Published on 21/12/2025
Regulatory Strategies and CAPA Framework for IoT and Wearable Devices in Remote Trials
Introduction: Integration of Wearables and IoT in Decentralized Clinical Trials
With the shift towards decentralized clinical trials (DCTs), the use of Internet of Things (IoT) devices and wearable technology has gained widespread acceptance for remote monitoring and real-time data capture. Devices such as smartwatches, biosensors, digital patches, and connected inhalers allow continuous data collection from trial participants outside of traditional clinical settings. However, the integration of these technologies introduces unique compliance risks, especially related to data integrity, validation, patient privacy, and corrective action.
This tutorial article explores how sponsors can implement a CAPA (Corrective and Preventive Action) framework to ensure the compliance and performance of IoT and wearable devices in clinical research. We focus on regulatory expectations from the FDA, EMA, and ICH GCP, and offer practical insights from audit findings and global inspections.
Regulatory Landscape: FDA, EMA, and ICH GCP Perspectives
Regulatory authorities have increasingly recognized the value of wearable devices for continuous data collection. The FDA’s guidance on “Digital Health Technologies for Remote Data Acquisition” (2023) outlines expectations for device validation, cybersecurity, and data management. EMA has
ICH E6(R3) further clarifies that all technology used in clinical trials must be “fit-for-purpose,” and the sponsor is responsible for ensuring that device-generated data are accurate, reliable, and verifiable. Key principles include:
- Pre-use validation and verification of devices under study-specific conditions
- Ongoing calibration and performance monitoring
- Audit trails and timestamping of all captured data
- Documentation of any device failure or data inconsistency
Key CAPA Areas When Using IoT and Wearable Devices
A comprehensive CAPA framework for wearable integration should address the following categories:
| Issue Type | Example Scenario | CAPA Strategy |
|---|---|---|
| Data Loss | Device fails to upload readings due to sync error | Log issue, analyze frequency, re-train subjects, and implement device update or replacement |
| Validation Gap | Device not tested under subject’s real-world conditions | Conduct retrospective validation with sample data sets, document justification |
| Privacy Breach | Data stored on cloud without encryption | Initiate security risk assessment, update encryption protocols, notify IRBs if necessary |
| Regulatory Finding | Audit identifies incomplete audit trail of device data | Perform root cause analysis, revise SOPs, implement monitoring dashboards |
Real-World Audit Example: IoT Wearable in a Phase II Diabetes Trial
In a 2022 FDA audit of a US-based sponsor using continuous glucose monitors (CGMs) as wearables, several compliance gaps were identified. These included:
- Absence of device performance logs for 5% of participants
- Inconsistencies between recorded glucose levels and subject diaries
- Improper deactivation process for withdrawn subjects
The CAPA included:
- Deployment of real-time analytics for device performance tracking
- Reconciliation of CGM data with subject-reported values
- Updated SOPs for subject withdrawal and data locking
Validation of Wearable Devices: Functional and Environmental Testing
Device validation must include both functional and environmental testing to ensure suitability for the clinical population. Considerations include:
- Battery life under expected usage conditions
- Data accuracy under motion, heat, humidity, or body fluid exposure
- Sensor wearability and patient comfort assessments
- Signal transmission stability and sync frequency
Validation reports should be filed in the TMF and made available for regulatory inspections. Retrospective validation may be needed when new devices are introduced mid-study.
GCP-Compliant SOPs for IoT and Remote Monitoring Devices
Standard Operating Procedures (SOPs) are essential for managing compliance across all device use scenarios. Key SOPs include:
- Device provisioning, shipping, and activation logs
- Training protocols for site staff and participants on proper device usage
- Procedures for troubleshooting and error handling
- Data reconciliation and reporting of device-related deviations
- Archival processes for IoT data within eTMF systems
All SOPs should be version controlled and approved by QA, and staff should be trained on them prior to device use. GCP mandates traceability for all clinical systems, including wearable platforms.
Cybersecurity and Risk Mitigation Measures
Wearable devices pose heightened cybersecurity risks due to cloud connectivity, Bluetooth syncing, and mobile device integration. Sponsors must adopt layered security frameworks including:
- End-to-end data encryption
- Device authentication tokens
- Routine penetration testing and firewall monitoring
- System alerts for unauthorized access attempts
Security incidents must be logged and assessed under data breach policies. IRBs and participants should be notified when privacy risk thresholds are exceeded.
Data Review and Remote Monitoring of Wearable Inputs
Clinical data obtained through wearables must undergo the same level of review as site-collected data. Strategies include:
- Automated flagging of out-of-range values (e.g., heart rate above 160 bpm)
- Cross-checking wearable readings with scheduled site visits or subject reports
- Remote Source Data Verification (rSDV) when possible
- Dashboards displaying device adherence and patient engagement metrics
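The following is an added example, not code from the original article or from any sponsor's system. It sketches three of the strategies above: flagging readings above the article's 160 bpm example, cross-checking device values against subject-reported ones, and computing a device adherence ratio, plus detection of sync gaps. The sampling interval, diary tolerance, record layout, finding labels and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

HR_MAX_BPM = 160                          # out-of-range threshold from the article's example
EXPECTED_INTERVAL = timedelta(minutes=5)  # assumed device sampling/sync interval
DIARY_TOLERANCE_BPM = 10                  # assumed tolerance for diary reconciliation

# Constructed sample readings: (subject, ISO timestamp, heart rate in bpm)
READINGS = [
    ("S001", "2025-01-10T08:00:00", 72),
    ("S001", "2025-01-10T08:05:00", 171),
    ("S001", "2025-01-10T08:10:00", 80),
    ("S001", "2025-01-10T08:30:00", 76),  # 20-minute gap before this reading
    ("S002", "2025-01-10T08:00:00", 65),
    ("S002", "2025-01-10T08:05:00", 66),
]
# Constructed subject-reported values: (subject, ISO timestamp, reported bpm)
DIARY = [("S001", "2025-01-10T08:10:00", 95), ("S002", "2025-01-10T08:05:00", 68)]

def review(readings, diary):
    """Return findings as (subject, timestamp, finding_type, detail) tuples."""
    findings, by_subject = [], {}
    for subj, ts, hr in readings:
        by_subject.setdefault(subj, []).append((datetime.fromisoformat(ts), hr))
    for subj, rows in by_subject.items():
        rows.sort()
        for t, hr in rows:
            if hr > HR_MAX_BPM:
                findings.append((subj, t.isoformat(), "OUT_OF_RANGE", hr))
        for (t0, _), (t1, _) in zip(rows, rows[1:]):
            if t1 - t0 > EXPECTED_INTERVAL:  # missed syncs: candidate data-loss deviation
                minutes = int((t1 - t0).total_seconds() // 60)
                findings.append((subj, t0.isoformat(), "DATA_GAP", minutes))
    lookup = {(s, ts): hr for s, ts, hr in readings}
    for subj, ts, reported in diary:
        device = lookup.get((subj, ts))
        if device is None:
            findings.append((subj, ts, "NO_DEVICE_VALUE", reported))
        elif abs(device - reported) > DIARY_TOLERANCE_BPM:
            findings.append((subj, ts, "DIARY_MISMATCH", device - reported))
    return findings

def adherence(readings, subject, start, end):
    """Fraction of expected readings actually received in [start, end]."""
    expected = int((end - start) / EXPECTED_INTERVAL) + 1
    received = sum(1 for s, ts, _ in readings
                   if s == subject and start <= datetime.fromisoformat(ts) <= end)
    return received / expected

if __name__ == "__main__":
    for finding in review(READINGS, DIARY):
        print(finding)
```

Each finding is a candidate deviation record; feeding these into the deviation log, rather than silently correcting the data, keeps the review traceable.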
Useful Reference
Explore the WHO trial platform listing wearable-based studies:
WHO International Clinical Trials Registry Platform (ICTRP)
Conclusion: Inspection-Ready Use of IoT and Wearables in Clinical Trials
IoT and wearable technologies represent the frontier of remote trial execution and participant-centric data collection. However, regulatory agencies require clear validation, documentation, and CAPA strategies for their use. By embedding device oversight into the clinical quality system—from validation and SOPs to data monitoring and security—a sponsor can ensure their use of wearables not only advances trial goals but meets global regulatory standards.
