EMA Guideline on Computerised Systems and Electronic Data in Clinical Trials
04 Jul 2023
Lambda Therapeutic Research acknowledges the release of the European Medicines Agency - Good Clinical Practice Inspectors Working Group (GCP IWG)'s 'Guideline on computerised systems and electronic data in clinical trials' (EMA/INS/GCP/112288/2023), on March 7th, 2023, to come into effect six months after publication. This guideline replaces the 'Reflection paper on expectations for electronic source data and data transcribed to electronic data collection tools in clinical trials' (EMA/INS/GCP/454280/2010).
Computerised systems are increasingly being used in clinical research. The complexity of these systems has rapidly evolved in recent years, from electronic case report forms (eCRF) and electronic patient-reported outcomes (ePROs) to various wearable devices used for continuous monitoring of trial participants. This evolution also includes the use of artificial intelligence (AI). Consequently, there is a need to provide guidance to all stakeholders involved in clinical trials, reflecting these changes in data types and trial methodologies, to ensure the quality and reliability of trial data, as well as the rights, dignity, safety, and well-being of the participants.
This guideline will describe some generally applicable principles and provide definitions of key concepts. It will also cover the requirements and expectations for computerised systems, including validation, user management, security, and the handling of electronic data throughout its life cycle.
The scope of this guideline encompasses computerised systems (including instruments, software, and 'as a service' solutions) used in the creation and capture of electronic clinical data, as well as the control of other processes that have the potential to affect participant protection and the reliability of trial data. This applies to clinical trials involving investigational medicinal products (IMPs). All electronic data should adhere to the ALCOA principle.
This includes, but is not limited to, the following:
- Electronic medical records
- Electronic devices used by clinicians to collect data (e.g., mobile devices supplied to clinicians)
- Data capture for trial participants, such as biometrics (e.g., wearables or sensors)
- Electronic case report forms (eCRFs)
- Data capture related to the transit and storage temperatures for investigational medicinal products (IMPs) or clinical samples.
- Data capture, generation, handling, or storage in a clinical environment where analysis, tests, scans, imaging, evaluations, etc., involving trial participants or samples from trial participants are performed in support of clinical trials (e.g., LC-MS/MS systems, medical imaging, and related software)
- Electronic trial master files (e-TMFs) used to maintain and archive essential clinical trial documentation.
- Electronic informed consent for providing information and/or capturing informed consent when allowed by national legislation.
- Interactive Response Technologies (IRT) used for the management of randomisation, supply, and receipt of IMP (e.g., via a web-based application)
- Portals or other systems used for supplying information from the sponsor to the sites or from the sponsor or site to adjudication committees and others.
- Systems/tools used to conduct remote activities such as monitoring or auditing.
While there is already much information and guidance available for electronic and computerised data, this guideline will focus solely on computerised systems. It describes the requirements for validation, user management, and information technology (IT) security.
Description of Systems
The responsible party should maintain a list of physical and logical locations of the data, such as servers, as well as the functionality and operational responsibility for computerised systems and databases used in a clinical trial. An assessment of their fitness for purpose should also be included. In cases where multiple computerised systems/databases are used, there should be a clear overview available to understand the extent of computerisation. System interfaces should be described, defining how the systems interact, including validation status, methods used, and security measures implemented.
Documented procedures should be in place to ensure the correct use of computerised systems. These procedures should be controlled and maintained by the responsible party.
All individuals involved in conducting a clinical trial should be qualified through education, training, and experience to perform their respective tasks. This also applies to training on computerised systems. Systems and training should be designed to meet the specific needs of system users, such as sponsors, investigators, or service providers. Special consideration should be given to the training of trial participants when they are system users.
Training on the relevant aspects of legislation and guidelines should be provided to those involved in developing, coding, building, and managing trial-specific computerised systems. This includes individuals employed at a service provider supplying eCRF, IRT, ePRO, and the trial-specific configuration, customization, and management of the system during the clinical trial. All training should be documented, and the records retained and made available for monitoring, auditing, and inspections.
Security and Access Control
To maintain data integrity and protect the rights of trial participants, computerised systems used in clinical trials should have security processes and features to prevent unauthorized access and unwarranted data changes. The blinding of treatment allocation, where applicable, should also be maintained.
Checks should be implemented to ensure that only authorized individuals have access to the system and that they are granted appropriate permissions (e.g., the ability to enter or modify data). Records of authorized access to the systems, along with the respective levels of access, should be clearly documented. The system should also record changes to user roles, access rights, and permissions.
Training on the importance of security, including the need to protect passwords and keep them confidential, should be documented. Additionally, there should be enforcement of security systems and processes, identification and handling of security incidents, prevention of social engineering and phishing.
Accurate and unambiguous date and time information, given in coordinated universal time (UTC) or time and time zone (set by an external standard), should be automatically captured. Users should not be able to modify the date, time, and time zone on the device used for data entry when this information is captured by the computerised system and used as a timestamp.
For each trial, it should be identified which electronic data and records will be collected, modified, imported, and exported, as well as how they will be archived, retrieved, and transmitted. Electronic source data, including the audit trail, should be directly accessible by investigators, monitors, auditors, and inspectors without compromising the confidentiality of participants' identities.
Data Capture and Location
The primary goal of data capture is to collect all data required by the protocol. All relevant observations should be documented in a timely manner. The location of all source data should be specified prior to the start of the trial and updated during the trial, as applicable.
Source data collected on paper (e.g., worksheets, paper CRFs, diaries, or questionnaires) need to be transcribed manually or using a validated entry tool into the electronic data collection (EDC) system or database(s). In the case of manual transcription, risk-based methods should be implemented to ensure the quality of the transcribed data (e.g., double data entry and/or data monitoring).
Trial data are regularly transferred between systems. The process for file and data transfer needs to be validated and ensure data and file integrity for all transfers. Data collected from external sources and transferred over open networks should be protected from unwarranted changes and secured/encrypted to prevent the disclosure of confidential information. All transfers needed during the conduct of a clinical trial should be pre-specified.
Validation of transfer should include appropriate challenging test sets and ensure that the process is available and functioning at the start of the clinical trial (e.g., to enable ongoing sponsor review of diary data, lab data, or adverse events by safety committees). Data transcribed or extracted from electronic sources, along with their associated audit trails, should be continuously accessible according to delegated roles and corresponding access rights. Adequate considerations should be made for the transfer of source data and records when the original data or file are not maintained, in order to prevent the loss of data and metadata.
Direct data capture can be performed using electronic data input devices and applications such as electronic diaries, questionnaires, and eCRFs for direct data entry. When treatment-related pertinent information is captured first in a direct data capture tool, such as a trial participant diary, a PRO form, or a special questionnaire, a documented procedure should exist to transfer or transcribe the information into the medical record when relevant.
Direct data capture can also be achieved using automated devices such as wearables or laboratory or other technical equipment (e.g., medical imaging, electrocardiography equipment) that are directly linked to a data acquisition tool. Such data should be accompanied by metadata concerning the device used (e.g., device version, device identifiers, firmware version, last calibration, data originator, timestamp of events).
Computerised systems should validate manual and automatic data inputs to ensure adherence to a predefined set of validation criteria. Edit checks should be relevant to the protocol and developed and revised as needed. They should be validated, and the implementation of individual edit checks should be controlled and documented. If edit checks are paused at any time during the trial, this should be documented and justified. Edit checks can be run immediately at data entry, automatically during defined intervals (e.g., daily), or manually.
Approaches for edit checks should be guided by necessity, avoiding bias, and ensuring traceability when data are changed as a result of an edit check notification. The sponsor should not make automatic or manual changes to data entered by the investigator or trial participants unless authorized by the investigator.
In conclusion, the EMA guideline on computerized systems and electronic data in clinical trials provides essential principles and requirements to ensure the quality, reliability, and security of trial data while safeguarding the rights and well-being of participants. Adhering to these guidelines enhances the efficiency and integrity of computerized systems, promoting advancements in medical research and the development of safe and effective treatments. Read the guidelines here.