Skip to main content

Clinical Trial Computerized Systems Regulation Review

What you need to know about the new FDA and EMA requirements for clinical trial data management and its impact on vendors
Jake Stowe
August 11, 2023
August 9, 2023


The purpose of this regulation review is to summarize and provide commentary on the latest guidance released by the Food and Drug Administration (FDA) and the European Medicines Agency (EMA) for the use of computerized systems in clinical trials. 

On September 7, 2023 the EMA guidance will come into effect.  FDA and EMA harmonize guidances and one can have high confidence that the final FDA guidance will closely align with the final guidance from EMA.  

The communication from EMA is clear with what they expect.  From [3]:

It is not acceptable to use computerised systems in clinical trials for which the validation status is not confirmed or for which appropriate documentation on system validation cannot be made available to GCP inspectors . . . This is irrespective of the number of sponsors making use of or having used the systems, the number of years such systems have been on the market, etc.”


Comparison of Good Manufacturing Practices (GMP) and Clinical Trial Data Management

Regulatory agencies such as the FDA and EMA oversee pharmaceutical manufacturers to ensure the integrity of their manufacturing processes. In the field of clinical trials, these agencies regulate sponsors (defined at article end) and focus on the flow, management, and traceability of data, rather than material.

The agencies are equally concerned about the origin and integrity of data as they are about the origin and integrity of materials in the manufacturing process. Data flows through various computerized systems, similar to manufacturing lines, where it is combined and transformed gradually into the final "product" that supports regulatory decisions.

Just as each step in the manufacturing process undergoes validation, the computerized systems, their links, the connections between them, and the data processing steps in clinical trials must also be validated. In this regulation review, we collectively refer to these elements as the Data Production and Processing System.

Summary of Computerized System Guidances


FDA and EMA scope similar responsibilities, but they emphasize different elements.  FDA emphasizes that any electronic records used to support a regulatory submission are 21 CFR Part 11 compliant.  EMA emphasizes the responsibility of the sponsor to validate the systems used as part of a data production and processing system supporting a clinical trial.  These differences in emphasis ultimately converge on a largely shared regulatory vision. 

Both agencies expect sponsors to assess the risk of their data production and processing system and ensure appropriate validation for high-risk areas. They acknowledge that many sponsors lack the resources and expertise for validation and will rely on vendors. Therefore, they expect sponsors to rely on their vendors for performing validation and will manage them via::

  1. Detailed supplier quality agreements
  2. Qualifying their products with user acceptance testing against formal user requirements
  3. Auditing the vendors and their formal quality systems 

What is considered high risk?

FDA (lines 262 - 276 of [1] direct quote of major bullets):

Considerations when applying a risk-based approach for validation of electronic systems include the following: 

  1. The purpose and significance of the record and the criticality of the data (e.g., how the record and data will be used to support the regulatory decision and/or ensure participant safety). 
  2. The intended use of the electronic system (e.g., used to process records that are essential to the clinical investigation). Validation is critical for electronic systems that are used for activities such as data integration, data analysis, adverse event recording or processing, endpoint evaluation, medical product dispensation, administration, and accountability. 
  3. The nature of the electronic system (e.g., commercial off-the-shelf (COTS) system, customized electronic system).

EMA (section 4.6 of [2], summarized): 

EMA considers the following to be areas of focus for risk assessment:

  1. Risks affecting the “rights, safety and well-being” of participants or the “reliability of the trial results.”
  2. Risks due to the complexity and the criticality of the specific computer system as a component of the overall data production and processing system.  Special care should be taken to understand how users interact with the system.
  3. Risks that affect data integrity based on ALCOA++ principles. 
  4. “Whether the system is used for standard care and safety measurements for participants or if systems are used to generate primary efficacy data that are relied on in e.g. a marketing authorisation application.”
  5. “Systems used for other purposes than what they were developed for, or which are used outside the supplier’s specification/validation are inherently higher risk.”

Agreed areas of focus for validation efforts

The agencies largely align on the main areas of focus that sponsors should be concerned regarding validation:

1. Intended use

  • Of the system itself (Vendor’s responsibility)
  • Of its use in a specific clinical trial (Sponsor’s responsibility) 

2. Data Integrity

  • Audit trails and ALCOA++ (ref. 4.5 in [2])
  • Data backup and retention
  • Security and access control
  • Part 11 (annex 11) signatures. 
  • Data collection interfaces - EMA explicitly states that fields should not be automatically filled in except under specific conditions. 

3. Data Processing

  • Data interoperability mechanisms
  • Data transformation mechanisms

4. Data Protections - GDPR

  • Data jurisdiction
  • Data dignity and compliance 

5. Trial or customer specific configuration

Impact on Vendors to Clinical Trial Sponsors

To comply with these guidances, vendors to clinical trial sponsors should be prepared to:

1. Operate within and maintain a formal quality management system that incorporates risk management, application lifecycle management, and change management.

  • Application lifecycle management and validation decomposition should be based on how the vendor assesses the risks of their product in relation to the integrity of the data production and processing systems of their clients.  If their intended use touches on areas the agencies consider high risk, it would be prudent to embrace a higher level of formality and decomposition.
  • They must run a formal issue tracking and change management process, this is an area of particular concern for regulators.

2. Be audited by sponsors and regulators.  Not only by their clients but also FDA and EMA.  Both agencies may directly audit vendors at their discretion.

3. Be supervised under detailed supplier quality agreements.  For SaaS vendors in particular, these agreements may be complex with respect to data retention and data jurisdiction.  Rapid availability of data for the duration of the retention period is necessary.  EMA also indicates that a test environment equivalent to the configured environment be made available for testing to the sponsor. 

4. Support sponsors in qualifying their products.  Many sponsors are also new to these guidelines, a vendor that is capable of explaining and providing support so that sponsors can meet their regulatory requirements will have a commercial advantage. 

5. Validate particular configurations of their product for specific sponsors or trials. 


These new guidelines present substantial commercial opportunities and risks to vendors of computerized systems for clinical trial data management and processing.

Sophisticated sponsors, such as major pharmaceutical companies, are very conservative with respect to quality and regulatory affairs.  As they represent the most risk within the healthcare system, they are under the most scrutiny by regulatory agencies.  Adverse regulatory findings for major pharmaceutical companies are serious material events that high-ranking executives pay attention to.  Accordingly, QA/RA departments will adjust their auditing posture towards computer system vendors to hedge their risks.  

Vendors who adapt to the new regulatory environment and can advise sponsors on the process of qualifying their systems could gain an enduring competitive advantage over rivals that need to be faster to adapt.  

Vendors who do not adjust adequately to the new environment face the risk of losing the trust of sponsors and their position in the market. 

Definitions of Actors

Sponsor: the entity responsible for funding and orchestrating the clinical trial.  A primary output for them is architecting the data production and processing system.  Sponsors are primarily pharmaceutical companies or major medical institutions. 

Investigator: a doctor or researcher who is participating in the trial.  There may be one or many investigators in a trial depending on the size.  They are important entities in the regulations because they have rights to maintain and access data that is generated by patients under their care while pursuing investigations and making clinical decisions. 

Vendor: third parties, particularly IT vendors, that provide solutions fitting within the data production and processing system.

Regulator: government entities or representatives charged with overseeing the quality of data production and processing systems and the transition of these system artifacts to patient healthcare.

Reviewed Documents

Food and Drug Administration (FDA)

Draft guidance:

[1] Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers

European Medicines Agency (EMA)

Final version - coming into effect September 7, 2023

[2] Guideline on computerised systems and electronic data in clinical trials

[3]Notice to sponsors on validation and qualification of computerised systems used in clinical trials