Monday, March 11, 2019

When Sites, eSystems, and Inspections Meet

Q: Do study site personnel need to be able to answer questions about sponsor-provided computer systems during an inspection?

A: Yes, and there’s a simple thing that sponsors and CROs can do to prepare their sites.

This excerpt was lifted from an online, interactive course entitled “Developing a Part 11 Compliance Plan in Clinical Research.” While the course mainly targeted sponsors and CROs, who have the heaviest regulatory burden in this area, sites also have Part 11 and validation concerns, as demonstrated by this question.

Presenter Lisa Olson, a CSV/Part 11 expert with Polaris Compliance Consultants, briefly described her recommendation, which is both simple and effective. (And since that is total catnip to a compliance blogger, I interviewed her after her presentation to develop the following piece.)

So here it is. Here’s what she said...

Clinical research sites rely heavily on technology to store and manage study data, so regulators are focusing on computer systems and electronic data more than ever before. Many of the systems – such as Electronic Data Collection (EDCs), Interactive Response Technology (IRTs), and e-diaries – are selected and largely controlled by sponsors, CROs, and/or third-party vendors. That doesn’t mean, however, that site staff won’t be expected to answer questions about these systems during a regulatory inspection. Quite the contrary: site personnel are responsible for the integrity of the data these systems house. They need to be able to demonstrate the knowledge required to meet their regulatory obligations.

No one is expecting site staff to be computer specialists; the expertise on these systems resides within the sponsor/CRO/vendor organizations. But the better a site can satisfy a basic, frontline inquiry into the systems it uses, the less likely it is that an inspector will pursue additional lines of questions.

So how can sponsors and CROs help?

They can provide a set of short summaries (one page per system) that answer the questions regulators are likely to ask site staff members. Filed in the Investigator Site File (ISF), ready for use, these summaries will be valuable resources.

The Basics

First, sponsors/CROs should supply identifying information: the name of the system, the vendor, the version of the system currently being used, and a few sentences that describe what the system does.
User Access and Control

To ensure both data integrity and compliance with Part 11 e-record/e-signature regulation, it’s essential that access to a system be controlled and data entry/updates be traceable to a specific person. To that end, the one-pager should describe how unique logins are assigned and how users are restricted to activities appropriate to their roles in the study. A monitor requires read-only access to an EDC system. A study coordinator needs to be able to enter and change EDC data. A Principal Investigator must be able to sign electronic Case Report Forms (CRFs). The role determines the access. Staff should also be able to briefly describe how an audit trail captures metadata that show what data were entered/altered, by whom, and when. (And someone, though not everyone, needs to be able to demonstrate how the audit trail can be used to piece together the “story of the data.” That, however, is too much to ask from our one-pager.)

Validation 101

It would be unusual for site personnel to have detailed knowledge of Computer System Validation (CSV) activities. Nevertheless, the one-pager could include a single line that confirms that the system was validated and by whom. A contact number could be included in case a regulator asks for more information or wants to see validation documents.

Where’s The Data?

Regulators will often ask where system data are stored. The answer to that question can be a simple sentence: The data are hosted by the EDC vendor at such-and-such location, or stored at the CRO, or sit on a local server within the site’s IT department.

Finally, the last line of our one-pager could be a simple statement prepared by the sponsor, CRO, or vendor, confirming that the data are protected wherever they are being stored. The data center is secure and environmentally controlled; the data are backed up to protect against loss; the system is accessed via the web through an encrypted channel -- whatever protections apply.


Regulators are increasingly focused on the integrity of study-related data, and that means added scrutiny of electronic systems and records. More inspections are being conducted mid-study so regulators can evaluate and ask about live systems in current operation. It’s very difficult for sites to field these questions without help from the organizations who make the decisions and have the expertise.

It’s okay to tell an inspector, “I don’t know.” (And it’s always preferable to admit that than to improvise an answer.) But say it too many times, and it casts doubt on a site’s ability to produce and maintain reliable study data. That’s in no one’s interest.

It shouldn’t be overly burdensome to develop a one-page summary sheet for each system so site personnel can address an inspector’s questions on the spot. The Investigator Meetings or Site Initiation Visits would be a good opportunity for sites to raise this point with their sponsors/CROs.

Lisa Olson will be giving an encore presentation of “Developing a Part 11 Compliance Plan in Clinical Research,” on March 24th. She describes all the elements that regulators and clients will be expecting, and since sponsors and CROs can’t implement everything all at once, Lisa prioritizes the activities necessary for developing your plan. You can register for the online course, sponsored by the Life Science Training Institute, here. Use the promotion code olson to receive a 10% discount.

Sunday, December 9, 2018

FDA Puts Santa on the Naughty List!



December 1, 2018

Mr. Kris Kringle, Owner
Santa’s Workshop, LLC
1225 Santa Clause Way
North Pole, Arctic Circle
Dear Mr. Kringle:

The U.S. FDA inspected your manufacturing facility, Santa’s Workshop, LLC at
1225 Santa Claus Way, North Pole Arctic Circle, from April 2 to April 20, 2018.

This warning letter summarizes significant violations of CGMP regulations for finished product. See 21 CFR, parts 210 and 211. During our inspection, our investigators observed specific violations including, but not limited to, the following.

CGMP Violations

1.    Your firm failed to ensure that each person engaged in the manufacture, processing, packing, or holding of product has the education, training, and experience, or any combination thereof, to enable that person to perform his or her assigned functions (21 CFR 211.25(a) and 211.28).

Many members of your Enterprise Labor Force (ELF) unit lacked sufficient prior experience for designing and assembling (b)(4). At the time of our inspection, no ELF members had received training on CGMPs, and most were unaware of their responsibilities in the areas of cleanliness and proper attire. Hands and faces were often coated with chocolate, and bells on hats and shoes prevented protective apparel from attaining a proper fit. More generally, factory staff demonstrated an undisciplined, almost gleeful disregard for quality procedures. On three separate occasions, at critical stages of the manufacturing process, floor workers erupted into spontaneous song and dance.

Your written response of May 18, 2018 is inadequate because it does not address these training and experience deficiencies. While endearing, the ability to “sit on a shelf” or “live in a hollow tree” does not constitute acceptable manufacturing experience. Candy coating does not qualify as protective covering. And sticking one’s hands in a nearby snowdrift is not a recognized sanitation procedure. “Pure as the driven snow” is not a thing. Especially with all those reindeer knocking about.

2.    Your firm failed to maintain a system by which the distribution of each lot of product can be readily determined to facilitate its recall if necessary (21 CFR 211.150(b)).

Product distribution records were incomplete and, in the event of a recall, would be insufficient to identify all product recipients.

Your written response of May 18, 2018 is inadequate. Santa’s Own Procedures (SOPs) are insufficient to capture the information required to conduct a thorough recall.  Mr. Kringle may well know which customers are naughty and which are nice -- who’s good, who’s bad, who’s sleeping, and who’s awake, but this information is not written down and, in the opinion of our investigators, would be of limited value if it were.

3.    Your firm failed to store product at an appropriate temperature to ensure the identity, strength, quality, and purity of the products are not affected (21 CFR 211.142(b)).

Entire sections of the facility lacked effective air conditioning, resulting in destruction of all (b)(4) warehoused in two large storage rooms. A third inadequately cooled room was not in use, and except for some miscellaneous items – a couple hunks of coal, a corncob pipe, and a large, oddly sad puddle of water – the room was all but empty.

Your written response of May 18, 2108 was inadequate. FDA isn’t really sure what to do with “that old silk hat we found” in your response package.

4.    Products failing to meet established standards or specifications and any other relevant quality control criteria shall be rejected. Reprocessing may be performed (21 CFR 211.165(f)).

While not strictly a violation of 21 CFR 211.165(f), the rejection and quarantining procedures your firm follows for products that fail to meet established criteria is concerning. While it’s appropriate to reject a (b)(4) that swims, a (b)(4) with square wheels, a (b)(4) that shoots jelly, and a (b)(4) that rides an ostrich, exile to a remote island ruled by a flying lion is, in a word, extreme. Your firm also rejected and exiled a (b)(4)-in-a-box for what was almost certainly an easily remediated labeling problem; reprocessing would have been a more appropriate course of action. Also, we just have to know. Seriously. WHAT WAS WRONG WITH THE DOLLY???

5.    Your firm failed to establish adequate acceptance criteria for sampling and testing necessary to assure that batches of product meet appropriate specifications as a condition of their approval and release (21 CFR 211.165(d)).

Sampling procedures consisted of pulling each finished batch of (b)(4) out of a hot oven, taking a few nibbles, and declaring it “Jingle-icious.” Testers would frequently adulterate samples by submersing and saturating them with milk. These procedures are totally without scientific rigor. Furthermore, sampling was not restricted to members of the Quality Control Unit, but was extended to the entire plant floor. At times, sampling frequency was so high that there was very little, if any, of (b)(4) left to distribute. (On a personal note, our investigators would like to express their appreciation for the opportunity to participate in the testing activity. All the batches they sampled exceeded the strictest statistical quality control criteria, excepting the fruitcake, which could have benefited from additional stability testing and an earlier expiry date.)


Violations in this letter are not intended as an all-inclusive list. Typically the manufacturer is responsible for investigating violations, determining their root causes, and preventing their recurrence. However, in this case we’re going to make an exception. Though your methods and procedures are unconventional and frequently out of compliance with regulations, they are not wholly without merit. Our investigators have never experienced such a high level of workplace morale -- some calling it “downright merry” – and believe it warrants further observation. Investigators have suggested a series of mutually consultative visits to your workshop. Music, dance, batch samples, reindeer games, and the occasional adulterated eggnog are highly encouraged.

Holly Bush
Division Director/OPQO Division I
North Pole District Office

Monday, October 15, 2018

The One-Hour Study Site Audit

In an effort to tease out the priorities of a clinical study site audit, I asked six of our most experienced GCP auditors the following question:

If you only had one hour to conduct a study site audit,
what would you look at?

[Obligatory warnings:  Do not try this at home. This is just a simulation. Caveat lectorem. Dinosaurs in the mirror are bigger than they appear. Et cetera.]

Of course it’s not possible to conduct any kind of meaningful audit in so short a time, but it’s an interesting thought exercise because it gets to the heart of study site risk.

Monday, August 13, 2018

What Suprises GCP Auditors?

Last month, I scheduled one-on-one discussions with our most experienced GCP auditors to ask each of them the same question: What surprises you most about the audits you conduct?

I guess you could say that I was the one who was surprised. I’m not sure exactly what I was expecting to hear, but I thought my teammates were going to talk about things that were new. Instead, I heard a lot more about things that have been around for a long time. To a person, my colleagues said they were surprised to be observing some of the same audit findings they were observing 30 years ago...which *is* surprising when you consider most of them were mere children at the time. ;-)  It seems we have some stubbornly persistent quality and compliance issues in the biopharma industry that decades of neither experience nor technology have seemed to remedy. And the problems are not just persistent; they’re interrelated.

Tuesday, July 10, 2018

Hackin' the GDPR

Trying to comply with the GDPR got you down?
Maybe our parody will cheer you up.

(Sung to the tune of Lennon-McCartney's "Back in the U.S.S.R.")

Monday, May 14, 2018

eSource Terminology Untangled

True or False:

(1) eSource in clinical trials means eliminating the possibility for transcription errors.

(2) Data collected in Electronic Data Capture (EDC) systems is eSource.

Strictly speaking, both statements are false. If that surprises you, it’s probably because many casual uses of the term “eSource” actually differ from the formal definition laid out by FDA. If the participants in any discussion share the same interpretation of “eSource”, or if it’s clear from context how “eSource” is being used, then no harm, no foul. (Contemporary translation: “Meh.”) BUT…and you know where we’re going with this…when a term can be interpreted in multiple ways, there’s always a possibility for miscommunication and cross talk.

Monday, March 19, 2018

Delegation of Authority Log: Tips for Monitors

We may call them “site inspections”, but it’s not the site that’s being inspected when a regulator visits; it’s the Principal Investigator. Though a PI typically delegates study tasks to other staff members, he or she remains solely responsible for the conduct of the study. In fact, the ICH E6(R2) addendum adds two new sections to the international guidance that emphasize PI supervision.

That’s what makes the Delegation of Authority (DoA) log so important and why regulatory inspectors care about it so much. A DoA log serves as evidence that a PI has assigned study tasks only to those staff members with the education, training, and experience to carry them out. If delegates are unqualified to perform their tasks, subject safety could be at risk and it’s highly likely that the study data would be unusable.