Regulatory spotlight
We offer selected excerpts from relevant guidances below, to help you get oriented and understand their significance.
It is your responsibility to fully examine and interrogate these guidances in detail. Click through on individual resource links to be taken to the primary source material.
Clinical trials with decentralized elements
Conducting Clinical Trials With Decentralized Elements
Coordination challenges with multiple locations in DCTs.
Variability in data collection across decentralized locations and remote tools.
Challenges in implementing certain statistical approaches in DCTs.
Need for DHTs to be accessible and suitable for all trial participants.
Ensuring compliance with local laws and regulations.
Recommendations
Develop clear protocols for integrating decentralized elements into clinical trials, specifying remote and in-person activities.
Use digital health technologies (DHTs) and electronic systems to streamline data acquisition, informed consent, and investigational product tracking.
Provide training for all stakeholders, including trial personnel, local health care providers, and participants, on decentralized processes.
Implement robust safety monitoring plans to address adverse events in decentralized settings.
Ensure compliance with local and international laws governing telehealth, data privacy, and investigational product use.
Regulatory Considerations
Maintain compliance with FDA requirements under 21 CFR parts 312 and 812 for drug and device trials, respectively.
Document all trial activities and data flows in trial protocols and data management plans, ensuring traceability and integrity.
Ensure informed consent processes meet FDA standards and provide clear communication to participants about decentralized trial activities and data handling.
Address investigational product accountability by documenting IP distribution, storage, and return or disposal.
Design electronic systems for decentralized trials to comply with 21 CFR part 11 requirements for data reliability, security, and confidentiality.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
“Sponsors must ensure proper monitoring of an investigation… FDA recommends risk-based monitoring approaches and the use of centralized monitoring to identify and proactively follow up on missing data, inconsistent data, data outliers, and potential protocol deviations that may be indicative of systemic or significant errors.”
– Section III.D.1 (Roles and Responsibilities — The Sponsor), p. 8, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“To protect the safety and welfare of trial participants in a DCT, sponsors should implement a safety monitoring plan that addresses the following: The safety monitoring plan should take the decentralized nature of the clinical trial into account and ensure that adverse events and medication errors are appropriately collected and adequately addressed. … When applicable, the safety monitoring plan should describe the type of information that will be collected by a DHT, how that information will be used and monitored, and what action trial participants or personnel should take in response to abnormal findings or electronic alerts.”
– Section III.I (Safety Monitoring in DCTs), pp. 15–16, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“Trial participants should have clear instructions about how to contact trial personnel to report adverse events and to have pertinent questions answered. Trial participants should also be able to arrange for an unscheduled visit with trial personnel using telehealth or an in-person visit, as appropriate.”
– Section III.I (Safety Monitoring in DCTs), p. 16, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
Risk-based monitoring of clinical investigations
A Risk-Based Approach to Monitoring of Clinical Investigations: Questions and Answers
A proactive risk assessment is essential for optimizing study quality by identifying and mitigating risks to human subject protection and data integrity before and during a trial. Monitoring should be comprehensive, addressing not only likely risks identified initially but also less probable, high-impact risks and unanticipated issues that emerge. The effectiveness of a monitoring strategy depends on tailoring its timing, frequency, and methods to study-specific factors like complexity and site experience. Centralized monitoring, as part of a risk-based approach, can detect systemic issues like data omissions or protocol deviations more rapidly than traditional on-site visits alone.
Recommendations
Sponsors should formally document their risk assessment methodologies and ensure these assessments directly inform the creation and revision of monitoring plans. Monitoring plans must be detailed, outlining the study design, specific data sampling strategies, and clear protocols for escalating significant issues. When significant problems are identified, sponsors must conduct a timely root cause analysis and implement corrective and preventive actions. All monitoring activities, findings, and subsequent actions should be thoroughly documented and communicated to sponsor management, clinical site staff, and other relevant parties.
Regulatory Considerations
FDA regulations mandate sponsor oversight and proper monitoring but do not prescribe specific methods, providing the flexibility for sponsors to adopt a risk-based approach. The FDA may request a sponsor’s risk assessment and monitoring plan documentation during an inspection. This guidance represents the Agency’s current thinking and is nonbinding, allowing sponsors to use alternative approaches if they satisfy regulatory requirements. A key focus of monitoring should be to ensure critical trial processes, such as the maintenance of blinding, are protected to maintain overall data and trial integrity.
“How should sponsors follow up on significant issues identified through monitoring, including communication of such issues?
Significant issues should be thoroughly evaluated in a timely manner at the appropriate levels (for example, sponsor, clinical sites) as described in the monitoring plan. A root cause analysis followed by appropriate corrective and preventive actions should be undertaken promptly to reduce the impact of the identified issue on the rights, safety, and welfare of participants in the clinical investigation and/or the integrity of the data. Additionally, the risk assessment and monitoring plan should be reviewed and revised, as needed, to help ensure the risk of recurrence is decreased, or if possible, eliminated. In instances in which corrective actions modify study processes, the protocol and/or associated investigational plans should be amended to reflect changed processes. Related systemic issues should be identified and resolved promptly to help ensure that investigation quality, including the rights, safety, and welfare of investigation participants and data integrity, is maintained. Examples of preventive and corrective actions that may be warranted include but are not limited to (1) improved training for the clinical investigator and site staff; (2) halting enrollment at a clinical site pending resolution of identified issues; (3) clarifying or revising the protocol and/or other related investigational plans and documents; and/or (4) modifying vendor service agreements to ensure adequate trial support. Significant issues identified through monitoring and oversight activities and the actions to be taken should be documented and communicated to the appropriate parties, which may include, but are not limited to (1) sponsor management; (2) sponsor teams; (3) clinical sites; (4) institutional review boards; (5) other relevant parties (for example, DMCs and relevant contract research organizations); and (6) applicable regulatory agencies, including FDA, when appropriate.”
– Section III.C (Follow-Up and Communication of Monitoring Results), p. 9, A Risk-Based Approach to Monitoring of Clinical Investigations: Questions and Answers, Final, 2023 (FDA)
“Monitoring should be conducted per the pre-established monitoring plan, and important issues identified through monitoring should be addressed as they are identified. Monitoring plans should also include directions for when and to whom important issues identified during monitoring should be escalated. In addition, FDA recommends that monitoring plans provide guidance on when and how to adjust monitoring activities based on observed monitoring findings. For example, when important issues are identified during monitoring of a clinical site, there may be a need to increase the duration or frequency of on-site visits at that site.
Sponsors’ risk management processes should continue throughout the conduct of the investigation. FDA also encourages sponsors to use the information gained from each investigation, including the monitoring experience, to inform, as appropriate, the conduct of other ongoing investigations, future clinical investigations, risk assessments, and monitoring plans.
The study-level monitoring plan and associated monitoring activities are among the elements utilized by sponsors in their overall risk-based quality management approach to product development; they are important tools to facilitate sponsors identifying and addressing issues during the conduct of clinical investigations. The 2013 RBM guidance outlines factors that sponsors should consider in developing a monitoring plan and tailoring monitoring plans to the needs of the investigation and provides examples of monitoring methods and techniques. Since finalizing the 2013 RBM guidance, FDA has concluded that additional guidance may be beneficial regarding its recommendations for planning a monitoring approach, developing the content of monitoring plans, and addressing and communicating monitoring results. The following questions and answers are intended to assist sponsors in planning and conducting risk based approaches to monitoring.”
– Section II (Background), p. 3, A Risk-Based Approach to Monitoring of Clinical Investigations—Questions and Answers, Final, 2023 (FDA)
“Sponsors should also monitor risks that are less likely to occur, but that could have a significant impact on the quality of the investigation including on the rights, safety, and welfare of trial participants.
Monitoring plans should consider important risks and should be sufficiently comprehensive so that risks that arise during the investigation that were not anticipated can be identified and addressed.
Monitoring plans should take into account important risks identified in the initial risk assessment while also enabling sponsors to identify and address risks that arise during the investigation that were not anticipated. Monitoring plans should therefore be revised, as needed, if new information about risks becomes available.”
– Section III.A (Monitoring Approach, Q2), p. 5, A Risk-Based Approach to Monitoring of Clinical Investigations—Questions and Answers, Final, 2023 (FDA)
“How should monitoring activities and the results of these activities be documented and shared with those involved in the investigation?
As described in the 2013 RBM guidance, documentation of monitoring activities should generally include the following: (1) the date of the activity; (2) the individuals conducting and participating in the activity; (3) a summary of the data or activities reviewed; (4) a description of any noncompliance, potential noncompliance, data irregularities, and/or other deficiencies identified; and (5) a description of any actions taken, to be taken, or recommended (see section V of the 2013 RBM guidance for additional information). Such documentation should include the results of monitoring activities in sufficient detail to allow verification of adherence to the monitoring plan describing those activities. Monitoring activities to be documented should include on-site and remote monitoring of clinical sites and centralized monitoring across clinical sites.
Reports of monitoring activities should be provided to appropriate management (including sponsor staff responsible for the conduct and oversight of the clinical investigation) in a timely manner for review and follow-up. In addition, sponsors should inform the clinical investigator of monitoring findings from monitoring activities that are relevant to the clinical investigator’s activities.”
– Section III.C (Follow-Up and Communication of Monitoring Results, Q7), pp. 9–10, A Risk-Based Approach to Monitoring of Clinical Investigations—Questions and Answers, Final, 2023 (FDA)
When the sDHT is a regulated medical device: Cybersecurity in medical devices
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
Cybersecurity threats in healthcare are increasingly frequent and severe, posing risks to device safety and clinical care.
Many vulnerabilities arise from third-party software components and interconnected device ecosystems.
Legacy devices often lack adequate cybersecurity controls, leading to increased patient and organizational risks.
Cybersecurity risk management processes must integrate safety and security assessments throughout the device lifecycle.
Transparency in device cybersecurity is crucial for enabling safe integration and use by healthcare providers and end users.
Recommendations
Implement a Secure Product Development Framework (SPDF) for comprehensive cybersecurity throughout the product lifecycle.
Include a Software Bill of Materials (SBOM) for all premarket submissions to track software dependencies and vulnerabilities.
Perform robust cybersecurity testing, including penetration testing and vulnerability assessments.
Enhance device labeling with clear cybersecurity-related instructions and risks for users.
Develop a coordinated vulnerability disclosure plan for postmarket cybersecurity management.
Regulatory Considerations
Adherence to 21 CFR Part 820 Quality System regulation requirements, including design controls and risk management.
Compliance with Section 524B of the FD&C Act for cybersecurity of cyber devices.
Submission of SBOMs and detailed security risk management reports for premarket applications.
Provision of cybersecurity information as part of device labeling to prevent misbranding under Section 502 of the FD&C Act.
Integration of security testing and validation as part of the FDA review process.
“Because vulnerability management is a critical part of a device’s security risk management processes, an SBOM or an equivalent capability should be maintained as part of the device’s configuration management, be regularly updated to reflect any changes to the software in marketed devices, and should support documentation, such as the types detailed in 21 CFR 820.30(j) (Design History File) and 820.181 (Device Master Record).”
– Section V.A.4 (Third-Party Software Components), p. 16, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, 2025 (FDA)
“Cybersecurity risks may continue to be identified throughout the device’s TPLC. Manufacturers should ensure they have appropriate resources to identify, assess, and mitigate cybersecurity vulnerabilities as they are identified throughout the supported device lifecycle.”
– Section V.A.6 (TPLC Security Risk Management), p. 18, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, 2025 (FDA)
“As part of using an SPDF, manufacturers should update their security risk management documentation as new information becomes available, such as when new threats, vulnerabilities, assets, or adverse impacts are discovered during development and after the device is released.”
– Section V.A.6 (TPLC Security Risk Management), p. 18, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, 2025 (FDA)
“Devices should be designed to be resilient to possible cyber incident scenarios (also known as “cyber-resiliency”) and maintain availability. Cyber-resiliency capabilities are important for medical devices because they provide a safety margin against unknown future vulnerabilities.”
– Appendix 1 (Resiliency and Recovery), p. 45, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, 2025 (FDA)
“Devices should be capable of being updated in a secure and timely manner to maintain safety and effectiveness throughout the product’s lifecycle.”
– Appendix 1 (Firmware and Software Updates), p. 45, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, 2025 (FDA)
Remote data acquisition
Digital Health Technologies for Remote Data Acquisition in Clinical Investigations
There is a need for comprehensive validation and verification processes for DHTs.
Ensuring data security and privacy is a significant concern.
Usability issues for diverse populations need to be addressed.
There is a lack of clarity on whether certain DHTs meet the definition of a device under the FD&C Act.
The guidance does not establish legally enforceable responsibilities.
Recommendations
Ensure DHTs are fit-for-purpose for clinical investigations.
Implement robust data security measures to protect participant information.
Conduct usability evaluations to ensure DHTs can be used by intended populations.
Engage with FDA early to discuss the use of DHTs in clinical investigations.
Develop a risk management plan to address potential issues with DHT use.
Regulatory Considerations
Verification and validation should be addressed regardless of device classification.
Sponsors should ensure compliance with data protection and privacy regulations.
FDA evaluates DHT data based on endpoints, medical products, and patient populations. Sponsors can engage with FDA’s Q-Submission Program for feedback on DHT usage in clinical trials.
Sponsors should understand the legal implications of using DHTs in clinical investigations.
The guidance provides recommendations but does not establish legally enforceable responsibilities.
“Operational specifications (e.g., data storage capacity, frequency of data transmission) should be adequate to minimize missing data… DHT alerts (e.g., low battery, poor signal, data not being recorded or transmitted to the server) are recommended to help trial participants, trial personnel, and/or sponsors prevent loss of data or missing data. The trial should include processes to ensure that trial participants understand how to respond to these alerts… Availability and capacity of participant and sponsor network systems should be adequate to handle the volume of data obtained, particularly for frequent or continuous recordings… Safeguards should be in place to manage cybersecurity risks, prevent unauthorized access to the DHT and the data it collects, and ensure privacy and security.”
– Section IV.A.3 (Design and Operation of DHTs and Other Technologies), p. 10, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Develop a safety monitoring plan as part of the protocol that addresses how abnormal measurements related to trial participants’ safety (e.g., hypoglycemia, arrhythmia, apnea) measured by DHTs will be reviewed and managed… The plan should indicate under what circumstances and how trial participants will be informed of abnormal findings detected by the DHT (e.g., critical abnormality alerts). The plan should describe how participants and trial personnel should respond to these findings.”
– Section IV.H.1 (Safety Monitoring), p. 24, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Investigators should…review data from DHTs as specified in the safety monitoring plan (see section IV.H.1).”
– Section IV.H.2 (Investigator’s Role), p. 24, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“The sponsor should… develop a risk management plan to address potential problems trial participants may experience when using a DHT or other technology during a clinical investigation.
Potential problems may involve, but are not limited to:
- Clinical and privacy-related risks.
- Participants using the DHT incorrectly.
- Interference between mobile applications or software functions…
- Loss, damage, and replacement of a DHT…
- DHT malfunction…
- Trial participants upgrading or updating a DHT”
– Section IV.H.1 (Sponsor’s Role) [Other Considerations When Using DHTs], pp. 23–24, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
Once you’ve read the guidances, explore these best practices from the field:
Industry spotlight
Industry spotlight gathers real-world examples, case studies, best practices, and lessons learned from peers and leaders in the field relevant to this section. Use these insights to accelerate your work and avoid common pitfalls.