FDA Guidance on Computerized Systems Used in Clinical Investigations

Scope of this guidance
Computerized systems that contain data that support a marketing application
–Case histories
–Analytical test results (e.g., LIMS)
–Data captured from analytical instruments
–Electronic transcription of hardcopy source data
it Does not apply to:
–Computerized medical devices

Study Protocols
•Identify computerized system use within the trial process
•Computerized systems must:
–Satisfy process requirements defined in study protocol
–Have built-in error prevention

•Challenges
–More complicated protocols
–Some automated processes may not be defined at protocol authoring stage – Unnecessary protocol revisions

SOPs and system documentations

•Specific to computerized system
–Setup/Installation instructions
–Operating manual
–Validation
–Data collection and handling
–System maintenance
–Security controls
–Change control
–Backup/Restore
–Disaster recovery/contingency planning
–Data collection contingencies
–Training
–Roles and responsibilities

•Challenges
–Guidance states “Such SOPs should be maintained either on-site or be remotely accessible through electronic files as part of the specific study records, and the SOPs should be made available for use by personnel and for inspection by FDA.”

Source Documentation and Retention
•Original observations entered directly in computer = source document
•Investigator must retain source data, or a copy
•If source data not generated and stored at clinical site, a copy must be provided to clinical site or a designated site
–Copies must be made contemporaneously with data entry

•Challenges
–Does contemporaneous mean simultaneous?
•Initial impressions from FDA = Yes
•Often not logical and sometimes demonstrably impossible
•CDISC eSDI guidance on Electronic Source Data within Clinical Trials: “as soon as possible after the event to which it refers
–FDA’s concern: If Investigator does not retain a copy of the source data, the records can be modified and original data obscured
–Although Investigator may be able to remotely access data at Sponsor site, it is not under his/her control
–No longer acceptable to just send investigator copy of data at end of study

Access control

–Individual accounts
–Limit log-in attempts and record failed attempts
–Work only under own password/account
–Do not share password
–Password aging
–Procedural or automatic log-offs or lock-outs
–The system should not allow an individual to log onto the system to provide another person access to the system*

•Challenges
–“The system should not allow an individual to log onto the system to provide another person access to the system”
–How does the system control this?
•Should you not allow concurrent logins?
•Should you require periodic user checkpoints in the system?
•Does “system” include both the computerized application and procedural controls?