Regulatory spotlight
We offer selected excerpts from relevant guidances below, to help you get oriented and understand their significance.
It is your responsibility to fully examine and interrogate these guidances in detail. Click through on individual resource links to be taken to the primary source material.
Clinical trials with decentralized elements
Conducting Clinical Trials With Decentralized Elements
Coordination challenges with multiple locations in DCTs.
Variability in data collection across decentralized locations and remote tools.
Challenges in implementing certain statistical approaches in DCTs.
Need for DHTs to be accessible and suitable for all trial participants.
Ensuring compliance with local laws and regulations.
Recommendations
Develop clear protocols for integrating decentralized elements into clinical trials, specifying remote and in-person activities.
Use digital health technologies (DHTs) and electronic systems to streamline data acquisition, informed consent, and investigational product tracking.
Provide training for all stakeholders, including trial personnel, local health care providers, and participants, on decentralized processes.
Implement robust safety monitoring plans to address adverse events in decentralized settings.
Ensure compliance with local and international laws governing telehealth, data privacy, and investigational product use.
Regulatory Considerations
Maintain compliance with FDA requirements under 21 CFR parts 312 and 812 for drug and device trials, respectively.
Document all trial activities and data flows in trial protocols and data management plans, ensuring traceability and integrity.
Ensure informed consent processes meet FDA standards and provide clear communication to participants about decentralized trial activities and data handling.
Address investigational product accountability by documenting IP distribution, storage, and return or disposal.
Design electronic systems for decentralized trials to comply with 21 CFR part 11 requirements for data reliability, security, and confidentiality.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
“To account for multiple sources of data collection in a DCT, the sponsor should include at least the following in a data management plan or other trial-related documents:
- Data origin and data flow from all sources to the sponsor (see section III.J) (e.g., a diagram that depicts the flow of data from creation to final storage)
- Methods and technologies used for remote data acquisition from trial participants, trial personnel, and contracted service providers (e.g., local clinical laboratory facilities and local HCPs who perform trial-related activities)
- A list identifying service providers for data collection, handling, and management.”
— Section III.D.1 (The Sponsor), p. 7, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“Sponsors should describe in the trial protocol or other trial-related documents how operational aspects of the DCT will be implemented. This description should cover, but may not be limited to, the following:
- Scheduled and unscheduled clinical trial visits
- Activities to be performed by trial personnel and those that may be performed by local HCPs
- Transmission of reports on activities performed at different locations
- Delivery of IPs to trial participants, if applicable, and accountability for IPs
- Safety monitoring and management of adverse events.”
– Section III.D.1 (Roles and Responsibilities — The Sponsor), pp. 7–8, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“Study records should capture the visit type (i.e., telehealth or in person), the visit location (e.g., participant’s home, local health care facility, traditional clinical trial site), the date of the visit, and the data originator.”
– Section III.D.1 (Roles and Responsibilities — The Sponsor), p. 8, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“Sponsors should ensure compliance with local laws, regulations, and licensing requirements governing medical practice and IP administration relevant to the conduct of a DCT. This may involve addressing laws in multiple U.S. States, territories, and other countries.”
– Section III.D.1 (Roles and Responsibilities — The Sponsor), p. 8, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“Electronic systems that are used to produce and process trial records required by the FD&C Act and FDA regulations are subject to 21 CFR part 11. These systems must ensure data reliability, security, privacy, and confidentiality.”
– Section III.J (Electronic Systems Used When Conducting DCTs), p. 20, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“Remote trial personnel or local HCPs submitting trial data directly into the eCRF should be included in the sponsor’s list of authorized data originators.”
– Section III.J (Electronic Systems Used When Conducting DCTs), p. 20, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
Regulatory submissions – standardized study data
Providing Regulatory Submissions in Electronic Format — Standardized Study Data
Scope of Requirements: The requirement applies to NDAs, ANDAs, certain BLAs, and INDs.
Study data must conform to FDA-supported standards listed in the Data Standards Catalog.
Noncommercial INDs (e.g., investigator-sponsored or expanded access INDs) are exempt but may voluntarily comply.
Supported Standards: FDA currently supports standards like SDTM, ADaM, and SEND for tabulation and analysis.
Controlled terminology standards (e.g., MedDRA, CDISC Controlled Terminology) are critical for semantic data interoperability.
Implementation Timelines: New standards become mandatory 24 months after the transition date announced in the Federal Register.
Updates to existing standards are required for studies starting 12 months after their transition date.
Waivers: Waivers may be granted to allow submission using unsupported standard versions, but not for non-standardized data formats.
FDA-Sponsor Interactions: Sponsors should engage with the FDA early in the development process to align on data standardization plans.
Pre-submission technical reviews and Type C meetings can be used to resolve data standardization issues.
Recommendations
Ensure compliance with FDA-supported standards as listed in the Data Standards Catalog.
Begin using the latest supported standards early in the study lifecycle to avoid non-compliance.
Engage with FDA during early-phase development to confirm data standardization plans.
Use tools like the Study Data Technical Conformance Guide for additional implementation support.
Submit waiver requests early if specific standard versions cannot be used.
Regulatory Considerations
Submissions that do not meet the electronic format and data standard requirements may be refused filing (NDAs and BLAs) or refused receipt (ANDAs).
Compliance with standardized formats is mandatory unless explicitly exempted or a waiver is granted.
Updates to supported standards are announced in the Federal Register, with defined implementation periods to allow sponsors to transition.
Sponsors must include critical files like demographic datasets and define.xml files in their submissions to demonstrate standard conformance.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
“Study data contained in the submission types identified in this guidance must be submitted electronically in a format that FDA can process, review, and archive.”
“Submissions that are not submitted electronically and electronic submissions that are not in a format that FDA can process, review, and archive will not be filed or received, unless exempt from the electronic submission requirements or if FDA has granted a waiver.”
– Section I. INTRODUCTION, p. 6, Providing Regulatory Submissions in Electronic Format – Standardized Study Data Guidance for Industry (June 2021)
“Currently, the Agency can process, review, and archive electronic submissions of clinical and nonclinical study data that use the standards specified in the Data Standards Catalog (Catalog).”
– Section II.C. What Are the Requirements That Must Be Followed for Electronic Submission of Standardized Study Data?, p. 8, Providing Regulatory Submissions in Electronic Format – Standardized Study Data Guidance for Industry (June 2021)
“The Clinical Data Interchange Standards Consortium (CDISC) Study Data Tabulation Model (SDTM) and Standard Exchange for Nonclinical Data (SEND) are examples of study data standards for tabulations data.”
– Section II.C.2. Study Data Standard, p. 9, Providing Regulatory Submissions in Electronic Format – Standardized Study Data Guidance for Industry (June 2021)
“The use of controlled terminology standards, also known as vocabularies, is an important component of study data standardization and is a critical component of achieving semantically interoperable data exchange.”
– Section II.C.3. Controlled Terminology Standard, p. 10, Providing Regulatory Submissions in Electronic Format – Standardized Study Data Guidance for Industry (June 2021)
“When planning a study (including the design of case report forms, data management systems, and statistical analysis plans), the sponsor or applicant must determine which FDA-supported standards to use or request a waiver of those requirements as described in section II.D.”
– Section II.C. What Are the Requirements That Must Be Followed for Electronic Submission of Standardized Study Data?, p. 9, Providing Regulatory Submissions in Electronic Format – Standardized Study Data Guidance for Industry (June 2021)
Initial discussions about which data standards to use for study data should take place as early as possible during drug development, especially for safety data, but should in any event occur no later than the end of phase 2.
“Sponsors and applicants may use established FDA-sponsor meetings (e.g., pre-IND and end-of-phase 2) to discuss the study data standardization plan and to raise data standardization issues (if any) related to NDAs and BLAs.”
“Sponsors and applicants may also request a separate Type C meeting to discuss substantive data standardization issues for NDAs and BLAs.”
– Section III.A. Meetings With FDA, p. 14, 15, Providing Regulatory Submissions in Electronic Format – Standardized Study Data Guidance for Industry (June 2021)
Remote data acquisition
Digital Health Technologies for Remote Data Acquisition in Clinical Investigations
There is a need for comprehensive validation and verification processes for DHTs.
Ensuring data security and privacy is a significant concern.
Usability issues for diverse populations need to be addressed.
There is a lack of clarity on whether certain DHTs meet the definition of a device under the FD&C Act.
The guidance does not establish legally enforceable responsibilities.
Recommendations
Ensure DHTs are fit-for-purpose for clinical investigations.
Implement robust data security measures to protect participant information.
Conduct usability evaluations to ensure DHTs can be used by intended populations.
Engage with FDA early to discuss the use of DHTs in clinical investigations.
Develop a risk management plan to address potential issues with DHT use.
Regulatory Considerations
Verification and validation should be addressed regardless of device classification.
Sponsors should ensure compliance with data protection and privacy regulations.
FDA evaluates DHT data based on endpoints, medical products, and patient populations. Sponsors can engage with FDA’s Q-Submission Program for feedback on DHT usage in clinical trials.
Sponsors should understand the legal implications of using DHTs in clinical investigations.
The guidance provides recommendations but does not establish legally enforceable responsibilities.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
“Operational specifications (e.g., data storage capacity, frequency of data transmission) should be adequate to minimize missing data.
DHT alerts (e.g., low battery, poor signal, data not being recorded or transmitted to the server) are recommended to help trial participants, trial personnel, and/or sponsors prevent loss of data or missing data. The trial should include processes to ensure that trial participants understand how to respond to these alerts.
Availability and capacity of participant and sponsor network systems should be adequate to handle the volume of data obtained, particularly for frequent or continuous recordings.
Safeguards should be in place to manage cybersecurity risks, prevent unauthorized access to the DHT and the data it collects, and ensure privacy and security.”
– Section IV.A.3 (Design and Operation of DHTs and Other Technologies), p. 12–13, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Sponsors should ensure the ability of connected systems in the clinical investigation to effectively and securely exchange information and to use the information that has been exchanged. FDA encourages the use of public data exchange standards, including those related to identification of the data source, as appropriate. Interoperability of DHTs should be evaluated to demonstrate that the interactions on the electronic interface perform as intended and the resulting DHT measurements are interpreted appropriately.”
– Section IV.C.2 (Interoperability), p. 16–17, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Use of a DHT to remotely acquire data in a clinical investigation may impact the type and amount of missing data. Sponsors should have a plan in place to reduce the potential for missing data (e.g., sponsor and/or investigator automated data monitoring and alerts, participant reminders, ‘run-in’ period for participants, investigator outreach to participants) and to address missing data and data quality issues.”
– Section IV.E (Statistical Analysis and Trial Design Considerations), p. 20, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“The study should be designed to ensure the collection of appropriate data needed to perform planned analyses. The protocol and statistical analysis plan should also:
- Define relevant events and issues that could affect data collection, data quality, and analysis, including changes in technology during the study and whether the DHT is used as directed
- Describe strategies for identifying and handling these events and issues.”
– Section IV.E (Statistical Analysis and Trial Design Considerations), p. 20-21, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Sponsors should consider cybersecurity threats that could potentially impact the functionality of the DHT, resulting in a clinical risk to participants (e.g., corrupting the output of a continuous glucose monitor). Accordingly, sponsors should consider FDA information on cybersecurity to ensure that data can be securely stored and transmitted.”
– Section IV.F.1 (Clinical Risks to Trial Participants), p. 22, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Sponsors, investigators, and IRBs should be aware that unique privacy risks may arise when DHTs are used in a clinical investigation. The following should be considered, as applicable:
- The risk of potential disclosure of personally identifiable information or participant locations via a breach of the DHT or associated data storage, such as a durable electronic data repository.
- DHTs or other technologies may have end-user licensing agreements or terms of service that allow sharing of data with other parties.
- To protect data privacy for trial participants, it may be appropriate for sponsors to proactively work with manufacturers to modify the end-user license agreement or terms of service for the purposes of the study, as applicable.”
– Section IV.F.2 (Privacy-Related Risks), p. 22, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
‘The informed consent process should specify who may have access to data collected through the DHT during or after the clinical investigation (e.g., sponsors, investigators, participants, DHT manufacturers, other specified third parties) and during what time frame.
An explanation of measures to protect participant privacy and data, and limitations to those measures, when DHTs are used should be included.
If participants may incur additional expense because they are taking part in the clinical investigation, the consent process must explain the added costs, which could include costs for the participants that may result from using the DHT during the clinical investigation (e.g., data use charges).”
– Section IV.F.3 (Informed Consent), p. 23-24, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“When using DHTs to record and transmit data during a clinical investigation, the relevant data captured from the DHT, including all relevant associated metadata, should be securely transferred to and retained in a durable electronic data repository as part of the record of the clinical investigation. FDA regulations include record retention requirements for clinical investigators and sponsors and provide for FDA inspection of certain records relating to a clinical investigation.”
– Section IV.G (Record Protection and Retention), p. 24, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“In planning for record retention in a clinical investigation using DHTs, FDA recommends the following:
- Sponsors should discuss with review divisions the type of DHT data recorded from participants to be submitted for FDA review…
- The data output of the DHT to support an endpoint for the clinical investigation, including associated metadata (e.g., the times the measurements were made), should generally be transmitted to a durable electronic data repository…DHT data must be maintained according to record retention requirements and should be in human readable form…
- For data collected directly from study participants through DHTs, FDA considers electronic data that are located in the first durable electronic data repository to which the data are transferred to be the source data. These source data should be available for inspection.”
– Section IV.G (Record Protection and Retention), p. 24-25, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Sponsors should plan for unanticipated changes to DHTs or associated technology (e.g., updates needed to resolve a security concern, DHT unavailable due to discontinuation or supply issues) during the clinical investigation whether the DHTs or associated technology are provided by the sponsor or using a “bring your own” approach. DHT updates and other changes during a clinical investigation may lead to inconsistencies in measurements that can impact the evaluation of the trial outcome. Sponsors should keep a record of the timing and nature of any updates for each DHT.
If a DHT or associated technology, such as a general computing platform, is updated during a clinical investigation (e.g., operating system update), sponsors should ensure that the DHT remains fit-for-purpose, such that the updates do not affect the measurements and that verification and validation studies (see section IV.C of this guidance) are still applicable. In situations where the measurements may be affected, it may be necessary to validate the measurements (e.g., using previously collected data or a new prospective study) after introduction of the update to ensure that no changes to the measurements occurred.”
– Section IV.H.4 (Other Considerations—Sponsor’s Role), p. 25, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Ensure that data has been transferred from the DHT into a durable electronic data repository… Develop end-of-study closeout procedures (e.g., when/how data collection and/or transmission ends, revocation of system access).”
– Section IV.H.1 (Sponsor’s Role), p. 26-27, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
PFDD 1: Comprehensive and representative input
Patient-Focused Drug Development: Collecting Comprehensive and Representative Input
Patient experience data encompass a range of inputs, including symptom burdens, treatment impacts, patient preferences, and views on unmet medical needs.
These data inform all stages of medical product development, from discovery to post-market use.
Quantitative methods (e.g., surveys) provide numerical insights, while qualitative methods (e.g., interviews) offer in-depth understanding. Mixed methods combine both for a fuller perspective.Social media and verified patient communities present novel data collection opportunities but require consideration of verification and representativeness challenges.
Probability sampling (e.g., stratified random sampling) is emphasized for generalizability, while non-probability methods (e.g., convenience sampling) are useful for exploratory research. Representativeness ensures that patient input reflects the diversity and heterogeneity of the target population.
Data collection should adhere to good clinical practices and regulatory standards.
Research protocols should address missing data, quality assurance, and confidentiality.
Early collaboration with the FDA is recommended to align on study designs and regulatory requirements.
Recommendations
Define clear research objectives and determine specific research questions before selecting data collection methods.
Use probability sampling methods whenever feasible to ensure representativeness of the target population.
Address data quality through rigorous planning, data management, and adherence to FDA-supported standards.
Incorporate diverse perspectives by including underrepresented patient populations, tailoring methods to specific subgroups as needed.
Leverage existing data sources, such as patient registries and literature, to complement primary data collection efforts.
Regulatory Considerations
Data submitted to FDA should include clear documentation of the study protocol, intended use, and data collection methodologies.
Researchers must comply with human subject protection regulations (e.g., 21 CFR Parts 50 and 56) and good clinical practice guidelines.
For data intended to support regulatory submissions, adherence to FDA-supported data standards (e.g., CDISC) is strongly encouraged.
Missing data should be addressed through pre-planned strategies and summarized in the study report.
Patient experience data must meet methodological rigor to ensure their reliability and relevance for regulatory decision-making.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
“Before initiating data collection, you should formulate a data management plan (DMP) – a written document that describes the data you expect to acquire or generate during your research study; how you intend to manage, describe, analyze, and store said data; and what mechanisms you will use at the end of your study to preserve and share your data (Stanford University Libraries n.d.).”
– Section III.G. Data Management, p. 26, Patient-Focused Drug Development: Collecting Comprehensive and Representative Input, Final, 2020 (FDA)
“External stakeholders should use appropriate data standards when collecting, managing, and reporting patient experience data. When planning a study (including the design of case report forms, data management systems, and data analysis plans), you should determine which FDA-supported standards to use. See Appendix 1. Standards and Requirements Pertaining to Submission of Data for some data standards resources.”
– Section III.H. Data Standards, p. 26, Patient-Focused Drug Development: Collecting Comprehensive and Representative Input, Final, 2020 (FDA)
“FDA expects that external stakeholders will be responsible for monitoring the study, ensuring data integrity, and performing the data analysis.”
– Section III.I. Monitoring and Quality Assurance, p. 27, Patient-Focused Drug Development: Collecting Comprehensive and Representative Input, Final, 2020 (FDA)
“External stakeholders should plan how to store their data in advance of starting their study. Researchers should decide how data will best be stored so that the data can be easily retrieved and protected from any type of damage or loss.”
– Section III.J. Storing Data, p. 27, Patient-Focused Drug Development: Collecting Comprehensive and Representative Input, Final, 2020 (FDA)
PFDD 3: Fit-for-purpose clinical outcome assessments (COAs)
Patient-Focused Drug Development: Selecting, Developing, or Modifying Fit-for-Purpose Clinical Outcome Assessments
The guidance applies to four types of Clinical Outcome Assessments (COAs): Patient-Reported Outcomes (PROs), Observer-Reported Outcomes (ObsROs), Clinician-Reported Outcomes (ClinROs), and Performance Outcomes (PerfOs). A COA is considered fit-for-purpose when the validation evidence is sufficient to support its context of use (COU). To determine if a COA is fit-for-purpose, sponsors must clearly describe the Concept of Interest (COI) and the COU, and present sufficient evidence to support a clear rationale for the COA’s proposed interpretation and use. The rationale for using a COA should include up to eight components, such as justification for the COA type, capturing the important parts of the COI, appropriate administration and scoring, minimal influence from irrelevant factors or measurement error, and correspondence with the Meaningful Aspect of Health (MAH). The most direct assessment of how a patient feels or functions (MAH) should be used as the COI whenever possible.
Recommendations
Sponsors should use the Roadmap to Patient-Focused Outcome Measurement to guide the selection, modification, or development of a COA. The process begins with understanding the disease/condition (including patient perspectives) and conceptualizing clinical benefits and risks (defining the MAH, COI, and COU). When feasible, existing COAs are generally preferred, especially for well-established COIs, as this approach is often the least burdensome. If an existing COA is modified or used in a different context, additional evidence (e.g., cognitive interviews, psychometric studies) must be collected to justify its fitness for the new context of use. For new COA development, sponsors should involve patients, document all steps, and generally avoid using the new COA for the first time in a registration (pivotal) trial; a standalone observational study or early phase trial is recommended for evaluation.
Regulatory Considerations
Sponsors are encouraged to interact early and throughout medical product development with the relevant FDA review division to ensure COAs are appropriate for the intended COU. Sponsors should communicate their proposed COA-based endpoint approach, including the MAH, COI, COA type/name/score, and the final COA-based endpoint, ideally using the suggested format. The type and amount of evidence required to support the rationale for a COA’s use is weighed against the degree of uncertainty regarding that part of the rationale. For ClinROs, it is recommended to use an assessor masked to treatment assignment and study visit for primary endpoints, if feasible. FDA strongly discourages proxy-reported measures for concepts known only to the patient (e.g., pain) and recommends using an ObsRO to measure observable behaviors instead when the patient cannot self-report.
Recommendations
Clearly define the concept of interest and its context of use to ensure COAs align with trial objectives.
Use conceptual and measurement frameworks to communicate how COAs measure patient experiences and generate interpretable scores.
Leverage existing COAs where possible, modifying them only when justified, and document all modifications rigorously.
Ensure COAs are accessible and inclusive, incorporating features like large fonts, touch interfaces, or audio assistance for diverse populations.
Conduct early engagement with FDA to discuss COA selection, development, and validation plans.
Regulatory Considerations
Fit-for-purpose validation requires evidence of conceptual alignment, scoring reliability, and sensitivity to clinically meaningful changes.
Digital health technologies used for COAs must comply with FDA’s guidance on data integrity, usability, and technical performance.
COAs intended for regulatory submissions must be developed and validated before pivotal trials to avoid jeopardizing trial outcomes.
Modifications to COAs or scoring methods during trials necessitate justification and revalidation.
Sponsors should submit comprehensive documentation on COA development, including scoring algorithms and item tracking matrices.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
“The use of a standardized case report form is recommended, which should include information on whether an assistive device was used during the test. The use of assistive devices should be standardized, and the type of device, if used, should be recorded. If the test was not completed, sponsors should collect the reason for not completing the test. These pieces of information should be part of the analysis data sets and may play a role in analysis and interpretation of the data.”
– Appendix D (Performance Outcome Measures), p. 50, Patient-Focused Drug Development: Selecting, Developing, or Modifying Fit-for-Purpose Clinical Outcome Assessments, Final, October 2025 (FDA)
PFDD 4: Incorporating COAs into endpoints
Patient-Focused Drug Development: Incorporating Clinical Outcome Assessments Into Endpoints for Regulatory Decision-Making
COA-based endpoints should reflect meaningful patient health aspects and support clear treatment effect inferences.
Selection of endpoints requires a well-supported rationale, including evidence of their importance to patients.
Use of MSD and MSR approaches enhances the interpretation of treatment effects by linking COA scores to meaningful patient experiences. Proper anchors (e.g., global impression of severity) are essential for validating these approaches.
Frequency and timing of COA data collection must align with disease characteristics and study objectives.
Adjustments for potential practice effects and assistive device use are critical for robust outcome measurement.
Proper handling of missing data and sensitivity analyses ensure valid conclusions from COA-based endpoints.
Continuous, ordinal, and dichotomized endpoints require tailored statistical methods for analysis.
Early engagement with the FDA is crucial for aligning study designs and COA approaches with regulatory expectations.
Recommendations
Engage patients and caregivers early to identify meaningful endpoints and assess potential barriers to COA use.
Use anchor-based methods to validate COA scores and define meaningful thresholds for interpretation.
Develop and pilot test study protocols to ensure COA reliability, usability, and alignment with regulatory requirements.
Implement strategies to reduce participant burden, such as concise COA instruments and patient-friendly data collection methods.
Submit comprehensive documentation, including endpoint justification and scoring rationale, to FDA for feedback before trial initiation.
Regulatory Considerations
Endpoints must be supported by evidence of their fit-for-purpose status and alignment with the trial’s objectives.
COAs used in digital or adaptive formats must meet FDA’s standards for usability and data integrity.
Trials with nonrandomized designs require robust measures to mitigate bias in COA-based endpoint analysis.
Thresholds for MSD or MSR must be prespecified and justified with empirical evidence.
Sponsors must follow FDA guidance for submitting COA-based data, ensuring compliance with electronic data standards.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
“Sponsors should clearly describe the COA-based endpoint, including:
- …Rules for handling missing item responses or task results when computing COA scores, along with justification for the rules…
- Timing of the assessments used to construct the endpoint.”
– Section II.A.1 (Selecting and Justifying Endpoints), p. 8, Patient-Focused Drug Development: Incorporating Clinical Outcome Assessments Into Endpoints for Regulatory Decision-Making, Draft, 2023 (FDA)
“Missing data are problematic because they may lead to reduced power and potential bias in the estimated treatment effect when missingness is related to treatment effectiveness or to adverse events from the treatment… Every effort should be made to avoid missing COA data. This begins with collecting only those COAs necessary to assess the endpoint… and designing a data collection plan that is least burdensome and as easy as possible for patients and/or caregivers… It is important to collect reasons for missing data to inform suitable sensitivity analyses of the study endpoints…”
– Section II.B.3 (Missing Data), p. 20, Patient-Focused Drug Development: Incorporating Clinical Outcome Assessments Into Endpoints for Regulatory Decision-Making, Draft, 2023 (FDA)
“Methods to handle the missing data for a COA-based endpoint should be aligned with the estimand of interest and addressed in the statistical analysis plan.”
– Section II.B.3 (Missing data), p. 21, Patient-Focused Drug Development: Incorporating Clinical Outcome Assessments Into Endpoints for Regulatory Decision-Making, Draft, 2023 (FDA)
“Regardless of how patient experience data is collected in a given study, patient experience data collected and submitted to FDA to support a regulatory medical product application are subject to statutory and regulatory submission requirements that apply to the study data and submission type. Guidance documents that address data formatting and submission include, but are not limited to, the following:
- …Code of Federal Regulations, (CFR) Title 21, Chapter 1—with particular attention given to Parts 11, 21, 312.57, 312.62(b) and (c), and 812.140
- …FDA guidance for industry Computerized Systems Used in Clinical Investigations (May 2007)
- …FDA guidance for industry Electronic Source Data in Clinical Investigations (September 2013)
- …FDA guidance for industry Providing Regulatory Submissions in Electronic Format—Standardized Study Data (June 2021).”
– Section IV.B (Formatting and Submission Considerations), p. 38–39, Patient-Focused Drug Development: Incorporating Clinical Outcome Assessments Into Endpoints For Regulatory Decision-Making, Draft, 2023 (FDA)
“Clinical trials using COAs should include a schedule of COA administration as part of the overall study assessment schedule in the protocol. The COA schedule should consider the natural course of the disease or condition (i.e., acute, chronic, or episodic), the research questions to be addressed, the trial duration, patient burden, the disease stage of the target patient population, the expected time frame when the investigational product is likely to affect the COA-based endpoint, and timing of collection of COAs if temporary study interruptions or discontinuation of study interventions are anticipated to occur.”
– Section II.A.3 (Clinical Trial Duration and Timing of Assessments for COA-Based Endpoints), p. 14-15, Patient-Focused Drug Development: Incorporating Clinical Outcome Assessments Into Endpoints for Regulatory Decision-Making, Draft, 2023 (FDA)
“In general, COA assessment frequencies or the rules governing when the COA is measured should be the same for all treatment arms (see event-triggered data collection below).”
– Section II.A.3 (Clinical Trial Duration and Timing of Assessments for COA-Based Endpoints), p. 18, Patient-Focused Drug Development: Incorporating Clinical Outcome Assessments Into Endpoints for Regulatory Decision-Making, Draft, 2023 (FDA)
PRO guidance
Patient-Reported Outcome Measures: Use in Medical Product Development to Support Labeling Claims
PRO instruments must demonstrate content validity through patient input and qualitative research, ensuring the instrument measures concepts relevant to the population and condition being studied.
Sponsors must confirm the reliability, construct validity, and ability to detect change for the PRO instrument before use in confirmatory clinical trials.
Statistical analysis plans should address multiplicity, handling of missing data, and cumulative distribution function comparisons to interpret clinical trial results.
Modifications to PRO instruments (e.g., format changes, population adaptations) require evidence that measurement properties are preserved.
Electronic PRO systems must comply with regulatory requirements for data integrity, security, and investigator access.
Recommendations
Develop and validate PRO instruments early in the clinical development process, ensuring alignment with the clinical trial’s endpoint model.
Document all stages of instrument development, including qualitative input from patients, pilot testing, and cognitive interviews.
Use clear and consistent administration procedures, whether paper-based or electronic, to minimize variability and missing data.
Define responder thresholds using anchor-based methods and consider presenting cumulative distribution functions to interpret treatment benefits.
Address cultural and linguistic adaptation of PRO instruments by ensuring equivalent content validity and measurement properties across versions.
Regulatory Considerations
Include detailed descriptions of the PRO instrument, its conceptual framework, and scoring algorithms in regulatory submissions.
Ensure PRO instruments used in clinical trials comply with FDA requirements for record-keeping, data security, and source data accessibility.
Plan for the FDA to review all modifications to PRO instruments, including changes in administration mode or population.
Address missing data in clinical trial protocols and statistical analysis plans, ensuring prespecified handling rules.
Provide evidence that PRO instruments reliably measure the intended concepts across all study populations and data collection methods.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
Specific Concerns When Using Electronic PRO Instruments
“When PRO instruments are used, sponsors must ensure that FDA regulatory requirements are met for sponsor and investigator record keeping, maintenance, and access.6 These responsibilities are independent of the method used to record clinical trial data and, therefore, apply to all types of PRO data including electronic PRO data. Sponsors are responsible for providing investigators with all information to conduct the investigation properly, for monitoring the investigation, for ensuring that the investigation is conducted in accordance with the investigational plan, and for permitting the FDA to access, copy, and verify records and reports relating to the investigation.
The principal record keeping requirements for clinical investigators include the preparation and maintenance of adequate and accurate case histories (including the case report forms and supporting data), record retention, and provision for the FDA to access, copy, and verify records (i.e., source data verification). The investigator’s responsibility to control, access, and maintain source documentation can be satisfied easily when paper PRO instruments are used, because the patient usually returns the diary to the investigator who either retains the original or a certified copy as part of the case history. The use of electronic PRO instruments, however, may pose a problem if direct control over source data is maintained by the sponsor or the contract research organization and not by the clinical investigator. We consider the investigator to have met his or her responsibility when the investigator retains the ability to control and provide access to the records that serve as the electronic source documentation for the purpose of an FDA inspection. The clinical trial protocol, or a separate document, should specify how the electronic PRO source data will be maintained and how the investigator will meet the regulatory requirements.
In addition, the FDA has previously provided guidance to address the use of computerized systems to create, modify, maintain, archive, retrieve, or transmit clinical data to the FDA and to clarify the requirements and application of 21 CFR part 11.Because electronic PRO data (including data gathered by personal digital assistants or phone-based interactive voice recording systems) are part of the case history, electronic PRO data should be consistent with the data standards described in that guidance. Sponsors should plan to establish appropriate system and security controls, as well as cyber-security and system maintenance plans that address how to ensure data integrity during network attacks and software updates.”
– Section IV.F (Specific Concerns When Using Electronic PRO Instruments), p. 26, Patient-Reported Outcome Measures: Use in Medical Product Development to Support Labeling Claims, Final, 2009 (FDA)
Q-Submission Program
Requests for Feedback and Meetings for Medical Device Submissions: The Q-Submission Program
Pre-Submissions (Pre-Subs) allow submitters to obtain FDA feedback on specific questions before submitting formal IDEs, 510(k)s, PMAs, or other applications. Early feedback can improve submission quality and streamline the review process.
Submission Issue Requests (SIRs) provide a mechanism for addressing issues raised in FDA hold letters (e.g., 510(k) deficiencies) to help expedite resolutions.
Study Risk Determinations help sponsors clarify whether clinical studies are significant risk (SR), non-significant risk (NSR), or exempt from IDE regulations.
Informational Meetings are non-feedback sessions aimed at familiarizing FDA staff with new devices or sharing updates on ongoing development.
The program encourages timely submissions, including supplements for ongoing discussions and amendments to update materials.
Recommendations
Clearly define the purpose and goals of the Q-Sub in the submission to facilitate effective FDA review.
Include specific, well-formulated questions that focus on a limited number of topics to ensure actionable feedback.
For Pre-Subs, align planned testing and submissions with FDA guidance and include detailed device descriptions, testing protocols, and relevant background information.
Use SIRs to discuss proposed solutions to deficiencies raised in FDA hold letters, focusing on timely resolution.
Draft and submit meeting minutes promptly (within 15 days of meetings) to ensure accurate documentation of FDA feedback.
Regulatory Considerations
Submitters should adhere to the timelines specified for different Q-Sub types, including 70 days for Pre-Sub feedback or 21 days for SIRs submitted promptly after a hold letter.
Q-Subs should include all relevant regulatory history and references to prior FDA communications to streamline the review process.
FDA feedback through the Q-Sub program is non-binding and based on the information available at the time; subsequent submissions must align with the provided feedback to maintain consistency.
Informational Meeting requests should clearly state that feedback is not expected and may be used to track interactions outside other formal Q-Sub types.
Confidentiality of Q-Subs is maintained in compliance with FDA’s disclosure regulations and the Freedom of Information Act (FOIA).
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
“Is the cybersecurity management plan, described in Section 2, sufficient to ensure cybersecurity of our device for our future 510(k) submission? If not, can FDA provide feedback on what additional cybersecurity information is needed?”
“In the attached credibility assessment plan, we perform a prospective adequacy assessment. If our proposed credibility activities are successful, does FDA agree that the plans are adequate to demonstrate that the credibility of our model is commensurate with the assessed model risk?”
– Appendix 2 (Example Pre-Sub Questions), p. 37-38, Requests for Feedback and Meetings for Medical Device Submissions: The Q-Submission Program, Final, May 29, 2025 (FDA)
When the sDHT is a regulated medical device: Cybersecurity in medical devices
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
Cybersecurity threats in healthcare are increasingly frequent and severe, posing risks to device safety and clinical care.
Many vulnerabilities arise from third-party software components and interconnected device ecosystems.
Legacy devices often lack adequate cybersecurity controls, leading to increased patient and organizational risks.
Cybersecurity risk management processes must integrate safety and security assessments throughout the device lifecycle.
Transparency in device cybersecurity is crucial for enabling safe integration and use by healthcare providers and end users.
Recommendations
Implement a Secure Product Development Framework (SPDF) for comprehensive cybersecurity throughout the product lifecycle.
Include a Software Bill of Materials (SBOM) for all premarket submissions to track software dependencies and vulnerabilities.
Perform robust cybersecurity testing, including penetration testing and vulnerability assessments.
Enhance device labeling with clear cybersecurity-related instructions and risks for users.
Develop a coordinated vulnerability disclosure plan for postmarket cybersecurity management.
Regulatory Considerations
Adherence to 21 CFR Part 820 Quality System regulation requirements, including design controls and risk management.
Compliance with Section 524B of the FD&C Act for cybersecurity of cyber devices.
Submission of SBOMs and detailed security risk management reports for premarket applications.
Provision of cybersecurity information as part of device labeling to prevent misbranding under Section 502 of the FD&C Act.
Integration of security testing and validation as part of the FDA review process.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
Security Objectives:
- Authenticity, which includes integrity;
- Authorization;
- Availability;
- Confidentiality; and
- Secure and timely updatability and patchability.
Premarket submissions should include information that describes how the above security objectives are addressed by and integrated into the device design. The extent to which security requirements, architecture, supply chain, and implementation are needed to meet these objectives will depend on but may not be limited to:
- The device’s intended use, indications for use, and reasonably foreseeable misuse;
- The presence and functionality of its electronic data interfaces;
- Its intended and actual environment of use;
- The risks presented by cybersecurity vulnerabilities;
- The exploitability of the vulnerabilities; and
- The risk of patient harm due to vulnerability exploitation.
– Section IV.B (Designing for Security), p. 8, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, Final, 2025 (FDA)
“FDA recommends providing, at minimum, the following types of views in premarket submissions:
- Global System View;
- Multi-Patient Harm View;
- Updateability/Patchability View; and
- Security Use Case View(s).
Documenting these views in premarket submissions should include both diagrams and explanatory text. These diagrams and explanatory text should contain sufficient details to permit an understanding of how the assets within the medical device system function holistically within the associated implementation details. For the security architecture views, manufacturers should follow the recommendations outlined in Appendix 2 when determining the level of detail to include in premarket submissions.
These security architecture views should:
- Identify security-relevant medical device system elements and their interfaces;
- Define security context, domains, boundaries, critical user roles, and external interfaces of the medical device system;
- Align the architecture with (a) the medical device system security objectives and requirements, (b) security design characteristics in order to address the identified threats; and
- Establish traceability of architecture elements to user and medical device system security requirements. Such traceability should exist throughout the cybersecurity risk management documentation.”
– Section V.B.2 (Security Architecture Views), pp. 23–24, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, Final, 2025 (FDA)
Data Integrity
- “Verify the integrity of all incoming data, ensuring that it is not modified in transit or at rest. Cryptographic authentication schemes verify data integrity, but do not verify data validity. Therefore, the integrity of all incoming data should be verified to ensure that it is not modified in transit or at rest;”
- “Protect the integrity of data necessary to ensure the safety and effectiveness of the device, e.g., critical configuration settings such as energy output.”
Confidentiality
- “Manufacturers should ensure support for the confidentiality of any/all data whose disclosure could lead to patient harm (e.g., through the unauthorized use of otherwise valid credentials, lack of encryption). Loss of confidentiality of credentials could be used by a threat-actor to effect multi-patient harm. Lack of encryption to protect sensitive information and or data at rest and in transit can expose this information to misuse that can lead to patient harm. For example, confidentiality is required in the handling and storage of cryptographic keys used for authentication because disclosure could lead to unauthorized use/abuse of device functionality.”
– Appendix 1 (Security Control Categories and Associated Recommendations – Data Integrity and Confidentiality), p. 43, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, Final, 2025 (FDA)
“Security risk management should be an integrated part of a manufacturer’s entire quality system, addressed throughout the TPLC. The quality system processes entail the technical, personnel, and management practices, among others, that manufacturers use to manage potential risks to their devices and ensure that their devices are, and once on the market, remain, safe and effective, which includes security…
FDA recommends that security risk management processes, as detailed in the QS regulation, be established or incorporated into those that already exist, and should address the manufacturer’s design, manufacturing, and distribution processes, as well as updates across the TPLC. The processes in the QS regulation which may be relevant in this context include, but are not limited to design controls (21 CFR 820.30), validation of production processes (21 CFR 820.70), and corrective and preventive actions (21 CFR 820.100) to ensure both safety and security risks are adequately addressed. For completeness in performing risk analyses under 21 CFR 820.30(g), FDA recommends that device manufacturers conduct both a safety risk assessment and a separate, accompanying security risk assessment to ensure a more comprehensive identification and management of patient safety risks.
A device should be designed to eliminate or mitigate known vulnerabilities.”
– Section V.A (Security Risk Management), p. 11, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, Final, 2025 (FDA)
“For devices with cybersecurity risks, informing users of relevant security information may be an effective way to comply with labeling requirements relating to such risks. FDA also believes that informing users of security information through labeling may be an important part of design and development activities to help mitigate cybersecurity risks and help ensure the continued safety and effectiveness of the device.”
– Section VI (Cybersecurity Transparency) and Section VI.A (Labeling Recommendations for Devices with Cybersecurity Risks), pp. 27–28, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, Final, 2025 (FDA)
Scope of PFDD guidances
The FDA’s Patient-Focused Drug Development (PFDD) Guidance Series “is intended to facilitate the advancement and use of systematic approaches to collect and use robust and meaningful patient and caregiver input that can better inform medical product development and regulatory decision making.”
While the PFDD series provides this key framework, different FDA centers emphasize distinct guidances in their assessments. For instance, the Center for Drug Evaluation and Research (CDER) and the Center for Biologics Evaluation and Research (CBER) currently utilize PFDD 1 and 2. In contrast, the Center for Devices and Radiological Health (CDRH) uses Principles for Selecting, Developing, Modifying, and Adapting Patient Reported Outcome Instruments for Use in Medical Device Evaluation, for patient-reported outcomes. All centers are also preparing for the implementation of PFDD 3 (finalized Oct 2025) and the forthcoming PFDD 4, which will together replace the older 2009 guidance on Patient-Reported Outcome Measures.
FDA example
Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations
AI-enabled medical devices require robust risk assessment to address data drift, bias, and transparency challenges.
The total product lifecycle (TPLC) approach is essential for managing AI-enabled devices, ensuring continuous oversight and updates.
There is a need for improved standardization in AI model validation and performance monitoring to ensure consistency in regulatory submissions.
Effective data management practices, including dataset representativeness and bias control, are critical for AI model development.
Cybersecurity vulnerabilities in AI-enabled medical devices must be proactively addressed to prevent risks to patient safety and data integrity.
Recommendations
AI-enabled device manufacturers should integrate Good Machine Learning Practice (GMLP) principles throughout the device lifecycle.
Marketing submissions should include comprehensive documentation of AI model development, validation, and performance monitoring.
Developers should implement transparency measures, such as model interpretability and explainability, to enhance user trust and understanding.
AI models must undergo rigorous bias evaluation to ensure equitable performance across diverse patient populations.
A predetermined change control plan (PCCP) should be established to allow safe and effective AI model updates post-market without additional FDA submissions.
Regulatory Considerations
FDA encourages early engagement through the Q-Submission Program for AI-enabled device manufacturers.
Compliance with FDA-recognized consensus standards, such as ANSI/AAMI/ISO 14971 for risk management, is recommended.
AI-enabled devices must meet labeling requirements, ensuring that users clearly understand model inputs, outputs, and performance metrics.
Post-market surveillance and continuous monitoring of AI model performance are necessary to ensure ongoing safety and effectiveness.
Cybersecurity measures must be included in regulatory submissions, detailing safeguards against data breaches and unauthorized model modifications.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
The Artificial Intelligence-Enabled Device Software Functions, Draft, FDA 2025 notes model cards can help organize labeling and public submission information. Appendix E provides a full, worked example card; Appendix F shows a completed example within a 510(k) summary.
Once you’ve read the guidances, explore these best practices from the field:
Industry spotlight
Gathers real-world examples, case studies, best practices, and lessons learned from peers and leaders in the field relevant to this section. Use these insights to accelerate your work and avoid common pitfalls.