Software Validation - Clinical Trials



Dear covers,

I am having difficulties in identifying regulatory requirements for validating software that is used in clinical trials.

As a CRO we analyse medical images and calculate some biological parameters using software applications (some internally developed, some from third parties). Pharmaceutical companies typically use our results together with many others during a clinical trial to determine the effectiveness of a drug.

Regarding explicitly to software validation, I believe that 21 CFR 820.70(i) applies to us. Any other regulation (US or EU) we should be aware of?

Are there any Guidance documents for interpretation of the requirements? (e.g. does GAMP 5 applies to us?)

We are trying to draw a line on how deep, which tools and which changes would require which treatment regarding validation, based on the actual requirements and official guidance documents (combined with risk management practices).

Note: I am pretty familiar with the medical device regulations, including the FDA Guidance on the Essential Principles on Software Validation (which technically does not apply to us, although we are using it as a proxy for the moment).

Thank you!
Last edited by a moderator:


Involved In Discussions
I think Essential Principles is a good proxy, but also look into 21 CFR Part 11 for additional requirements for studies your sponsor intends to submit to FDA. There is an accompanying guidance document. I would post a link, but I'm not allowed to yet (post count not high enough). It is easily Google-able.

In combination with the applicable predicate rule (I guess in your case ICH GCP) they tell you what you need to validate for the Agency to consider electronic data and electronic signatures to be trustworthy and equivalent to paper records. They do not tell you how you need to validate; you are free to use GAMP 5 or another approach.

Speaking of Essential Principles, the EU has a similar document, Annex 11, which is GMP-specific. I don't know if there is a GCP-specific document.


Thank you JJ_FDA for your quick response.

Funnily enough part 11 does not apply to us because we provide paper records with handwritten signatures (pharma customers are happy with this).

So far the list of references goes as follows (intended to be updated):
Regarding computerised systems:
* (broken link removed)
Part of Volume 4 of GMP (rules governing medicinal products in the EU)
* (broken link removed) - section 5.4
* 21 CFR 820 - section .70(i)
Part of ICH Quality Guidelines

Regarding electronic signatures:
* 21 CFR 11
* associated FDA Guidance


Involved In Discussions
Are you absolutely sure that Part 11 doesn't apply to you for electronic records?

For example, even if you use paper records, your system may be considered in the scope of Part 11 based on whether they consider you to rely on the electronic record rather than the paper version to do regulated things. This may also be the case if there is information necessary to enable the reconstruction of your study that is in the electronic record but not reproduced in your paper record.

In the first case, consider where there is some data transformation going on (spreadsheet, instrument). I have no idea whether anything in a clinical setting would do this.

In the second case, consider audit trails. Is all of the data captured by the software's audit trail also reproduced in the printouts?

I have found RAMP (Risk Assessment and Management Process): An Approach to Risk-Based Computer System Validation and Part 11 Compliance by Siconolfi and Bishop useful.
Top Bottom