Clinical Trial Software Key Regulations and Guidelines

When implementing any software in a regulated environment (such as one subject to pharmaceutical GxP requirements), one should follow a defined set of regulatory documents and guidelines to ensure the transparency of the proposed solutions. Reliable electronic systems protect patients from unsafe or unethical treatments and from delays in the detection of adverse events (AEs). Strict data validation rules, audit trails and security measures minimize the risk of errors that could otherwise invalidate the entire clinical trial upon regulatory body inspection. The ability to demonstrate clear adherence to recognized standards streamlines the review process, reduces the risk of audit findings and overall boosts the chances of a favourable outcome. Audits and inspections can happen at any time, and a well-maintained, controlled environment consistent with guidelines and regulatory documents assures readiness for spontaneous inspections.

Moreover, regulations like FDA’s 21 CFR Part 11 [1] or EMA’s Annex 11 to The Rules Governing Medicinal Products in the European Union [2] are legally binding documents, and non-compliance may damage an institution’s operations, business and reputation.

  • International Council for Harmonisation (ICH) Guidelines

The International Council for Harmonisation (ICH) guideline for good clinical practice (ICH E6(R2), soon E6(R3) [3]) harmonizes the scientific and technical requirements for the registration of medicinal products. It focuses on Good Clinical Practice (GCP), which in turn outlines the quality standards for designing, conducting, recording, monitoring and reporting clinical research on humans. The second revision, ICH E6(R2), introduced guidance on risk-based monitoring, data integrity and sponsor oversight of vendors and systems. The new revision, ICH E6(R3), will emphasise a more modern and flexible approach to quality management, risk proportionality, and technology usage.

Chapter 4.3 of ICH E6(R3) lists the duties of the parties responsible for computerized systems. Importantly, the system should be accompanied by a comprehensive operating procedure to ensure appropriate use of the system for essential activities related to data collection, handling and management. The chapter stresses that personnel must be properly trained and that the system should manage the data in a secured, backed-up way.

An important part of chapter 4.3 concerns validation activities. According to the guideline, the party responsible for the software must implement an approach to validation based on a risk assessment that takes into consideration the intended application of the system. The validation procedures, throughout the lifecycle of the software, should cover system design, its requirements, functionality testing, configuration, release, setup, installation and change control. The responsible party should always be ready to prove the validated state of the software in use, including products developed by third parties, showing that the system behaves as intended and is fit for purpose.

ICH E6 sets the overarching GCP framework that many national regulators follow or adapt. It is not a law, but many national regulatory bodies have adopted it or aligned their regulations with it, and therefore compliance with this document is expected and controlled. If non-compliance is detected, inspections may result in findings, national authority warnings or rejection of trial data, and the non-compliance may jeopardize patient safety and the ethical standards of the study.

  • FDA Regulations - 21 CFR Part 11 – Electronic Records; Electronic Signatures

21 CFR Part 11 of the FDA regulations establishes the criteria required to consider electronic records and signatures reliable and equivalent to paper records. It applies to all systems managing data and documentation for activities regulated by the FDA, including clinical trials.

To be compliant with the FDA, the software in use must be validated, proving accurate and reliable performance, with audit trails enabled and a robust security and authorization concept in place. The software must link electronic signatures to records, requiring two identification components, e.g. a username and a password.

If non-compliance is detected, the FDA can issue a warning letter highlighting the findings, and in the most severe cases it can stop an ongoing trial or reject certain data from FDA reviews and approvals.

  • EMA Requirements (European Union) – EudraLex, Volume 4, Annex 11 – Computerised Systems

EudraLex, Volume 4, Annex 11 – Computerised Systems describes requirements for the systems used in activities regulated by the European Medicines Agency (EMA), including clinical trials.

It states that the party responsible for the system must carry out formal risk management. Annex 11 addresses the entire system life cycle, from user requirement definition to retirement. To be compliant, a supplier assessment must be carried out, and the supplier’s competence and reliability are key factors when selecting a product or a service provider. The regulation focuses strongly on audit trails, system security, backup, and business continuity, requiring system performance, data integrity, and validation status to be reviewed periodically.

Annex 11 of the European law is well aligned with FDA’s 21 CFR Part 11; however, it includes a broader focus on lifecycle activities and vendor management. The American Part 11, on the other hand, focuses heavily on requirements for electronic records and signatures. European Annex 11 is legally binding in the EU for manufacturing and clinical trial data, and both sets of guidelines are commonly referenced globally.

  • Swissmedic - Federal Act on Medicinal Products and Medical Devices & Ordinance on Clinical Trials in Human Research (TPA, ClinO)

The Swiss Therapeutic Products Act (TPA) [4] is a legal framework regulating medicinal products and medical devices in Switzerland, requiring any clinical trial to comply with Good Clinical Practice (GCP) standards. The Ordinance on Clinical Trials in Human Research (ClinO) [5] describes requirements for clinical trial design, conduct and reporting in Switzerland. It requires compliance with ICH GCP principles and provides Swiss-specific provisions on ethical review, safety reporting, and sponsor responsibilities. Notably, in contrast to the FDA and EMA regulations, it does not contain a standalone equivalent of 21 CFR Part 11 or Annex 11, but it still requires study data to be accurate, reliable, and stored securely.

Switzerland has mutual recognition agreements with the EU, and Swissmedic often references or applies equivalent Good Manufacturing Practice (GMP) and Good Laboratory Practice (GLP) guidelines. In general, if Annex 11 requirements are met, the Swiss ones are also satisfied, assuming all local specifics are correctly implemented. For example, documentation may need to be prepared and available in Swiss official languages, and compliance with the national data privacy laws (Federal Act on Data Protection, FADP) [6] must be assured.

Identified non-compliance can lead to critical or major inspection findings, which may require corrective actions or result in partial suspension of a trial if data integrity is compromised. This can delay product approvals or require study phases to be repeated, damaging the organization’s reputation. In case of severe and persistent issues, Swissmedic may even withdraw the clinical trial authorization from the sponsor or a CRO.

  • Good Automated Manufacturing Practice (GAMP 5)

Good Automated Manufacturing Practice (GAMP 5) [7], [8] is an industry best practice widely recognized by regulators for computer system validation (CSV). It outlines a scalable, risk-based approach to compliance of computerized systems in GxP environments, including clinical trials, and introduces a framework known as the “V-model” for the entire system lifecycle. GAMP 5 does not have the force of law (unlike FDA/EMA regulations), but it is important guidance that helps meet regulatory expectations. GAMP 5 constitutes an important standard for software used in commercial business in the pharmaceutical industry, as well as in clinical trials [9], [10], [11], [12].

The second edition of GAMP 5, published in July 2022, recognizes the modern approach to software development, acknowledging its nonlinear and cyclical nature and adapting its approaches to iterative and continuous planning, development, testing and deployment. It emphasizes critical thinking methodology and systematic risk analysis, resulting in informed decisions throughout the development lifecycle.

According to GAMP 5, each computerized system life cycle encompasses four major phases: concept, project, operation and retirement. In the concept phase, early evaluation of the solution is done, including cost-benefit analysis and preliminary requirement development. During the project phase, system development, customization and implementation happen, including supplier selection, specification, testing and release. Risk management done in this phase aims to identify and eliminate potential system-related risks. The operation phase, the longest of the phases, encompasses day-to-day operation of the system by trained personnel following the prepared standard procedures. In this phase, change management plays a crucial role in ensuring smooth operations and adaptation of the software to the changing environment. At the end of its lifecycle, the system enters the retirement phase, which focuses on seamless decommissioning and transition to a new solution.

The Validation Plan lists the activities relevant to the entire validation life cycle of a system, covering software, hardware, and processes to ensure compliance with standards. The User Requirement Specification (URS) documents all requirements needed for the system to be fit for its intended purpose, with unique identifiers to guarantee each function is verified and intact throughout development. Design Qualification (DQ) confirms the system’s design meets GMP expectations, and Installation Qualification (IQ) confirms that the software is properly installed. Operational Qualification (OQ) tests the system’s functionality under normal, day-to-day circumstances, and Performance Qualification (PQ) verifies that it meets required performance standards. The Validation Summary Report compiles all results, while Periodic Reviews help ensure the system remains in its validated state, and thus compliant [13].

  • References:

[1]     “Guidance for Industry Part 11, Electronic Records; Electronic Signatures-Scope and Application,” 2003. [Online]. Available: http://www.fda.gov/cvm/guidance/guidance.html or http://www.fda.gov/cdrh/ggpmain.html or http://www.cfsan.fda.gov/~dms/guidance.html.

[2]     “EudraLex The Rules Governing Medicinal Products in the European Union Volume 4 Good Manufacturing Practice Medicinal Products for Human and Veterinary Use.”

[3]     International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use, “ICH Harmonised Guideline: Guideline for Good Clinical Practice E6(R3).”

[4]     “Federal Act on Medicinal Products and Medical Devices (Therapeutic Products Act, TPA).”

[5]     The Federal Assembly of the Swiss Confederation, “Ordinance on Clinical Trials with the exception of Clinical Trials of Medical Devices.”

[6]     The Federal Assembly of the Swiss Confederation, “Federal Act on Data Protection.”

[7]     GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems. Tampa, Florida: ISPE, 2008.

[8]     F. Pedro, F. Veiga, and F. Mascarenhas-Melo, “Impact of GAMP 5, data integrity and QbD on quality assurance in the pharmaceutical industry: How obvious is it?,” Drug Discov Today, vol. 28, no. 11, p. 103759, Nov. 2023, doi: 10.1016/j.drudis.2023.103759.

[9]     Y. Shin et al., “A Good Practice–Compliant Clinical Trial Imaging Management System for Multicenter Clinical Trials: Development and Validation Study,” JMIR Med Inform, vol. 7, no. 3, p. e14310, Aug. 2019, doi: 10.2196/14310.

[10]   L. Licchetta et al., “TELEmedicine for EPIlepsy Care (TELE-EPIC): protocol of a randomised, open controlled non-inferiority clinical trial,” BMJ Open, vol. 11, no. 12, p. e053980, Dec. 2021, doi: 10.1136/bmjopen-2021-053980.

[11]   Y. Wakabayashi, H. Matsui, K. Ikai, M. Hayashi, H. Wakabayashi, and K. Yamamoto, “Developing a Practical Method for Validation of Computerized Systems Integrated With Smart and/or Wearable Devices for Regulatory Compliance of Clinical Trials,” Ther Innov Regul Sci, vol. 51, no. 1, pp. 118–124, Jan. 2017, doi: 10.1177/2168479016666585.

[12]   S. K. Mørk et al., “Personalized therapy with peptide-based neoantigen vaccine (EVX-01) including a novel adjuvant, CAF®09b, in patients with metastatic melanoma,” Oncoimmunology, vol. 11, no. 1, Dec. 2022, doi: 10.1080/2162402X.2021.2023255.

[13]   J. R. Raja, A. Kella, and D. Narayanasamy, “The Essential Guide to Computer System Validation in the Pharmaceutical Industry,” Cureus, Aug. 2024, doi: 10.7759/cureus.67555.
