are webbased eCRFs a compliance problem for ...

Download PDF
5 downloads 22164 Views 65KB Size Report
Comment
(eCRFs) for clinical investigators to enter trial data at their site. Using web- ... the computer's hard disc to store data and then a copy was ... gator's computer hard drive and the sponsor had the .... Recovery Plans (DRP) and other provisions as.
BRIEF COMMUNICATION

Discussion Point: Are Web-based eCRFs a Compliance Problem for Industry? Colin Wilsher, PhD, FRQA Quality Assurance, Pfizer Medical, 1, Long View, Berkhamsted, HP4 1BY, UK

Summary Pharmaceutical companies often rely upon web-based electronic Case Report Forms (eCRFs) for clinical investigators to enter trial data at their site. Using web-based technology means that the investigator directly enters data onto the sponsor company’s server via the Internet. Does this cause a problem with complying with international standards regarding data integrity? Copyright r 2010 John Wiley & Sons, Ltd.

Introduction With paper Case Report Forms (CRFs) the situation has always been as described in International Conference on Harmonization (ICH) Good Clinical Practice (GCP) 8.3.14 [1], where the investigator site retains a copy of the CRF and the sponsor retains the original. Commonly this was done by using No Carbon Required (NCR) paper which produced two or more copies of the same entry. These were split and so investigators and sponsors had identical copies. Any changes made subsequently were accomplished through data query forms that were also copied to both sponsor and investigator. Early versions of eCRFs used the computer’s hard disc to store data and then a copy was downloaded to the sponsor. This was slow and *Correspondence to: Colin Wilsher, Quality Assurance, Pfizer Medical, 1, Long View, Berkhamsted, HP4 1BY, UK. E-mail: [email protected]

Copyright r 2010 John Wiley & Sons, Ltd.

had the risk that the data could be lost before it was downloaded. A much faster system came with web-based technology where the investigator could use a web browser to put information on the sponsor’s server as soon as he pushed the return or enter button. No information was retained on the investigator’s computer hard drive and the sponsor had the data as soon as the investigator entered it.

What do international regulations and guidance documents say? The European Medicines Agency (EMA) ‘Reflection Paper on Expectations for Electronic Source Documents Used In Clinical Trials’ sets out the current thinking of the EU GCP Inspectors Working Group on the use of electronic source documents and data in clinical trials and on the inspection of these. ‘This paper sets out the

Qual Assur J (2010) DOI: 10.1002/qaj.455

C. Wilsher

considered expectations of GCP inspectors at this time’ [2]. This paper quotes the Clinical Data Interchange Standards Consortium (CDISC) e-SDI Group publication ‘CDISC Standards and electronic Source Data within Clinical Trials’ [3]. CDISC requirements shed some light on this, not only because they are quoted in EU guidance documents, but also because they provide a set of international standards. As ICH GCP 6.4.9 allows data to be directly entered into the CRF, there are concerns about how this would be used. For instance, CDISC requirement no. 10 specifically states: ‘The sponsor shall not have exclusive control of a source document. If source data are captured and entered directly into a web-based system without first being captured to paper or other local source and all data are stored in a central server that is not located at the investigator site, the sponsor should not have exclusive control of the source data.’ Two other CDISC requirements also have a bearing on this: CDISC requirement no. 5: ‘The investigator shall maintain the original source document or a certified copy. The principle behind this requirement is that the investigator has the source document or a certified copy, thus ensuring protection against changes to the data once it has been passed to another party. Where data is stored on a remote (often central) server without retention of a contemporary local copy, the method by which an investigator or other party retains control of data they have generated should be clearly established, and this control should be demonstrable.’ CDISC requirement no. 6: ‘Source data shall only be modified with the knowledge or approval of the investigator. The method by which it is ensured that the investigator knows of and approves of modifications to the data should be clearly established, and this control should be demonstrable.’ Another major, relevant document is the US Food and Drug Administration’s (FDA) ‘Guidance for Industry – Computerized Systems Used in Clinical Investigations’ (CSUCI), Copyright r 2010 John Wiley & Sons, Ltd.

published in May 2007 [4]. This document is intended to be a companion to 21 Code of Federal Regulations (CFR) Part 11 [5]. The guidance states: ‘When source data are transmitted from one system to another (e.g. from a personal data assistant to a sponsor’s server), or entered directly into a remote computerized system (e.g. data are entered into a remote server via a computer terminal that is located at the clinical site), or an electrocardiogram at the clinical site is transmitted to the sponsor’s computerized system, a copy of the data should be maintained at another location, typically at the clinical site but possibly at some other designated site. Copies should be made contemporaneously with data entry and should be preserved (y).’ It offers assistance in understanding the use of electronic records but does not offer advice on how to solve the problems that might be created by the use of web-based eCRFs. The FDA has released guidance on patientreported outcome (PRO) measures: ‘The principal record keeping requirements for clinical investigators include the preparation and maintenance of adequate and accurate case histories (including the case report forms and supporting data), record retention, and provision for the FDA to access, copy, and verify records (i.e. source data verification). The investigator’s responsibility to control, access, and maintain source documentation can be satisfied easily when paper PRO instruments are used, because the patient usually returns the diary to the investigator who either retains the original or a certified copy as part of the case history. The use of electronic PRO instruments, however, may pose a problem if direct control over source data is maintained by the sponsor or the contract research organization and not by the clinical investigator. We consider the investigator to have met his or her responsibility when the investigator retains the ability to control and provide access to the records that serve as the electronic source documentation for the purpose of an FDA inspection. The clinical trial protocol, or a separate document, should specify how the electronic PRO source Qual Assur J (2010) DOI: 10.1002/qaj

Discussion Point

data will be maintained and how the investigator will meet the regulatory requirements.’ [[6], emphasis by author] The FDA has passed comment on this topic, for instance, in the presentation of Patricia Beers-Block from the Good Clinical Practice Program Office of the Commissioner on 15 September 2008. She stated that the FDA had issued an untitled letter to a sponsor for failure to provide clinical investigators with the information needed to conduct investigation: ‘Computerized records did not permit CI (Clinical Investigator) to retain a copy of data submitted via eCRFs (case histories). CI cannot rely on data stored on the sponsor’s system to meet his/her regulatory obligation. Clinical investigator must maintain adequate, accurate, complete, and current clinical trial records [21 CFR 312.62(b) and 812.140] [7].’ Industry is trying to make progress and this can be seen in the ‘Practical Considerations for Clinical Trial Sites using Electronic Health Records’ [8] that was released by Electronic Health Records for Clinical Research (EHRCR) Working Group sponsored by eClinical Forum and PhRMA EDC/eSource Task Group. This document contains a checklist which investigators can use and which includes the CDISC requirements. It helps investigators identify potential problems with using EHRCR, but does not offer a solution for industry with regard to the use of web-based technology using eCRFs.

Possible scenarios for consideration 1. 2. 3. 4. 5. 6.

Make investigator access to the web-based server available Supply the investigator with a copy of the data after the study Retain 100% of all information on original source documents at site Retain a local electronic copy at site Use internal (sponsor) safeguards and controls Use a Trusted Third Party (TTP) to host the server information

Copyright r 2010 John Wiley & Sons, Ltd.

What are the advantages and disadvantages of these approaches? 1.

Make investigator access to the web-based server available

This helps the investigator have access to the data he has supplied to the sponsor. Usually this access is to the sponsor’s server and so this still does not address the problem of the sponsor having sole control over the data. Also the investigator only has access to his data as long as there is a technological link and that the sponsor continues to support such a link. As the investigator does not retain locally a copy of the submitted electronic data, he will find it difficult to verify what is available to him on the web-based system. 2.

Supply the investigator with a copy of the data after the study

This ensures that the investigator eventually receives a copy of his data but it is not contemporaneous. This non-contemporaneous information has usually been held under the control of the sponsor. This means that it is possible that there could be changes without the investigator’s knowledge. When delivered in bulk at the end of study, it makes it difficult for the investigator to check his data against his source. 3.

Retain 100% of all information on original source documents held at site

The purpose is to completely verify the contents of the eCRF against the source documents. This certainly avoids the sponsor having control over source data. This solution does not answer the immediate problem where the submitted copy of the data is in the care of the sponsor, but at least the sponsor-controlled data can always be checked against the source. ICH GCP section 6.4.9 allows for the scenario where data are directly entered into the eCRF. If 100% of data has separate source documents Qual Assur J (2010) DOI: 10.1002/qaj

C. Wilsher

at site, this scenario does not take advantage of the eCRFs ability to accept source data directly.

4.

Retain a local electronic copy at site

Some companies make sure that the investigator’s computer retains a contemporaneous copy of what is sent to the sponsor. There are various technical challenges as to how this local storage can be adequately arranged. The solution is good, but it is important to make sure that the information is protected against infringement of confidentiality and theft. A validated system is required with Disaster Recovery Plans (DRP) and other provisions as per the FDA Guidance for Industry regarding computerized systems in clinical trials [4]. Some companies may reject this idea, because it is an additional burden and does not exclusively rely upon web-based technology. There is also the risk that unless a good DRP is in place, the computer information (typically on a laptop) can easily be lost.

5.

Use internal (sponsor) safeguards and controls

All data handling in a sponsor company (or Contract Research Organisation contracted by the sponsor) should be performed according to Standard Operating Procedures and should be documented with a full audit trail so that all steps can be fully traceable. Many sponsors have sophisticated quality systems in place to ensure the integrity of the data. These sponsor processes may be more developed than a trusted third party (see later) who may be newly developing this process. Although internal safeguards do provide accountability, inspectors sometimes have concerns that there is no independent element to this and that the sponsor has full control over all these steps and retains access codes. Although this goes some way to provide assurance it does not fully comply with CDISC requirement no. 10, if any source data are entered directly into the eCRF. Copyright r 2010 John Wiley & Sons, Ltd.

6.

Use a Trusted Third Party (TTP) to hold the server information

In this scenario the information from the investigator would not go directly to the sponsor but to a TTP who would arrange for the data to be immediately divided (in a timely fashion) and for exact copies to be held by the sponsor and by an independently hosted secure repository for the investigators. This also has its technical and business challenges arranging for a truly independent TTP, who will carry out its duties for the long periods of time required by the data retention requirements of GCP. The TTP might be financed by the sponsor (or multiple sponsors and/or governmental organisations) and agreements and safeguards would be needed to ensure that the TTP remained independent of the sponsor and that the sponsor was unable to control the investigators’ data.

Is there a way forward? In order to provide assurances to the regulators and their inspectors, sponsors may have to go to considerable lengths to show that their web-based system offers the same or greater assurances than paper-based systems. This debate continues throughout industry.

Disclaimer These are my personal opinions and not that of any organisation or employer associated with the author.

References 1. International Conference On Harmonisation Of Technical

Requirements

For

Registration

Of

Pharmaceuticals For Human Use, ICH Harmonised Tripartite Guideline for Good Clinical Practice E6 (R1), 10 June 1996.

Qual Assur J (2010) DOI: 10.1002/qaj

Discussion Point

2. European Medicines Agency (EMA) GCP Inspectors

6. Food and Drug Administration, Center for Drug

Working Group. Reflection Paper on Expectations for

Evaluation and Research (CDER), Center for Bio-

Electronic Source Documents Used In Clinical Trials, GCP

logics Evaluation and Research (CBER), Center for

Inspectors Working Group (draft), 17 October 2007.

Devices and Radiological Health (CDRH). Guidance

3. Clinical Data Interchange Standards Consortium

for Industry – Patient-Reported Outcome Measures:

(CDISC) e-SDI Group. CDISC Standards and electronic

Use in Medical Product Development to Support

Source Data within Clinical Trials, 20 November 2006. 4. Food and Drug Administration, Center for Drug

Labeling Claims, December 2009. 7. Patricia

Beers-Block,

Good

Clinical

Practice

Evaluation and Research (CDER), Center for Biolo-

Program Office of the Commissioner. Reflections

gics Evaluation and Research (CBER), Center for

on Computerized Systems Used in Clinical Trial.

Devices and Radiological Health (CDRH). Guidance

Presentation at FDA at PhRMA BRMC Meeting,

for Industry – Computerized Systems Used In Clinical Investigations, May 2007.

15 September 2008. 8. Practical Considerations for Clinical Trial Sites using

5. Food and Drug Administration. 21 Code of Federal

Electronic Health Records (EHRs) in support of

Regulations Part 11 – Electronic Records, Electronic

Clinical Research Addressing Regulatory Considera-

Signatures.

tions (Release 1.0), 2 April 2009.

Copyright r 2010 John Wiley & Sons, Ltd.

Qual Assur J (2010) DOI: 10.1002/qaj