Source Data Verification (SDV): Targeted, Risk-Based, and Paired With Source Data Review

At a glance

• SDV checks that data in the study system match the source record. It answers one narrow question: was this transcribed correctly.
• It is not the same as source data review (SDR), which reads the source in context for quality and consistency. ICH E6(R3) names both as distinct monitoring activities, and they catch different problems.
• 100% SDV is no longer the expectation. FDA’s risk-based monitoring guidance treats focusing on the most critical data as more protective than verifying every field.
• The skill is choosing what to verify: the critical data and critical processes that affect participant safety and result reliability, with a sample that adapts to what monitoring finds.
• Remote and electronic source change the mechanics, not the goal. eSource can cut transcription and enable remote review, but the verification question is the same.

What SDV is, and the one question it answers

Source data verification is the act of confirming that the data recorded in the study system, typically the eCRF, accurately reflect the original source record. That is its whole job: detect transcription errors between the source and the captured data. It is a quality-control check on accuracy, not a judgment about whether the data make clinical sense.

That narrowness is the point that gets lost. SDV will catch a “120” entered as “210.” It will not, on its own, notice that a blood pressure of 120 was recorded for a participant who was supposed to be excluded for hypertension. The second problem is a job for review, not verification.

SDV is not SDR, and ICH E6(R3) treats them separately

ICH E6(R3) is explicit that monitoring is a broad set of activities, and it lists source data review and source data verification side by side as distinct approaches. Monitoring involves a broad range of activities including source data review, source data verification, data analytics, and visits, using a range of approaches (ICH E6(R3) §3.11.4). The two are complementary:

	Source data verification (SDV)	Source data review (SDR)
Question	Does the captured data match the source?	Is the source itself consistent, complete, and clinically coherent?
Catches	Transcription errors	Process gaps, eligibility issues, missing context, safety signals
Mode	Field-by-field comparison	Reading the record in context

A monitoring programme that does heavy SDV and no SDR can be transcription-perfect and still miss the issues that actually threaten a participant or an endpoint. The modern model uses SDR to read for meaning and reserves SDV for the data where exact-match accuracy matters most.

The end of 100% SDV

For years many teams believed FDA expected frequent on-site visits with 100% verification of all data. FDA’s risk-based monitoring guidance was written specifically to correct that. There is a growing consensus that risk-based approaches to monitoring, such as focusing on the most critical data elements, are more likely to ensure subject protection and overall study quality than routine visits to all clinical sites and 100% data verification (FDA Risk-Based Monitoring guidance, Rationale). The same guidance frames the approach positively: a modern, risk-based approach focuses on critical study parameters and relies on a combination of monitoring activities, including greater use of centralized monitoring (FDA Risk-Based Monitoring guidance, Introduction).

ICH E6(R3) makes the same shift a requirement rather than an option. The sponsor should determine the appropriate extent and nature of monitoring based on identified risks (ICH E6(R3) §3.11.4). Verifying everything is not the safe default; it is a failure to prioritise, and under E6(R3) it is out of step with the expected risk-proportionate approach.

How to scope targeted SDV: what counts as “critical data”

If you are not verifying everything, the decision that matters is what to verify. The anchor is criticality: the data and processes whose error would meaningfully affect participant safety or the reliability of the results. In practice that usually includes informed-consent documentation, eligibility criteria, primary and key secondary endpoints, and key safety data, and excludes low-risk descriptive fields.

E6(R3) builds the sampling logic in directly. Checking the accuracy, completeness, and consistency of reported trial data against source records can be done on the basis of using samples and supported by data analytics, and the sample size and types of records may need adjustment based on previous monitoring results or other indications of insufficient data quality (ICH E6(R3) §3.11.4.5.4). Two consequences follow. First, a sample is acceptable; you do not need a census. Second, the sample is adaptive: a site that produces errors earns more verification, and a clean site earns less. None of this is ad hoc. It is documented up front: the sponsor should develop a monitoring plan tailored to the identified potential safety risks and risks to data quality (ICH E6(R3) §3.11.4.3), and the monitoring’s whole purpose is to ensure the participants’ rights, safety, and well-being and the reliability of trial results (ICH E6(R3) §3.11.4).

Remote and electronic source: same question, new mechanics

Risk-based SDV does not require anyone to be on site, and electronic source changes how verification happens. FDA’s eSource guidance notes that capturing data electronically can eliminate transcription of source data prior to entry into an eCRF, facilitate remote monitoring of data, and promote real-time access for data review (FDA Electronic Source Data guidance, benefits). When source is entered directly, there is sometimes nothing to “verify” against, because the eCRF entry is the source; the integrity question shifts to the audit trail and to knowing who entered it. eSource keeps that traceable by requiring each data element to be associated with an authorized data originator (FDA Electronic Source Data guidance, data originators). Remote SDV, where it still applies, is verification done against source accessed remotely rather than in a site’s records room. The mechanics differ; the question, did the system data match the source, does not.

Centralized monitoring: the engine that aims SDV

Targeted SDV only works if something tells you where to aim, and that something is usually centralized monitoring. ICH E6(R3) defines it as an evaluation of accumulated data, performed in a timely manner, by the sponsor’s qualified and trained persons such as a medical monitor, data scientist or data manager, and biostatistician (ICH E6(R3) §3.11.4.2). Centralized review reads the whole trial’s data continuously, looking for the patterns a field-by-field verifier at one site can never see: a center whose values cluster too tightly, a lab result that drifts off the population, a recruitment rate that is implausibly fast.

The guideline is specific about what that review hunts for. Monitoring of the data should identify missing data, inconsistent data, data outliers, and unexpected lack of variability, along with protocol deviations, and should examine data trends such as the range, consistency, and variability of data within and across sites (ICH E6(R3) §3.11.4.5.4). Read that as the targeting system for SDV. When central review flags a site or a field as anomalous, that is where verification effort goes. When it shows a site running clean, that site earns less on-site scrutiny. SDV stops being a fixed tax on every record and becomes a response to evidence.

This is also why SDV cannot be the whole monitoring story. A program that verifies transcription but never runs cross-site analytics will miss exactly the failures, fabricated data, an outlier center, an unnatural lack of variability, that centralized review is built to catch. FDA’s risk-based monitoring guidance encourages this combination directly, pointing sponsors toward greater use of centralized monitoring methods rather than reliance on on-site verification alone. So the modern shape is a loop: centralized review watches everything and points; targeted SDV verifies the critical things it points at; and source data review reads the context around them. SDV is one instrument in that loop, valuable precisely because it is no longer asked to do the whole job.

Where teams get it wrong

• Equating SDV with monitoring. SDV is one activity inside monitoring. A plan that is all SDV and no SDR, centralized review, or data analytics misses what E6(R3) actually asks for.
• Doing 100% SDV out of habit or fear. It is no longer the expectation, and FDA wrote its guidance to say so. Effort spent verifying non-critical fields is effort not spent on what matters.
• Verifying fields, ignoring processes. Critical-process review (was consent obtained before procedures, was eligibility met) protects participants in ways field-level matching cannot.
• Treating the sample as fixed. E6(R3) expects the sample to adapt to results. A static percentage is not risk-based; it is just a smaller census.
• Running SDV without centralized analytics. Field-level verification cannot see cross-site patterns. Without centralized review identifying outliers and trends, you are verifying transcription while the systemic problems that actually threaten the trial go unnoticed.

Done well, SDV is a precise instrument used where exact accuracy is critical, sitting inside a monitoring plan that uses review, analytics, and centralized methods for everything else. The shift from “verify it all” to “verify what matters” is not a relaxation of standards. It is the standard.

Sources

• ICH E6(R3) Good Clinical Practice, version R3
• FDA, Oversight of Clinical Investigations: A Risk-Based Approach to Monitoring, 2013
• FDA, Electronic Source Data in Clinical Investigations, 2013