By Sue Coons, MA

Revisions to the Common Rule took effect in 2018, but questions remain about how these changes have affected the Federalwide Assurance (FWA) and institutional responsibilities under the FWA. Two advisors from regulatory compliance provider Advarra hosted a webinar in December, “Institutional Responsibilities under a Federalwide Assurance” to offer clarification to IRBs and institutional officials (IOs) on how to navigate these changes.1

Details of the FWA

Federal regulations under 45 CFR 46.103(a) describe the assurance requirement: “Each institution engaged in research that is covered by this policy, with the exception of research eligible for exemption under § 46.104, and that is conducted or supported by a federal department or agency, shall provide written assurance satisfactory to the department or agency head that it will comply with the requirements of [the Common Rule].”2 The FWA is the only written assurance accepted by the Department of Health and Human Services Office for Human Research Protections (OHRP), said Lauren Hartsmith, JD, CIP, director of regulatory affairs at Advarra. “It’s the mechanism through which the institution assures compliance with the Common Rule.”

Hartsmith thinks of the FWA as a written agreement in which an institution makes certain commitments it must honor. One of the mechanisms where an institution assures compliance within the FWA is a box in the applicability section that institutions can voluntarily select. If that box is selected, it indicates the institution is extending OHRP’s compliance oversight authority to all research at that institution regardless of funding source, Hartsmith said.

“[Checking the box says] at this institution, we will follow the Common Rule for all research regardless of funding. If there are any issues with that research or if OHRP has questions about that research, OHRP has the compliance oversight authority over that research, and we will honor that.”

The box is not automatically checked. The selection can be changed later by going through the FWA process, updating the form, and resubmitting it to OHRP, Hartsmith said. She directed the participants to the OHRP website where they can click on the “Register IRBs and Obtain FWAs” tab and then go to the “IRB & FWAs Status” tab. From there, an institution can obtain a copy of its FWA to see if the box is checked.

If an institution is contemplating changing its voluntary checking of the box, get advice from legal counsel first, said Lisa Rooney, JD, managing director of Advarra’s regulatory consulting services. “There are two states [New York and Virginia] that say that if you do not agree to abide by the Common Rule for all research regardless of funding source, then you will need to abide by the state laws that we have in place for human subjects research. That can have some negative effects on your human research protection program.”

The checked box on the FWA is important to consider in multisite research, even in research activity that does not receive federal support. That research may be affected if one or more sites have an FWA and have checked the box. “If one or more of those sites has checked the box on the FWA, that site is committing to following the Common Rule for all research conducted at that institution,” Hartsmith said. “The FWA ultimately becomes much broader than just having importance for research that’s conducted or supported by the federal government.”

Assurance Requirement Deletions

Under the Common Rule revisions, several requirements of the assurance process were deleted. These include an IRB roster, IRB grant review, a declaration of ethical principles, and a list of reviewing IRBs. Hartsmith emphasized that although these regulatory requirements were deleted, the FWA process remains unchanged, and these requirements are part of the FWA process.

“On an FWA, institutions still are going to need to designate a statement of ethical principles. They’re going to need to designate at least one IRB, and they’re going to need to submit an IRB roster and report changes in IRB membership to OHRP.”

However, now that process is handled through the IRB registration system. “OHRP has said, however, that the public will learn about any changes to the assurance process before they’re implemented, and that they’ll have a chance to comment on the proposed changes.”

Webinar participants questioned why provisions deleted from the regulations still are required on the FWA. Section 103 in the Common Rule sets the minimum information to be addressed in a written assurance process, but the government can go above and beyond that, Hartsmith explained. “The first step in terms of trying to modify the FWA process was to change the regulations, and then OHRP will need to go through a separate process to change the actual assurance form.” Now that those elements are not written into the regulations specifically, she said, OHRP has the flexibility and the ability to modify the assurance process.

Research Eligible for Exemption

Another consideration under the revised Common Rule is the exception of research eligible for exemption, Hartsmith said. “Again, you need to be engaged in research, and it needs to be nonexempt research.” If the box is unchecked on the FWA, the Common Rule will apply for any activity that is supported or conducted by a Common Rule department or agency that is nonexempt, that meets the definitions of human subjects research, and in which an institution is engaged. If the box is checked on the FWA, the Common Rule applies for nonexempt activities that meet the definition of human subjects research, and in which the institution is engaged. The difference is whether the activity is supported by a Common Rule department or agency, Hartsmith said.

The revised Common Rule names eight research exemptions. One exemption is research in educational settings. “[The exemptions] cover a lot of what I would consider to be low-risk activities,” Hartsmith said. “If an activity fits into one or more of these exemption categories, it’s considered exempt research.”

The concept of limited IRB review also is in the revised Common Rule and is noted in four of the eight exemptions. “Even though limited IRB review might be involved in an exemption, it’s still considered exempt from other requirements of the Common Rule,” she said.

In terms of when the Common Rule in its entirety applies, it has to be nonexempt activities. “If the activity meets one of these categories, then you don’t have to worry about the Common Rule.”

Research and Human Subjects

To meet the requirements of the Common Rule, an activity also needs to meet the definition of research and the regulatory definition of a human subject, Hartsmith said. “The activity is going to need to be a systematic investigation, including development, testing, and evaluation designed to develop or contribute to generalizable knowledge.” The revised Common Rule includes four explicit carve-outs from the definition of research. Hartsmith suggested studying the full regulations to learn about those.

The definition of human subject means a living individual about whom an investigator conducting research obtains information or biospecimens through intervention or interaction, or obtains or generates individual private information or identifiable biospecimens, Hartsmith said. The full regulations give other descriptions and requirements.

An institution must be considered engaged in nonexempt research activity for the Common Rule requirements to apply and for the need to even have an FWA to apply, Hartsmith said. The concept of engagement is not defined in the regulations or in a statute, but instead is largely addressed through OHRP educational materials. Hartsmith recommended that anyone wanting to learn about engagement begin with OHRP’s mini-tutorial video on its website. An engagement analysis is really only necessary if an activity is nonexempt human subjects research covered by an FWA, she said. “I have a quotation here from the 2008 engagement guidance where OHRP says the determination of engagement depends on the specific facts of a research study and may be complex.”

Understanding the concept is tricky, she said. “If you’re trying to analyze whether or not your institution is engaged in research in a specific activity as it’s contemplated by OHRP, and you’re having a hard time doing that analysis and thinking through the issues, it’s hard because this is a really tricky area. I recommend being patient, keep a copy of the relevant regulations and the guidance documents handy, and know you’re aren’t alone.”

Generally, an institution is considered to be engaged when, for the purposes of a specific research project, its employees or agents obtained data about the subjects of the research through intervention or interaction, identifiable private information about the subjects of the research, or if the employees or agents obtained the informed consent of human subjects for the research, Hartsmith said. “OHRP has outlined specific scenarios where even if one of these things might be true, an institution might not be deemed to be engaged in research, but you’ll need to go through the OHRP guidance document for more information.”

Another rule states if the only portion of a nonexempt human subjects research activity conducted at an institution would on its own be considered exempt or would be considered not human subjects research, then that institution is not engaged, she said. One exception is that in any scenario where there is federal support, at least one institution needs to be determined to be engaged in any nonexempt human subjects research activity.

IO Responsibilities

Rooney spoke about IO responsibilities under a FWA vs. the institutional responsibilities. The IO commits the institution to compliance with federal regulations, she said. “In fact, the FWA instruction provides that the person signing the FWA on behalf of an institution has to be an official that is legally authorized to represent and bind the institution to the terms on the FWA.”

When an IO signs the FWA, the IO is signing and assuring the IO understands the institution’s responsibilities under the FWA. “The IO is also assuring that any human subjects who are going to participate in research that falls under the institution’s FWA will be protected and also assures that the IRB on which the institution will rely, be it an internal or an external IRB, will comply with the terms of the institution’s FWA when reviewing research.”

Rooney placed the IO responsibilities into two buckets. The first bucket are those responsibilities that remain constant, regardless of whether an institution relies on an internal or external IRB for the review approval or oversight of nonexempt human subject research that is covered by the institution’s FWA. The second bucket consists of IO responsibilities that can change depending on whether an institution relies on an internal or external IRB.

“What is important to note here is that if an institution is going to rely on an external IRB for review and approval of research, the IO’s responsibilities are governed by the IRB authorization agreement that’s covering the research that’s to be reviewed,” Rooney said.

Regardless of where the IO responsibilities fall within these two buckets, the IO is responsible either solely or collectively, with support from the external IRB, for assuring the institution complies with the Common Rule when the institution, employees, or agents engage in nonexempt human subjects research.

Rooney reviewed several IO responsibilities that remain the same regardless of whether the institution relies on an internal or external IRB:

  • Understanding human research protection program (HRPP) responsibilities. The IO should complete many different training modules, at the minimum the OHRP module specific to IOs.
  • Setting the tone of respect for complying with the regulations and for protecting human subjects. “If a culture of compliance doesn’t come from the top from your IO, then an institution will most likely not have a robust human research protection program, and may not be able to provide potential human subjects with the protections that are needed,” Rooney said.
  • Designating OHRP-registered IRBs to review research covered by the FWA. “You are required to designate an IRB on your FWA, be it internal or external,” she said. This is simple with an internal IRB, but more complicated with an external IRB. With the external IRB, IOs must ensure the IRB is registered with OHRP, that it is active, and that it is registered to review the type of research that IOs are seeking. Lastly, the IOs also have to enter into a comprehensive IRB authorization agreement.
  • Ensuring reports are submitted to federal agencies. These reports could give information about unanticipated problems involving risks to subjects or other serious or continuing noncompliance. For the internal IRB, it could involve a suspension or termination of IRB approval.
  • Providing OHRP guidance to the research community.
  • Submitting, renewing, and updating the FWA according to regulations and current policy at OHRP.
  • Confirming that assurances are in place for all the participating sites that are conducting nonexempt human subjects research activities for the study, and that IRB reviews and certifications are submitted to the appropriate authority.
  • Not approving a research project that has been disapproved by the IRB.
  • Serving as a knowledgeable point of contact for OHRP. Rooney shared a story in which an IO at an institution had no idea who the OHRP representative was during a site visit or why the agency may be visiting.
  • Responsibility for signing any memoranda of understanding or agreements regarding the institution’s HRPP.

Creating Authorization Agreements

The IRB authorization agreement is an important component of using an external IRB. “With the revised Common Rule, there is a provision under 45 CFR-46-103(a), which says that whenever an FWA-covered research protocol is going to be reviewed and approved by an IRB that is external to the institution that’s conducting the research, the institutions and the external IRB must enter into an IRB authorization agreement,” Rooney explained.

These agreements can be relatively short and simple, such as applying to only one protocol, or they can run several pages and apply to all human subjects research covered by the institution’s FWA. “At a minimum, the IRB authorization agreement has to include the skills of the institutions relying on the IRB for the research, as well as to allocate the roles and responsibilities between each entity, what those roles will be undertaken, and which people undertake those roles. Between the institution and the IRB, the institutions are ensuring compliance with Common Rule requirements when reviewing, approving, and conducting the research.”

Make sure any roles and responsibilities are clearly allocated in the IRB authorization agreement, and that both parties understand who is responsible for each task before undertaking the review, approval, and oversight of research, Rooney said. “Failure to do so can result in noncompliance.”

During a site visit, Rooney recalled when an IO and an IRB each claimed the other owned records particular to one protocol. “As a result of this misunderstanding, no one maintained these records and IRB documents, and that discovery was made in front of a regulatory agency. It’s important to iron out these roles and responsibilities.”

Changing IO Responsibilities

Rooney discussed IO responsibilities that can change when using an external IRB:

  • Training. When relying on an external IRB, the IO will train IRB staff on how the institution’s internal IRB will communicate with the external IRB and the investigators. “Beyond that, you as an IO may want to just ensure that the external IRB members are being trained,” she said.
  • IRB resource, space, and staff requirements. If the IO is using an internal IRB, he or she should provide sufficient resources, staff, and space. If the IO relies on an external IRB, then the IO should perform due diligence to make sure the external IRB provides them.
  • The receipt of written procedures, recordkeeping, and required reports. “The IO could ask for a review of policies and procedures, IRB meeting minutes, and audit findings to conduct its own oversight and ensure that some oversight is occurring. The IO also could notify the IRB of any issues that the institution may discover while working with the external IRB,” Rooney said.
  • IRB information. The IO may ask the external IRB for a copy of the IRB roster. If the IRB does not want to give out the roster, it could provide certification indicating that it satisfies regulatory requirements.
  • Investigator oversight. “Investigator oversight tends to be somewhat of a collective responsibility between the IO and the IRB when relying on an external IRB. The IRB authorization agreement should define how investigators will be overseen,” Rooney said.

An IO satisfies responsibilities when relying on an external IRB by conducting due diligence before executing an IRB authorization agreement with an external IRB, Rooney concluded. Second, an IO needs to enter into a comprehensive authorization agreement that clearly allocates the responsibilities between the IO and the external IRB. Those responsibilities, she said, should collectively cover all Common Rule requirements related to the research.


  1. Advarra. Institutional responsibilities under a Federalwide Assurance (FWA). December 2020.
  2. Electronic Code of Federal Regulations. 45 CFR 46.103(a): Protection of human subjects. July 19, 2018.