Regulatory spotlight
We offer selected excerpts from relevant guidances below, to help you get oriented and understand their significance.
It is your responsibility to fully examine and interrogate these guidances in detail. Click through on individual resource links to be taken to the primary source material.
Risk-based monitoring of clinical investigations
A Risk-Based Approach to Monitoring of Clinical Investigations: Questions and Answers
A proactive risk assessment is essential for optimizing study quality by identifying and mitigating risks to human subject protection and data integrity before and during a trial. Monitoring should be comprehensive, addressing not only likely risks identified initially but also less probable, high-impact risks and unanticipated issues that emerge. The effectiveness of a monitoring strategy depends on tailoring its timing, frequency, and methods to study-specific factors like complexity and site experience. Centralized monitoring, as part of a risk-based approach, can detect systemic issues like data omissions or protocol deviations more rapidly than traditional on-site visits alone.
Recommendations
Sponsors should formally document their risk assessment methodologies and ensure these assessments directly inform the creation and revision of monitoring plans. Monitoring plans must be detailed, outlining the study design, specific data sampling strategies, and clear protocols for escalating significant issues. When significant problems are identified, sponsors must conduct a timely root cause analysis and implement corrective and preventive actions. All monitoring activities, findings, and subsequent actions should be thoroughly documented and communicated to sponsor management, clinical site staff, and other relevant parties.
Regulatory Considerations
FDA regulations mandate sponsor oversight and proper monitoring but do not prescribe specific methods, providing the flexibility for sponsors to adopt a risk-based approach. The FDA may request a sponsor’s risk assessment and monitoring plan documentation during an inspection. This guidance represents the Agency’s current thinking and is nonbinding, allowing sponsors to use alternative approaches if they satisfy regulatory requirements. A key focus of monitoring should be to ensure critical trial processes, such as the maintenance of blinding, are protected to maintain overall data and trial integrity.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
“This system to manage the quality of the investigation should help ensure data integrity while safeguarding the rights, safety, and welfare of trial participants, for example, by focusing on the design of efficient clinical trial protocols, tools for identifying and tracking potential risks, and procedures for data collection and processing. This system should include a risk-based approach to monitoring tailored to the potential risks for the specific clinical investigation.”
– Section II (Background), p. 2, A Risk-Based Approach to Monitoring of Clinical Investigations: Questions and Answers, Final, 2023 (FDA)
“FDA recommends that at the protocol design stage, sponsors identify the critical data and processes necessary for human subject protection and maintaining data integrity for the investigation. Once these are identified, sponsors should perform a risk assessment and determine whether risks to critical data and processes may be mitigated through revisions to the protocol and investigational plans.
When risks cannot be resolved through such revisions, sponsors should determine how remaining critical risks will be identified, tracked, and managed via the sponsors’ monitoring plan or related study oversight plans during the conduct of the investigation. Such efforts to build quality into the design and execution of clinical investigations should be informed by representative study team members involved with conduct, monitoring, and/or reporting of the investigation. Perspectives from patients within the target population to be recruited for a clinical investigation would also be valuable.”
– Section II (Background), pp. 2-3, A Risk-Based Approach to Monitoring of Clinical Investigations: Questions and Answers, Final, 2023 (FDA)
“Monitoring should be conducted per the pre-established monitoring plan, and important issues identified through monitoring should be addressed as they are identified. Monitoring plans should also include directions for when and to whom important issues identified during monitoring should be escalated. In addition, FDA recommends that monitoring plans provide guidance on when and how to adjust monitoring activities based on observed monitoring findings. For example, when important issues are identified during monitoring of a clinical site, there may be a need to increase the duration or frequency of on-site visits at that site.”
– Section II (Background), p. 3, A Risk-Based Approach to Monitoring of Clinical Investigations: Questions and Answers, Final, 2023 (FDA)
“Monitoring plans should be developed for each investigation based on the risk assessment for that investigation. Monitoring plans should address both study-specific and site-specific risks. Monitoring plans also should be designed to enable the management of anticipated and unanticipated risks. As stated earlier, sponsors are encouraged to develop risk-based monitoring plans that emphasize critical risks with the greatest potential to adversely affect investigation quality, including (1) the rights, safety, and welfare of participants in a clinical investigation; and (2) the collection or analysis of critical clinical data such as safety and efficacy/effectiveness endpoints.”
– Section III.B (Monitoring Plan Content), p. 8, A Risk-Based Approach to Monitoring of Clinical Investigations: Questions and Answers, Final, 2023 (FDA)
“Monitoring activities to be documented should include on-site and remote monitoring of clinical sites and centralized monitoring across clinical sites. Reports of monitoring activities should be provided to appropriate management (including sponsor staff responsible for the conduct and oversight of the clinical investigation) in a timely manner for review and follow-up. In addition, sponsors should inform the clinical investigator of monitoring findings from monitoring activities that are relevant to the clinical investigator’s activities.”
– Section III.C (Follow-Up and Communication of Monitoring Results), pp. 9-10, A Risk-Based Approach to Monitoring of Clinical Investigations: Questions and Answers, Final, 2023 (FDA)
Clinical trials with decentralized elements
Conducting Clinical Trials With Decentralized Elements
Coordination challenges with multiple locations in DCTs.
Variability in data collection across decentralized locations and remote tools.
Challenges in implementing certain statistical approaches in DCTs.
Need for DHTs to be accessible and suitable for all trial participants.
Ensuring compliance with local laws and regulations.
Recommendations
Develop clear protocols for integrating decentralized elements into clinical trials, specifying remote and in-person activities.
Use digital health technologies (DHTs) and electronic systems to streamline data acquisition, informed consent, and investigational product tracking.
Provide training for all stakeholders, including trial personnel, local health care providers, and participants, on decentralized processes.
Implement robust safety monitoring plans to address adverse events in decentralized settings.
Ensure compliance with local and international laws governing telehealth, data privacy, and investigational product use.
Regulatory Considerations
Maintain compliance with FDA requirements under 21 CFR parts 312 and 812 for drug and device trials, respectively.
Document all trial activities and data flows in trial protocols and data management plans, ensuring traceability and integrity.
Ensure informed consent processes meet FDA standards and provide clear communication to participants about decentralized trial activities and data handling.
Address investigational product accountability by documenting IP distribution, storage, and return or disposal.
Design electronic systems for decentralized trials to comply with 21 CFR part 11 requirements for data reliability, security, and confidentiality.
“The trial protocol should specify how adverse events identified remotely will be evaluated and managed. The protocol should describe how care will be provided for adverse events that require urgent or in-person attention.”
– Section III.B (Remote Clinical Trial Visits and Clinical Trial-Related Activities), p. 7, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“Sponsors must ensure proper monitoring of an investigation. As with any trial, sponsors may use a variety of approaches to monitor DCTs, and the monitoring plan for a trial should be based on the sponsor’s risk assessment. A trial monitoring plan should (1) describe how monitoring will be implemented to assess protocol compliance and data quality and integrity, (2) specify the frequency with which trial records and source documents will be reviewed, and (3) note any unique aspects related to the decentralized elements. FDA recommends risk-based monitoring approaches and the use of centralized monitoring to identify and proactively follow up on missing data, inconsistent data, data outliers, and potential protocol deviations that may be indicative of systemic or significant errors.”
– Section III.D.1 (Roles and Responsibilities — The Sponsor), pp. 8–9, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“Investigators are responsible for the conduct of the DCT and for protecting the rights, safety, and welfare of subjects under their care. Investigators must also maintain accurate records of each subject’s case history… Investigators should review data from other trial personnel and local HCPs, as applicable, and follow up on any data that are missing, concerning, or appear to be in error.”
– Section III.D.2 (The Investigator and Delegation of Trial-Related Activities), p. 9, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“Electronic systems can be used to perform multiple functions to manage DCT operations, including… Tracking IPs that are shipped directly to trial participants… Syncing information recorded by DHTs… Serving as communication tools between trial personnel and trial participants… Training should be provided to all parties (e.g., trial personnel, local HCPs, and trial participants) who are using electronic systems to support the conduct of DCTs.”
– Section III.J (Electronic Systems Used When Conducting DCTs), p. 17, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“If unreasonable and significant safety risks emerge because of use of an IP (e.g., due to remote administration), sponsors must discontinue all or part of the trial presenting the risk… and notify FDA, the IRB, and all investigators who have participated in the trial.”
– Section III.I (Safety Monitoring in DCTs), p. 16, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
“Trial participants should have clear instructions about how to contact trial personnel to report adverse events and to have pertinent questions answered. Trial participants should also be able to arrange for an unscheduled visit with trial personnel using telehealth or an in-person visit, as appropriate.”
– Section III.I (Safety Monitoring in DCTs), p. 18, Conducting Clinical Trials With Decentralized Elements, Final, 2024 (FDA)
Remote data acquisition
Digital Health Technologies for Remote Data Acquisition in Clinical Investigations
There is a need for comprehensive validation and verification processes for DHTs.
Ensuring data security and privacy is a significant concern.
Usability issues for diverse populations need to be addressed.
There is a lack of clarity on whether certain DHTs meet the definition of a device under the FD&C Act.
The guidance does not establish legally enforceable responsibilities.
Recommendations
Ensure DHTs are fit-for-purpose for clinical investigations.
Implement robust data security measures to protect participant information.
Conduct usability evaluations to ensure DHTs can be used by intended populations.
Engage with FDA early to discuss the use of DHTs in clinical investigations.
Develop a risk management plan to address potential issues with DHT use.
Regulatory Considerations
Verification and validation should be addressed regardless of device classification.
Sponsors should ensure compliance with data protection and privacy regulations.
FDA evaluates DHT data based on endpoints, medical products, and patient populations. Sponsors can engage with FDA’s Q-Submission Program for feedback on DHT usage in clinical trials.
Sponsors should understand the legal implications of using DHTs in clinical investigations.
The guidance provides recommendations but does not establish legally enforceable responsibilities.
“Trial participants and trial personnel should be trained on the appropriate use of DHTs. In some situations, it may also be appropriate to provide training to participants’ caregivers. Trial personnel should be trained on responsibilities for data collection and maintenance of trial integrity and quality throughout the investigation. Any training materials should be included as part of the submission.”
– Section IV.H.3 (Training), p. 24, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Develop a safety monitoring plan as part of the protocol that addresses how abnormal measurements related to trial participants’ safety (e.g., hypoglycemia, arrhythmia, apnea) measured by DHTs will be reviewed and managed… The plan should indicate under what circumstances and how trial participants will be informed of abnormal findings detected by the DHT (e.g., critical abnormality alerts). The plan should describe how participants and trial personnel should respond to these findings.”
– Section IV.H.1 (Safety Monitoring), p. 24, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Training should:
- Occur before trial participants or caregivers begin using the DHT to collect data for the purposes of the clinical investigation
- Be scheduled, provided, and documented during the clinical investigation, as appropriate (e.g., if changes or updates alter the way sponsors, clinical investigators, other trial personnel, trial participants, or caregivers interact with the DHT)
- Be available to trial personnel, trial participants, and/or caregivers having difficulty using DHTs during the investigation”
– Section IV.H.3 (Training), p. 25, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Sponsors should consider addressing the following as part of the training for trial participants, caregivers, and/or trial personnel, as appropriate:
- Setting up, activating, and operating DHTs
- …Ensuring the security and privacy of data collected by the DHT
- …Responding to DHT signals, notifications, errors, hardware upgrades, and software updates, including procedures for troubleshooting and instructions for whom to contact for unresolved issues
- Verifying that DHTs are being used appropriately and that data are being collected, uploaded, or synchronized as planned”
– Section IV.H.3 (Training), p. 25, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“The sponsor should… develop a risk management plan to address potential problems trial participants may experience when using a DHT or other technology during a clinical investigation. Potential problems may involve, but are not limited to:
- Clinical and privacy-related risks
- Participants using the DHT incorrectly
- Interference between mobile applications or software functions…
- Loss, damage, and replacement of a DHT…
- DHT malfunction…
- Trial participants upgrading or updating a DHT”
– Section IV.H.1 (Sponsor’s Role) [Other Considerations When Using DHTs], pp. 23–24, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
“Sponsors should plan for unanticipated changes to DHTs or associated technology (e.g., updates needed to resolve a security concern, DHT unavailable due to discontinuation or supply issues) during the clinical investigation… DHT updates and other changes during a clinical investigation may lead to inconsistencies in measurements that can impact the evaluation of the trial outcome. Sponsors should keep a record of the timing and nature of any updates for each DHT.
If a DHT or associated technology… is updated during a clinical investigation (e.g., operating system update), sponsors should ensure that the DHT remains fit-for-purpose… it may be necessary to validate the measurements… after introduction of the update. Significant changes in the measurement after updates may invalidate the results from a clinical investigation.”
– Section IV.H.4 (DHT Updates and Other Changes), pp. 25–26, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations, Final, 2023 (FDA)
When the sDHT is a regulated medical device: Cybersecurity in medical devices
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
Cybersecurity threats in healthcare are increasingly frequent and severe, posing risks to device safety and clinical care.
Many vulnerabilities arise from third-party software components and interconnected device ecosystems.
Legacy devices often lack adequate cybersecurity controls, leading to increased patient and organizational risks.
Cybersecurity risk management processes must integrate safety and security assessments throughout the device lifecycle.
Transparency in device cybersecurity is crucial for enabling safe integration and use by healthcare providers and end users.
Recommendations
Implement a Secure Product Development Framework (SPDF) for comprehensive cybersecurity throughout the product lifecycle.
Include a Software Bill of Materials (SBOM) for all premarket submissions to track software dependencies and vulnerabilities.
Perform robust cybersecurity testing, including penetration testing and vulnerability assessments.
Enhance device labeling with clear cybersecurity-related instructions and risks for users.
Develop a coordinated vulnerability disclosure plan for postmarket cybersecurity management.
Regulatory Considerations
Adherence to 21 CFR Part 820 Quality System regulation requirements, including design controls and risk management.
Compliance with Section 524B of the FD&C Act for cybersecurity of cyber devices.
Submission of SBOMs and detailed security risk management reports for premarket applications.
Provision of cybersecurity information as part of device labeling to prevent misbranding under Section 502 of the FD&C Act.
Integration of security testing and validation as part of the FDA review process.
The device should be able to detect cybersecurity events in a timely manner, which may include monitoring of network traffic, system logs, and/or user activity.
– Appendix 1 (Event Detection and Logging), p. 43, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, 2025 (FDA)
The device should log cybersecurity events, including but not limited to: successful and unsuccessful authentication and authorization attempts, configuration changes, and potential malicious activity.
– Appendix 1 (Event Detection and Logging), p. 43, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, 2025 (FDA)
Audit logs should be preserved to enable forensic analysis and incident response.
– Appendix 1 (Event Detection and Logging), p. 43, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, 2025 (FDA)
The device should provide mechanisms for alerting users or administrators to potential cybersecurity incidents.
– Appendix 1 (Event Detection and Logging), p. 43, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, 2025 (FDA)
Security risk management should be conducted throughout the total product lifecycle (TPLC) of the device. This includes premarket development as well as postmarket monitoring and response.
– Section V.A.6 (TPLC Security Risk Management), p. 18, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, 2025 (FDA)
Artificial Intelligence in Software as a Medical Device (SaMD)
Artificial Intelligence and Machine Learning in Software as a Medical Device
AI/ML technologies offer dynamic learning capabilities but require careful regulation to ensure safety and effectiveness.
The FDA recognizes that traditional regulatory paradigms may not align with the adaptive nature of AI/ML and is developing frameworks to address this.
Guidance documents, such as the AI/ML SaMD Action Plan and predetermined change control plan (PCCP) recommendations, provide a structured approach for handling software updates.
Collaboration across FDA centers (CDRH, CBER, CDER) facilitates consistent regulatory practices for AI/ML across medical products.
Transparency and real-world data integration are key focuses in regulating AI/ML technologies.
Recommendations
Manufacturers should use FDA’s premarket pathways, including 510(k), De Novo, or PMA, for AI/ML-enabled SaMD.
Apply Good Machine Learning Practices (GMLP) during development to ensure algorithm reliability, transparency, and patient safety.
Include a predetermined change control plan (PCCP) in submissions to allow for iterative updates without requiring resubmissions.
Follow lifecycle management practices to maintain AI/ML system performance after deployment.
Engage with FDA early in development to align on appropriate regulatory strategies for novel AI/ML implementations.
Regulatory Considerations
AI/ML-driven SaMD updates may require premarket review, depending on the significance of changes and associated risks.
The FDA has outlined principles for transparency, including clear labeling and documentation of AI/ML system capabilities and limitations.
Guidance documents like the “Good Machine Learning Practice” and “Marketing Submission Recommendations for PCCP” should be followed for compliance.
Collaboration between FDA centers ensures alignment on the use of AI in combination products and broader healthcare applications.
Lifecycle management strategies must account for real-world data to ensure continuous learning and safe AI/ML system updates.
“Numerous stakeholders have expressed the unique challenges of labeling for AI/ML-based devices and the need for manufacturers to clearly describe the data that were used to train the algorithm, the relevance of its inputs, the logic it employs (when possible), the role intended to be served by its output, and the evidence of the device’s performance.”
– Section 3 (Patient-Centered Approach Incorporating Transparency to Users), p. 4, Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan, 2021 (FDA)
“The Agency is committed to supporting a patient-centered approach including the need for a manufacturer’s transparency to users about the functioning of AI/ML-based devices to ensure that users understand the benefits, risks, and limitations of these devices.”
– Section 3 (Patient-Centered Approach Incorporating Transparency to Users), p. 4, Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan, 2021 (FDA)
“The Agency acknowledges that AI/ML-based devices have unique considerations that necessitate a proactive patient-centered approach to their development and utilization that takes into account issues including usability, equity, trust, and accountability.”
– Section 3 (Patient-Centered Approach Incorporating Transparency to Users), p. 4, Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan, 2021 (FDA)
“Promoting transparency is a key aspect of a patient-centered approach, and we believe this is especially important for AI/ML-based medical devices, which may learn and change over time, and which may incorporate algorithms exhibiting a degree of opacity.”
– Section 3 (Patient-Centered Approach Incorporating Transparency to Users), p. 4, Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan, 2021 (FDA)