August 21, 2018 | Norman Goldfarb is Editor of the Journal of Clinical Research Best Practices and Chairman of MAGI. His passion is advancing the practice of clinical research by standardizing best practices in incremental steps, so every day is better than the last. He joins Clinical Informatics News with a monthly column highlighting new ideas for advancing clinical research. This month he speaks with Michelle Grienauer, a Senior Regulatory Attorney at Kinetiq (the consulting division of Quorum Review IRB).

Michelle, what do you think it's about time for the clinical research enterprise to start doing?

It’s about time research sites recognize that certain electronic systems used in clinical investigations are subject to FDA Part 11 and require validation to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

What systems are subject to Part 11?

Any electronic system used to create, transmit or store clinical trial data must be trustworthy and reliable. Most sites utilize some type of electronic system, such as electronic case report forms (eCRFs), electronic source forms (eSource), electronic trial master files (eTMFs), electronic site regulatory files (eISF), electronic clinical data management systems (eCDMS), or electronic IRB application systems (eIRBs). Some sites might mistakenly believe that avoiding electronic signatures is enough to dodge Part 11 compliance, but Part 11 also applies if you have any FDA-regulated electronic records. Other sites might not understand that Part 11 is not the only FDA regulation that requires computer system validation…there are the “predicate rules,” as well that define what systems are subject to Part 11.

What does validation involve?

Validation is the process for demonstrating that a computerized system functions as intended. This process usually involves identifying and documenting the system’s requirements (what the system is intended to do and how users will interact with the system), testing the system to ensure it performs correctly, training system users, and establishing a process for ongoing maintenance and change control procedures.

The good news is that the FDA has explicitly endorsed a risk-based approach for validating electronic systems, based on their impact on study participant safety and record integrity. This means that a research site has the flexibility to develop an individualized risk-based validation plan based on how they use these systems.

It sounds like a lot of work.

Yes, Part 11 validation is a lot of work. If you’re building your own system and your IT team does not have the expertise, you can bring in an experienced consultant, but he or she will still need a lot of information from your people.

Commercial systems from vendors that say they meet Part 11 standards are a good option. But keep in mind that FDA guidance clearly states that regulated entities are still responsible for Part 11 compliance. This means selecting a vendor carefully. You have to keep compliance documentation on site, including specified requirements of the outsourced system, a description of standard operating procedures, the results of testing and validation, the service agreement defining what is expected from the vendor, and procedures for notifying the site of changes and incidents with the service.

Are there any benefits other than regulatory compliance?

Sites should not look at Part 11 compliance as yet another regulatory burden. The point of the regulation is to ensure that electronic systems work properly, and that should be the goal of any clinical research site, with or without Part 11.

Has the FDA ever written up a site for Part 11 noncompliance?

Yes, and it isn’t pretty. Sites typically get written up for violating the underlying “predicate rule” that required validation or maintaining a certain study record (e.g., medical device quality requirements, clinical trial record requirements). For example, sites have received warning letters (which are publicly available on the Agency’s website) for failing to perform validation testing or maintaining audit trails and for failing to obtain adequate validation documentation from an external software vendor. Of the warning letters FDA issued in 2014-2016 regarding software and computers, about a quarter focused specifically on software validation. Additionally, over the past decade, the number of inspection observations related to computer software steadily increased.

Norman M. Goldfarb is Managing Director of First Clinical Research LLC, a provider of clinical research best practices information services. Contact him at 1. 650 465.0119 or ngoldfarb@firstclinical.com.