Skip to main content

Life Sciences

FDA Guidance On 21 CFR Part 11 And Mobile Tech In Clinical Trials

In June 2017, the United States Food and Drug Administration (FDA) issued a new draft guidance document for public comment: Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 – Questions and Answers. You have until August 21, 2017, to share your thoughts and ideas about its content.

The guidance document covers five categories of questions and answers, all of which are interesting and useful, but what I want to focus on here is the section about using mobile technology in clinical research.

The industry has clearly embraced the idea that using mobile tech is the next big thing in clinical trials. It has the potential to save vast amounts of time and money, not to mention make the clinical research process a lot more pleasant for everyone involved.

But, the question remains: How do we make and keep mobile technology compliant?

Enter the FDA’s new guidance document, stage left.

While I strongly encourage you to read the full text of the guidance doc (the bulk of the content is only about 15 pages), my interpretations of the key points are below.

General Use

  • It’s perfectly acceptable to use mobile tech to capture, record, and/or transmit data from study participants.
  • The mobile tech used can be issued by the sponsor or can belong to the study participant – either way is fine.

Access Controls

  • Whenever possible, use the same kind of access controls you do for any kind of regulated computer system, like a unique user ID and password combination or a thumbprint scan.
  • Most importantly, when a study participant is required to actively enter data (e.g., a diary entry), you need to control their access.
  • In cases where access controls for the device just aren’t practical (e.g., a digital skin patch), have the participant sign something that states that only they will use the device.
  • In cases where a device is swallowed or implanted, access controls aren’t necessary.

Data Origination

  • All regulated data must be traceable to its origin. Data originators can be a person, a computer system, a device, or any other such instrument.
  • When a study participant physically enters data, he/she is the data originator.
  • When mobile technology senses data on its own without human intervention, the mobile tech is the data originator.
  • When data is collected from an electronic health record (EHR) system, the EHR system is the data originator.
  • To support all of the above, maintain a list of all authorized data originators.

Source Data

  • The FDA considers data to be “source data” once it is recorded in a “permanent manner.” This means that the data hanging out on the sensor/wearable is not source data. Nor is the data in transit between the sensor and the software vendor’s cloud. Nor is the data hanging out in the software vendor’s cloud before being transmitted to your EDC system. In short, generally speaking, data becomes source data once it hits an EDC or EHR system, and not before.
  • The FDA does NOT plan to inspect each mobile technology used in a clinical investigation for compliance. (But you still need to do your due diligence!)

Audit Trails

  • If the data goes from mobile technology directly to an EDC system, the audit trail should start in the EDC system. The only caveat is that the mobile tech needs to transmit the date and time of each measurement it takes, along with the measurement, and that complete record needs to be stored as a unit in the EDC system.
  • The same is true if the data goes from mobile technology to an EHR before entering an EDC system – the audit trail still starts at the EDC system.
  • When a study participant actively enters data into mobile tech (vs. passive data collection), the mobile tech needs to prevent unauthorized modifications before the data is transmitted to the EDC. There is no mention of needing an audit trail of AUTHORIZED modifications before transmission.


  • Sponsors should validate mobile technology before using it in clinical trials.
  • Validation needs to ensure the mobile tech is “reliably capturing, transmitting, and recording data.” To clarify, the device itself doesn’t need to be validated, as in it accurately senses the number of steps walked (i.e., the performance of mobile tech is outside the current scope of 21 CFR Part 11 and the guidance doc in question). Rather, what needs to be validated is that, if the device senses that 5,786 steps were walked, the value “5,786” is accurately recorded in the “steps” field/table, with a date and time stamp, and then that complete record is accurately transmitted to your EDC system.
  • Additionally, sponsors should ensure that device and software updates don’t affect the reliability described above (i.e., you need some sort of change control process).


  • The mobile tech MUST ensure security and confidentiality of data. The most common method is data encryption, both at rest and in transit.
  • For wearable biosensors, data encryption might be enough protection.
  • For mobile apps and mobile platforms, you probably need more than encryption and user access controls. Consider these safeguards: blocking remote wiping and disabling, disabling the ability to install and use file-sharing applications, implementing firewalls, and implementing procedures to delete stored health info before discarding or reusing a device.


  • Sponsors, investigators, study personnel, and study participants must ALL be adequately trained on the use of the mobile technology in a clinical trial. Just like all other training, it needs to happen PRIOR TO using the mobile tech, it needs to be documented, and it needs to happen over time as changes to the mobile tech are released.
  • Additionally, the FDA recommends reassessing and retraining study participants on mobile tech that is complex or that poses a higher risk to the conduct of the study.

Whew! There you go. As I stated back at the beginning, you should read the guidance document in full yourself. But the above should give you a good sense of the FDA’s current thinking about how to make and keep mobile technology compliant within the context of a clinical trial.

If you have any questions on any of the above, or would like to discuss a specific situation you are facing, feel free to drop us a line.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Marin Richeson

Marin joined the life sciences industry in 2001. Over the course of her tenure, she has held roles in clinical finance, IT, quality assurance, and validation. The diversity of her experience provides her with a unique perspective on the interconnectedness of this complex, multi-faceted industry. Marin Richeson is a lead business consultant in Perficient's life sciences practice.

More from this Author

Follow Us