Regulatory Strategies and CAPA Framework for IoT and Wearable Devices in Remote Trials

Introduction: Integration of Wearables and IoT in Decentralized Clinical Trials

With the shift towards decentralized clinical trials (DCTs), the use of Internet of Things (IoT) devices and wearable technology has gained widespread acceptance for remote monitoring and real-time data capture. Devices such as smartwatches, biosensors, digital patches, and connected inhalers allow continuous data collection from trial participants outside of traditional clinical settings. However, the integration of these technologies introduces unique compliance risks, especially related to data integrity, validation, patient privacy, and corrective action.

This tutorial article explores how sponsors can implement a CAPA (Corrective and Preventive Action) framework to ensure the compliance and performance of IoT and wearable devices in clinical research. We focus on regulatory expectations from the FDA, EMA, and ICH GCP, and offer practical insights from audit findings and global inspections.

Regulatory Landscape: FDA, EMA, and ICH GCP Perspectives

Regulatory authorities have increasingly recognized the value of wearable devices for continuous data collection. The FDA’s guidance on “Digital Health Technologies for Remote Data Acquisition” (2023) outlines expectations for device validation, cybersecurity, and data management. EMA has also issued similar notes emphasizing transparency, subject safety, and oversight.

ICH E6(R3) further clarifies that all technology used in clinical trials must be “fit-for-purpose,” and the sponsor is responsible for ensuring that device-generated data are accurate, reliable, and verifiable. Key principles include:

• Pre-use validation and verification of devices under study-specific conditions
• Ongoing calibration and performance monitoring
• Audit trails and timestamping of all captured data
• Documentation of any device failure or data inconsistency

Key CAPA Areas When Using IoT and Wearable Devices

A comprehensive CAPA framework for wearable integration should address the following categories:

Real-World Audit Example: IoT Wearable in a Phase II Diabetes Trial

In a 2022 FDA audit of a US-based sponsor using continuous glucose monitors (CGMs) as wearables, several compliance gaps were identified. These included:

• Absence of device performance logs for 5% of participants
• Inconsistencies between recorded glucose levels and subject diaries
• Improper deactivation process for withdrawn subjects

The CAPA included:

• Deployment of real-time analytics for device performance tracking
• Reconciliation of CGM data with subject-reported values
• Updated SOPs for subject withdrawal and data locking

Validation of Wearable Devices: Functional and Environmental Testing

Device validation must include both functional and environmental testing to ensure suitability for the clinical population. Considerations include:

• Battery life under expected usage conditions
• Data accuracy under motion, heat, humidity, or body fluid exposure
• Sensor wearability and patient comfort assessments
• Signal transmission stability and sync frequency

Validation reports should be filed in the TMF and made available for regulatory inspections. Retrospective validation may be needed when new devices are introduced mid-study.

GCP-Compliant SOPs for IoT and Remote Monitoring Devices

Standard Operating Procedures (SOPs) are essential for managing compliance across all device use scenarios. Key SOPs include:

• Device provisioning, shipping, and activation logs
• Training protocols for site staff and participants on proper device usage
• Procedures for troubleshooting and error handling
• Data reconciliation and reporting of device-related deviations
• Archival processes for IoT data within eTMF systems

All SOPs should be version controlled, approved by QA, and trained prior to device use. GCP mandates traceability for all clinical systems including wearable platforms.

Cybersecurity and Risk Mitigation Measures

Wearable devices pose heightened cybersecurity risks due to cloud connectivity, Bluetooth syncing, and mobile device integration. Sponsors must adopt layered security frameworks including:

• End-to-end data encryption
• Device authentication tokens
• Routine penetration testing and firewall monitoring
• System alerts for unauthorized access attempts

Security incidents must be logged and assessed under data breach policies. IRBs and participants should be notified when privacy risk thresholds are exceeded.

Data Review and Remote Monitoring of Wearable Inputs

Clinical data obtained through wearables must undergo the same level of review as site-collected data. Strategies include:

• Automated flagging of out-of-range values (e.g., heart rate above 160 bpm)
• Cross-checking wearable readings with scheduled site visits or subject reports
• Remote Source Data Verification (rSDV) when possible
• Dashboards displaying device adherence and patient engagement metrics

Useful Reference

Explore the WHO trial platform listing wearable-based studies:
WHO International Clinical Trials Registry Platform (ICTRP)

Conclusion: Inspection-Ready Use of IoT and Wearables in Clinical Trials

IoT and wearable technologies represent the frontier of remote trial execution and participant-centric data collection. However, regulatory agencies require clear validation, documentation, and CAPA strategies for their use. By embedding device oversight into the clinical quality system—from validation and SOPs to data monitoring and security—a sponsor can ensure their use of wearables not only advances trial goals but meets global regulatory standards.