The updated version “Guideline on computerised systems and electronic data in clinical trials” will be effectivce September 2023.
Keywords: Computerised systems, electronic data, validation, audit trail, user
management, security, electronic clinical outcome assessment
(eCOA), interactive response technology (IRT), case report form
(CRF), electronic signatures, artificial intelligence (AI)
6.7. Cloud solutions
Irrespective whether a computerised system is installed at the premises of the sponsor, investigator, another party involved in the trial or whether it is made available by a service provider as a cloud
solution, the requirements in this guideline are applicable. There are, however, specific points to be
considered as described below.
Cloud solutions cover a wide variety of services related to the computerised systems used in clinical
trials. These can range from Infrastructure as a Service (IaaS) over Platform as a Service (PaaS) to Software as a Service (SaaS). It is common for these services that they provide the responsible party
on-demand availability of computerised system resources over the internet, without having the need or
even the possibility to directly manage these services.
If a cloud solution is used, the responsible party should ensure that the service provider providing the
cloud is qualified.
When using cloud computing, the responsible parties are at a certain risk, because many services are managed less visibly by the cloud provider.
Contractual obligations with the cloud solution provider should be detailed and explicit and refer to all
ICH E6 relevant topics and to all relevant legal requirements (see Annex 1).
Data jurisdiction may be complex given the nature of cloud solutions and services being shared over
several sites, countries, and continents; however, any uncertainties should be addressed and solved by
contractual obligations prior to the use of a cloud solution.
If the responsible party choses to perform their own validation of the computerised system, the cloud
provider should make a test environment available that is identical to the production environment.
The investigator and sponsor should be aware of the required retention periods for clinical trial data and
essential documents, including metadata. Retention periods should respect the data protection principle
of storage limitation. An inventory of all essential data and documents and corresponding retention
periods should be maintained. It should be clearly defined which data are related to each clinical trial
activity and where this record is located and who has access/edit rights to the document. Security
controls should be in place to ensure data confidentiality, integrity, and availability.
It should be ensured that the file and any software required (depending on the media used for storage)
remain accessible, throughout the retention period. This could imply e.g. migration of data (see
Suitable archiving systems should be in place to safeguard data integrity for the periods established by
the regulatory requirements including those in any of the regions where the data may be used for
regulatory submissions, and not just those of the country where the data are generated.
Source documents and data should always be available when needed to authorised individuals to meet
their regulatory obligations. Please refer to section 4.11 direct access.
Data should be maintained in a secure manner and should only be transferred between different
(physical) locations in a validated process. Data should be archived in a read-only state.
Appropriate archiving should be in place to ensure long term readability, reliability, retrievability of
electronic data (and metadata), in line with regulatory retention requirements. Please also refer to
section 6.11. Requirements for the retention of clinical trial data and documents are frequently different
from requirements for other data and documents held by the investigators. It should be ensured that
there is no premature destruction of clinical trial data in case of e.g. institution relocation or closure. It
is the responsibility of the sponsor to inform the hospital, institution or practice as to when these
documents will no longer need to be retained.
There are specific requirements for backup, etc. of electronic data, which can be seen in section 6.8 and
which are equally applicable to research institutions. Please also refer to the guideline on the content,
management and archiving of the clinical trial master file (paper and/or electronic) EMA/INS/GCP/856758/2018.
The total of activities, processes, roles, policies, and standards used to manage and control the data
during the entire data life cycle, while adhering to ALCOA++ principles (see section 4.5.).
Data life cycle
All processes related to the creating, recording, processing, reviewing, changing, analysing, reporting,
transferring, storing, migrating, archiving, retrieving, and deleting of data.