Release of final Guidance is a step in the right direction for Agency and trials.
After waiting until the very last possible day before writing this month's column, I was about to begin when an email appeared, announcing that the FDA had released the final Guidance for Computerized Systems Used in Clinical Investigations (in the draft version, the title said "Trials," so this was already a notable change). Seizing on the opportunity, I read the document over a few times and decided to share my first impressions.
It is my experience that new regulations or guidance need to be mulled over and discussed for a while before they can be adequately assessed. Subtle use of language in a guidance, intended or otherwise, is best understood after many people have read, thought about, and interpreted the document. Therefore, this quick look is simply that—a general first impression, where I will point out a few interesting features of the new Guidance.
This discussion doesn't reflect the thinking or conclusions of any organization or company with which I am associated—or this magazine. In fact, by the time it is published, it may not even reflect my thinking. Disclaimer accomplished, and now we will turn to the document.
For those who are unfamiliar with the history of this document, it is worth a brief narrative.
The Electronic Records, Electronic Signature regulation, known as 21 CFR Part 11, was created to address issues around the quality, security, and integrity of data obtained from electronic systems that would be used in support of a marketing application. Part 11 was published in April 1997 and took effect in August 1997 after a long period of comment on a previously published draft version.
It was viewed as a landmark regulation that served as a model for other governmental executive branch agencies with similar concerns about data integrity. Of particular note, the FDA mandate doesn't extend directly to computerized systems, except where they are incorporated in medical devices. However, the predicate rule of Good Clinical Practice (GCP), which dictated important principles of data integrity in a paper-based system of data collection, was seen as equally applicable in electronic systems and created the framework from which Part 11 was designed, and through which it could be enforced.
In reading the Part 11 preamble and regulations, it is clear that the drafters worked diligently to create a stringent yet workable framework that could be applied across a broad range of different systems from manufacturing to clinical trials and beyond. The inclusiveness of the language naturally led to significant areas where sponsors and others were unclear on interpretation, intended enforcement rigor, and intent.
In addition, the pace of development and approval of new regulation and guidance is much slower than the pace of new developments in information technology. This was manifest in the regulation by an apparent discrepancy in emphasis vs the realities of information technology. Two examples at the extremes are the repeated mention and potential bias toward biometric authentication and the very limited consideration of the Internet, which was just beginning to transition at the time from novel and exciting technology to the essential business tool that it is today.
FDA published the Guidance for Computerized Systems Used in Clinical Trials (GCSUCT) in 1999 to address the rapidly developing field of electronic data capture and other technologies and to clarify some of the areas of confusion that had arisen in interpreting Part 11.
The first guidance, although quite helpful in many areas, was at times overly prescriptive in some of its recommendations and frustratingly silent in others. The first five of a series of guidances on Part 11 began to be published to address some of these issues, but in February 2003 these were all abruptly withdrawn leaving only the original GCSUCT intact. This previously unprecedented action announced a new approach to the FDA's interpretation of Part 11, which was described in the Part 11, Electronic Records; Electronic Signatures—Scope and Application Guidance published in draft form in February 2003 and finalized in August of the same year. This document declared a significantly narrowed scope and intended enforcement of Part 11 and declared an approach of enforcement discretion in areas of validation, audit trails, legacy systems, copies of records, and record retention. They advised the use of a documented risk-based assessment for choosing appropriate compliance in these areas. Not surprisingly, the result of these sudden and dramatic changes was more confusion and uncertainty in the industry, at least for a while. Over time, helpful meetings and discussions with the FDA created a general understanding of the intent of the agency.
As newer technologies developed and began to be used in clinical trials, the GCSUCT began to show its age. In addition, the expanding use of EDC, electronic patient-reported outcomes (ePRO) technologies, and other newer patient data collection technologies, along with a desire by some to reduce transcription of data through primary entry of source data into computerized systems (eSource data entry) or transfer from electronic health records began to place new demands on a document not designed for these issues.
This milieu led the FDA to publish a new draft GCSUCT in September 2004. A blue-line comparison of the original GCSUCT and the first draft can be found at: http://www.biotechnicalservices.com/downloads/BSI%20-%20Computer%20in%20Clin%20Trials.pdf.
The newly published Guidance is, in fact, the final version of the 2004 draft GCSUCT, with a change from "Clinical Trials" to "Clinical Investigations" in the name (thus GCSUCI), possibly reflecting a broader scope and the emerging use of observational research and registries to obtain safety data for FDA submission. The GCSUCI must continue to be considered in the context of the predicate rule of GCP, which hasn't substantially changed and places a number of important constraints on the creation and maintenance of source documents.
Regardless of advances in technology, any regulation or guidance of computerized systems must fall in line behind GCP. In addition, Part 11 remains in full force, though it has been somewhat modified in scope and enforcement by a guidance document. Therefore, even if a magical new technology was developed that could ensure absolute integrity, security, and privacy of data, it would officially have to fit into the existing framework of GCP and Part 11, rather than act as a substitute for any provision of these.
Finally, it can never be said enough: Guidance is simply guidance, not regulation. The FDA says it best in a big black box at the beginning of every guidance document:
"This guidance represents the Food and Drug Administration's (FDA's) current thinking on this topic. It does not create or confer any rights for or on any person and does not operate to bind FDA or the public. An alternative approach may be used if such approach satisfies the requirements of the applicable statutes and regulations. If you want to discuss an alternative approach, contact the FDA staff responsible for implementing this guidance. If you cannot identify the appropriate FDA staff, call the appropriate number listed on the title page of this guidance."
The new GCSUCI seems very carefully considered and worded. It clearly and simply stakes out positions that fit with GCP and Part 11, but seems to work at the edges to recognize the potential advantages that technology can bring to the process of clinical trial data collection. Although prescriptive in places, it seems far less focused on specific technologies and issues and more on general principles that can be easily extended and applied to many different systems.
When compared to the original GCSUCT from 1999 and even to its draft predecessor from 2004, it seems to continue to move away from specific examples toward more generally applicable statements of principle. It has been very effectively restructured in comparison to the originals, replacing a laundry list of principles with specific sections on topics such as study protocols, standard operating procedures, source documents and retention, internal and external security safeguards, etc.
Throughout the document there is a definite focus on the integrity of source data, especially when electronic systems might be used to collect this data. It is here that a major and significant change is apparent:
"When source data are...entered directly into a remote computerized system...a copy of the data should be maintained at another location, typically at the clinical site but possibly at some other designated site."
Until this was published, all previous indications were that the FDA would continue to require that source data be created and maintained at the clinical site, as mandated by 21 CFR 312.52b. Many in the industry insisted that it was possible to create a higher level of data integrity by storing data at a third-party organization rather than at an investigative site. Apparently, the FDA heard this and has "bent the predicate rule" just a bit to allow for this.
Another significant change that might be easily missed is that the copies of data that may acceptably be retained as the source could be (in addition to the ever present XML and PDF)...paper. While quite controversial in the past because paper couldn't retain all of the metadata of an electronic record, this small change can provide a comfort factor to investigators who are not technophiles.
A third, subtle change is apparent in the listed components of an audit trail: "when, by whom, and the reason changes were made to the electronic record." Although "reason for change" has been a part of the European GCP, it has not heretofore been specified by the FDA. Many sponsors would prefer that investigators be spared the need to enter this information, but this statement certainly indicates the expectations of the FDA in this regard.
Despite the continued improvements in clarity and applicability of the GCSUCI, there remain some problematic recommendations. One of these has the best of intentions, and in a perfect world would be possible: "The system should not allow an individual to log onto the system to provide another person access to the system." As far as I can tell, there is no reasonable way to accomplish this. Standard passwords, token systems, biometric scanners, and other devices, even if they require random and periodic re-authentication, can't distinguish who is typing once the authentication is performed.
In the highest security settings where a proximity device with continuous facial monitoring could be deployed, there is still no way to determine who is doing the typing. I suppose that a smart keyboard that recognizes individual keyboard pressures and typing rates could accomplish this, but isn't this a bit over the top?
In summary, my first impression of the freshly issued GCSUCI is that it represents a thoughtful next step toward creating a workable environment for the development and deployment of computerized systems in clinical trials. No doubt, the holes and deficiencies will be revealed over time, but this is certainly moving in the right direction.
Paul Bleicher MD, PhD, is the founder and chairman of Phase Forward, 880 Winter Street, Waltham, MA 02451, (888) 703-1122, email@example.com. He is a member of the Applied Clinical Trials Editorial Advisory Board.