Follow us on LinkedIn


Thursday 29 July 2021

A general overview of the requirements presented in the new EMA guideline on the use of computerized systems and on the collection of electronic data in clinical trials.

Computerized systems are increasingly used in clinical research. The complexity of these systems and clinical trials themselves has evolved rapidly in recent years, leading to an increase in the use of computerized systems.


The EMA Reflection Paper on expectations for electronic source data and data transcribed to electronic data collection tools in clinical trials has begun to address these issues since its publication in 2010.


The new guideline (currently a draft)Guideline on computerised systems and electronic data in clinical trials aims to assist sponsors, researchers and other parties involved in clinical trials on the use of computerized systems and on the collection of electronic data in clinical trials in compliance with the requirements of current legislation (Directive 2001/20/EC and Directive 2005/28/EC) and of ICH E6 Good Clinical Practice Guideline.
The draft will be available for comment until the end of 2021.


A general and non-exhaustive overview of the requirements presented in the draft of the new guideline is provided below.



  • Data integrity

Failure to maintain data integrity during the envisaged retention period can render the data unusable and is equivalent to the loss or destruction of the data. Lack of data integrity is considered a GCP non-compliance.

  • Responsibility

The roles and responsibilities in clinical trials must be clear. Responsibility for conducting a trial is legally assigned to two parties (the investigators and their institutions, and the sponsors), each of whom may use computer systems to manage trials data.

  • Electronic data and the concept of metadata

Without the context provided by the metadata, the data has no meaning.

  • Source data

The first permanent data obtainable from the electronic generation of data is considered the data source.
This process must be validated to ensure that the data source is representative of the original observation and contains the necessary matadata to ensure ALCOA requirements.

  • ALCOA ++
  • Criticalities and risks

ICH-GCP E6 (R2) introduces the need for a quality management system with a risk-based approach. Risks need to be considered both at the system level and at the specific clinical trial level. Risks related to the use of computerized systems, especially those related to data integrity, must be identified, analyzed and mitigated. The approach used to reduce the risk must be proportionate to the risk.

  • Data collection

The approved clinical trial protocol should specify which data is to be generated / acquired, by whom, when and which tools or procedures are to be used.

  • Electronic signature

Whenever an electronic signature is used in a clinical trial to replace a signature required by GCPs, the functionality of the electronic signature must meet expectations for authentication, non-repudiation, indissoluble linking and time stamping.

  • Data protection

The confidentiality of records that could identify trial participants must be protected by complying with the privacy and confidentiality rules required by regulatory requirements.

  • Validation of computerized systems

All computer systems used in a clinical trial must be subject to a process that confirms compliance with requirements and system performance. Validation should ensure accuracy, reliability and expected performance from design to system decommissioning or transition to a new system. The processes used for validation must be decided by the System Owner (e.g. sponsors, researchers, technical structures) and described on a document.
System Owners must ensure adequate supervision of validation activities and documentation by contractors to ensure that adequate procedures are in place and that these are followed. Documentation must be retained to demonstrate that the system is maintained in the validated state and must be available for both software validation and clinical trial specific configuration validation. Validation of the specific configuration must ensure that the system is consistent with the requirements of the approved clinical trial protocol and that functionality testing is performed.

  • Direct access to computerized systems


The guideline requires:

  • a description of the systems and data allocation, responsibilities, databases used and an assessment of their suitability for the intended purpose
  • written procedures for using the systems
  • training for the use of computerized systems
  • security processes to guarantee data integrity and data protection


For each trial, it is necessary to know which data and electronic records will be collected, modified, imported and exported, archived and their methods of transmission. Electronic data, and corresponding audit trails, must be accessible to investigators, monitors, auditors and inspectors without compromising the confidentiality of the identities of trial participants (ICH-GCP 1.21).

  • Data collection and location

The location of all source data must be specified before the start of the process and kept up to date (ICH-GCP 8.1. Appendix).

  • Transcription from paper to electronic

Original data collected on paper must be transcribed manually or through a validated input tool in the system or database. In case of manual transcription, risk-based methods should be implemented to ensure the quality of the transcribed data.

  • Transfer between electronic systems

Trail data is regularly transferred within the organization and between systems. All file and data transfers must be validated.

  • Direct data acquisition

Direct data acquisition can be performed by automated devices or other technical tools. Such data must always be accompanied by the metadata relating to the device used.

  • Data entry verification

Data entry controls must be validated. Suspension of controls must be documented and justified.



  • Audit trail

In a computerized system, the audit trail must be secure, computer generated, with date and time. The audit trail must be robust and it must not be possible for a normal user to turn it off.

  • Audit trail review

Risk-based audit trail review procedures should be in place and the performance of the data review should be documented. Data review must focus on critical data and be proactive and ongoing.

  • Data signature

Investigators are responsible for the data entered into the systems under their supervision. This data must be reviewed and signed. The signature of the principal investigator and an authorized member of his staff is documented confirmation that the data meet the ALCOA requirements.

  • Copied data

Data can be copied or transcribed for various purposes. If a data is irreversibly replaced by a copy, this must be certified (ICH-GCP 1.63).

  • Certified copies

When creating a certified copy, you need to consider the nature of the original document. The copying process must be based on a validated process.

  • Hosting and data control

All participant data generated during a clinical study should be available to the investigator during and after the study. The sponsor must not have exclusive control of the data entered in a computerized system.

  • Cloud

In case of using a cloud solution, the sponsor (ICH-GCP 5.2.1) and / or the investigator (ICH-GCP 4.2.6) should ensure that the contracting party providing the cloud is qualified (see Annex 4). Data jurisdiction can be complex given the nature of cloud solutions and services shared across different sites, countries and continents; however, any uncertainties should be addressed and resolved through contractual obligations prior to using a cloud solution.
If the manager chooses to perform the computer system qualification himself, the cloud provider should provide a test environment identical to the production environment.

  • Back-up

You need to back up your data and configurations on a regular basis. The use of replicated servers is recommended. Backups should be stored in separate physical locations and logical networks and not behind the same firewall as the original data to avoid simultaneous destruction or alteration. The frequency of backups and their retention should be determined with a risk-based approach.

  • Data migration

It should be ensured that the migration does not adversely affect existing data and metadata. After migration, a check should be performed on the key data.

  • Archiving

The investigator and sponsor should be aware of the required retention periods for clinical trial data and documents. Retention periods must comply with the data protection principle on limitation of retention.

  • Decommissioning

After the trial is completed, the databases can be deactivated. It is recommended to decide the timing of decommissioning taking into consideration, for example, whether or not the clinical trial will be used under the terms of a marketing authorization application in the near future, in which case it could be recommended to keep the databases. A dated and authenticated copy of the databases and data must be archived and available upon request. In the event of decommissioning, the sponsor must ensure that the databases can be restored.


The draft of the new EMA guideline also consists of 5 Annexes that specifically deal with:

  1. Contratti
  2. Validation of computerized systems
  3. User management
  4. Security
  5. Requirements related to specific types of systems, processes and data



Cover designed by @Freepik

Article edited by

Giulia Colombo, Senior Marketing Specialist for Quality Systems



Guideline on computerised systems and electronic data in clinical trials, draft,10 giugno 2021

Ask for a consultancy


 < Back

Adeodata S.r.l.
Via E. Mattei, 2

22070 Bregnano (CO)



Registered office: Via Carducci, 32 — 20123 Milano

VAT Nr. 05617310965    REA 1834791 Milano   PEC

Adeodata SA
Via Calgari, 2

CH 6900 Lugano

IDI CHE-112.203.579

© 2019 Adeodata. All rights reserved.

Designed and developed by Carrara Communication