponsors, clinical investigators, institutional review boards(IRBs), contract research organizations (CROs), and other interested parties on the use of electronic systems, electronic records, and electronic signatures in clinical investigations of medical products, foods, tobacco products, and new animal drugs. The guidance provides recommendations regarding the requirements, including the requirements under 21 CFR part 11 (part 11), under which FDA considers electronic systems, electronic records, and electronic signatures to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

The guidance also explains how the lifecycle of this guidance document will fit in with related guidance documents.  As illustrated below, the intention for this guidance is to:

  • Revise (and retitle) the guidance, “Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 — Questions and Answers (June 29, 2017)”
  • Expand upon the recommendations in the guidance, “Part 11, Electronic Records; Electronic Signatures — Scope and Application (August 2003)”
  • Supersede (replace) the guidance, “Computerized Systems Used in Clinical Investigations (May 2007)”

 

Part 11 application to clinical investigations

Some key take-aways from the guidance:

  1. 21 CFR Part 11 applies to real-world data used in support of predicate rules.
  2. 21 CFR Part 11 applies to data collected at non-US sites in support of predicate rules.
  3. Use validated process to create certified copies of clinical investigation records.
  4. Ensure storage of clinical investigation records are maintained with reliable method.
  5. While 21 CFR Part 11 does NOT address security of records during transmission, other privacy and security laws may necessitate encryption or other types of protection.

Validation of electronic systems used in clinical investigations

The guidance provides input and considerations to the software validation plan for an electronic system used in clinical investigations:

  • Criticality and significance of the record.
  • Intended use functionality – consider the workflow and the essential operations of the software to support the clinical investigation over the entire lifecycle of use, e.g., pre-study, peri-study, post-study.
  • Some office productivity tools may not need protocoled test cases – examine existing downstream QC.
  • Assess your vendor’s / supplier’s custom-made or custom-configured systems for state-of-the-art software validation activities: planning, requirements generation, software design rather than ad-hoc coding, testing at multiple levels such as unit and system, change control, and configuration management.  Do they have a clear strategy for “maintaining” a validated state for subsequent software releases.
  • Audit trail integrity.

Inspection readiness

What documentation should the sponsor have in place for electronic systems that fall under the scope of part 11, and what will be FDA’s focus during inspections of the sponsor?  The guidance gives input to this question – the electronic system “package” should include:

  • Have clear description of the software system.  SoftwareCPR would recommend layered architecture diagrams mapping data flow, software components, configurable items, control checkpoints.
  • Validation as described above.
  • Describe roles and responsibilities of sponsors, clinical sites, and other parties.
  • Describe installation process and necessary infrastructure, including any expected or required testing or “checks” to be performed by the sponsor.
  • Describe any necessary interfaces if applicable and how to ensure or verify interoperability.
  • User management process including instructions for sponsor if applicable.
  • Data backup, recovery, and contingency plan including any required actions by the sponsor.  Contingency plan to cover manual data entry or other method.
  • Training materials.
  • Auditing plans and reports to verify data integrity.

Refer to the guidance for more detail and requirements.

 

See our 2017 post on 21 CFR Part 11.

Need help with planning your Part 11 strategy?  Our partner John Murray was the internal expert with 21 CFR Part 11 during his tenure at FDA.  Contact us to setup a consultation with John.

About the author

Partner and General Manager, Brian Pate is ISO 1385:2016 Lead Auditor certified for Medical Device Quality Management Systems (MD), and ISO 19011:2018 Management Systems Auditing (AU) and Leading Management Systems Audit Teams (TL). Brian started his medical device career in anesthesia clinical research in 1985 and has since worked both academia and industry including many years with Johnson & Johnson, Baxter Healthcare, and GE Medical. Brian’s roles have included software engineering, systems engineering, quality assurance, and regulatory affairs. Brian has served on multiple AAMI TIR working groups, including TIR32-2008 (Application of ISO 14971 Risk Management to Software; now IEC 80002-1) and TIR45-2012 (Guidance on the use of Agile practices in the development of medical device software) and served as a reviewer for the 2nd edition of TIR45. Brian serves on the AAMI Software Committee and as an AAMI instructor for the software, design controls, and agile methods courses. Brian also is a member of the Underwriters’ Laboratories (UL) Standards Technical Panel for UL1998 (Software in Programmable Components) and or UL5500 (Remote Software Updates).

SoftwareCPR Training Courses

ISO13485:2016 ISO 13485 Internal Audit(or) Training Course (Live, 3-day)

IEC 62304 and other Emerging Standards Impacting Medical Device Software (Live, 3-day)

Being Agile & Yet CompliantISO 14971 SaMD Risk Management

Software Risk Management

Medical Device Cybersecurity

Software Verification

IEC 62366 Usability Process and Documentation

Or just email training@softwarecpr.com for more info.

Corporate Office

15148 Springview St.
Tampa, FL 33624
USA
+1-781-721-2921
office@softwarecpr.com
Partners located in the US (CA, FL, MA, MN, TX) and Canada.