In recent years, regulatory agencies have placed renewed emphasis on data integrity in clinical trials, bringing clinical practice and data management more closely in line with the well-established expectations seen in manufacturing environments.
As the use of computerized systems in clinical research and trial management expands, particularly in decentralized and digitally enabled trials, sponsors and clinical teams are being asked to demonstrate greater transparency and control over the full lifecycle of electronic data.
This article explores the growing focus on data integrity in good clinical practice (GCP), and how regulatory guidance is evolving to support a risk-based, system-lifecycle approach to computerized systems in clinical settings.
As clinical data becomes more digital and distributed, it must still meet foundational principles of integrity, traceability, and accountability. Agencies like the FDA, EMA, and bodies such as the ICH are updating and aligning their guidance to reflect these expectations, particularly around the use of electronic systems, cloud platforms, and emerging technologies such as artificial intelligence and digital health tools.
In 2024, the FDA issued an updated Questions and Answers Guidance on the use of electronic systems in clinical investigations [1]. While reaffirming a pragmatic interpretation of 21 CFR Part 11, with a focus instead on the underlying predicate rules, the guidance underscores the need for sponsors to document the systems used in each study and the system requirements as they map the flow of clinical data from initial capture through to archival. Importantly, sponsors are encouraged to adopt a risk-based approach to system lifecycle management, including scaled validation, oversight, and controls based on the criticality of the data and the role of the system in the trial.
Similarly, the EMA’s 2023 guideline on computerized systems in clinical trials [2] provides a detailed framework for evaluating data integrity across the data lifecycle. It calls for structured inventories of systems, specified system requirements, validated systems, and appropriate periodic reviews. Guided by ALCOA++ principles, it specifies documentation of data storage locations and the use of electronic signatures, segregation of duties, audit trails, and the management and control of certified copies (the certification process should verify that the copy preserves the data integrity of the original, including relevant metadata). A key requirement is that sponsors and investigators maintain direct, read-only access to electronic records, even after system decommissioning, to support inspections for the retention period. Additionally, sponsors must maintain oversight and ultimate responsibility for all computerized systems used in clinical trials, including those managed by vendors/CROs.
ICH E6(R3) guidance on good clinical practice [3], currently in draft, adds further emphasis on data governance. It suggests that all systems used in clinical trials—whether provided by the sponsor or investigator site—should be assessed for fitness for purpose, and that responsibilities across parties must be clearly defined and documented.
What emerges from these updates is a growing alignment between clinical and manufacturing system expectations. In good manufacturing practice (GMP), computerized systems have long been subject to lifecycle validation, change management, and regular review. The manufacturing sector has benefitted from a standardized interpretation of guidance such as ISPE’s GAMP 5 [4], which supports a structured, risk-based approach to validation.
By contrast, clinical systems are developed and deployed on a trial-by-trial basis and have historically lacked the same level of formality in validation and oversight. However, as clinical research becomes more reliant on electronic platforms for data capture, monitoring, and analysis, the expectations are aligning with those of other regulated systems.
The 2024 edition of the ISPE GAMP Good Practice Guide: Validation and Compliance of Computerized GCP Systems [5] bridges this gap directly. It adapts the GAMP 5 principles to the GCP environment, recognizing the specific challenges posed by decentralized teams, short study timelines, and third-party technologies such as ePRO, EDC, and IRT systems.
The guide introduces a layered model to address both platform and trial-specific system configurations. It distinguishes between shared infrastructure, validated system architectures, and the unique configurations required for each clinical trial. This layered view helps sponsors and vendors determine where to focus validation efforts and how to manage systems that serve both clinical and non-clinical functions.
Another notable development addressed in the GAMP GCP guide is the increasing use of data science techniques and artificial intelligence (AI) / machine learning (ML) within clinical trials. These technologies are being explored for a wide range of applications—from recruitment and eligibility screening, to event adjudication, safety signal detection, and real-world data integration.
While these tools offer exciting opportunities to improve efficiency and insight generation, they also introduce new risks. The GAMP guide emphasizes that AI/ML systems used in clinical contexts must still meet traditional expectations for validation and oversight, with additional considerations for model development and data fairness.
This includes:
Risk-based validation principles remain applicable, and systems that influence critical trial outcomes or participant safety will require a higher degree of control and documentation, regardless of whether they are powered by deterministic logic or adaptive algorithms.
Sponsors and clinical IT teams are encouraged to adopt structured approaches to system classification, validation, and oversight. An effective first step is to develop a complete catalog of all systems involved in clinical trials, clearly distinguishing between those specifically designed for trial operations and those that support trial activities incidentally.
For example, systems such as EDC platforms or electronic informed consent solutions, developed specifically to support regulatory trials, typically require full validation under GxP standards. In contrast, systems like electronic health records or imaging platforms may require additional assessment if they are considered sources of trial-critical data. Sponsors should assess these systems for their role as "eSource" and determine appropriate controls based on the relevance of the data they handle.
Oversight of service providers and vendors is also a key theme. Whether a system is hosted internally or delivered via Software-as-a-Service (SaaS), regulatory guidance emphasizes the need for documented roles, change control, and data ownership across parties. Contracts and agreements should clarify who is responsible for validation activities, audit support, access controls, data ownership and data retention, including after system retirement.
Periodic review of validated systems is also a growing expectation. Changes in infrastructure, software updates, or evolving regulations may require systems to be reassessed to ensure they remain in a validated state throughout their operational lifecycle.
The current regulatory trajectory suggests a growing expectation that GCP environments adopt the same level of maturity in system governance as their GMP counterparts. Clinical trial systems typically operate with time-bound, multi-party data, while manufacturing data are continuous and centralized, but the fundamental principles of risk-based validation, data integrity, and documented oversight can remain consistent.
Sponsors, CROs, and clinical technology providers are encouraged to view their systems through this broader lens. Applying consistent standards across clinical and manufacturing domains can reduce compliance risk, improve inspection readiness, and strengthen data quality across the product lifecycle.
As life sciences organizations continue to pursue digital transformation in both R&D and manufacturing, a unified approach to GxP compliance—grounded in shared principles and tailored to context—offers a scalable and sustainable path forward.
References: