Findings
FDA considers electronic records and signatures to be equivalent to paper records and handwritten signatures when they meet the requirements of 21 CFR part 11. Advances in technology, including Digital Health Technologies (DHTs) and cloud computing, necessitate updated guidance on ensuring the authenticity, integrity, and confidentiality of electronic data in clinical investigations. Records submitted to the FDA under predicate rules (e.g., marketing applications) are subject to part 11. FDA does not intend to assess the compliance of external Real-World Data (RWD) sources like Electronic Health Record (EHR) systems with part 11, but the sponsor remains responsible for the quality and integrity of all submitted data.

Recommendations
Risk-Based Validation: Regulated entities should use a risk-based approach to validation for all electronic systems deployed, proportionate to the risks to participant safety and reliability of trial results. Validation must cover system functionality, trial-specific configurations, customizations, and interoperability.
Data Retention & Audit Trails: Electronic records must be retained for the applicable period in a secure and traceable manner. Audit trails must capture all changes (old/new value, user ID, date/time) and should be protected from modification.
Security & Access Controls: Logical and physical access controls (e.g., strong login credentials, multi-factor authentication) must limit system access to authorized users based on a documented risk assessment. Security safeguards (e.g., encryption, antivirus) must be in place to protect data at rest and in transit.
DHT Use: DHTs should be selected and validated to be fit for purpose. The data originator (person, system, or DHT itself) must be associated with every data element as part of the audit trail. The final location of source data for inspection is the durable electronic data repository, not the individual DHT.
Outsourcing: Regulated entities must have a written agreement with IT service providers (including for cloud computing) detailing roles, responsibilities, and the service provider's ability to provide data integrity and security safeguards. The sponsor must maintain oversight.

Regulatory Considerations
FDA does not certify electronic systems or signature methods; they are evaluated during inspection. Users of electronic signatures must submit a letter of non-repudiation to the FDA certifying that the electronic signature is the legally binding equivalent of a handwritten signature. Security breaches impacting participant safety or privacy should be reported to the IRB and FDA in a timely manner.

Findings
The FDA considers electronic records and signatures equivalent to their paper counterparts when they meet the requirements of 21 CFR Part 11. Due to technological advances, electronic systems and digital health technologies (DHTs) are now integral to clinical trials, requiring a modern, risk-based approach to ensure data integrity. Sponsors remain ultimately responsible for the quality and integrity of all data submitted, even when using third-party IT service providers or data from real-world sources like EHRs. The authenticity, integrity, and confidentiality of electronic data are paramount and must be maintained through robust system controls throughout the data lifecycle.

Recommendations
Regulated entities should use a justified and documented risk-based approach to validate all electronic systems before and during a clinical trial, with the level of validation depending on the system's potential to impact participant safety and trial result reliability. Secure, computer-generated, time-stamped audit trails must be implemented to track the creation, modification, and deletion of all electronic records without obscuring original data. Robust logical and physical access controls are necessary to limit system access to authorized individuals. Entities should have written agreements with IT service providers that clearly define roles, responsibilities, and procedures for ensuring data security and long-term retention.

Regulatory Considerations
The requirements of 21 CFR Part 11 apply to all electronic records created, modified, or submitted to the FDA under predicate rules for clinical investigations, including those from foreign sites under an IND or IDE. While the FDA does not intend to assess the Part 11 compliance of external source systems like EHRs, data becomes subject to these regulations once transferred into the sponsor's electronic system. During inspections, the FDA will focus on system validation, data handling procedures, security protocols, audit trails, and documentation of sponsor oversight. Users must certify to the FDA that their electronic signatures are the legally binding equivalent of handwritten signatures.

Findings
Regulatory frameworks differ across regions, with the FDA focusing on digital health technologies and the EU emphasizing digital methodologies under MDR.
Determining whether a DHT qualifies as a medical device depends on its intended use and functionality, necessitating region-specific evaluations.
Health authority engagement can occur through FDA pathways like Critical Path Innovation Meetings (CPIM) and EMA’s Innovation Task Force (ITF).
Verification and validation of DHTs are crucial to ensure reliability and compliance with regulatory requirements in clinical trials.
Cybersecurity and compliance with privacy laws, such as GDPR, are mandatory considerations for DHT implementation.

Recommendations
Engage Regulators Early: Utilize FDA, EMA, or MHRA pathways (e.g., CPIM, ITF) during early development to align on requirements and mitigate risks.
Conduct thorough assessments to determine if a DHT qualifies as a medical device under regional regulations.
Implement robust validation and verification processes to confirm that DHTs are fit-for-purpose in clinical investigations.
Ensure compliance with GDPR, HIPAA, and other relevant data protection standards to safeguard patient information.
Adhere to GCP guidelines, including the ALCOA+ principles, to maintain data credibility and patient safety throughout the trial.

Regulatory Considerations
FDA Regulations: Evaluate DHTs under the FDA’s framework for medical devices, including exemptions under 21 CFR Part 812 and the Digital Health Software Precertification Program.
EU MDR/IVDR: Comply with MDR for medical devices and IVDR for in-vitro diagnostics, ensuring alignment with Annex VIII for software classification.
UK MHRA Guidance: Reference MHRA’s flowcharts for determining if a software qualifies as a medical device and ensure compliance with UK-specific regulatory requirements.
Global Harmonization Efforts: Consider global standards, such as ICH E6 (R2) and GHTF/IMDRF guidelines, to align multinational clinical trials.
Leverage pathways like EMA’s qualification process for novel methodologies and FDA’s DDT qualification program for broader acceptance of digital endpoints.

Findings
Complex clinical trials involve unique challenges in design, operational feasibility, and regulatory compliance, necessitating early engagement with stakeholders.
Master protocols streamline trial processes by integrating shared scientific frameworks across sub-protocols, enhancing efficiency and data integrity.
Bayesian approaches, while promising, require transparency and rigorous validation to ensure robustness in trial outcomes.
The use of biomarkers and related assays in CCTs introduces added complexity, particularly concerning regulatory status and performance validation.
Effective risk-based quality management systems are essential to safeguard participant safety and maintain trial reliability.

Recommendations
Develop clear and detailed master protocols to define the shared framework, communication plans, and statistical methodologies for CCTs.
Employ risk-based quality management strategies, including robust risk assessment and targeted training for site personnel.
Ensure early and continuous engagement with regulators, investigators, and patients to address design complexities and operational challenges.
Pre-specify statistical plans and evaluation frameworks for Bayesian methods, adaptive designs, and biomarker integration.
Establish mechanisms for transparent reporting and management of safety data across sub-protocols while safeguarding trial integrity.

Regulatory Considerations
Adhere to EU CTR and IVD regulations, ensuring compliance in the use of biomarkers, companion diagnostics, and related assays.
Include comprehensive documentation of trial design, including shared frameworks, sub-protocols, and statistical methodologies, in submissions.
Implement robust data governance frameworks to ensure ALCOA++ (attributable, legible, original, accurate, complete, consistent) standards for regulatory submissions.
Plan for periodic reassessment of benefit-risk ratios during the trial, particularly when modifications or new data emerge.
Establish independent Data Monitoring Committees (DMCs) for long-term and complex trials to oversee safety and interim analyses.

Findings
The DTRA Best Practice Evaluation Rubric uses five dimensions to determine if a DCT practice should be considered a "best practice":
Evidence of Success: Requires measurable and demonstrable success using KPIs and tangible outcomes.
Improving Patient Experience: Must address the needs of patients, caregivers, and therapeutic experts, demonstrating improved experience and engagement.
Site Impact: Must consider the implications of adoption and the practical impact on site burden and working practices.
Operational and Technical Feasibility: Ensures operational and technical aspects (including ongoing support, security, integrity, scaling, and reuse) have been fully considered when deploying new technologies.
Regulatory & Ethical Compliance: Requires appropriate consideration of global and local regulations and guidance (e.g., ICH E6/E8, GDPR, HIPAA), including adherence to privacy, consent, and ethical safeguards.

Recommendations
A practice should demonstrate several key factors across the dimensions:
Patient-Centricity: Reduce patient burden by offering the option to reduce physical visits and enable greater patient empowerment and access to information. It should strive to increase the diversity of recruited patients while mitigating bias toward technologically literate patients.
Site Support: Achieve a net reduction in burden for sites, utilizing simple, intuitive technology with minimal, on-demand training. It must provide clarity of fiduciary responsibility and use technology to increase risk-based monitoring without sacrificing data integrity.
Technical Rigor: Have a clear problem statement and a thoroughly defined strategy to mitigate operational and technical risks. It should take a holistic approach and ensure the solution is fit for use for the specific patient population, aligning with data privacy and security standards.

Regulatory Considerations
Practices must ensure compliance with both global and local regulations and Health Authority guidance. Explicit attention must be given to aligning with ICH E6 (Good Clinical Practice) and privacy laws like GDPR and HIPAA. The design must protect stakeholders providing sensitive or personal data with safeguards to ensure ethical safety.

Findings
Vendor selection should assess 13 categories, including General organizational operation and products, Quality Management Principles, Practices of product or service design, Device supply and provisioning, Account provisioning, Study specific materials, Live trial support, Trial closeout activities, Data handling/processing and data flow (GDPs), Device and Data (sensors + raw data) algorithm accessibility, Interoperability/Integration, Validation/Clinical Relevance/standard of documentation, and Cybersecurity. Key aspects to consider include having Validation and verification of the device and algorithm in place, ability to support multiple countries, an established quality management system. Vendors must assure maintained data integrity and quality, and provide evidence of Good Clinical Practice (GCP) compliance. Robust practices in Good manufacturing practice, Good product development practices (for hardware and software, including software lifecycle documentation), and Good scientific practices are required.

Recommendations
Sponsors should engage with vendors early in study design to tailor the technology capabilities and data requirements to patient needs and preferences. Vendors are typically responsible for device verification and analytical validation, but collaboration with sponsors and other stakeholders on clinical validation is beneficial to establish validation thresholds, specific needs of target clinical populations, and acceptability and usability of the technology. Sponsors should enable a feedback loop from patients back to vendors to improve technology for specific target populations. Sponsors or researchers should prioritize access to high-fidelity and sensor-level data to enable novel research and assessment of additional health aspects. Specific inquiries for vendors should cover: measurements offered (Accelerometry output for scratch detection, sleep measurement, environmental factors, and vitals), device material and safety testing (irritation/sensitization), usability/patient burden (e.g., disturbance during sleep), and applicability to Pediatrics, different ethnic groups, and different skin colors.

Regulatory Considerations
For software development, vendors should document and monitor the software lifecycle for quality, and demonstrate that algorithms have been tested with appropriate datasets. Assurances of GCP compliance are necessary. Vendors should demonstrate that their manufacturing practices ensure devices from different batches provide the same result measurements. Collaboration on clinical validation with sponsors and other stakeholders is a key component to generate the necessary evidence for the Validation/Clinical Relevance/standard of documentation requirement for regulatory purposes.

Findings
Traditional on-site monitoring, which often involves 100% source data verification, is not the most effective way to ensure data quality and can divert resources from more critical activities. A risk-based approach allows for the early identification of potential issues, enabling proactive risk mitigation and improved trial oversight. The successful implementation of RBM requires a cultural shift within organizations, moving from a reactive to a proactive mindset. Collaboration among sponsors, CROs, and sites is essential for the effective adoption of RBM methodologies.

Recommendations
Sponsors should adopt a systematic, risk-based approach to monitoring that is tailored to the specific risks of their clinical trial. This includes conducting a thorough risk assessment during the planning phase to identify critical data and processes. The use of centralized monitoring and advanced analytics should be a core component of any RBM strategy to detect unusual patterns or trends in the data. Training for all stakeholders, including site staff and monitors, is crucial for the successful implementation of RBM.

Regulatory Considerations
Global regulatory agencies, including the FDA, EMA, and Japan's PMDA, have issued guidance that supports and encourages the use of risk-based approaches to monitoring clinical trials. Regulatory submissions should include a description of the RBM methodology used in the trial and a justification for the approach taken. The adoption of RBM is consistent with Good Clinical Practice (GCP) principles, which emphasize a focus on patient safety and data quality.

Findings
The EMA emphasizes early engagement to align on regulatory pathways and qualification processes for DHTs.
Context of Use (CoU) is critical in assessing digital technologies, requiring clear justification for their application in clinical trials.
The selection of digital endpoints must demonstrate clinical relevance, reliability, and sensitivity to change.
Validation of digital biomarkers must include data supporting their relationship to clinical outcomes of interest.
Changes to technology during development require a risk-based management approach to maintain the validity of data.

Recommendations
Begin early consultations with the EMA to determine the most suitable regulatory pathways and to define the Context of Use.
Ensure that qualification submissions provide robust evidence on clinical validity, reliability, and sensitivity to change.
Develop best practice guides for the implementation of digital technologies in clinical trials, including training for users and compliance monitoring.
Use an iterative approach for technology qualification, allowing adjustments based on emerging data and findings.
Provide clear risk management strategies for handling technology updates and assessing their impact on data integrity.

Regulatory Considerations
Adhere to applicable regulations, including the Medical Devices Regulation (MDR) and ISO standards, for technologies used in medicinal product development.
Implement data protection measures compliant with EU regulations, ensuring the integrity and security of sensitive health data.
Submit validation documentation demonstrating compliance with Good Clinical Practice (GCP) and Computer System Validation (CSV) standards.
Incorporate statistical planning aligned with ICH guidelines, including pre-planned analyses for endpoints supported by digital technologies.
Engage with multidisciplinary teams and potentially parallel processes with other regulatory agencies (e.g., FDA, PMDA) for a comprehensive qualification process.

Findings
The EMA emphasizes early engagement to align on regulatory pathways and qualification processes for DHTs.
Context of Use (CoU) is critical in assessing digital technologies, requiring clear justification for their application in clinical trials.
The selection of digital endpoints must demonstrate clinical relevance, reliability, and sensitivity to change.
Validation of digital biomarkers must include data supporting their relationship to clinical outcomes of interest.
Changes to technology during development require a risk-based management approach to maintain the validity of data.

Recommendations
Begin early consultations with the EMA to determine the most suitable regulatory pathways and to define the Context of Use.
Ensure that qualification submissions provide robust evidence on clinical validity, reliability, and sensitivity to change.
Develop best practice guides for the implementation of digital technologies in clinical trials, including training for users and compliance monitoring.
Use an iterative approach for technology qualification, allowing adjustments based on emerging data and findings.
Provide clear risk management strategies for handling technology updates and assessing their impact on data integrity.

Regulatory Considerations
Adhere to applicable regulations, including the Medical Devices Regulation (MDR) and ISO standards, for technologies used in medicinal product development.
Implement data protection measures compliant with EU regulations, ensuring the integrity and security of sensitive health data.
Submit validation documentation demonstrating compliance with Good Clinical Practice (GCP) and Computer System Validation (CSV) standards.
Incorporate statistical planning aligned with ICH guidelines, including pre-planned analyses for endpoints supported by digital technologies.
Engage with multidisciplinary teams and potentially parallel processes with other regulatory agencies (e.g., FDA, PMDA) for a comprehensive qualification process.

Findings
FDA requires OUS clinical investigations to comply with GCP, ensuring the credibility and accuracy of data and protecting human subjects.
Statements on GCP compliance and supporting information are mandatory for OUS data submissions.
Waivers are permitted in circumstances where GCP compliance is unattainable or where local regulations differ significantly from FDA requirements.
Investigations must demonstrate that OUS data are applicable to U.S. populations and medical practices.
Sponsors must provide robust documentation, including investigator qualifications, site descriptions, IEC reviews, and informed consent processes.

Recommendations
Ensure clinical investigations adhere to GCP standards, including IEC review and informed consent, for all OUS clinical data submitted to FDA.
Include detailed supporting information in submissions, such as investigator qualifications, facility descriptions, protocols, and data summaries.
Clearly identify any deviations from GCP and justify how data integrity and subject protection were maintained.
Use FDA’s Pre-Submission Program to discuss potential challenges with GCP compliance or data validation before submission.
Retain all required records for at least two years after FDA’s decision on the application or submission.

Regulatory Considerations
FDA evaluates OUS clinical data on a case-by-case basis, considering the adequacy of GCP compliance and supporting documentation.
For significant risk device investigations, sponsors must provide the most comprehensive documentation, while non-significant risk and exempt devices require less detailed information.
Waivers may be granted when justified by public health considerations or when local laws prohibit compliance with specific FDA requirements.
FDA retains the right to inspect clinical sites or review source documents to validate data integrity and compliance with GCP.
Sponsors must ensure that OUS data are valid and relevant to the U.S. population and medical practice.

Findings:
Challenges in ensuring audit trail visibility for FDA inspections.
Risks of transcription errors when converting paper records into eCRFs.
Limited integration and standardization across electronic health record systems.
Potential security vulnerabilities in electronic signatures and data transmission.
Lack of comprehensive data quality checks in eCRF systems.

Recommendations:
Ensure the use of robust audit trails to track all changes and modifications to electronic source data.
Develop data management plans outlining roles, responsibilities, and data flow processes.
Use automated data capture methods (e.g., direct device transmission to eCRFs) to minimize errors.
Train clinical investigators and staff on maintaining accurate records and using eCRF systems.
Establish clear protocols for managing and retaining source data for FDA inspections.

Regulatory Considerations:
Compliance with FDA Part 11 regulations on electronic records and electronic signatures.
Retention of original or certified copies of source documents for FDA review.
Access control measures, such as unique logins and passwords, for eCRF systems.
Adherence to data traceability requirements, including data element identifiers.
Use of secure and interoperable systems for transmitting data to the eCRF.

Findings
Emphasizes the importance of DMCs in enhancing trial participant safety.
Highlights the need for DMC independence to prevent bias.
Discusses the historical context and evolution of DMCs in clinical trials.
Notes that not all trials require a formal DMC.

Recommendations
Sponsors should consider establishing a DMC for trials with significant safety concerns.
Ensure DMC independence from sponsors to maintain objectivity.
Limit DMC use to trials where they are most beneficial due to added complexity.
Clearly define roles and responsibilities of all parties involved in trial monitoring.
Develop procedures to assess and manage potential conflicts of interest for DMC members.

Regulatory Considerations
Compliance with FDA regulations on adverse event reporting under 21 CFR 312.32 and 812.150.
Adherence to confidentiality protocols for unblinded data as per 21 CFR 314.126(b)(5).
Use of DMC recommendations to inform protocol changes while minimizing potential bias.
Maintenance of detailed records for DMC meetings and interim analyses for regulatory audits.
Engagement with FDA on early termination of trials or significant protocol changes due to safety concerns.