← Methods repository
guideline

FDA Sentinel System Methods

The FDA Sentinel System is a national active surveillance system for monitoring the safety of marketed medical products using routinely collected electronic healthcare data. Its methods infrastructure includes the Common Data Model (Sentinel CDM), standardised analytic tools (CIDA, SCDM queries, propensity-score toolkits), and published methods guidance for distributed database querying, study design, and bias control. Sentinel methods are among the most operationally mature and regulatorily authoritative frameworks for pharmacoepidemiological evidence in the United States.

Guidelineguidelineactive-surveillancepharmacovigilancefdasentinel-systemcommon-data-modelsequential-testinghdps
Methods reference only. Use primary source citations and local policy before applying this in a study protocol, regulatory submission, payer dossier, or clinical decision.

What it is

— The FDA Sentinel System is a congressionally mandated active post-market surveillance programme administered by the US Food and Drug Administration under the FDA Amendments Act (FDAAA) of 2007. It queries a distributed network of administrative claims and electronic health record data from US insurers, health systems, and data partners — currently covering more than 500 million patient-years of longitudinal data — using a Common Data Model (Sentinel CDM) that standardises data structure across partners without centralising data. The Sentinel System's methods infrastructure — the subject of this catalog entry — consists of: (1) the Sentinel Common Data Model (CDM) (defining standardised tables, coding conventions, and derived variables); (2) the Modular Programs (reusable SAS/R analytic tools distributed as open-source code through the Sentinel Innovation Center for querying the CDM for cohort identification, covariate extraction, and outcome ascertainment); (3) the CIDA (Cohort Identification and Data Analysis) framework (a pre-specified, protocol-driven workflow for active surveillance queries that controls for false discovery in repeated looks); (4) the propensity-score toolkits (including high-dimensional propensity score [hdPS] modules implemented for distributed execution); and (5) published methods papers and guidance that document design decisions, analytic choices, and validation studies. Platt et al. (2018, NEJM) provided the first major public description of how the Sentinel System functions as a routine safety-assessment tool. The system is operated through a partnership between FDA and the Sentinel Innovation Center (hosted at Harvard Pilgrim Health Care Institute / Harvard Medical School).

When to use

— Reference Sentinel methods when: (1) Designing a pharmacoepidemiology or drug-safety study in US administrative data — the Sentinel CDM conventions for enrollment, diagnosis, procedure, drug, and laboratory data are the de facto US standard for distributed claims analysis; aligning a study's data infrastructure with Sentinel CDM conventions maximises reproducibility and comparability to FDA's own analyses. (2) Adapting or citing Sentinel modular programs — the open-source Sentinel programs for cohort identification (including active-comparator new-user designs), covariate extraction (including hdPS), and outcome ascertainment represent peer-reviewed, FDA-validated implementations that can be adapted for non-Sentinel databases. (3) Preparing a drug-safety RWE submission to FDA — FDA's reviewers are familiar with Sentinel methods conventions; a study that aligns with CIDA framework design and hdPS implementation provides a more credible regulatory-science evidence package. (4) Active post-market surveillance protocol design — for safety signals requiring repeated interim analysis, the CIDA framework's sequential testing and group-sequential methods (including maxSPRT, CUSUM, and likelihood ratio tests) provide validated designs for continuous surveillance. (5) Validation of phenotype algorithms in claims data — the Sentinel Data Core and published Sentinel validation studies are a reference for PPV/sensitivity benchmarks for common outcome algorithms (e.g., MI, stroke, fracture, GI bleed). Decision rule: Sentinel methods are US claims-centric; for EHR-based surveillance or European data, equivalent frameworks include the EU-ADR, OHDSI/OMOP, and ENCePP approaches.

What it requires (checklist domains)

— Using Sentinel methods rigorously requires adherence to its principal analytic conventions: Data model alignment: data must conform to or be mapped to the Sentinel CDM table and field definitions (enrollment spans, medical claims, pharmacy claims, laboratory, vital status) before any Sentinel modular program can be applied. Continuous enrollment requirement: Sentinel analyses define observable time using continuous enrollment windows (typically ≥183 days pre-index for baseline covariate capture); gaps in enrollment are handled by censoring. Active-comparator new-user design: the Sentinel modular programs implement ACNU design by default — both the treatment and comparator must be new users (no prior use in the baseline window) with a concurrent active comparator; prevalent-user analyses require explicit justification and are methodologically disfavoured. Propensity score / hdPS implementation: the Sentinel hdPS toolkit operationalises the Schneeweiss et al. algorithm at distributed scale — empirically identified covariates from prior healthcare utilisation supplemented by pre-specified clinical covariates; propensity-score trimming and assessment of balance (standardised mean differences) are required outputs. Outcome ascertainment: outcomes must be defined by validated algorithms with reported PPV/sensitivity from Sentinel validation studies or equivalent; single-code, unvalidated outcome definitions are not acceptable in Sentinel queries. Sequential testing / CIDA: for active surveillance (repeated looks), the CIDA framework specifies the maximum information fraction, the sequential test (typically MaxSPRT for rare events), and the signalling threshold; a non-pre-specified sequential analysis or one that ignores inflation from repeated looks is methodologically inadequate. Distributed execution: analyses run locally at each data partner against the CDM; only aggregate statistics (not patient-level data) are returned to the coordinating centre, preserving privacy.

When NOT to use — limitations and common misapplications

— (1) Assuming Sentinel coverage is population-representative — Sentinel data are primarily employer-sponsored and Medicare Advantage claims; Medicaid, Medicare fee-for-service, uninsured, and VA populations are covered by separate or supplemental systems; generalisability to all US patients requires acknowledgment of these coverage gaps. (2) Applying Sentinel CDM conventions uncritically to non-US data — the CDM is designed for US claims coding (ICD-10-CM, NDC, HCPCS); applying it to European administrative data or EHR requires remapping and validation. (3) Citing Sentinel results as causal evidence — Sentinel queries are designed for rapid signal detection and hypothesis generation, not definitive causal inference; a Sentinel signal requires confirmatory study design with full confounder control. (4) Using Sentinel modular programs without CDM alignment — the programs assume specific CDM table structures; applying them to data not mapped to the Sentinel CDM produces incorrect results. (5) Ignoring the sequential testing framework for repeated analyses — running standard cohort analyses with multiple looks without a pre-specified sequential test inflates the false-positive rate; the CIDA framework and maxSPRT exist precisely to control this. (6) Over-relying on hdPS without clinical review — the hdPS empirically identifies covariates from claims patterns; it can produce technically adequate propensity scores while omitting clinically important confounders not captured in claims codes; clinical expert review of the covariate space remains necessary.

How it maps to this catalog

— Sentinel methods are the implementation backbone for most of the US claims-based pharmacoepidemiology concepts in this catalog. The Sentinel CDM is the data-infrastructure substrate for claims-analysis and is the reference for fit-for-purpose- data-assessment-rwe (enrollment continuity, observability windows, coding completeness). The ACNU design implemented in Sentinel modular programs is the same design documented in active-comparator-new-user and time-zero-index-date-alignment-rwe (index-date alignment and washout conventions). The hdPS toolkit is the large-scale implementation of high-dimensional-propensity-score-hdps-rwe; Schneeweiss et al.'s original algorithm and Sentinel's implementation are the canonical references. Outcome algorithm validation conducted through Sentinel validation studies provides PPV/sensitivity benchmarks for claims-outcome-algorithm-ppv-sensitivity-rwe. The sequential testing and maxSPRT approach in the CIDA framework corresponds to maxSPRT-sequential-testing and treescan-statistics-rwe (spatial-temporal self-controlled scan statistics) in the methods catalog. Distributed execution and the federated data model intersect with ohdsi-cdm (the OHDSI/OMOP CDM approach, which is an alternative but complementary data-model standard). FDA guidance on using the Sentinel System for regulatory-grade RWE is documented in fda-rwe-framework and fda-rwd-ehr-claims in this catalog's guidelines section; Sentinel is the operational implementation of those frameworks.