What's New in the Updated FDA Guidance on Electronic Records and Signatures

In June of 2017, the FDA released an updated guidance for clinical investigators, and any other associated parties, that use electronic records and signatures in their drug development processes.  The updated guidance hopes to clarify recommendations and at the same time facilitate a broader use of such electronic records in order to improve the quality and efficiency of clinical trial investigations.  

In general, the goal is for the electronic records to be considered equivalent to any record and/or handwritten signature executed on paper.  In order to maintain this integrity, all electronic systems used need to be validated appropriately.  The FDA recommends, using a risk-based approach for validation and to consider the purpose and significance of the record, including the extent of error that can be tolerated without compromising the reliability and utility of the record for its regulatory purpose.

Free ebook download: Learn the 4-step process that simplifies the site  budgeting process.

Main Takeaways

Whether your validation methods are performed internally or you outsource, it’s best to keep the following in mind when performing your own mock audit prior to the FDA inspection process.


  • Obtain the ability to generate accurate and complete copies of records
  • Have the availability and retention of records for FDA inspection for as long as the records are required by applicable regulations
  • Have archiving capabilities in place
  • Access controls and authorization checks for users’ actions need to be performed
  • Obtain secure, computer-generated, time-stamped audit trails of users’ actions and changes to data
  • Encryption of data at rest and in transit need to be in place
  • Obtain electronic signature controls
  • Performance record of the electronic service vendor and the electronic service provided
  • Obtain ability to monitor the electronic service vendor’s compliance with electronic service 401 security and the data integrity controls


Additional Resources

Noteworthy, this document does not provide comprehensive detail on how to perform a risk assessment and validation processes.  It is more of a guidance for best practices.  In order to learn more of the how-to, we suggest you speak with your sponsor directly and also, there are many risk assessment methodologies and tools from a variety of industries that can be applied. For more information on these processes, we suggest you take a look at the International Council for Harmonisation (ICH) guidance for industry Quality Risk Management.  Also, the International Organization for Standardization’s (ISO) standard ISO 31010:2009 Risk Management – Risk Assessment Techniques.

New Call-to-action