Monday, March 11, 2019

When Sites, eSystems, and Inspections Meet

Q: Do study site personnel need to be able to answer questions about sponsor-provided computer systems during an inspection?

A: Yes, and there’s a simple thing that sponsors and CROs can do to prepare their sites.

This excerpt was lifted from an online, interactive course entitled “Developing a Part 11 Compliance Plan in Clinical Research.” While the course mainly targeted sponsors and CROs, who have the heaviest regulatory burden in this area, sites also have Part 11 and validation concerns, as demonstrated by this question.

Presenter Lisa Olson, a CSV/Part 11 expert with Polaris Compliance Consultants, briefly described her recommendation, which is both simple and effective. (And since that is total catnip to a compliance blogger, I interviewed her after her presentation to develop the following piece.)

So here it is. Here’s what she said...

Clinical research sites rely heavily on technology to store and manage study data, so regulators are focusing on computer systems and electronic data more than ever before. Many of the systems – such as Electronic Data Collection (EDCs), Interactive Response Technology (IRTs), and e-diaries – are selected and largely controlled by sponsors, CROs, and/or third-party vendors. That doesn’t mean, however, that site staff won’t be expected to answer questions about these systems during a regulatory inspection. Quite the contrary: site personnel are responsible for the integrity of the data these systems house. They need to be able to demonstrate the knowledge required to meet their regulatory obligations.

No one is expecting site staff to be computer specialists; the expertise on these systems resides within the sponsor/CRO/vendor organizations. But the better a site can satisfy a basic, frontline inquiry into the systems it uses, the less likely it is that an inspector will pursue additional lines of questions.

So how can sponsors and CROs help?

They can provide a set of short summaries (one page per system) that answer the questions regulators are likely to ask site staff members. Filed in the Investigator Site File (ISF), ready for use, these summaries will be valuable resources.

The Basics

First, sponsors/CROs should supply identifying information: the name of the system, the vendor, the version of the system currently being used, and a few sentences that describe what the system does.
User Access and Control

To ensure both data integrity and compliance with Part 11 e-record/e-signature regulation, it’s essential that access to a system be controlled and data entry/updates be traceable to a specific person. To that end, the one-pager should describe how unique logins are assigned and how users are restricted to activities appropriate to their roles in the study. A monitor requires read-only access to an EDC system. A study coordinator needs to be able to enter and change EDC data. A Principal Investigator must be able to sign electronic Case Report Forms (CRFs). The role determines the access. Staff should also be able to briefly describe how an audit trail captures metadata that show what data were entered/altered, by whom, and when. (And someone, though not everyone, needs to be able to demonstrate how the audit trail can be used to piece together the “story of the data.” That, however, is too much to ask from our one-pager.)

Validation 101

It would be unusual for site personnel to have detailed knowledge of Computer System Validation (CSV) activities. Nevertheless, the one-pager could include a single line that confirms that the system was validated and by whom. A contact number could be included in case a regulator asks for more information or wants to see validation documents.

Where’s The Data?

Regulators will often ask where system data are stored. The answer to that question can be a simple sentence: The data are hosted by the EDC vendor at such-and-such location, or stored at the CRO, or sit on a local server within the site’s IT department.

Finally, the last line of our one-pager could be a simple statement prepared by the sponsor, CRO, or vendor, confirming that the data are protected wherever they are being stored. The data center is secure and environmentally controlled; the data are backed up to protect against loss; the system is accessed via the web through an encrypted channel -- whatever protections apply.


Regulators are increasingly focused on the integrity of study-related data, and that means added scrutiny of electronic systems and records. More inspections are being conducted mid-study so regulators can evaluate and ask about live systems in current operation. It’s very difficult for sites to field these questions without help from the organizations who make the decisions and have the expertise.

It’s okay to tell an inspector, “I don’t know.” (And it’s always preferable to admit that than to improvise an answer.) But say it too many times, and it casts doubt on a site’s ability to produce and maintain reliable study data. That’s in no one’s interest.

It shouldn’t be overly burdensome to develop a one-page summary sheet for each system so site personnel can address an inspector’s questions on the spot. The Investigator Meetings or Site Initiation Visits would be a good opportunity for sites to raise this point with their sponsors/CROs.

Lisa Olson will be giving an encore presentation of “Developing a Part 11 Compliance Plan in Clinical Research,” on March 24th. She describes all the elements that regulators and clients will be expecting, and since sponsors and CROs can’t implement everything all at once, Lisa prioritizes the activities necessary for developing your plan. You can register for the online course, sponsored by the Life Science Training Institute, here. Use the promotion code olson to receive a 10% discount.

No comments:

Post a Comment