Acceptance of data from clinical trials for decision-making purposes depends on the Regulatory Authorities’ ability to verify the quality and integrity of the data.
As explained in this article, data integrity has become a major priority during regulatory inspections. Deficiencies on the computerised systems used to generate and handle clinical trials data (moving forward referred to as eClinical systems), compromises not only the data integrity but also the data reliability and robustness. GCP applies to all parties involved in the clinical trial conduct including computerised systems vendors.
The software used must be in a validated state. If the use of the software involves configuration/programming for a clinical trial, this must be validated to ensure it is functioning correctly. For example: eCRF (design of entry screen, edit checks, clinical database), IRT (design of randomization and allocation system for IMP for a clinical trial), ePRO (design of entry screens, edit checks, data transfer), statistical package (programming for analysing data).
A considerable number of software applications are provided by, or purchased from, vendors and are customized to different degrees. Observations are raised during GCP inspections regarding the level of validation/qualification needed to be performed by a sponsor when using a system that has already been (or is supposed to have been) validated by the supplier.
The EMA “Notice to sponsors on validation and qualification of computerised systems used in clinical trials” published on the 7th of April 2020 reinforces that:
The EMA notice to sponsors, covers two main aspects: documentation of qualification activities and contractual arrangements with eClinical systems vendors which we will explain in different articles.
This first article focuses on the documentation requirements with regards to the eClinical systems qualification and validation activities and the sponsor role.
The responsibility to ensure the validated state is with the sponsor who is also responsible for providing adequate documented evidence on the validation process.
It is expected that software systems are validated to accepted standards. Principles of computer system validation should also be applied to study specific builds/programs/applications, particularly:
ICH GCP E6(R2), sections 5.2.1 and 5.5.3.a, respectively specify that , “the ultimate responsibility for the quality and integrity of the trial data always resides with the sponsor” and “the sponsor should ensure and document that the electronic data processing system(s) conforms to the sponsors established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e. validation).”
ICH GCP E6(R2), section 1.65 defines validation of computerised systems as “a process of establishing and documenting that the specified requirements of a computerised system can be consistently fulfilled from design until decommissioning of the system or transition to a new system.”
The system in question may be a system validated by the supplier, but installed at the sponsor premises, or a system provided as software-as-a-service (SaaS or cloud solution). If the sponsor is changing/adding functionalities to the system, different requirements would apply.
The validation approach should be based on a risk assessment that takes into consideration the intended use of the system and the potential of the system to affect subjects safety and reliability of trial results. The risk assessment should be justified by the sponsor and documented.
The sponsor requires a high level of confidence that computerized systems will meet their technical, commercial, and regulatory requirements.
The computerized system supplier should build quality and integrity into a software product during development, as it cannot been added effectively (e.g. through testing and rework) later by the sponsor. Suppliers should therefore be assessed to determine the adequacy of their development and support processes, through an in-depth assessment or audit.
The sponsor may rely on qualification documentation provided by the vendor if the qualification activities performed by the vendor have been assessed as adequate
The sponsor could use the knowledge, experience, and qualification documentation of the supplier, providing that the following conditions are met:
In case the sponsor cannot rely on a vendor to provide documentation, the sponsor must requalify the system on the basis of their own and of the vendor’s system requirement specifications.
If the clinical trial is ongoing, this has to be done without delay. If the trial is completed, this should be undertaken prior to the submission of the MAA.
A documented risk assessment needs to be conducted to assess the impact on the integrity of the data captured and held by the computer system that was not in a confirmed qualified/validated state following the retrospective qualification/validation activity.
Depending on the outcome of the requalification, the sponsor may need to change to a new vendor/system. The required migration of previously captured clinical trial data should also be validated.
Findings that are the responsibility of the sponsor will mostly be raised during an inspection for the lack of documentation and inadequate vendor assessment prior to the clinical trial initiation.
Documentation regarding the validation of processes and qualification of systems is considered essential by GCP inspectors and it is normally requested during inspections. This is irrespective of whether the sponsor has contracted out activities related to electronic systems and whether the sponsor choses to consider as an audit the above-mentioned assessment of vendor processes and documentation.
GCP inspectors do not consider the documentation/report of these activities as an audit report that falls under ICH GCP E6(R2), section 5.19.3(d) Auditing Procedures “To preserve the independence and value of the audit function, the regulatory authority(ies) should not routinely request the audit reports. Regulatory authority(ies) may seek access to an audit report on a case by case basis when evidence of serious GCP non-compliance exists, or in the course of legal proceedings”.
Records pertaining to the validation of the software are essential documents and should be retained by the sponsor (or access to them at the computerised system vendor contractually) (see Table 1).
The records demonstrating that the trial specific configuration is in the validated state are essential documents and should be part of the Trial Master File (TMF) (see Table 1).
Sponsors shall be able to provide the GCP inspectors with access to the requested documentation regarding the qualification and validation of computerised systems irrespective of who performed these activities. Failure to provide access to the documentation is likely to result in critical findings that will impact the acceptability of the clinical trial data.
It is not acceptable to use computerised systems in clinical trials for which the validation status is not confirmed or for which appropriate documentation on system validation cannot be made available to GCP inspectors. It is clearly emphasized on the EMA notice to sponsors that this requirements is irrespective of the number of sponsors making use of or having used the systems, the number of years such systems have been on the market etc., as serious GCP non-compliances and risks to data integrity, reliability and robustness could exist unnoticed if auditors and GCP inspectors are not allowed access.
Remember that you can now access our ICH GCP E6 (R2) for Investigators and Clinical Research staff online course below:
👉 JOIN NOW: ICH Good Clinical Practice (GCP) E6 (R2)
Author: Dr Leire Zúñiga, Director and Principal GCP Consultant
PHARMITY, 13th of May 2020