Entering the Post-Paper Realism: The Principles of Cyber Ethics

Posted by Marcin Hernik | Apr 26, 2023 10:00:00 AM

The Shoulds and Shouldn’ts of Electronic Systems and Data in Clinical Trials


With the word should being mentioned 569 times and constituting ~7% of the content (only outweighed by data – 618 instances), in this blog we will catch a glimpse of the multitude of visions the EU GCP Inspectors Working Group have on how to avoid the dystopian future of a paperless world in their long overdue, and at last finalised, Guideline on computerised systems and electronic data in clinical trials.

The new guideline comes into effect on 10th September 2023; that is 6 months after publication, replacing their Reflection paper on expectations for electronic source data and data transcribed to electronic data collection tools in clinical trials.

However, before we indulge ourselves in the realm of regulations, requirements, necessities, expectations and guidelines, first, I feel obliged to say hello. I am sure you will locate my name somewhere on the website, but for the purposes of this blog post, I will just remain a humble, single data point, corresponding to a much bigger data piece (random cerebral sci-fi movie soundtrack on).

Second, a sense of duty compels me to note the difference among different auxiliary verbs as some of them express obligation, whereas others are simply used to give advice, at least in a general sense.


The False Dichotomy

On 15th March 2023, right after EMA published their guidance, FDA followed suit by releasing their draft guidance for industry, talking about electronic systems and signatures. Whereas the EMA clearly point out their document covers requirements and expectations, the FDA explicitly state that: 

“…the use of the word should in Agency guidance's means that something is suggested or recommended, but not required.”

Two different continents, two different definitions of the same word. However, the one constant in a sea of variables is the agencies’ approach towards the very use of electronic systems – there is still no legal requirement or expectation that these are to be used to collect the data (even though it is highly recommended).

Come on, it is 2023 - if you have already added an e to a mail, why would you not want to add it to a TMF? A ‘should’ shy of a requirement.


Retrofitting the (e)TMF Guideline

“For electronic trial master files (eTMFs), please refer to the respective guideline”:

Guideline on the content, management and archiving of the clinical trial master file (paper and/or electronic).

 To all the eTMF-oholics out there, fear not, as the commandments described in the new guidance apply to all systems in scope, and the eTMF is indeed listed as one of them. The point is you will now have to use more of your parallel reading skills as one guideline supplements another. If you are proficient at it, you may also want to have a try at reading these before you entertain yourself with the new guideline, as along your local requirements, they provide the legal background:

  • Regulation (EU) No 536/2014, or Directive 2001/20/EC and Directive 2005/28/EC
  • ICH Guideline for good clinical practice E6 R2 (EMA/CHMP/ICH/135/1995 Revision 2)

 So, what has changed?

As we would all love this blog to remain in a digestible form, I refuse to list all the changes between the new and the superseded guideline, instead using the previously published TMF-specific guidance that remains in effect as a “comparator”. Looking at the superseded guidance, it would be about the additions rather than the changes as they moved from flash fiction to an epic novel (13 vs 52 pages).

To start with, we need to understand the pivotal difference between the two. The new guideline focuses on the system; it will not directly tell you how to manage your study-specific TMFs’ content, how to organize your TMF structure, what the essential documents are, or where to file that email. What it will do however, is outline the expectations regarding your authoritative electronic TMF repository, at the same time building the foundation for what a regulated electronic system needs to look like.

What piqued my curiosity the moment I started reading the guideline is that the EMA have recognized both the evolving complexity and potential of the computerised systems, which is perfectly exemplified by their acknowledgement of both the existence and importance of the artificial intelligence (AI). Indeed, having deeply learned hundreds of thousands of documents, some of the eTMF systems now introduce more elaborate AI solutions that help TMF contributors with the most mundane tasks. Although something more than the acknowledgement of the growing importance of AI and general expectations may be coming in a future Annex to the guideline, it does show the EMA move with times!

With ‘data’ being used in the guideline in a broader meaning, including documents, records, or any form of information, we come to a simple conclusion – everything has become data, and should be treated as such. However, until that Matrix digital rain becomes human-readable information, it must be viewed in context, and that context is called metadata. It is an integral part of any record maintained in the eTMF and we cannot talk about data integrity without it. This nicely leads us to the next topic – the principles of data integrity (aka ALCOA). When reading the guidance, you might have noticed another + added. Yes, the new guidance introduced a new principle – Traceability – making the ALCOA++ a data integrity decalogue.


“Data should be traceable throughout the data life cycle. Any changes to the data, to the context/metadata should be traceable, should not obscure the original information and should be explained, if necessary. Changes should be documented as part of the metadata (e.g. audit trail).”


This is nothing new as we already know the intimate friendship between the eTMF and its audit trail, but it finally deserved a seat at the ALCOA table, highlighting its significance in ensuring data (e.g., TMF) contributors’ adherence to the remaining principles. Traceability, a controller of the ALCOA.

Staying with the audit trails for a moment, the new guideline offers a robust definition along with the expectations of how they should be set-up and managed. This includes the expectation of a risk-based, proactive, ongoing, and documented review focusing on critical data, both the individual data points (e.g., a description of a single or a group of actions taken for a document by a specified user and in a specified time) and metadata (e.g., user access reviews). Remember, the data only makes sense if it tells a story. Now, according to popular belief, the TMF is a story of a clinical trial. If so, the audit trail is its backstory. If the audit trail is still seen as an elephant in the room in your company, be aware that the lack of reviews must be justified using a valid rationale.

Taking a side-step on to that very topic of validity, and one of importance, the electronic system itself should be validated. Nothing revolutionary here – no need to panic or tear your hair out – just be aware the GCP Inspectors Working Group decided to amplify this and put all their sound knowledge as an annex to the guideline. Apart from the computerised systems validation, the EMA have also added something extra on the importance of Agreements (one of the few places where the TMF is mentioned) stating they should dictate who, what, where, when, why, and how of the essential documents management. Interestingly, the examples of TMF documents provided are study-specific emails on important decisions, relevant helpdesk tickets, and meeting minutes. Taking this on board, you may want to reconsider your risk factors when conducting TMF reviews!

Taking heed of spreading cyber security threats, the Inspectors have also devoted special attention to two seemingly inseparable (but split into two annexes) topics of user management and the overall security of electronic systems. Of note, both supplements specify the need for reviews of both the users and their access rights, considering the minimum required level of user access and unusual user behaviour in the system. If you are also deep into cyberpunk genre, this may seem like an example of a discrimination of an AI; but going down to earth the authors rightly point out that:

“…human users should be readily distinguishable from machine accounts”.


So, if you still want to personify your machine by naming it after your favourite grandparent or pet dog, imagine having to explain it to the inspectors.

Noteworthily, the guideline also raises other trendy topics related to the security such as controlled use of USB drives, remote authentication and connection (e.g., VPN and 2FA), password managers, or inactivity logout (ideally, mouse jiggler-resistant!).

Outside the realm of annexes, the last topic I want to mention is cloud solutions, as interestingly the EMA recognize that cloud computing may put sponsors and investigators at risk due to the lack of transparency on the side of cloud providers. Indeed, there are risks related to cloud solutions such as potential data breaches and downtime. On the other hand, you get a centralised, integrated repository you can access anywhere and anytime – many see it as the future of data storage and management, eventually replacing the old-fashioned models entirely. Regardless of whether it is a cirrus or a stratocumulus, the requirements set out in the guidance apply to the cloud the same way they do for any other data centres!



Overall, the new guideline introduced by the EMA provides a comprehensive framework for the proper use of computerised systems and electronic data in clinical trials and is compulsory reading for all individuals in the industry. Even though the post-paper world will still be trying to re-conceive the paper-based reality for a long time, with more and more legal requirements being slowly introduced by the regulators, it is reassuring to see the agency adapt to the rapidly changing landscape, clarifying their expectations as more electronic system functionalities are being introduced. I should reiterate, computerised systems are not required (yet!). However, when they are used, the expectations are quite demanding compared to paper-based solutions. Therefore, utilising generic file-sharing solutions like SharePoint is going to become increasingly difficult to justify.

Until we change our document mindset to data mindset, and see records as data elements put into context, we will not be ready to accept the new reality. In the end, electronic record expectations will need to change from being generally equivalent to paper records. After all, an eTMF is a database at its core. With ~ 10% decrease in tree cover since 2000, eventually there may be no other option than move to electronic data to reduce paper waste and pollution.

To conclude, I hope you enjoyed reading this post and are now more likely to have a read through the beast that is the new EMA guideline. Perhaps it is time to embrace the technology that is readily available and consider going paperless? Let us save some trees together and allow AI to learn some more about the TMF!


Until the next time – we will be back with some more captivating thoughts!

Topics: TMF

How to Reduce Risk and Effort When Migrating a Trial Master File

Migrating Trial Master File (TMF) data is a fairly common occurrence, usually driven by one or more of the following ...

Read More

Consistency: The Secret to Improving Quality and Efficiency in TMF Document Processing

Based on extensive work helping trial sponsors and Contract Research Organizations (CROs) implement Trial Master File ...

Read More

Solved: Is Our TMF Missing More than We Know?

In a poll of nearly 100 TMF professionals during a recent Phlexglobal webinar, “Lowering your TMF Risk Temperature: ...

Read More

How Risk-Based TMF Quality Checks and Quality Review Improve Inspection-Readiness

For the kickoff of Phlexglobal’s “TMF Summer Shorts” program July 18, 2023, we purposely chose a hot topic: how to ...

Read More

Building a Strong Sponsor-CRO Relationship for an Inspection-ready TMF

Collaborative sponsor-contract research organization (CRO) relationships can be the key to ensuring outsourced clinical ...

Read More

Entering the Post-Paper Realism: The Principles of Cyber Ethics

The Shoulds and Shouldn’ts of Electronic Systems and Data in Clinical Trials Intro

Read More

Subscribe To Our Blog!

Digital Brain Header Large Brain Right

It's time to raise your standard 

Contact Us