Findings
The rapid advancement of sensor technology and connectivity has enabled high-frequency, longitudinal monitoring of physiological processes, yet the infrastructure for large-scale deployment remains resource-intensive. Current challenges include a lack of standardized terminology for digital decision-making tools and significant variability in environmental factors that affect sensor performance. Proprietary algorithms and device-specific barriers often hinder the verification and validation processes necessary for regulatory approval. Additionally, there is a distinct gap between granular digital features and their clinical relevance or meaningfulness to patients. Ethical concerns are emerging around data management, patient anxiety in psychiatric contexts, and the responsibility for addressing adverse events detected by remote monitoring.

Recommendations
Stakeholders should develop consensus-driven frameworks for standardized device performance reporting and environmental testing to streamline evaluations for specific contexts of use. The community should adopt a modular approach to data standards that bins requirements by concept of interest and disease-specific needs. Collaborative efforts between patients and developers are essential to bridge the gap between technical metrics and meaningful aspects of health. It is recommended to implement ""bring-your-own-device"" (BYOD) frameworks that ensure data reliability while supporting the inevitable evolution of technology during long-term studies. Researchers and clinicians must be trained in the ethical, legal, and social implications of digital health technology use, particularly regarding data privacy and the management of remote-detected safety signals.

Regulatory Considerations
Digital health technologies used to collect endpoints must meet high evidentiary requirements for validation, with complexity increasing when multiple sensors or complex software are bundled. Regulatory agencies like the FDA and EMA have established pathways for the qualification of drug development tools, including biomarkers and clinical outcome assessments. Integration of new draft guidance on remote health monitoring with existing regulatory workflows is necessary to reduce uncertainty in trial evaluations. While many digital health technologies do not qualify as medical devices unless they have a specific medical purpose, synergies between device risk assessments and drug trial data integrity frameworks should be explored. Early engagement with regulators remains a critical step for obtaining feedback on novel digital endpoints and ensuring the suitability of evidentiary support.

Findings
AI-enabled medical devices require robust risk assessment to address data drift, bias, and transparency challenges.
The total product lifecycle (TPLC) approach is essential for managing AI-enabled devices, ensuring continuous oversight and updates.
There is a need for improved standardization in AI model validation and performance monitoring to ensure consistency in regulatory submissions.
Effective data management practices, including dataset representativeness and bias control, are critical for AI model development.
Cybersecurity vulnerabilities in AI-enabled medical devices must be proactively addressed to prevent risks to patient safety and data integrity.

Recommendations
AI-enabled device manufacturers should integrate Good Machine Learning Practice (GMLP) principles throughout the device lifecycle.
Marketing submissions should include comprehensive documentation of AI model development, validation, and performance monitoring.
Developers should implement transparency measures, such as model interpretability and explainability, to enhance user trust and understanding.
AI models must undergo rigorous bias evaluation to ensure equitable performance across diverse patient populations.
A predetermined change control plan (PCCP) should be established to allow safe and effective AI model updates post-market without additional FDA submissions.

Regulatory Considerations
FDA encourages early engagement through the Q-Submission Program for AI-enabled device manufacturers.
Compliance with FDA-recognized consensus standards, such as ANSI/AAMI/ISO 14971 for risk management, is recommended.
AI-enabled devices must meet labeling requirements, ensuring that users clearly understand model inputs, outputs, and performance metrics.
Post-market surveillance and continuous monitoring of AI model performance are necessary to ensure ongoing safety and effectiveness.
Cybersecurity measures must be included in regulatory submissions, detailing safeguards against data breaches and unauthorized model modifications.

Findings
Establishing cross-sector consortia does not guarantee success without a unified objective and stakeholder buy-in. A neutral, independent facilitator is a key element for successful governance in many collaborative platforms. Many consortia lack consistent methods for storing critical data, meeting minutes, and regulatory briefing packages, which creates barriers after project completion. Regulatory success depends heavily on the early development of a strategy that defines the necessary evidence to validate innovative methodologies. Successful examples include the qualification of biomarkers for polycystic kidney disease and type 1 diabetes, as well as imaging measures for Alzheimer’s disease.

Recommendations
Consortium members should develop an initial regulatory strategy during the project scoping and planning phases. Teams must explicitly define the context of use for any proposed tool to articulate exactly what decisions the output will inform. A robust data strategy should be implemented early, including formal agreements for data use, standardization, and sharing that remain in place in perpetuity. Consortia must prioritize sustainability plans to ensure data and active databases remain available for research and regulatory use after funding expires. Projects should integrate regulatory science expertise from the start to cover both EU and US frameworks.

Regulatory Considerations
Regulators require individual patient-level data that is fully curated, standardized, and presented through formal submissions like qualification applications. Formal regulatory endorsement ensures a tool can be trusted for consistent interpretation in drug development and marketing authorization evaluations. Early engagement with agencies such as the FDA and EMA is essential to gain feedback on novel methodologies and align study designs with regulatory expectations. Specific pathways like the EMA Qualification of Novel Methodologies and the FDA Qualification Process for Drug Development Tools should be utilized. Regulatory qualification may require ongoing access to databases to support the long-term use of the methodology.

Findings
Sites must establish effective data privacy and security plans, especially considering regional and global regulations like GDPR.
Risk mitigation is critical, including plans to address unanticipated issues and potential patient disengagement due to technology challenges.
Budgeting and contracting often involve additional considerations, such as storage, training, and technical support requirements for connected devices.
Sites require adequate training to ensure staff and patients are prepared to use connected devices efficiently.
Companion applications or services often play an essential role in device functionality and data transmission.

Recommendations
Develop a clear plan for data pathways, including storage, security, and regulatory compliance.
Establish detailed risk mitigation and management strategies to handle unexpected challenges.
Ensure comprehensive training programs for site staff and patients to enhance device usability.
Incorporate device storage and resource allocation into budgeting and contracting processes.
Facilitate effective communication with sponsors and vendors to resolve operational and technical issues promptly.

Regulatory Considerations
Ensure connected devices comply with CFR 21, Part 11, and other relevant data collection and transmission regulations.
Understand and adhere to local and regional data privacy laws, such as GDPR, when managing patient data.
Verify that appropriate licenses and regulatory approvals are in place for device data transmission and storage.
Assess and address shipping and handling regulations for devices, ensuring safe and compliant transportation.

Findings
Coordination challenges with multiple locations in DCTs.
Variability in data collection across decentralized locations and remote tools.
Challenges in implementing certain statistical approaches in DCTs.
Need for DHTs to be accessible and suitable for all trial participants.
Ensuring compliance with local laws and regulations.

Recommendations
Develop clear protocols for integrating decentralized elements into clinical trials, specifying remote and in-person activities.
Use digital health technologies (DHTs) and electronic systems to streamline data acquisition, informed consent, and investigational product tracking.
Provide training for all stakeholders, including trial personnel, local health care providers, and participants, on decentralized processes.
Implement robust safety monitoring plans to address adverse events in decentralized settings.
Ensure compliance with local and international laws governing telehealth, data privacy, and investigational product use.

Regulatory Considerations
Maintain compliance with FDA requirements under 21 CFR parts 312 and 812 for drug and device trials, respectively.
Document all trial activities and data flows in trial protocols and data management plans, ensuring traceability and integrity.
Ensure informed consent processes meet FDA standards and provide clear communication to participants about decentralized trial activities and data handling.
Address investigational product accountability by documenting IP distribution, storage, and return or disposal.
Design electronic systems for decentralized trials to comply with 21 CFR part 11 requirements for data reliability, security, and confidentiality.

Findings
FDA considers electronic records and signatures to be equivalent to paper records and handwritten signatures when they meet the requirements of 21 CFR part 11. Advances in technology, including Digital Health Technologies (DHTs) and cloud computing, necessitate updated guidance on ensuring the authenticity, integrity, and confidentiality of electronic data in clinical investigations. Records submitted to the FDA under predicate rules (e.g., marketing applications) are subject to part 11. FDA does not intend to assess the compliance of external Real-World Data (RWD) sources like Electronic Health Record (EHR) systems with part 11, but the sponsor remains responsible for the quality and integrity of all submitted data.

Recommendations
Risk-Based Validation: Regulated entities should use a risk-based approach to validation for all electronic systems deployed, proportionate to the risks to participant safety and reliability of trial results. Validation must cover system functionality, trial-specific configurations, customizations, and interoperability.
Data Retention & Audit Trails: Electronic records must be retained for the applicable period in a secure and traceable manner. Audit trails must capture all changes (old/new value, user ID, date/time) and should be protected from modification.
Security & Access Controls: Logical and physical access controls (e.g., strong login credentials, multi-factor authentication) must limit system access to authorized users based on a documented risk assessment. Security safeguards (e.g., encryption, antivirus) must be in place to protect data at rest and in transit.
DHT Use: DHTs should be selected and validated to be fit for purpose. The data originator (person, system, or DHT itself) must be associated with every data element as part of the audit trail. The final location of source data for inspection is the durable electronic data repository, not the individual DHT.
Outsourcing: Regulated entities must have a written agreement with IT service providers (including for cloud computing) detailing roles, responsibilities, and the service provider's ability to provide data integrity and security safeguards. The sponsor must maintain oversight.

Regulatory Considerations
FDA does not certify electronic systems or signature methods; they are evaluated during inspection. Users of electronic signatures must submit a letter of non-repudiation to the FDA certifying that the electronic signature is the legally binding equivalent of a handwritten signature. Security breaches impacting participant safety or privacy should be reported to the IRB and FDA in a timely manner.

Findings
The FDA considers electronic records and signatures equivalent to their paper counterparts when they meet the requirements of 21 CFR Part 11. Due to technological advances, electronic systems and digital health technologies (DHTs) are now integral to clinical trials, requiring a modern, risk-based approach to ensure data integrity. Sponsors remain ultimately responsible for the quality and integrity of all data submitted, even when using third-party IT service providers or data from real-world sources like EHRs. The authenticity, integrity, and confidentiality of electronic data are paramount and must be maintained through robust system controls throughout the data lifecycle.

Recommendations
Regulated entities should use a justified and documented risk-based approach to validate all electronic systems before and during a clinical trial, with the level of validation depending on the system's potential to impact participant safety and trial result reliability. Secure, computer-generated, time-stamped audit trails must be implemented to track the creation, modification, and deletion of all electronic records without obscuring original data. Robust logical and physical access controls are necessary to limit system access to authorized individuals. Entities should have written agreements with IT service providers that clearly define roles, responsibilities, and procedures for ensuring data security and long-term retention.

Regulatory Considerations
The requirements of 21 CFR Part 11 apply to all electronic records created, modified, or submitted to the FDA under predicate rules for clinical investigations, including those from foreign sites under an IND or IDE. While the FDA does not intend to assess the Part 11 compliance of external source systems like EHRs, data becomes subject to these regulations once transferred into the sponsor's electronic system. During inspections, the FDA will focus on system validation, data handling procedures, security protocols, audit trails, and documentation of sponsor oversight. Users must certify to the FDA that their electronic signatures are the legally binding equivalent of handwritten signatures.

Findings
Misclassification of wakefulness during sleep periods and issues with tracking outside main sleep bouts.
Bias in performance evaluation studies due to limited representation of diverse populations.
Hidden complexities in consumer-grade devices related to data access, fees, privacy, and security.

Recommendations
Carefully interpret study results based on wearable sleep-tracking technology data.
Address biases in study populations by including diverse cohorts.
Ensure proper preprocessing of data from consumer-grade devices.
Avoid inserting personally identifiable information in device settings.
Evaluate issues related to specific populations like minors.

Regulatory Considerations
Complexity of privacy laws across different countries.
Need for strategies to protect personal information in device settings.
Consideration of specific population issues, such as minors, in regulatory frameworks.

Findings
There is a lack of alignment in concepts, definitions, and terminology related to digital health technologies, which hinders global drug development programs.
Different regulatory agencies interpret common terms like "monitoring" differently, leading to confusion and inconsistency.
The classification of digital measures impacts evidentiary requirements and regulatory acceptance, but detailed guidance on these requirements is lacking.

Recommendations
Align terminology and definitions across stakeholders to ensure consistency in understanding and communication.
Reuse existing terms where possible to avoid unnecessary complexity.
Focus on what is measured rather than how it is measured to streamline regulatory processes.
Encourage companies and regulators to reflect on and adopt a common lexicon within their organizations.
Move quickly to address critical questions about evidence needed for validation of digital measures.

Regulatory Considerations
Regulatory authorities should apply consistent standards for all endpoints, regardless of data acquisition methods.
The classification of DHTs as medical devices or not will impact their regulatory pathway and requirements.
There is a need for dialogue with regulators to clarify source data requirements for data acquired by DHTs.

Findings
A proactive risk assessment is essential for optimizing study quality by identifying and mitigating risks to human subject protection and data integrity before and during a trial. Monitoring should be comprehensive, addressing not only likely risks identified initially but also less probable, high-impact risks and unanticipated issues that emerge. The effectiveness of a monitoring strategy depends on tailoring its timing, frequency, and methods to study-specific factors like complexity and site experience. Centralized monitoring, as part of a risk-based approach, can detect systemic issues like data omissions or protocol deviations more rapidly than traditional on-site visits alone.

Recommendations
Sponsors should formally document their risk assessment methodologies and ensure these assessments directly inform the creation and revision of monitoring plans. Monitoring plans must be detailed, outlining the study design, specific data sampling strategies, and clear protocols for escalating significant issues. When significant problems are identified, sponsors must conduct a timely root cause analysis and implement corrective and preventive actions. All monitoring activities, findings, and subsequent actions should be thoroughly documented and communicated to sponsor management, clinical site staff, and other relevant parties.

Regulatory Considerations
FDA regulations mandate sponsor oversight and proper monitoring but do not prescribe specific methods, providing the flexibility for sponsors to adopt a risk-based approach. The FDA may request a sponsor's risk assessment and monitoring plan documentation during an inspection. This guidance represents the Agency's current thinking and is nonbinding, allowing sponsors to use alternative approaches if they satisfy regulatory requirements. A key focus of monitoring should be to ensure critical trial processes, such as the maintenance of blinding, are protected to maintain overall data and trial integrity.

Findings
AI-DSFs undergo iterative improvements, necessitating a structured framework for modifications to ensure safety and effectiveness.
PCCPs enable manufacturers to streamline modifications by avoiding repeated marketing submissions, reducing regulatory burden.
Critical elements of a PCCP include data management practices, re-training protocols, performance evaluation, and user update procedures.
Comprehensive risk management and transparency are essential to address potential biases and maintain user trust.
Certain modifications, such as those significantly affecting safety or effectiveness, may still require a new marketing submission.

Recommendations
Structure PCCPs with a clear description of planned modifications, a detailed modification protocol, and a robust impact assessment.
Include methods for data collection, re-training, and performance evaluation aligned with quality system regulations.
Specify user update procedures to communicate changes transparently and ensure safe device use.
Address cybersecurity risks and bias mitigation strategies in modification protocols.
Use the FDA Q-Submission Program to discuss PCCPs prior to submitting marketing applications for AI-DSFs.

Regulatory Considerations
Adherence to 21 CFR Part 820 Quality System Regulations, including design controls and risk management.
PCCPs must include modifications that would otherwise require a PMA supplement or new 510(k) submission.
Modifications implemented under PCCPs must conform to FDA-reviewed protocols and be documented in the device master record.
Transparency to users via device labeling updates and public summaries of authorized PCCPs is required.
Modifications outside the scope of an authorized PCCP or deviations from the protocol require new FDA marketing submissions.

Findings
High rates of missing data in DHTs compared to traditional measures due to technical and software difficulties.
Practical issues such as unfamiliarity with platforms, connectivity difficulties, and lack of data visibility.
Specific technical issues like blocking of websites by firewalls and failed software updates leading to data loss.

Recommendations
Ensure appropriate workforce training for those involved in DHT deployment.
Conduct pilot evaluations in study sites to identify potential issues early.
Improve data visibility at both site and central coordinating team levels.
Implement robust feasibility testing before full-scale deployment.
Co-design DHTs with study staff and patients to enhance usability.

Regulatory Considerations
The FDA requires adequate training, education, and experience for those responsible for data capture using mobile technologies.
Ensure data integrity through oversight responsibilities as recommended by the Clinical Trials Transformation Initiative.