On 7 April 2020, the European Medicines Agency (EMA) issued a Notice to sponsors on validation and qualification of computerised systems used in clinical trials (Notice). This Notice was developed by the EMA’s GCP Inspectors Working Group (IWG) and the Committee for Medicinal Products for Human Use (CHMP) to highlight for clinical trial sponsors the legal and regulatory requirements which apply to software tools used in the conduct of clinical trials.

In addition, the EMA updated the Answers to Questions 8 and 9 of the Agency’s Q&A on Good Clinical Practice (GCP) (GCP Q&A) in line with the Notice.


As acknowledged in the Notice, the use of software tools in the conduct of clinical trials is a very common practice and will further increase in the future. These tools are used in most aspects of trial conduct, including patient data collection and recording, collection and reporting of safety information and clinical trial management. The use of software tools has, however, significant implications for GCP compliance of the clinical trial and the integrity, reliability and robustness of clinical data.

The publication of the Notice is triggered by the findings of recent GCP inspections of clinical trials which generated clinical data supporting applications for marketing authorisation submitted to the EMA. The inspectors identified issues related to the validation and qualification of software undermining the integrity, reliability and robustness of the generated clinical data and, ultimately, the acceptability of this data in support of applications for marketing authorisation.

EMA considered, therefore, that there is a need to highlight to sponsors what are the requirements for validation of software tools used in the conduct of clinical trials.

This issue has already been a subject of discussions between the competent authorities, sponsors of clinical trials and software vendors in the past. For example, the UK’s Medicines and Healthcare products Regulatory Agency (MHRA) has been very concerned about how the use of software tools has an impact on the validity of clinical trial data. In the second half of 2019, the MHRA held teleconference and roundtable discussions with software vendors to discuss what can be done to ensure that the software tools used in clinical trials comply with the regulatory requirements and are fit for purpose. The MHRA has not published the outcome or conclusion of these roundtable discussions.

The Notice

The Notice highlights the relevant provisions of EU law that are relevant for GCP compliance of software tools used in clinical trials and the inspection powers of the EMA and the EU Member States’ competent authorities.

The Notice insists on the fact that, while a clinical trial sponsor may delegate any of the trial-related activities to a third party, the sponsor remains responsible to ensure that the clinical trial is conducted in accordance with GCP and the applicable EU legislation. This includes the requirement for the clinical trial data to be recorded, handled and stored in a way that ensures its robustness, reliability and integrity.

The Notice highlights in particular the GCP requirements for validation and qualification of computerized systems (Sections 1.65 and 5.5.3 of ICH GCP E6(R2)), recording, handling and storage of clinical data (Section 2.10 of ICH GCP E6(R2)), as well as quality control (Section 2.13 of ICH GCP E6(R2)).

What is validation and qualification?

The term “qualification,” as used in the Notice and the GCP Q&A, relates to the verification of the functionality of the software tools used in the conduct of clinical trials. The term “validation” is used to describe the process of establishing and documenting that the specified requirements applicable to the software tools are consistently fulfilled from design until decommissioning of the system or transition to a new system. The validation must demonstrate that the software tools comply with defined specifications and are operated in accordance with defined procedures by a trained user.

The Notice stresses the importance of documenting the validation and qualification of software tools. Failure to document this and/or to produce the documentation when requested by GCP inspectors may lead to an inspection conclusion that the integrity, reliability and robustness of the clinical data is potentially undermined by the use of non-validated software tools and a recommendation for the CHMP not to rely on this data in support of an application for marketing authorisation. This includes scenarios in which the sponsor was not able to submit the required documents demonstrating the validation and qualification of the software tools due to practical difficulties in producing the documents in a timely manner, vendors’ inability or refusal to cooperate in the GCP inspections or deficiencies in the available documentation.

The above are far from purely hypothetical scenarios and have already occurred. Negative GCP inspection findings in relation to software tools and the reliability, integrity or robustness of clinical data may have significant negative impact on the related application for marketing authorisation and its prospects for success.

What is required from the sponsors?

The Notice and the Q&A GCP highlight that sponsors are required to:

  • validate software tools used in the conduct of clinical trials for compliance with GCP;
  • maintain an audit trail in relation to the clinical data that is recorded, stored and handled using the software tools; and
  • ensure proper access control and security of the clinical data.

More importantly, sponsors must ensure that they are in position to “provide adequate documentation of the required qualification and validation activities for computerised data collection tools/software during inspections”. Compliance with this requirement could be a challenge if the software tool is developed by a third-party vendor and the sponsor relies or is dependent on this vendor to generate and present the required documentation.

Practical considerations

The availability of the required validation and qualification documentation and the ability of the sponsor to produce it for review by the GCP inspectors depend in practise on:

  • the level of customisation of the software tools by the vendor (off-the-shelf software vs on-site customised software tools vs cloud solutions hosted by the vendor);
  • which party performs the actual validation and qualification (sponsor, vendor or both); and
  • the contractual obligations of the vendor to provide documentation to the sponsor and cooperate in the context of GCP inspections.

Irrespective of the above, the Notice and the GCP Q&A stress that the obligation to demonstrate the GCP compliance of the software tools and to provide documentary proof of the related validation and qualification to the GCP inspectors lies ultimately with the sponsor.

In light of the above, sponsors should consider the following items.

  1. Ensuring that the contractual agreements with vendors address:
    • the vendors’ obligations in relation to validation and qualification of software tools’ GCP compliance and establishment, maintenance and availability for inspection of the related documentation,
    • sponsors’ audit and verification of vendors’ compliance with these obligations, and
    • GCP inspections of vendors’ facilities.
  2. Assessing what validation and qualification of the software tools was conducted by the vendor and consider the need for additional validation and qualification.
  3. Ensuring that the validation and qualification exercise cover all versions and iterations of the software tools used in the clinical trial and is fully documented.
  4. Putting in place effective contractual obligations and practical mechanisms requiring vendors to provide sponsors in a timely manner with full information and documentation for:
    • assessment of the vendors’ validation and qualification of the software tools,
    • sponsors’ own validation and qualification of the software tools,
    • submission to and inspection by GCP inspectors, and
    • notification of any security issues or breaches relating to the software tools.