From Paper to Electronic the FDA Way

The U.S. FDA has recently released an update to their April 1999 Guidance, Computerized Systems Used in Clinical Trials.¹ This new Guidance, Computerized Systems Used in Clinical Investigations,² demonstrates that the FDA is still flexible and willing to engage regulated entities. If you compare the 1999 version with the 2007 version, you will find that it is shorter and provides more latitude for sponsors conducting clinical investigations. The new guidance does provide specific definitions for source documentation and direct data entry, and recommendations on how to use computerized systems in clinical investigations. It also includes advice for clinical sites, analytical laboratories, central laboratories or diagnostic centers—to name a few—that use computer systems to create, modify, maintain, archive, retrieve and transmit electronic records.

Industry has grappled with applying the earlier guidance at clinical sites, which often involve other organizations (information technology vendors, pharmacies, central laboratories, etc.) that are not under the clinical investigator's purview or control. This new guidance assists clinical sites on where to focus their efforts and provides specifics on standard operating procedures, data entry, system features, security, system dependability, system controls, training of personnel, record retention, and certification of electronic signatures.

Photography: Getty Images Illustration: Paul A. Belci

We would expect pharmaceutical, biopharmaceutical, and biotechnology companies and contract research organizations involved in drug research to be aware of the issues and suggestions outlined in the guidance. However, upon reading FDA's recently issued guidance document, you begin to comprehend the impact it may have on your specific policies, procedures, and processes. You realize that an in-depth review is needed to assure yourself and your establishment that you are in compliance with the recommendations, such as, "Have you documented the rationale as to why you are performing processes differently?"

One of the primary benefits of the new guidance may be that it forces you to reassess your corporate thinking regarding risk management and reaffirm your current business and quality practices. The increase in scope to include central laboratories and diagnostic centers is a step in the right direction. We have long recognized their implications and impact on data quality and integrity, even though these areas were not specifically mentioned. These additional focus areas are key functions that pharmaceutical, biopharmaceutical, and biotechnology clinical research professionals may not be prepared to adequately monitor or assess.

The interim

For the past 10 years or more, industry organizations such as the Drug Information Association, British Association for Quality Assurance, Association for Clinical Data Management, and Society for Quality Assurance have led efforts to update industry professionals' knowledge of computerized systems quality expectations. Pharmaceutical, biopharmaceutical, and biotechnology companies have recognized their responsibility in this regard and initiated action plans to close the gap.

This is not to say that regulatory pressure has been either consistent or extensive. The degree to which a computerized system and quality documentation was challenged generally fell to the field investigation personnel representing the FDA—and there has been a wide spectrum here. FDA, for their part, have for several years conducted specialized training for FDA headquarters and field staff. They have also actively participated in getting the word out to the aforementioned industry organizations. We commend their efforts and encourage them to continue these interactions.

Considering this FDA initiative, and the general increase in industry knowledge and understanding, the issuance of this upgraded guidance is timely. Moreover, many leaders in computerized system compliance validation have been instructing industry to improve data integrity and quality by reevaluating their system lifecycles and validation policies.

Guidance expectations

Guidance from FDA and other agencies worldwide has been part of drug development for the last three decades and many in the regulated industry comprehend the difference between a regulation and a guidance (see sidebar).

FDA Regulations vs Guidances

The purpose of FDA guidances is, quite simply, to provide the agency's current perspective on how to execute, document or report some type of regulation or directive. Usually agency regulations are written in such a way as to advise us on what we can and cannot do. Guidances allow the agency to recommend processes on how to implement regulations or provide points to consider on specific topics that weren't known when the regulation was first promulgated.

Guidance should be followed when issued as "final" by FDA unless there are compelling reasons to propose a different but equally compliant solution. However, it is important to understand that each recommendation provides the agency with latitude to recommend their current thinking on a specific topic. This type of disclaimer benefits both FDA and those they regulate. Specifically, it allows industry to adopt alternative ways to approach regulations providing they can support these approaches with a justified and documented process. One of FDA's principles is to help the regulated industry interpret and apply regulations and guidances; however, many times industry isn't sure of how to approach FDA.

Impact on clinical investigations

A comparison of the guidance's recommendations and your own computerized systems and associated work processes will start to reveal hidden issues that might have an impact on the planning, conducting, and reporting of clinical investigations. A few of these items include:

• Definitions (source data, source documents, first capture of information)

• Quality and data integrity

• Computerized system and clinical investigations

• Securing a computerized system

• Accurate time for computerized systems

• Long-term record retention.

Definitions.² Data, data everywhere but not a character to save. FDA did us a favor by referring back to the Part 11 Guidance for Industry On Scope and Application.⁴ First, they reiterated the importance of a Part 11 record and then reinforced this by describing in clear terms the definitions of direct entry, original data, and source documents. These clarifications will help the regulated companies and contract research organizations convince clinical sites of the importance of testing and maintaining computerized systems that are brought into their sites. It will also allow the elimination of maintaining paper records if capture of data occurs electronically. This is a bonus to the clinical investigator, sponsors, and CROs.

Quality and data integrity. Computerized systems are used throughout clinical sites, doctors' offices, and hospitals. The trick is to identify which ones apply to clinical investigations and determine what data are being required in a study protocol. Along those same lines are the computerized systems being used at analytical and central laboratories, diagnostic centers (x-ray, MRI, PET, etc.) and pharmacies. Sponsors and CROs need a mechanism to quickly evaluate, assess, and develop plans to bring those locations and systems into compliance.

FDA has been concerned with data integrity ever since it issued the 21 guidelines on clinical research in the 1970s⁵ and wrote guidance on process validation in the 1980s. Documentation of these events followed a paper paradigm. If paper can be handled in a precise and repeatable way, why can't electronic records? Industry is leading the way to assure the integrity of electronic information used in clinical investigations by developing and perfecting electronic data handling-from first capture to archiving—with quality and data integrity at the center of the paradigm shift. To effectively deliver this shift we must bring together experts in information technology, quality assurance, and regulatory affairs and system engineers, who can demonstrate and prove the reliability of the electronic record lifecycle. This includes that safeguards are built, tested, and retested into the software, hardware, and infrastructure to ensure electronic data integrity and quality.

Computerized systems and clinical investigations. The recommendations outlined in the guidance are not new, however, they remind us what is expected. So ask yourself: When does a computerized system become part of a clinical investigation? The guidance provides advice by centering its recommendations on how data are first captured and how that data are subsequently handled. For example:

Scenario 1: Data are first captured on paper and then manually entered into a computerized system. Source data are the paper documents. Examples: Data collected at clinical sites, IRBs, and medical practices.

Scenario 2: Data are first captured electronically into a computerized system and then manually entered into another database. Source data are the electronic records in the computerized system. Examples: Data collected at clinical sites, diagnosis after test evaluation in medical institutions.

Scenario: 3: Data are first captured electronically into a computerized system. Source data are the electronic records in the computerized system. Examples: Data collected at clinical sites, clinical laboratories, analytical laboratories, etc.

In each case, computerized systems handle clinical data as part of clinical research. Applicable predicate rules and Part 11 would apply since electronic records may have been created, modified, maintained, archived, retrieved or transmitted. Specifically, the guidance points out "the recommendation in this guidance would apply to computerized systems that create source documents (electronic records) that satisfy the requirements in 21 CFR 312.62(b) and 812.140(b), such as case histories."⁴

Securing computerized systems. To secure a computerized system we insist on physical and logical security configurations. Physical securities would include locked server rooms with only authorized access, buildings with key card access, and perimeter fencing. Logical security takes many forms, such as assigning privileges for users, screen savers with password control, and applications that time out after a defined period of inactivity. Audit trails provide behind-the-scenes security by supplying a lifecycle or history of each datum that is first collected, updated, and deleted. FDA relies on audit trails to track data and their changes over time, and uses them to reconstruct studies. The fundamentals of audit trails are who, when, what, and why:

• Who first recorded the information or changed it?

• When was the information collected or changed (date and time)?

• What information (i.e., data) was collected or changed?

• Why was the information changed (reason for first collection or when changed)?

Accurate time. Recording accurate time of collection or revision is becoming an essential element to secure information integrity of data and metadata. However, time must be established and synchronized to a reliable reference point to document data collection and audit trails. Many universities and government agencies provide access to a time reference at no charge. What is important is that computerized systems obtain time from a reliable source that is checked so that systems can be periodically updated.

Long-term record retention. Long-term record retention is an old issue. However, as electronic records continue to evolve, we need to develop a management policy that will ensure record integrity over the lifecycle of the information. Actually, many sponsor companies are now keeping information online but in a secure manner because the cost of storing data has dramatically decreased. The question now becomes one of process and timing. At what point in a clinical study when the data are locked and all clinical sites have been closed do you reduce the privileges to access data? Each of us must make this decision and document the rationale of our approach—including how to address online and off-line accessibility of electronic information and obsolescence of storage media, software, and hardware.

Conclusions

This article outlined how FDA has allowed industry to again take justified and documented risks in the planning, conducting, reporting, and submitting of key information for product approval. Data integrity is still an important attribute of this guidance. It should also be a warning for sponsors, CROs, and clinical sites that FDA still means business to assure the information submitted follows the ALOCA principle: Attributable, Legitimate, Original, Contemporaneous, and Accurate.

The next steps are up to you. How do you improve data integrity and quality? First you have to reevaluate your policies and procedures to ensure you are complying with the recommendations of this guidance or develop and document a rationale for why your procedures, while different, are still compliant. The effects of your diligence can most assuredly impact the safety and quality of the products you submit for approval. Next, compare your current work processes against the guidance and prepare an action on how this will impact you. For example, consider the following introductory steps:

• Sponsor and CRO responsibilities should include:

» conduct periodic computerized system assessments

» maintain an inventory

» ensure effective training

» review clinical data lifecycle, including data retention

• Clinical investigator and diagnostic and laboratory responsibilities should include:

» compile inventory of computerized systems at the site

» ensure there are qualified personnel to operate systems

» determine computerized systems have been tested for fitness of use

These are only a few of the key items that should be evaluated. The development of sponsor and clinical site assessments or checklists based on ICH Good Laboratory Practices and the FDA guidance will go far to ensure the right level of compliance.

Earl W. Hulihan* is corporate compliance officer and vice president of global regulatory affairs & quality assurance at Medidata Solutions Worldwide, 79 Fifth Avenue, Eighth Floor, New York, NY 10003, email: ehulihan@mdsol.com. Richard M. Siconolfi is director, computer system validation and management system lifecycle, health care, R&D, information & decision solutions, at Procter & Gamble.

*To whom all correspondence should be addressed.

References

1. Food and Drug Administration, Guidance for Industry: Computerized Systems Used in Clinical Trails (FDA, Rockville, MD, 1999).

2. Food and Drug Administration, Guidance for Industry: Computerized Systems Used in Clinical Investigations (FDA, Rockville, MD, 2007) http://www.fda.gov/cder/guidance/7359fnl.htm.

3. Food and Drug Administration, Investigations Operations Manual 2006 (2008 version), Section 1.10.1 (FDA, Rockville, MD), http://www.fda.gov/ora/inspect_ref/iom/ChapterText/1_10.html.

4. Food and Drug Administration, Guidance for Industry: Part 11, Electronic Records; Electronic Signature—Scope and Application (FDA, Rockville, MD, 2003).

5. Food and Drug Administration, Preamble to Proposed IND Regulations, 21 CFR Part 312, http://www.fda.gov/oc/gcp/preambles/48fr/48fr.html. Obligations of Clinical Investigators (Proposed 21 CFR Part 54; 43 FR 35210, 8 August 1978); and Obligations of Sponsors and Monitors (Proposed 21 CFR Part 52; 42 FR 49612, 27 September 1977).