31
PAGES OF THEMED ARTICLES INCLUDING: A SHARED VISION FOR DATA INTEGRITY GDPR IN A GLOBAL PERSPECTIVE THE EU GDPR: PERSONAL DATA INTEGRITY N £250 RQA TR WI AI
EE
S
JANUARY 2019 | ISSN 1463-1768
STAR ARTICLE
CHERS
www.therqa.com
U VO
INFORMING AND ADVANCING OUR MEMBERS
N
G IN
QUASAR #146
P3
FO RD
ETAILS
PLUS RQA ANNUAL CONFERENCE REVIEW P50 RQA'S MARKETING, PUBLICATIONS AND CONFERENCES MANAGER, TONY WARD RETIRES P7
DATA INTEGRITY AND PRIVACY
RQA AWARD P6 TECHNICAL TOOLKIT P48
THE LATEST COURSES, SEMINARS AND FORUMS P59
SAVE THE DATE 3rd European QA Conference 6th-8th November 2019 Dublin
CONTENTS
QUASAR #146
THEMED 8 Enhancing Analytics Capabilities – The Future of Quality Assurance – Welcome to the Roche Data Analytics University Sharon Havenhand, Timothé Menard 12 The EU GDPR: Personal Data Integrity Chris Henderson
20
All published articles are automatically placed into the Star Article Competition giving you the chance to win £250 of RQA training vouchers from each Quasar edition. We welcome articles from both members and non-members.
20 A Shared Vision for Data Integrity Piran Sucindran 24 Electronic Source Records – Friend or Foe? Maxim Bunimovich, Katarina Eghan, Marina Freiberga, Matthew Jones 30 GDPR in a Global Perspective Alan Yeomans 36 Maintaining Data Integrity when Consolidating Regulatory and Clinical Information Patricia Santos-Serrao
STAR ARTICLE
SUBMITTING AN ARTICLE
NON THEMED 40 Quality Culture in the Pharmaceutical Industry – Awareness and Assessment in Clinical Research, Compared with Manufacturing Henrieke de Bie
REGULARS
If you would like to submit an article on any of the future themes or for a topic you feel would be of interest, please contact the editor: editor@therqa.com Visit www.therqa.com for guidelines on article submission.
4 Welcome
NEXT EDITION APRIL 2019
52 Keeping You Posted – Regulations and Guidelines GLP, GCP, GMP
IMPACT
48 Technical Toolkit Embracing Technology to Ensure Quality in Organisations Which Both Sponsor and Host Research
59 Calendar
Quasar is published four times a year and articles can be submitted to Quasar at anytime. If you are interested, please email editor@therqa.com. The final copy deadlines are as follows: Final copy date 11th February 2019
Publication 1st April 2019
13th May 2019
1st July 2019
12th August 2019
1st October 2019
11th November 2019
1st January 2020
Whilst every effort is made to produce and distribute Quasar as early in the month as possible, no guarantee can be given to publish on the first day of the month.
To connect with the RQA just follow these links: LinkedIn https://uk.linkedin.com/company/rqa
This publication is a service offered by RQA to its members and RQA cannot and does not guarantee that the information is complete.
Facebook www.facebook.com/researchqualityassociation
RQA shall not be responsible for any errors or omissions contained in this publication and reserves the right to make changes without notice.
Twitter https://twitter.com/The_RQA
The information provided by third parties is provided ‘as is’ and RQA assumes no responsibility for the content.
YouTube www.youtube.com/user/researchqualityass
In no way is RQA liable for any damages whatsoever and in particular RQA shall not be liable for special, indirect, consequential or incidental damages or damages for lost profits, loss of revenue arising out of any information contained in this publication.
Google+ https://plus.google.com/+Therqa1 Vimeo https://vimeo.com/therqa/videos
JANUARY 2019 | QUASAR | 3
WELCOME Hello all, Welcome to Quasar edition 146 and my first welcome to you as RQA Chair. Firstly, I can’t believe that I’ve been on the board for nearly a year now. This past year has been spent really trying to get to grips with how the association operates and how we, as a board support you, the members. I can’t say I fully understand yet how it is all supposed to work, but Anthony and Vanessa try their best to keep me on the straight and narrow.
STAR ARTICLE #145 WINNER Congratulations to Jane Wood for her article ‘Audits, a Brave New World, Time for a Refresh? Helping the World Love Clinical Quality’ Vote for your favourite article from this edition by visiting www.therqa.com/resources/ quasar/star-article
Kath Williams chairman@therqa.com
01480 892016 4 | QUASAR | JANUARY 2019
What has really impressed me is how hard those members actively supporting the Association are working to deliver quality products which help to develop us as quality professionals. It was you who made the Annual Conference in Manchester such a great success too. So, my special thanks to the committees, volunteer programme, course principals and tutors, Quasar team and of course, the RQA office for all your hard work this last year.
We value your input in how we can make things better. So, my challenge to you this year is to ‘step up and make it happen’. If anyone is interested in this initiative, please reach out to the office or you can contact me directly. Finally, to all of you, happy 2019 and please… ‘step up and make it happen’. Regards Kath
MEMBERSHIP RENEWALS ARE DUE ON 1ST JANUARY 2019
I’d like to thank Vanessa for her patience and understanding as Chair in helping a numpty like me get to grips with everything. I will continue to rely on your support and expertise over the next year. For 2019, I’d like to encourage all those active members to keep up the great work, but we would like to see others step forward and really help us to move the association in the right direction. There are many new areas of expertise to explore, get to grips with and advise on. Don’t forget, we also have the European Conference in Dublin to look forward to, so plenty of opportunities to get involved. In addition, our business models within our own organisations are constantly changing, be it due to Brexit or purely good (or bad) business reasons. This means we, as quality professionals need to be able to adapt to these constant changes. The Board has recognised the need to have a sense check on whether we continue to meet our members’ needs or whether we need a change in direction. We can’t do that without your input and support. The membership satisfaction survey is of course a valuable tool in getting feedback from you, but we also wanted to run some focus groups in 2019 to really work through and understand what you think we do well, and not so well, to support you as quality professionals (there is always room for improvement).
It is quick and easy to renew, just log in to your account on the RQA website and you will see instructions on how to complete your renewal. Did you know there are £250 worth of free products available to members? Including five publications, 17 webcasts, five eLearning courses, previous conference presentations and posters and more. To renew go to: www.therqa.com/accounts/my-account
BOARD UPDATE
RQA ANNUAL GENERAL MEETING 2018 The RQA has a duty to hold an Annual General Meeting (AGM) at least every 15 months. All RQA members have the right to vote on each AGM resolution.
the actions required to maintain financial health, highlighting ways in which RQA members can support the Association, such as developing learning material and publications through the Volunteer Programme.
By formal ballot, the revised Articles of Association were adopted with a majority of 93% (a majority of 75% is required).
Vanessa Grant, the RQA Chair of the Board, opened the meeting by welcoming all present – around 75 members.
Tracy Gilbert, the Board member with oversight of global engagement, updated the meeting on RQA collaboration activity, including the discussions and actions arising from the International QA Society Dinner in November 2017.
On a show of hands, along with 22 postal votes in favour, the minutes of the previous AGM were accepted by the meeting.
On a show of hands, along with 22 postal votes in favour, the Annual Report was adopted by the meeting.
With heartfelt sadness, the Association had announced the passing of Nicky Dodsworth earlier in the year. Nicky died after a short battle with cancer. She was an ambassador for the profession, but she will be best remembered for being an immensely likeable person.
The Chair then presented the Annual Report of the Board highlighting key activities within the year, such as the Global QA Conference. Since the Chair’s term of office draws to a close at the end of the year, Vanessa thanked Board members, Committee members, volunteers and the RQA office for their support.
On a show of hands, along with 21 postal votes in favour (one against), the Statutory Accounts were adopted by the meeting.
Roger Cope, the RQA Treasurer, presented the Financial Report including details of Association income, expenditure and the Statutory Accounts. The Treasurer explained the drop in reserves and
Since the changes to the Articles requires a Special Resolution, the Chair called for a formal ballot of members. Ballot papers were distributed to all the AGM attendees present who hadn’t voted previously. The completed papers were collected, collated and counted.
The 2018 AGM was held on the 31st October and there were four resolutions: • To accept the minutes of the previous AGM • To adopt the Annual Report of the Board • To adopt the Statutory Accounts • To adopt the revised Articles of Association.
The Chair went on to explain the changes to the Articles of Association – to increase the number of Board members by two and to commence the Board member Term of Office on 1st January following the AGM.
The Chair thanked the members for voting, before moving on to the Formal Notices and Announcements.
The next announcement was the resignation of a Board member – Louise Mawer. In presenting Louise with a set of crystal glasses, the Chair thanked Louise for her commitment, enthusiasm and approach to her Board responsibilities and to the challenges faced by the Association. The Chair confirmed that Louise will continue to support the RQA in various working parties and initiatives. After presenting the RQA Award, the Chair again thanked everyone for attending and closed the meeting. The revised Articles and the details and outcome of the Special Resolution will now be filed with Companies House for processing and approval.
JANUARY 2019 | QUASAR | 5
RQA AWARD Sameera Thanathparambil
CONGRATULATIONS Once again, the RQA Award had generated lots of lively debate at Board meetings. For 2018, the RQA Award went to two worthy recipients: • Allison Jack for her countless long-term and valuable contributions to the Association, especially her work with the PV Committee
Allison Jack
• Sameera Thanathparambil for her boundless energy and infectious enthusiasm, especially relating to GCP Committee liaison, support for the forthcoming India Regional Forum event and leadership of the award-winning RQA Volunteer Programme.
HONOURARY MEMBERSHIPS RQA Honourary Life Memberships were presented to our keynote speakers, Fergus Walsh and Simon Gillespie at the 2018 Annual Conference.
Simon Gillespie
6 | QUASAR | JANUARY 2019
Fergus Walsh
TONY WARD RETIRES Tony, RQA’s Manager (Marketing, Publications and Conferences) retired from the RQA at the end of 2018 after over 13 years with the Association (although he will tell you it was over 15!).
13
15
YEARS WITH THE ASSOCIATION (OR IS IT 15?)
CONFERENCES AND SEMINARS During his time with the RQA, Tony has literally worked tirelessly to ensure the smooth running of over 15 conferences, including the RQA annual conferences and also the European QA and Global QA Conferences hosted in the UK by the RQA. He has been the driving force of all the behind the scenes work that is involved in ensuring the conferences have been successful, as well as steering and assisting the Programme Committees where necessary. Each piece of marketing, delegate brochure, delegate handbook, printing of posters, conference flyers, banners (and the list could go on and on) was orchestrated by Tony. Every conference takes a year of preparation and both the office staff, Board and Committees are indebted to his hard work in pulling each one together. Tony has also managed, attended and arranged many one-day seminars over the years. As each seminar is ad-hoc, each one is different and has unique requirements which have not always been easy to arrange, but he has always ensured speakers’ requests are met and assisted in every way he can.
CONFERENCES SUCCESSFULLY ORGANISED
PUBLICATIONS
MARKETING
Tony has put together and managed over 50 editions of Quasar magazine, liaising with the then Publications Committee and now Quasar Group, to ensure each edition was fresh, full of themed and non-themed articles and updates and ensuring that the look and feel has been constantly updated in keeping with the times. Alongside Quasar, Tony has also managed the production of too many prospectus’ to count, taken the website from strength to strength and produced all the booklets in the RQA collection.
Another one of Tony’s roles has been to attend and exhibit at other QA society conferences globally, including both the SQA in the USA and JSQA in Japan. He has also exhibited at many other organisations, such as the NHS R&D Forum and ASPIRE Edge Conference, marketing and promoting the RQA as both a membership association and in selling our professional development offerings. Any advertisements placed in magazines, such as International Clinical Trials Magazine, have been produced and arranged by Tony, further pushing the RQA to outside organisations.
50
EDITIONS OF QUASAR MANAGED
As well as all this, Tony has been a regular contributor to the Board, Management Committee and the Association Strategy for many years. On a personal note, on behalf of all the office staff, Board and Committees, Tony will be missed for his no-nonsense approach to pretty much everything, his constant hard work and determination in making the RQA the Association it is today and his ‘sometimes’ hilarious sense of humour! Thankfully for us, Tony will be continuing to help plan and develop the European QA Conference in Dublin in a consultancy role, so although he is retiring from the Association, many of you will still get the chance to see him in Dublin. JANUARY 2019 | QUASAR | 7
THEMED
Sharon Havenhand
Timothé Menard
ENHANCING ANALYTICS CAPABILITIES – THE FUTURE OF QUALITY ASSURANCE WELCOME TO THE ROCHE DATA ANALYTICS UNIVERSITY For the last 25 years, the ‘traditional’ approach for clinical quality assurance has been to heavily rely on audits to detect compliance risks in the Good Clinical Practice (GCP) and Good Pharmacovigilance Practice (GVP) space, requiring a high level of effort and global travel by quality assurance professionals. This impacts upon the work-life balance of the quality assurance professional and has an ecological impact due to the high volume of global travel required to fulfil the audit schedule. It also puts the investment on the issue detection activities instead of the solution activities. 8 | QUASAR | JANUARY JANUARY2019 2019
D
espite increasing the number and improving the quality of audits, reoccurring issues have left stakeholders spending considerable time focusing on addressing those, with pharmaceutical companies continuously facing Health Authority inspection findings. There is a real need for a holistic and real-time solution for both detecting issues early on and predicting recurrent issues. As clinical studies become increasingly complex and investigator site numbers increase, simply doing more audits is not a realistic option without considerable investment. There would still be an imbalance between the number of entities we had to audit versus actual auditing resources. At Roche we have experimented with advanced analytics to try to answer this predicament. The use of advanced analytics brings a huge opportunity to leverage data and for quality activities to be targeted and truly risk-based. Wouldn’t it be great if we could predict quality issues instead of waiting for an audit to detect them? Could we also predict issues before they happen and then provide solutions upfront? Roche Pharmaceutical Development (PD) Quality are challenging the traditional quality approach of ‘manual’ audits that subjectively detect and confirm issues, often a long time after they have occurred, and replacing them with a proactive, ‘quality solution’ approach.
QUASAR THEMED #142 This advanced analytics effort started in early 2017 with a Proof of Concept (PoC) – see figure 1. The successful results of the PoC for predicting quality outcomes demonstrated the feasibility of the ‘advanced analytics-driven quality assurance’ model. Moving forward, audits could be undertaken with a more focused, data-driven approach and quality issues could be predicted and even prevented from occurring. Advanced analytics is now a fundamental pillar in Roche’s PD Quality strategy and vision – see figure 2 (overleaf ). In order for this transformation to happen, Roche PD Quality needed to build and embed advanced analytics capabilities within its staff. A PD Quality Analytics Team was established in January 2018. The team is led by Timothé Menard and currently consists of two Data Scientists, Yves Barmaz, PhD and Bjoern Koneswarakantha, PhD who bring strong expertise in data management, statistical visualisation and machine learning. One of the main areas of focus for them was to promote a culture where our clinical quality assurance experts can speak a common language with our data scientists, helping them focus on leveraging data in their day to day work. Although our clinical quality assurance experts bring a unique set of skills, ‘data literacy’ is becoming a necessary core capability for the quality assurance professional of the future. There was clearly a data analytics development gap to be addressed, the need to create an in-house training programme that provides a framework for clinical quality staff to develop their analytics
capabilities and increase their confidence in using data-driven approaches and solutions. During the initial discussions, we recognised the need to develop a long-term, practical and engaging training programme. The training programme had to stand out, be impactful and fully deliver its objectives. Out of those key elements and requirements, the concept of the Data Analytics University was founded.
DATA ANALYTICS UNIVERSITY CONCEPT The Data Analytics University consists of two distinct pathways, the Freshman level, to obtain the Data Basics Certificate and the Graduate level, to ‘graduate’ from the university, in the same way you would from a real university. Under the university theme, the students were sent an enrolment acceptance letter, confirming their place at the Data Analytics University and allocated optional summer homework assignments ahead of the classroom training to practice their analytic capabilities and improve their knowledge. This generated a tangible buzz and excitement in Roche PD Quality ahead of the training programme rollout. The Data Analytics University learning pathway – see Figure 3 (overleaf ), outlines the classes required to be undertaken for the Freshman and Graduate Pathways. These are short classes of about 1.5 to 2 hours which are delivered face to face by the PD Quality Analytics Team.
FIGURE 1. PROOF OF CONCEPT (POC)
© Copyright
JANUARY 2019 | QUASAR | 9
THEMED FIGURE 2. ROCHE PD QUALITY ADVANCED ANALYTICS
© Copyright
The Freshman Pathway consists of four classes, briefly outlined below: Demystifying data – the basics – This class is designed to cut through the 'data' jargon, explain data terminology and give students a high level overview and introduction to the world of data. ‘Naked’ statistics for data analysis – Students learn methods to get a sense of their data – plus some basic statistics they can perform on their data sets. Time to play (with data) – Students are asked to solve a GCP problem (safety reporting) using a simplified but real study data set. How data might fool you – The objective of this course is to develop students' critical judgement when it comes to data, statistics and visualisation. After undertaking the Freshman Pathway, students can apply to enroll on the Graduate Pathway with the prerequisite to demonstrate their learning by submitting examples of how they have used data-driven approaches and solutions to help them in their current position. Evidence of this will be assessed by the PD Quality Analytics Team and then students who meet the prerequisite criteria will be invited to join the Graduate Pathway course. The Graduate Pathway consists of three classes, briefly outlined below: Advanced strategies for data analytics – Students are taught advanced approaches to deal with more complex data sets. They can use their preferred tool to interpret the data, for example by using Excel, Tableau or even a statistical programming language, such as R.
10 | QUASAR | JANUARY 2019
Data visualisation – Students will focus on advanced visualisation for exploratory data analysis, going beyond bar and pie charts. Students will also learn how to present results using visualisation. GxP problem solving (with data!) – Students will propose a problem they identified within their area of expertise, for example in GCP or GVP. They will have to collect the relevant data and solve the problem using what they have learned in previous classes. They will be asked to share their analysis with the student community, for example by posting a video tutorial. As experts in the field, the content for the Data Analytics University classes was provided by Yves Barmaz and Bjoern Koneswarakantha. In order to engage the audience, real life scenarios were used so that the students could relate what they were learning to their everyday work. Interactive tools such as PollEverywhere allowed the trainers to periodically check students’ learning and understanding throughout the classes and address any questions they might have. The content was delivered using a mixture of slides, opportunities to pause for show and tell and interactive polls. At the end of the Freshman pathway the students were required to demonstrate their knowledge and understanding by sitting an exam, which they had to pass in order to collect their certificate in data basics.
INITIAL RESULTS AND RECEPTION The first wave of the Data Analytics University Freshman training was delivered by the PD Quality Analytics Team across three sites; Welwyn, Basel and San Francisco, with 95 potential students overall. So far we have trained 55 students with a view to have trained the remainder by the first quarter of 2019. Initial results from the feedback survey have been extremely positive and indicate that the training has been well received. 83% of students said that their analytical capabilities had either improved or greatly improved following the training. In addition, 88% of students reported that they would be able to apply what they have learnt to their role. One student fed back ‘it's probably the best designed training of any that I've ever attended in my career. The interactive nature, the interesting clips and the examples/exercises kept the learners' attention throughout’.
CONCLUSION As a result of the successful delivery of the Data Analytics University Freshman pathway, the PD Quality Analytics Team are preparing to expand this course to other departments within Roche PD Quality and also roll out the Graduate pathway training in 2019. The Data Analytics University is also a starting point for constant learning and development in the analytics space. New sets of data exercises and tutorials will be created (by teachers and students) and a section on the PD Quality data analytics website is available for the staff to practice and learn, beyond the remit of the Data Analytics University.
THEMED ACKNOWLEDGEMENTS
FIGURE 3. DATA ANALYTICS UNIVERSITY LEARNING PATHWAY
Freshman
© Copyright
Start
Sharon and Tim would like to acknowledge and recognise the following people for their key contribution and input to the development of the Data Analytics University: Yves Barmaz, PhD and Bjoern Koneswarakantha, PhD. They are both data scientists part of PD Quality Analytics at Roche. Additional contributors to the Data Analytics University: Richard Bowling, Principal GxP Auditor and Cesare Di Leo, Senior GxP Auditor.
PROFILES Demystifying Data – The Basics
'Naked' statistics for data analysis Time to play (with data)
How Data might fool you Certified in Data Basics
Graduate
Advanced strategies for data analysis
Data Visualisation GxP problem solving (with data!!) Graduate from Data Analytics University
End
Having an engaging and fit for purpose training programme focusing on embedding our analytics capabilities has now become an accepted and essential component of the Roche PD Quality transformation. The PoC and other prototypes which focused on the GCP/GVP spaces are now being fine-tuned and will be deployed during the course of 2019. These advanced analytics tools can be fully leveraged by the quality assurance professionals by using their new analytics skills obtained from the Data Analytics University.
Sharon is currently a Process and Training Lead at Roche, responsible for the learning and development strategy for her function. She has been working in the pharmaceutical industry since 2006, holding a variety of positions in Quality Assurance from Lead International Clinical Auditor to Quality Assurance Specialist, gaining extensive experience across the GxP disciplines. Her main areas of specialty and passion lie in process improvement methodologies and in learning and development. Sharon is trained as a Certified Lean Six Sigma Yellow Belt and an Accredited Advanced Professional Trainer. Timothé is a PharmD with a specialisation in pharmaceutical medicine. He started his industry career in 2009 in Pharmacovigilance (PV) and had different roles in PV (operational and strategic) that brought him to live in various parts of the world (Switzerland, Singapore and Germany). He joined Roche as a Clinical Auditor in 2015 and dived into the ‘magic world of analytics’ somewhere in 2017. He has been leading the PD Quality Analytics Team at Roche since January 2018. From simple analytics methods to machine learning, his team is creating and implementing data-driven solutions that help understand, early detect or predict clinical quality issues.
Roche PD Quality are moving towards becoming the leading clinical quality organisation who can detect, predict or even prevent issues from occurring, which the authors see as the future of quality assurance. Disclaimer: All opinions expressed are those of the authors and do not necessarily represent those of Roche.
JANUARY 2019 | QUASAR | 11
THEMED
Chris Henderson
THE EU GDPR: PERSONAL DATA INTEGRITY By now you are probably well-versed in the principles and guidance of establishing and maintaining the integrity of GxP data. The MHRA Guidance set out in March 20181 was welcomed and provides clear, black and white guidance more recognisable in the non-clinical arena to a previously grey landscape more applicable to clinical trials. Whereas this guidance was welcomed and embraced, the European Union regulation following closely on its heels regarding safeguarding personal data was not so and threw many firms in the industry into a somewhat familiar ‘What the…’ ‘Where did that come from?’ ‘What do we do!?’ situation. Welcome to the EU General Data Protection Regulation (2016/679)2 and repeal of Directive 95/46/EC – the GDPR, which was implemented within the EU on 25th May 2018.
12 | QUASAR | JANUARY JANUARY2019 2019
QUASAR THEMED #142 We as GCP and GVP auditors by definition process ‘confidential patient information’ (National Health Service Act 2006), bound by the GDPR, of which health records may be seen as sensitive. In addition, throughout our audits we process CVs, training records and other personal records of the people we interview. By their nature, the observations documented in an audit report have the potential to adversely affect an individual’s performance assessment. Therefore we have a serious obligation to process personal data responsibly.
R
eiterating the ‘What the…?’, the signs had been out there. 2012 marked the commencement of four years of deliberation, resulting in the GDPR being officially adopted by the EU in 2016. The regulation gave companies a two-year runway to get compliant, which was theoretically plenty of time to get shipshape. The reality was messier, like audit reports and tax returns, there are some who get it done early, and then there’s the rest of us. Hopefully this article will be helpful to those in the latter cohort. To where it came from, a change was required, like the revision to ICH E6 in that the guidance was no longer current with today’s environment. The now superseded EU Data Protection Directive 95/46/EC was adopted only just after the invention of the World Wide Web in 1990 and prior to the mainstream use of the internet. The amount of personal data available has multiplied exponentially with global reach. Rapid technological advances in biometric data, such as retina recognition, facial imagery and dactyloscopic data had not been developed 20 years ago, and DNA testing is now available to purchase as test kits on the internet with far-reaching consequences. Finally, the universal cry of ‘What do we do…?’ echoes, and as all good Brits we don’t panic, do we?! The good news is that we really don’t need to, it is just data after all, only a bit more personal insofar as it belongs to us and not a third party individual – and that the MHRA have already provided us with the risk-based governances we need to manage it appropriately. Yes, we do need to supplement the MHRA guidance, much as GLP bioanalysis guidance needs to be supplemented to appropriately handle GCP data, Table 1 (overleaf ) has a few suggestions how. And in the wise words of David Hutchison3, there is no substitution for reading and absorbing the requirements of the regulation itself, to check any processes
THE PRINCIPLES and procedures against the regulation and to seek appropriate legal advice prior to making any organisational policies. Why is personal data so different from GxP data that it needs further safeguarding? Under the GDPR, personal data is information which can be used to identify a person (the ‘data subject’), some categories or combinations of which have the potential to cause harm to the rights and/or welfare of that person. Knowing someones name in isolation is unlikely to harm an individual (there are many John Smiths in the world), but if you know their name and their address/phone number/ online identifiers/factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, a person with malicious intent could physically harm or damage the reputation and well-being (physical, mental and financial) of that person. We are all too familiar with the recent spate of data breaches, starting with the Facebook/Cambridge Analytica outrage early in 2018 when a security bug allowed hackers to access information from around 50 million accounts. Further breaches of security have led to bank account details being fraudulently accessed and personal health records leaked to the public. There are special or ‘sensitive’ categories of personal data which carry further risk to the individual and under the GDPR these are defined as those which reveal racial or ethnic origin, political opinions/affiliation, religious or philosophical beliefs, trade union membership, processing genetic and biometric data for the purpose of uniquely identifying an individual, and data concerning health, sex life or sexual orientation. Breaches of sensitive data have the potential to destroy an individual’s livelihood and well-being. Therefore it is of paramount importance that personal data is safeguarded appropriately and the GDPR provides a framework to do this.
Any regulation worth its salt is underpinned by principles and the GDPR is no exception. As the Declaration of Helsinki is the cornerstone to ICH GCP, the seven key principles which should lie at the heart of your approach to processing personal data are as follows (GDPR Article 5): • Lawfulness, fairness and transparency Personal data should only be processed if there is a legal reason (a ‘lawful basis’) for doing so and the processing should be done fairly and be transparent to the individual. There are six lawful bases for processing data in the EU4. Transparency involves the preparation of data processing records which document the full use of each item of personal data. These records must be retained and available to the data subject • Purpose limitation Personal data shall only be collected for specified, explicit and legitimate purposes and all further processing will be bound by the same requirements and not considered incompatible with the initial purposes • Data minimisation Data collection will be limited to what is necessary for the predefined purpose • Accuracy Personal data will remain accurate and current; inaccurate or superseded data should be erased or rectified without delay • Storage limitation Retained for no longer than is necessary for the purposes for which the personal data are processed • Integrity and confidentiality (security) Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage • Accountability Take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.
JANUARY 2019 | QUASAR | 13
THEMED TABLE 1.
DEFINITION
WHO/WHAT
RESPONSIBILITIES
Regulator
EU Data Protection Board (EUDPB) is an independent body based in Brussels. The EUDPB is composed of the heads of the Supervisory Authorities (SA) in each member state.
To ensure the consistent application of the GDPR in the EU.
An independent public authority established in an EU member state.
To uphold the GDPR in their member state.
https://edpb.europa.eu/role-edpb_en GDPR Chapter VII Section 3
Supervisory Authority GDPR Chapter VI
Data Subject GDPR Chapter III Article 4 (1)
The Information Commissioner’s Office (ICO) is the SA in the UK. https://ico.org.uk/
An identified or identifiable living natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (the personal data).
• Understand your rights and how to implement them • Ensure you are fully informed of what will happen to your personal data (request records of processing) before you provide it.
A data subject is you, your employer, your colleague, client, service provider…
Data Controller GDPR Chapter IV Article 4 (7)
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Data controllers can be: • A n employer as controller of its employees’ personal data • The sponsor as controller of study data.
• To determine the purposes and means of the processing of personal data • Define the lawful bases for processing • Establish means to obtain consent • Establish intercompany data processing agreements for global companies with EU offices • Prepare appropriate contracts for EU-EU data processors and EU-non EU data processors, based on the EU Model Clauses for the latter and including Data Processing Agreements • Establish data processing records and maintain them • Provide data transparency information to the data subjects (Article 13) • Facilitate the data subject rights (Article 12) • Provide information on subject access requests within 30 days (Article 12) • Only choose processors that comply with the GDPR.
14 | QUASAR | JANUARY 2019
THEMED
TASKS
COMMENTS
The SAs are responsible for raising awareness about data protection obligations. They are authorised to investigate, detect, take action and levy fines against both data controllers and processors for breaches of the regulation.
• Fines can be up to 20 million Euros or 4% of group worldwide turnover (whichever is greater) against both data controllers and data processors
• P rovide consent to the controller (your employer) for them to process your data. Normally this will be embedded in your contract
• A natural person is a real living human being, a person with a distinct personality. Generally they have the power to think their own thoughts and make their own choices. This is in comparison with a legal person – a being, real or imaginary, created by the law, or which the law regards as capable of certain rights or duties
• E nsure the data you provide is maintained complete, accurate and up to date. Make periodic checks to ensure it is complete and up to date
• The Data Protection Act 2018 only takes action against the data controller with a maximum fine of £500,000 • It’s not surprising that Facebook did their investigation prior to the GDPR. They were fined the maximum of £500,000 which could have been $1.63 billion under the GDPR.
• The GDPR ceases to be applicable after the death of the data subject
• P rovide updates to HR as they occur, i.e. change of contact details, name, new phone, house move
• The GDPR may apply to pseudonymised data, but never to anonymised data
• A ttend and document periodic GDPR training
• A data subject has the following rights (Articles 15-20):
• U phold the security of your electronic data through compliant use of passwords and systems
- The right to be informed
• D o not disclose any third party data without prior consent
- The right to rectification
• Report data breaches without delay • D ouble check email recipients before you click ‘send’. This is the most common data breach! Know what to do if or rather when, it happens.
- The right of access - The right to erasure - The right to restrict processing - The right to data portability - The right to object - Rights in relation to automated decision making and profiling - The right to lodge a complaint with a SA.
Corporate Governance • E mbed data protection as integral to company culture • Appoint a Data Protection Officer (DPO) • P repare a Data Protection Impact Assessment (DPIA) • P repare a data protection policy and procedures, including how to identify and report a data breach and how to respond to subject access requests. Make the policy public • P rovide induction and periodic refresher training, including data subjects’ rights and responsibilities, and how to identify and report a breach • A udit contractors for GDPR compliance • P rovide guidance for processors regarding return or deletion of personal data on completion of contract.
• Six months on from its implementation, the biggest mistake companies are making is not taking the GDPR sufficiently seriously • Consent should be obtained in a clear, affirmative act freely given, specific and informed. Consent should be obtained for each purpose and new consent is required for new purposes and new data (Article 7) • Records of Processing (Article 30) document what personal data your organisation holds and where, what happens to it in terms of processing and how long it is retained for. Templates and guidance are available on the ICO website • Companies in France have experienced a 64% increase in complaints since last year and regulators may look more favourably on a company with a DPO • The DPO should have a legal background, be familiar with IT and security, be independent of processing (i.e. not HR) and ideally speak one other EU language as well as English. The DPO should periodically provide reports to senior management • DPIA is a risk management tool aimed to identify and minimise the data protection risks of new projects and an integral part of the ‘data protection by default and by design’ approach.
JANUARY 2019 | QUASAR | 15
THEMED DEFINITION
WHO/WHAT
RESPONSIBILITIES
Data Controller
Clinical Trials
GDPR Chapter IV
• GDPR Guidance for researchers and study coordinators (limited impact): www.hra. nhs.uk/planning-and-improving-research/ policies-standards-legislation/data-protection-and-information-governance/ gdpr-guidance
Article 4 (7)
• Prepare the clinical protocol, CRF, questionnaires, surveys, databases or other tools relating to identified or identifiable living individuals in accordance with the GDPR • Produce a DPIA • If also holding processor responsibilities, perform in compliance.
Data Processor GDPR Chapter IV Article 4 (8)
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Data processors may be a CRO, vendor, independent contractor, sub-contractor, investigator site, auditor, etc.
Data Breach GDPR Articles 4 (12), 33, 34
16 | QUASAR | JANUARY 2019
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
To process personal data on behalf of the controller in a manner compliant with the GDPR. To process personal data on behalf of the controller in a manner compliant with the GDPR.
• Data breaches must be reported to the ICO/SA if it is likely to result in a risk to the rights and freedoms of individuals • Reports must be made no later than 72 hours after you become aware of the breach.
THEMED TASKS
COMMENTS
Clinical Trials
• Clinical Trial laws provide the legal basis for retaining research data and will override applicable GDPR rights of data subjects
• D efine the lawful basis for processing personal data • O btain personal data consent in addition to clinical research consent, re-consent of existing participants prior to 25th May 2018 is not required.
• For universities, NHS organisations, Research Council institutes or other public authority, the lawful basis for processing should be a ‘task in the public interest’ • For commercial companies and charitable research organisations the processing of personal data for research should be undertaken within ‘legitimate interests’ • Same for paediatric research • Subjects should be allowed to consent to certain areas of research or research projects, as the purpose of data processing cannot always be determined at the time of data collection • While participants are taking part in the study, the sponsor’s monitor may have access to the randomisation code or to personal data (medical records and source data/documents etc.) and is therefore processing personal data. The requirements for a data processor must therefore also be upheld • Documented evidence of personal data consent will probably need to be kept in the TMF.
• P erform all data processing services under a legally binding contract with the controller
• It would be advantageous to obtain independent compliance certifications to reassure their controllers (clients)
• M aintain adequate IT security
• Care needs to be taken by the investigator sites transferring medical records in electronic form. Transfer of personal data from sites to CRO/ sponsor outside the EU is prohibited unless GDPR is complied with by the adoption of further safeguards
• W ill not subcontract audit activities unless the controller gives prior written authorisation • R eport data breaches • M aintain records of data processing activities • C omply with EU trans-border data transfer rules • D elete or return all personal data at the end of the provision of services at the controller’s choice. Delete existing copies (including backups) unless EU law requires storage of personal data • C omply with audits and other inspections carried out by the controller in order to verify compliance with the GDPR and contract • Provide an appropriate level of liability insurance.
• I f the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay • Y ou should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals • K eep records of all personal data breaches, regardless of whether they are required to be notified to the SA.
• Audits - D uring audits, we process for example staff CVs and training records, job descriptions and recorded tasks/responsibilities, and trial subject sensitive personal data - A uditors are reminded not to write down patient/trial subject names in their auditor notes - Auditor notes should be confidentially destroyed at audit close - A udit reports should be written such that personal identifiers such as names, addresses and contact information may be deleted from the report at the controller’s request - A uditors should remain vigilant for data breaches and report them to the controller/sponsor without delay if suspected or observed.
Examples of data breaches: • Loss or theft of data or equipment on which data is stored • Access by an unauthorised third party • Sending personal data to an incorrect recipient • Alteration of personal data without permission • Loss of availability of personal data, such as equipment failure • Unforeseen circumstances, such as a fire or flood • Hacking attack • ‘Blagging’ offences where information is obtained by deceit.
JANUARY 2019 | QUASAR | 17
THEMED
18 | QUASAR | JANUARY 2019
THEMED THE IMPLICATIONS OF A NO-DEAL BREXIT With speculation growing about the possibility of no formal agreement being reached during Brexit negotiations between the UK and the EU, it would be wise to consider the implications on the GDPR5. There would be no immediate change in the UK’s own data protection standards because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it. However the legal framework would change regarding transfer of data between the UK and the EU, and the UK would become a third country with respect to the GDPR. If you want to continue receiving personal data from organisations established in the EU (including data centres), then in most cases the alternative legal basis would be ‘contractual’ by utilising the ‘model data protection clauses’ (template contracts) available on the internet that have been approved by the European Commission and enable the free flow of personal data. This would be the case until an assessment of adequacy (an ‘adequacy decision’) could be made by the EC. If successful, the adequacy decision would allow the transfer of personal data to the UK without restrictions. The EC has not yet indicated a timetable for an assessment and have stated that the decision on adequacy cannot be taken until the UK has left the EU. If your company has not already begun, it could be prudent to perform a review of your current contracts by location and draw up a plan of what would need to be changed, how and to what cost in the eventuality of a no-deal.
NEXT STEPS FOR THE GDPR – AI AND THE EPR Artificial Intelligence (AI) is making its way to the forefront of our work, personal and home lives, including cloud-based virtual assistants such as Alexa and Siri, capturing our everyday choices and preferences. In healthcare, AI is already being used to detect diseases and through online tools, capture personal data to increase the ability for healthcare professionals to better understand the day-to-day patterns and needs of their patients. But according to the Guardian, ‘but for all the promise of an AI revolution, there are mounting social, ethical and political concerns about the technology being developed without sufficient oversight from regulators, legislators and governments’. This includes data protection and the next steps are to navigate data protection through this ever-increasing volume of data.
In January 2017, the EC proposed a new ePrivacy Regulation (the ePR), a Regulation on Privacy and Electronic Communications. Its full name is ‘Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)’ – including the UK’s PECR (Privacy and Electronic Communications (EU Directive) Regulations 2003). The ePR will align with and supplement the GDPR. The PECR set out the rules on: • Electronic communications, including marketing emails, faxes, texts and phone calls • The use of cookies that track website visitors’ information • The security of public electronic communications services
REFERENCES 1. The MHRA ‘GxP’ Data Integrity Guidance and Definitions, March 2018 2. General Data Protection Regulation (No. 679/2016, the GDPR) 3. A Guide to European Data Protection, Lisbethe Tofte Hemmingsen, Professor David Hutchinson, Canary Ltd, 2018 4. GDPR Article 6: Processing shall be lawful only if at least one of the following applies: a. The data subject has given consent (in the UK this is not permitted for research purposes) b. To perform a contract c. Compliance with a legal obligation to which the controller is subject d. To protect the vital interests of the data subject e. Performance of a task carried out in the public interest f. The legitimate interests pursued by the controller, except where the data subject requires protection of personal data, e.g. a child. 5. Data protection if there’s no Brexit deal (GOV.UK Published 13 Sept 2018)
PROFILE
• The privacy of end users. If you market by phone, email, text or fax, use cookies or compile public directories, the PECR currently applies. The ePR is broader in scope and aims to ensure privacy in all electronic communications – including over-the-top service providers such as instant messaging apps and Voice over Internet Protocol (VoIP) platforms, and machine-to-machine communications such as the Internet of Things (IoT). The ePR has the same territorial scope as the GDPR, carries an identical penalty regime for non-compliance and was also intended to come into effect on 25th May 2018. However, there have been delays and it is likely to come into force in 2019, but Brexit is expected to bring complications.
Chris is a Quality Assurance professional with over 20 years of diverse global QA experience across non-clinical and clinical trials. She is currently seeking her next challenge after leaving ADAMAS Consulting where she held the positions of Director, Quality & Risk and Data Protection Representative, after managing their successful GDPR implementation. Chris is a former member of the RQA Board, an RQA MSc tutor, former Chair and current organising group member of the RQA West & Wales Regional Forum.
COLD CALLERS To end on an empowered note, you now have the tools to manage unwelcome cold callers. When you pick up the phone and are asked to confirm your name/ any personal data, you can enquire which company they represent and if you don’t remember having given consent to their processing your data (they already have your name and contact number from somewhere) you can reply that what they are doing is illegal with regard to data protection laws. Hopefully they will immediately put down the phone and won’t bother you again!
JANUARY 2019 | QUASAR | 19
THEMED
Piran Sucindran
A SHARED VISION FOR DATA INTEGRITY Hot or Not? Data integrity is the ‘hot topic’ this year! Actually, it was the ‘hot topic’ last year too… in fact, it’s been a ‘hot topic’ for so long, that the phrase ‘hot topic’ itself is very much in danger of losing all meaning! But what is data integrity? Why is it so important? What do we have to do? These are all perfectly valid questions that were asked of me by a clinical investigator site team. My answer: “What do you think?”
20 | QUASAR | JANUARY JANUARY2019 2019
QUASAR THEMED #142
JANUARY 2019 | QUASAR | 21
THEMED
T
o rewind a little bit, a couple of years ago the quality team at this investigator site/ niche CRO decided that we needed a cross-GxP approach to data integrity. The conversation was precipitated by the MHRA’s guidance on data integrity, which was in draft at the time, as well as a general focus on data integrity both nationally and internationally. We decided at that point that we wouldn’t wait until the finalised MHRA guidance and that the principles behind the data integrity requirements would help develop our strategy. The first thing to be developed was an internal policy on data integrity, reflecting the MHRA’s guidance, as well as the QA team’s own experience and insight. Once this was released, the wider team were trained on the policy and ‘data integrity’ was the subject of many internal team meetings and even made it onto several personal development plans, prompted by line managers and employees alike. However, it was still unclear at this point what needed to be done! With lack of clarity on what was required, the data integrity project seemed to run out of steam amongst the wider team. However, in the background, the QA team were busy turning the foundations of data integrity, as outlined in the internal policy and reflecting the MHRA guidance, into a three-part strategy; assessing, engaging and implementing.
RELIGHTING THE FIRE Assessing compliance with data integrity requirements throughout the company, predominantly through comprehensive gap analyses, as well as a series of internal audits and process evaluations, was expected to generate a fairly heavy workload for the teams involved. Additionally, implementing any mitigating actions that resulted from these assessments would do the same. To ensure completeness of the assessments, and effectiveness of the implementation plans, it was vital that we engaged all the relevant stakeholders in both of these areas from the start. A comprehensive gap analysis template was developed, looking at the specific details of system data integrity (e.g. audit trails, password protection, access restrictions, etc.) and paired this with a macroscopic view of the systems themselves through process mapping and risk assessment of these processes. Using these tools, the team would be able to assess the data integrity gaps and develop mitigation plans themselves, relative to the evaluated risks associated with the critical processes.
22 | QUASAR | JANUARY 2019
With these tools in place, we now needed a way to train the team to use them and to also rekindle the initial ‘buzz’ behind the data integrity project. We needed the strategy to be driven by the team, not just something else that they had to do to ‘tick a box’. We needed a unified approach. A grassroots approach. A Shared Vision. Helen Bevan et al (Bevan, Bate, & Robert, 2004) described how principles of social movements can be utilised in engaging team members in healthcare transformation. The Shared Vision is a tool to aid with this, by encouraging the team to consider what they feel is important and truly believe in the changes that they’re implementing; not just complying with the requirements, but embracing them.
Luke: “I don’t believe it” Yoda: “That is why you fail” Star Wars: The Empire Strikes Back
WHAT DO YOU THINK? As a quality professional, it can be a bit odd sometimes being in a room with ridiculously smart people, who are brilliant at what they do, some of whom have been doing their jobs for years and years, and to turn around to them and say “this is what you should do because the regulations say so”. Yes, the room should acknowledge your experience and knowledge base as a quality professional, but what I’ve often seen overlooked is the reverse; the quality professional must acknowledge the individual and collective knowledge, qualifications and experience of the room. I was particularly lucky to be working with a team who were both highly skilled, but also unwaveringly dedicated to good quality research and patient safety. Teams varied from those who were purely clinical and patient facing, to production teams who spent all day in labs, to analysts who often would go days in front of a computer screen without coming up for air. However, all had the same goals – keep subjects safe and produce good quality data to help develop treatment options of the future. Some of the clinical team had worked in clinical trials for a good few decades. Some of the production and analysis teams were internationally renowned scientists. There was no point in me standing there and telling them what to do, because they were the experts.
In fact, one of the issues with more prescriptive guidance is that people who have a high level of expertise will either be wasting time on unnecessary bureaucracy or ignore the guidance altogether and do what they feel is best. However, the guidance from the MHRA on data integrity is aiming for a risk-proportionate approach and it is this risk identification and evaluation that we wanted the team to take responsibility for. So, instead of telling them “this is what you need to do in order to be compliant with the data integrity requirements”, I asked them to ignore the guidance document for a bit. I know, I’m a terrible person. I asked them to forget that there were boxes that needed to be ticked, forget stories of inspection requests for reams of audit trail data, and, in fact, forget that there were regulations altogether. Instead, I put up a question on the wall ‘what is data integrity?’. Each person was then given some post-it notes and coloured pens – my most trusted quality weapons! I asked each person in the team to think about what data integrity meant to them and to write it on a post-it. They were allowed to do more than one post-it, but I wanted at least one from each person. They were allowed to discuss it amongst themselves, draw pictures, or write essays in tiny writing. I asked them to be honest and asked them to take their time and think about what would give them confidence in data. In short, I asked them ‘what do YOU think?’.
SHARING THE VISION Admittedly, this could have gone disastrously wrong. Often teams can be intimidated about sharing their thoughts in a forum, especially with quality professionals in the room. Some may think that if they do or say something wrong, that it’ll flag them up as the next audit ‘target’. Some may think that no matter what they say, the quality professionals are always going to think they have the right answer. Some just don’t want to sound stupid in front of their colleagues. However, this was part of a series of monthly quality forums in the organisation where engagement of the team in the continuous improvement of the quality system was encouraged from senior management and quality professionals. The MHRA data integrity guidance talks about an organisation’s culture and this was something that had been developed in this team for some time, and still continues to be developed. The culture within this forum was one of sharing, listening and engaging positively with everyone in the team. There were no stupid questions or answers, there was no hierarchical judgement, and there were no penalties for honesty and openness.
THEMED This wasn’t something we developed in a quick ice-breaker at the beginning of the session involving going around and describing your favourite pair of underpants (purple with orange spots, if you’re interested). This was a culture that had developed over time, with engagement at all levels of the team. This was the result of consultation with the team and facilitation of group development sessions, and the outcomes of these being realised in improved and efficient processes and policies. This was a team that felt comfortable enough to look inwards and express what they felt, as clinicians, scientists and subject matter experts, data integrity meant to them. And so, the post-its started going up. I went round the room and one-by-one each team member read out their post-it, explained what it meant and then stuck it on the wall. Post-its varied from quotes from ICH GCP to personal anecdotes. As we went around the room, patterns started emerging, as well as key themes. We grouped these post-its together on the wall. Each idea was received positively by the team and generated discussions where people reflected on their own experiences of other team members’ suggestions. Importantly, we started a conversation.
As a team, we’d gone from a seemingly tepid ‘hot topic’ regulatory guidance, to an active discussion on aspects of data integrity that matter to team members individually. And that’s how we shared our vision of what data integrity looked like to us (see Figure 1).
REALISING THE VISION Having highlighted key areas of data integrity that were important to the team, the next step was to see what needed to be done to assess these aspects and subsequently implement any risk-based mitigations identified. It was at this point that we introduced the data integrity tools that the QA team had developed. The gap analysis document was extensive, but by linking each section of the document back to one of the post-its still up on the board, we were able to show why each element mattered – it wasn’t just about ticking boxes, it was about a focused review of the data integrity aspects that the team themselves had identified as critical. The gap analysis was designed to highlight associated risks and evaluate the impact of these, from a data and patient safety criticality aspect. By doing this, the team could see that not all the aspects highlighted would have an impact on all areas (e.g. standard clinical equipment without any kind of log-in wouldn’t require details about e-signatures). Other systems, however, would require a far more rigorous risk analysis and, again, this would reflect the vision composed of the post-its, rather than simply trying to maintain compliance with regulatory guidance.
As a quality professional, an important part of facilitating a session like this is to let the conversation flow, but to also steer it towards the objectives of the session. Using the MHRA guidance, and subsequently the internal policy as a map, we discussed all the fundamental principles of data integrity and linked these back to the team’s own statements.
Data integrity remains a widely discussed and often controversial subject. In some ways, this will always be a hot topic, due simply to the fact that accurate and reliable data is at the heart of clinical research. Risks and benefits for subjects are weighed out before the start of a study, but this would all be for nothing if there is no confidence in the data produced. Those who work in research understand this. The MHRA data integrity guidance states explicitly that its main purpose remains providing a framework for maintaining that confidence in the data generated and the documented supporting evidence. The shared vision exercise allowed the team to map their own expectations to those of the regulators, as defined by this guidance.
REFERENCES Bevan, H., Bate, P., & Robert, G. (2004). The next phase of healthcare improvement: what can we learn from social movements? Quality and Safety in Health Care, 13(1), 62-66.
PROFILE Having worked with investigator site teams and niche CROs for a number of years, both in the NHS and commercially, Piran has a passion for the development and implementation of clinical quality management systems. Piran recently joined Biogen as part of the sponsor organisation's Clinical Operations Quality Oversight team. Piran is also a member of the RQA GCP Committee and has presented at previous conferences and regional forums on topics ranging from engagement in quality management to the impact of GDPR on research.
FIGURE 1. OUR DATA INTEGRITY VISION
Repeatable Retained AuditTrails Unchanged EssentialDocuments
Authentic
Reliable Secure
Legible
Accurate Reproducible GoodScience QualitySystems Compliance
JANUARY 2019 | QUASAR | 23
THEMED
Maxim Bunimovich
Katarina Eghan
Marina Freiberga
Matthew Jones
ELECTRONIC SOURCE RECORDS – FRIEND OR FOE? The use of electronic source records and electronic source data collection tools can be considered to be the norm in today’s clinical trials. However, regulators as well as quality and other clinical research professionals are struggling with assuring the integrity of e-records supporting the data submitted to regulatory agencies, including providing governance and provenance solutions.
24 | QUASAR | JANUARY JANUARY2019 2019
THEMED
M
any electronic medical record (EMR) systems used by healthcare providers have been developed or sourced with limited consideration for the requirements of clinical research. The principal investigator (PI) and other site staff do not always have the necessary understanding of the system characteristics and how these relate to the principles of data integrity (the EMR system is usually managed by a dedicated IT department within the institution). Moreover, monitors and other
26 | QUASAR | JANUARY 2019
clinical research professionals, including quality assurance (QA), do not always fully comprehend the data integrity principles and how these apply in practice or there are insufficient tools available to help them assure data integrity when reviewing such systems and performing source data verification. Workarounds are often put in place for the management of medical records used in clinical trials (e.g. printing of EMRs) and for the monitoring and other data and quality verification activities such as audits and inspections (e.g. in the form of signed certified copies, for which it is difficult to determine if they are current). Additionally, various electronic solutions are being used to collect trial data such as patient reported outcomes (PROs),
wearables (e.g. smart watches) and sensors (e.g. cardiac monitors). However, are these always designed and developed with the relevant data integrity principles in mind and can data integrity be demonstrated appropriately and evidence of this retained for as long as is necessary? Insufficient knowledge of data integrity principles often leads to inappropriate workarounds and solutions being put in place, which are frequently onerous and do not necessarily assure data integrity. Quality management and assurance activities regularly assess some, but not all critical elements of e-source management. This article contains some common issues and questions as well as some considerations and possible solutions.
THEMED SITE EMR SYSTEMS COMMON ISSUES AND QUESTIONS
CONSIDERATIONS AND POSSIBLE SOLUTIONS
The system meets all applicable data integrity principles (audit trails, validation, eSignatures, individual access, back-up, etc.) – what should we watch out for?
• C an audit trails be viewed by monitors, auditors or inspectors to determine when the record was first made, by whom and subsequently changed (when, who, why, how)? • Does the audit trail capture if records were deleted? • Is it possible to switch off the audit trail functionality? • I s the e-signature compliant with the relevant principles? For instance, can it be determined what the meaning of the e-signature is and are there appropriate timestamps that reflect the signatory’s current location and not the location of the server? • What evidence of validation of the system is there and does it meet all requirements? • W hat security measures are in place? Is there adequate security patching, regular planned review of firewall settings and users? • W hat are the back-up procedures and are they adequate (frequency, location – different for critical data)? Is regular restore testing performed and documented? • Are there adequate measures in place against loss or accidental destruction of data? • D o staff know that accounts cannot be shared? How do staff remember their login details (are these documented in an insecure manner, e.g. in notebooks)? • A re there appropriate governance procedures in place and are site staff appropriately trained on these as well as the use of the EMR system?
The monitor/auditor cannot be granted unaided direct read-only access to EMRs or the access cannot be restricted to trial subjects only.
• C ertified copies of the EMRs are provided for monitor/auditor review. The copying process should be validated and the copies should contain all attributes of the original (e.g. colour, metadata, etc.) • C ertified copies are available for any changes to EMRs • P eriodic spot checks of the available EMRs versus printouts (i.e. ‘over the shoulder’ review with site staff) is performed and documented (the extent and frequency should be based on a risk assessment).
The system has no audit trail/eSignature functionality/validation i.e. the site uses it as a ‘typewriter’ and the official medical documentation is paper.
• T he e-records cannot be used to make medical decisions and paper records containing appropriate sign-off must be referred to
The system is assessed during monitoring and audit activities, but the assessor is not conversant with all applicable requirements and principles.
• U pskilling and training the assessor in electronic technologies, related requirements and guidelines, as well as company rules and expectations
• E ven if the official medical documentation is paper, the monitor/auditor should perform appropriate due diligence activities to ensure that all available medical records are on file (e.g. ‘over the shoulder’ review of e-records with site staff).
• U ser-friendly tools to aid the assessment process, pointing out the potential problems and possible solutions • Simplification of technology and terms • Mindset change • Allocation of key experts in departments.
The monitor does not know what is the source for each data point and/or who performs the related procedure and/or collects the data.
• D ocument what is source for each data point in a source data agreement/location document (e.g. paper worksheet, EMR progress note, etc.) • D ocumented review of site’s data collection methodology, including continuous review for any changes • E nsure that it is clear from the records which staff member has performed each procedure and/ or collected the data. For example, if vital signs are measured by nurses they should record the relevant values or if this is typed by the investigator directly in the EMR notes, the nurse should also validate the data by appropriate sign off. Any paper records containing first entry of data is source and must be retained • R educe record duplication (e.g. transcription of source data documented on a vital signs worksheet into EMR) • I f the system allows for storage of scans, how are the original paper records maintained and are the scans accurate copies of the original, containing all attributes (e.g. colour)?
Log-in sharing by site staff.
• R eview audit trails for data entry at appropriate intervals and verify if staff were present at site at the time of data collection • Question spurious data collection patterns (e.g. all data collected using the same login).
Long-term data storage and retrieval.
• D iscuss and document long-term data storage and retrieval, including the archival of metadata • D ocument the requirements in the contract.
JANUARY 2019 | QUASAR | 27
THEMED eTOOLS (ePROS, eDIARIES, WEARABLES, ETC.) COMMON ISSUES AND QUESTIONS
CONSIDERATIONS AND POSSIBLE SOLUTIONS
How can you determine that the data have been entered by the subject (e.g. eDiaries for home use or ePROs)?
• T he simple step of adding a PIN/password security level for the entry of data by trial subjects may not be sufficient as this alone does not provide assurance that the data have been entered by the subjects themselves. Anyone who can set-up a new subject in the system can then also create the necessary PIN/password • C heck IP addresses, if possible and allowed by local data sharing laws. There have been reports that eDiary data supposedly entered by subjects at home had been entered for multiple subjects at the investigator site.
How reliable is the data entered by subjects?
• R outinely check audit trails to verify if the data have been entered at credible times. For example, does the time of eData collection by subjects coincide with other trial procedures such as ECG collection and their validity is therefore questionable? • R eview audit trails to determine how long it takes the subjects to enter the data. Are relatively long questionnaires completed within seconds as subjects get used to the questions? • Review data for reasonable variability • Change the questions around, if possible, at appropriate intervals • Verify with the subjects the validity of the provided answers and document.
Are there any changes made to e-source (e.g. ePRO data) during sponsor data management activities that are not endorsed by the subject and/or the PI (ownership of source data)?
• N o changes to source data can be made by the sponsor or Contract Research Organisation (CRO) personnel and this principle also applies to eData collected using sponsor or CRO-provided tools • V erify data changes during audits, including appropriate documented endorsement by the subject/PI • T he sponsor should not have exclusive control of the source data, including those collected electronically on tools provided to sites.
Retrospective data entry.
• U nrestricted retrospective data collection is not acceptable, unless supported by an appropriate risk assessment. For example, ePRO data collected with delays of a few months.
Safety alerts (e.g. via eDiary).
• T he set-up of any safety alerts should be appropriate for the studied population and any over-notification (e.g. via phone or email) should be corrected following an appropriate risk assessment • D ata privacy should be considered when setting up alerts (e.g. the use of subjects’ email addresses or phone numbers and their sharing with the CRO maintaining the system).
Are eTools appropriate for the target subject population (e.g. age or mental capability) and does the technology support seamless data collection?
• Ensure the design and functionality is appropriate for the target population • E nsure that subjects have appropriate technology (e.g. internet access at home to allow data transfers). • Ensure appropriate back-up procedures (e.g. paper questionnaires) • Ensure appropriate issue resolution and escalation.
Long-term data storage and retrieval.
• Are there adequate measures in place against loss or accidental destruction? • P rovide the site with a copy of the source data in a format that will allow data retrieval for the required time, including the metadata.
Is the patient the wearer? Potential for removable wearables to be ‘swapped’ with other users.
• C heck consistency of vital signs if recorded, this could give an indication that the correct person is using the device • Could the results be fabricated and not being produced by a device? • I s the device functioning correctly – are the results between patients ‘too similar’ – lack of accuracy • Biometrics (e.g. fingerprint reader).
Data transmissions.
• E xamine data for gaps and drops in connection, especially if transmitted through the patient’s smart phone • C heck the status of the data transmission – is it consistent, are there any gaps – this could signify that there are interruptions in the connection between device and internet/smart phone • C heck how those data are received by the site and the review cycle by the investigator, look for indications that they have been reviewed and acted upon e.g. out of range results.
28 | QUASAR | JANUARY 2019
THEMED REFERENCES AND FURTHER READING ICH E6 (R2) Medicines and Healthcare products Regulatory Agency (MHRA) ‘GxP’ Data Integrity Guidance and Definitions (Mar 2018) MHRA Position Statement and Guidance Electronic Health Records (September 2015) European Medicines Agency (EMA) Reflection Paper on Expectations for Electronic Source Data and Data Transcribed to Electronic Data Collection Tools in Clinical Trials (June 2010) Food and Drug Administration (FDA) Code of Federal Regulations Title 21 Part 11 Use of Electronic Health Record Data in Clinical Investigations, FDA Guidance for Industry (July 2018) Good Automated Manufacturing Practice (GAMP) 5 Guide: Compliant GxP Computerised Systems (February 2008) GAMP Guide: Records & Data Integrity (March 2017)
PROFILES Maxim is a Senior Quality Assurance Associate at TMQA. In this role he conducts a variety of audit types including investigator site, trial master file and vendors around the globe. Maxim started his career in clinical research with Quintiles following the completion of his postgraduate medical degree in 2008 and worked in different CQA positions at various companies since 2011. He is a member of RQA and he actively participates in regional RQA activities in Russia, such as the development of the Russian RQA forum.
ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements Clinical Data Interchange Standards Consortium (CDISC) Standards & Electronic Source Data within Clinical Trials (November 2006) MHRA GCP Symposium 2018 MHRA Blogs.
Katarina is the Head of Clinical QA Services at TMQA, a QA consultancy providing support across all the GxPs, where she is responsible for the management of the clinical team, audit programme and TMQA Central European operation based in Bratislava, Slovakia. Previously she held the position of a clinical quality auditor at Janssen, Pharmaceutical Companies of Johnson & Johnson and she started discovering clinical research and QA within Phase I commercial CROs. Katarina graduated from the MSc in Quality Management in Scientific Research and Development in 2013, has been a member of RQA since 2008 and is presently a member of the RQA Quasar group.
Matt is Chair of the RQA DIGIT Committee and a Certified ISO31000 Risk Management Professional who is connected with many industry initiatives. He is currently the owner and managing director of Digital Quality Associates and this organisation has a deep focus on digital quality in the clinical and pharmacovigilance worlds, including enterprise risk management. Previously Matt was the Head of Global Auditing Strategy and Planning at Boehringer Ingelheim, where his primary role was forecasting audit strategy and implementing risk-based approaches and innovative audit programme design. Matt has also held the positions of Director in Janssen Pharmaceuticals Strategic Development Organisation, Therapeutic Head for Quality of Janssen’s Infectious Diseases and Vaccines Portfolio and the Head of IT Quality for Europe and Asia Pacific.
Marina is a Senior Associate at TMQA and has over 10 years of experience in the clinical research industry. She is responsible for the conduct of audits of phase I - IV studies and clinical vendors. She is a medical doctor and holds a Social Sciences Master's Degree in Company Management. Before joining TMQA in 2016, Marina was a Senior CRA with global CROs where she had full CRA responsibilities from site evaluation through to site closure and archiving, ensuring that studies were conducted in accordance with the trial protocol, GCP, SOPs and applicable regulatory requirements.
JANUARY 2019 | QUASAR | 29
THEMED
Alan Yeomans
GDPR IN A GLOBAL PERSPECTIVE On 25th May 2018 the General Data Protection Regulation (GDPR) came into effect within the EU. These requirements affect all companies within the EU, including those performing clinical research. Many of the responsibilities and obligations defined by GDPR are not new for companies in the clinical research sector, as similar requirements already exist in the regulations governing clinical research, such as ICH GCP E6 ‘Good Clinical Practice’. Many requirements are also similar to requirements to be found in local data privacy regulations in other parts of the world. GDPR applies to companies and data subjects in the EU, but clinical research has become increasingly global in its scope. This article describes how different types of global clinical research projects are affected by GDPR.
30 | QUASAR | JANUARY JANUARY2019 2019
QUASAR THEMED #142
CLINICAL RESEARCH IS A GLOBAL INDUSTRY Where many other industries are focused on local markets, clinical research has long had a global focus. This even applies to the regulation of the industry, with global regulatory initiatives such as the Declaration of Helsinki from 1964. In 1996 different mobile phone standards were used in North America, the EU and Japan and yet all three drug authorities were harmonising their clinical research standards. There are different aspects to globality in clinical trials. These include: • Global sponsors – The world’s largest pharmaceutical companies have divisions in many different parts of the world. They often perform both local and global studies, using their own personnel for monitoring and data management or using the services of local and/or global CROs. Sometimes data management services for the entire company will be concentrated in one or two physical locations, e.g. India
• Global CROs – Global CROs handle global trials both for the large pharmaceutical companies who want to outsource parts or all of the trial, but also for smaller companies who wish to perform a global trial but do not have a global presence. Global CROs handle local trials, multinational trials in the same region (such as the EU) and global trials in multiple regions around the world • Global vendors – There are many vendors of eCRF and ePRO solutions who provide their solution throughout the globe to support the global trials commissioned by pharmaceutical companies. Although they do not necessarily need to have as many local offices as the pharmaceutical companies and global CROs, they still need to be able to supply their solutions globally
• Global trials – Global trials are being performed not only by the global pharmaceutical companies but increasingly by smaller pharmaceutical companies and academic institutions. The drive to perform a global trial can be fuelled by the desire to cut costs by using low- and middle-income countries for the research, by the desire for access to a larger number of subjects, by the desire for biodiversity in the trial, by the desire for local subjects to back up local submissions or for other reasons. To illuminate some of the different cases that exist for global clinical research, the following scenarios that cover typical studies with sponsors, CROs and vendors are described. Note that if changes are made during the trial then the scenario may change and the applicability of GDPR will now be in accordance with the new scenario. One example would be if a site in the EU is added to an ongoing trial that previously had no sites within the EU.
JANUARY 2019 | QUASAR | 31
THEMED DATA SUBJECTS IN THE EU (FIGURE 1)
FIGURE 1. DATA SUBJECTS IN THE EU
If the clinical trial includes data subjects within the EU, then GDPR applies in its entirety. This applies irrespective of where the sponsor, CROs and vendors are located, where the data processing is performed or where the data submission is planned. Note that this applies even if the data subjects are not EU citizens, as long as they are resident within the EU. If a sponsor not based in the EU is processing data from data subjects within the EU, then they must nominate in writing a representative within the EU who fulfils their responsibilities with regards to GDPR.
SPONSOR IN THE EU (FIGURE 2) If the sponsor for the clinical trial is based in the EU then GDPR applies to the data processing activities, even if the processing itself is not performed within the EU and even if there are no data subjects within the EU.
SPONSOR NOT IN THE EU (FIGURE 3) A sponsor cannot avoid GDPR simply by not being based in the EU. The sponsor must perform a legal assessment, based on the specific context of its activities and territorial business and organisation, in order to determine whether GDPR applies to the data processing activities of a given clinical trial. Things a sponsor needs to carefully assess include the following criteria: • If they have offices in the EU involved in some aspects of the clinical trial (e.g. a central data management organisation and/or computerised system managed from an EU based establishment), then the sponsor may be considered as established in the EU and GDPR would apply • If the clinical trial data is intended to support a market authorisation filing in the EU, then it has to be considered that there is a data processing activity taking place in Europe for the purpose of the data submission. GDPR may therefore apply • If a full service CRO established in the EU, is being delegated the definition of the purpose of the clinical trial, and, as such, qualifies as a joint-controller, then GDPR would apply even if the sponsor is not located in the EU.
32 | QUASAR | JANUARY 2019
FIGURE 2. SPONSOR IN THE EU
THEMED FIGURE 3. SPONSOR NOT IN THE EU
A VENDOR WITH LIMITED RESPONSIBILITIES WITHIN THE TRIAL IS BASED IN THE EU (FIGURE 4) This is the case where the sponsor, CRO, sites, subjects and data submission are all outside of the EU and the only connection between the clinical trial and the EU is the use of an EU based vendor, for example an eCRF vendor. GDPR does apply to the vendor, but only to the degree represented by the degree of responsibility the vendor has for data processing within the trial. Note that this will probably not be controversial, as such vendors will normally have other customers within the EU and must fulfil the requirements in GDPR for those other customers in any event. An example would be the GDPR requirement to appoint a Data Protection Officer (DPO) and to have procedures for the disclosure, correction and erasure of privacy data. The vendor would need to fulfil these requirements for their EU customers and so could use the same DPO and procedures for all their customers. In this case GDPR does NOT apply to the sponsor or the CRO for the clinical trial.
CONSEQUENCES FOR CLINICAL RESEARCH FIGURE 4. A VENDOR WITH LIMITED RESPONSIBILITIES WITHIN THE TRIAL IS BASED IN THE EU
Data privacy needs to be considered for all participants in a clinical trial, not just for the data subjects. This includes site staff (investigators, study nurses, co-investigators, etc.) and sponsor roles including monitors, data managers, project managers, medical experts, medical writers, statisticians, etc. As part of the preparation for your trial you should define the different real persons participating in the trial and the personal data that is handled for each of them. You then need to put procedures in place to handle disclosure, correction and erasure of data in accordance with GDPR. For each category of data, the controllers and the processors for that data are defined. The sponsor will normally be the controller for all data to be collected in accordance with the study protocol, even though they will not necessarily be the first point of contact for data privacy issues.
DATA SUBJECTS It should be clearly defined that data subjects are to contact their investigator/ study site if they have data privacy questions within the trial. The data subjects should not contact the sponsor, CRO or ePRO vendor directly with these questions and if they do so then the sponsor, CRO and/or vendor should be aware that they need to refer the data subject back to their site.
JANUARY 2019 | QUASAR | 33
THEMED REPRESENTATIVE WITHIN THE EU
In agreement with both GDPR and GCP the study must collect informed patient consent for the collection of data and if the data subject decides to withdraw from the study, then no more data may be collected. The study can keep all data collected from the patient up until the patient’s withdrawal from the study.
Many global companies, especially smaller pharmaceutical, medical device and biotech companies are interested in running studies within the EU, but do not have a local presence. If they should approach an EU-based CRO (or other partner) and ask them to be their nominated representative, then an investigation of the responsibilities, legal liabilities and risk involved should be performed and a suitable contractual agreement reached.
SITE AND SPONSOR/CRO STAFF Personal data about site and sponsor/CRO staff typically includes login information (username), information about their role in the study (such as site affiliation) and information needed for the audit trail (name in clear text) for the computerised systems used in the trial, such as the eCRF and ePRO solutions. According to GDPRs consent for the use of this personal data must be collected for these participants as well.
ARTICLE 28.2 – ENGAGING ANOTHER PROCESSOR If the vendor uses suppliers for study setup and for user and site setup services then the names of those suppliers should be included in the contracts between the controller and the processor.
VENDOR RESPONSIBILITIES AND OBLIGATIONS As an example of the assessment needed for participants in a global clinical trial, let us take the example of an EU-based EDC vendor being used for a clinical trial. In this example the vendor provides both trial setup services and user management services for the trial.
Depending on the solution chosen, the handling of data privacy information may be the responsibility of the sponsor, a CRO or a vendor. For example: • If the sponsor hosts the system, then the sponsor is controller for this user information • If the CRO hosts the system, then the CRO is controller for this user information • Many vendors market cloud-based systems that are multi-tenant solutions allowing the same user to participate in multiple trials for multiple sponsors using the same login credentials. In this case the vendor is the controller for this user information. The solution chosen should always be analysed and the controllers and processors for that solution defined.
Note that this example does not cover the responsibilities and obligations of the sponsor, CRO or other vendors participating in the trial – similar assessments need to be made for them as well.
If these suppliers should change or be added to then the processor must gain the authorisation of the controller.
ARTICLE 28.3G – RETURNING THE DATA AT THE END OF THE TRIAL
The vendor is a ‘processor’ as defined in GDPR. GDPR defines general responsibilities and obligations such as the existence of contracts defining the exact nature of the work delegated to the vendor by the sponsor, that are also requirements in ICH GCP E6. Another example is Article 31, which requires the controller and the processor to cooperate with the supervising authority – something which is already required by ICH GCP E6. These obligations are considered to be already clear (as they are also required by clinical research authorities) and in the interest of brevity, they are not discussed here.
What to do at the end of the trial should be defined in the contract between the controller and the processor. Does the processor offer archiving services or is all data to be transferred to the sites?
There are however other responsibilities and obligations that are not as obviously governed by present clinical trial regulations, even if they could be considered self-apparent. These are described below (see Figure 5). In this example the processor is the EDC vendor, while the controller is the sponsor or CRO that is contracting the services of the EDC vendor.
Contracts with third parties should be compliant with the requirements of article 28.3 of GDPR. This must be included in the contracts between the controller and the processor.
At present the most common case is that the sites receive archive copies of their data from the processor (either on CD/DVD or by direct download). Once all sites have received their data, the controller initiates deletion of the data from the EDC system.
ARTICLE 28.4 – OBLIGATIONS OF CONTRACTED THIRD PARTIES
FIGURE 5. EXAMPLE OF AN EU-BASED EDC VENDOR BEING USED FOR A CLINICAL TRIAL
SPONSOR (OVERALL RESPONSIBILITY FOR THE TRIAL)
34 | QUASAR | JANUARY 2019
HELPDESK
TRIAL SITES
TRIAL SETUP
PATIENT SAFETY
MEDICAL AFFAIRS
SAE REPORTS
EFFICACY ENDPOINTS
BIOSTATISTICS
SAFETY ENDPOINTS
DATA INTEGRITY
DATA MANAGEMENT DATE CAPTURE/PRO
DATA REVIEW
MONITORING
IMP
OVERSIGHT
PROJECT MANAGEMENT
SUBMISSION
STUDY REPORT
STUDY PROTOCOL
MEDICAL WRITING
THEMED ARTICLE 29 – ONLY PROCESS DATA ON THE INSTRUCTION OF THE CONTROLLER Processor personnel (or contracted third party personnel) have access to the trial in order to perform the trial setup and to add sites and users. Sites and users are added only on the instruction of the controller. Ideally the controller should be able to remove the access that processor personnel have to the trial at any time of their choosing and processor personnel should not be able to access the trial until the controller grants them access again.
ARTICLE 30.2 – RECORD OF PROCESSING ACTIVITIES GDPR requests that specific information be recorded, this information includes: • The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting and, where applicable, the controller’s or the processor’s representative and the data protection officer (if applicable) • The categories of processing carried out on behalf of each controller • Transfers of data to third countries and international organisations • A general description of the technical and organisational security measures. All the information requested by GDPR should be included in contracts between the processor and the controller.
ARTICLE 32.1 – LEVEL OF SECURITY The security measures employed by the processor should be described in the contracts, for example in a Service Level Agreement (SLA) which is appended to the contract between the controller and the processor. It should include (but is not limited to): access rights control, data encryption means, redundant storage media and servers meant to ensure availability and continuity of service, a backup strategy meant to ensure a rapid recovery in case of any physical or technical incident, a constant monitoring of production servers, penetration testing and vulnerability scan, etc.
ARTICLE 33.2 – PERSONAL DATA BREACH
REFERENCES
It is the responsibility of all personnel at the processor to inform the management immediately of any suspected fraud or misconduct (including personal data breach) connected with a clinical trial.
DPR – ‘REGULATION (EU) 2016/679 OF THE EUROPEAN G PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)’ (available from the EU website)
The processor is then responsible for swiftly informing the controller and coming to an agreement on actions to be taken and to make an action plan. This includes agreement on responsibility for communications with the authorities. It is appropriate that this procedure be detailed in the processor SOPs.
ARTICLE 37 – DESIGNATION OF THE DATA PROTECTION OFFICER The processor must have a designated data protection officer.
SUMMARY GDPR places requirements on the handling of privacy data in global trials to the extent that the trials are based within the EU. Assessments should be performed of the applicability of GDPR based on the location of the data subjects, the controllers and the processors participating in the trial. Once those assessments have been performed and documented, the parties involved should address any issues arising from the assessments.
GCP – ‘Integrated Addendum to ICH E6(R1): Guideline for good clinical practice E6(R2)’ (available from the ICH website) ‘Preparing for the EU GDPR in Clinical and Biomedical Research’ 06-04-2017 Alan Yeomans, Quality Manager, PCG Solutions Isabelle Abousahl, CIPP/E (Certified Information Privacy Professional / Europe), Alcoam by Design www.viedoc.com/site/assets/files/1323/ preparing_for_the_eu_gdpr_in_clinical_and_biomedical_research.pdf
PROFILE Alan has worked with the development of computerised systems for over 30 years as hardware designer, programmer, system architect, project manager and in a number of management roles including CTO and QM. He has been Quality Manager for Pharma Consulting Group for the last 10 years and has worked as CTO for a Swedish CRO and as CTO and QM for an international ePRO provider. Alan is a member of RQA, eCF (the eClinical Forum) and EUCROF (the EU CRO Federation).
In most cases the necessary information can be addressed in the contracts between the different parties or in addenda to those contracts. Most of the requirements placed by GDPR on data privacy are similar to or the same as those that our industry already has to observe based on regulations such as the Declaration of Helsinki or GCP and are not controversial. Some of the others (such as the appointment of a Data Protection Officer) can be seen as ensuring that all companies implement the same procedures. After all, GCP requires us to maintain procedures to report fraud or misconduct and now GDPR is simply mandating that we have a contact point for such activities in all organisations called the Data Protection Officer. We should see GDPR not as a hinder to global clinical trials, rather as an aid to help us ensure that we are compliant with the ethical considerations that we should be following in any event.
JANUARY 2019 | QUASAR | 35
THEMED
Patricia Santos-Serrao
MAINTAINING DATA INTEGRITY WHEN CONSOLIDATING REGULATORY AND CLINICAL INFORMATION Creating and filing submissions to regulatory authorities requires impeccable documentation practices that conform to stringent and consistent guidelines of configuration and organisation. With electronic Common Technical Document (eCTD) standards continually advancing to mirror the ever-evolving life sciences world, it’s evident that keeping pace with technological innovations and paradigm changes is no longer optional in regulatory and clinical environments — it’s mandatory.
36 | QUASAR | JANUARY JANUARY2019 2019
QUASAR THEMED #142 DESIGNED FOR DATA INTEGRITY: THE EDM AND TMF REFERENCE MODELS Effective document management is critical to maintaining data integrity within existing technological dependencies, which is why the Electronic Document Management (EDM) Reference Model configuration was developed by members of the Drug Information Association (DIA) as an industry best practice. The primary purpose of the model is to help organisations build shareable EDM repositories that allow them to meet the requisite demands of document, taxonomy and metadata management. It defines the minimum set of metadata that enables a use context for eCTD documentation and other supporting documents that must be included in a regulatory submission (as stipulated in the M2 eCTD specification1). By enabling companies to effectively manage documents and process-based metadata in parallel, the EDM Reference Model supports the uniform compilation and integrity of the data and content required to assemble a regulatory submission. When an organisation is filing a regulatory submission for a marketing authorisation, a substantial portion of the data that has been collected and presented to the recipient regulatory body is the safety and efficacy data collected from the corresponding clinical studies that have been conducted. Analogous to the document management needs that gave rise to the EDM Reference Model, clinical research has been increasingly subject to ever-changing technology concerns that have rendered paper-based clinical studies obsolete. Good data and document management is the pre-eminent ingredient in successful clinical studies, which has necessitated an industry-wide need for data standards like those set forth by the Clinical Data Interchange Standards Consortium (CDISC) and best-practice information management frameworks like the DIA’s TMF Reference Model. These principles and constructs help organisations meet the requisite content and data integrity demands that must be maintained throughout a study in the trial master file (TMF) collection of clinical research documents and information. Although it is a reference and not intended to be a regulatory standard, the TMF Reference Model is an indispensable tool for meeting compliance requirements for the collection of the essential documents ‘that individually and collectively permit evaluation of the conduct of a trial and the quality of data produced2’.
It is the optimal mechanism for maintaining the integrity and completeness of clinical trial data because it simplifies the cross-referencing of information and maintains focus on the following data-centered activities3: • Ensuring that required data and information is collected at critical milestones • Enforcing the execution of ‘Approved for Use’ or QC checks on TMF content • Identifying changes to artifact names • Making apparent and documenting when the TMF is missing required data artifacts. The clinical trial landscape has changed dramatically over the past two decades, which has resulted in an increase in the types and total amount of integral documentation required to generate a comprehensive TMF. Clinical teams are reporting that 47% of the types of TMF documents they deal with are critical to trial data integrity and/or patient rights and safety4. This, in turn, has placed increased burdens on organisations to improve the integrity and connectedness of their clinical data. Since the TMF must include all the documents associated with a clinical trial that might be needed to reconstruct the conduct and course of the trial, the TMF Reference Model provides the most suitable and widely recognised conveyance in the industry for meeting data requirements and providing the requisite information.
THE REFERENCE MODELS’ ROLES IN RELATION TO THE ECTD The TMF Reference Model essentially serves as an extension of the EDM Reference Model that demonstrates the compliance of investigators, sponsors and vendors with good clinical practice (GCP) standards and other applicable regulatory requirements. The two Reference Models interconnect trial-related submission data, documentation and other essential content to ensure the appropriate mapping of taxonomy and alignment of metadata5. The standard for contents, naming conventions, metadata and structure provided by the TMF Reference Model helps compensate for the lack of a comprehensive contents list in the ICH GCP, which doesn’t include specific examples for some critical documentation types (i.e., data management, electronic systems, statistical methodology, safety monitoring, etc.).
THE TMF REFERENCE MODEL AND THE ETMF STANDARD: COUNTERPART REINFORCERS OF DATA INTEGRITY The TMF Reference Model works hand in hand with another technology standard for clinical information, the Electronic Trial Master File (eTMF) Standard, which was developed by the OASIS eTMF Standards Technical Committee. While the TMF Reference Model is primarily geared toward the collection and arrangement of study data content, the eTMF Standard is focused on the technical data exchange component of the TMF. Similar to the circumstances that gave rise to the Reference Models, the development of the eTMF Standard was a direct response to increasing global demands for a technology standard that supports formal representation exchange of eTMF data and information from clinical trials. The eTMF Standard is intended to meet those needs and also enable the interoperable exchange of clinical trial content among all stakeholders via electronic content management systems (CMS)6. The eTMF Standard enables users, via the Protégé open-source ontology editing tool7, to create data model instances for a clinical trial and link content items to specific content types based on categorisations in the same way a librarian shelves a book according to its classification8. Each eTMF data model that is created represents a single instance of an eTMF content model for an individual clinical trial and contains: • Data values for content items • Data values for metadata properties • Core-specific content model categories • Organisation-specific content model categories. The TMF Reference Model and eTMF Standard, along with the associated GCP ICH Standard, work in concert to perform specialised and essential functions in the compilation of an eTMF for clinical. The eCTD regulations and the corresponding EDM Reference Model fulfill similarly coordinated and crucial roles during the compilation of an eCTD for regulatory. The many distinct functions rendered by the corresponding models and regulatory standards help ensure that required data and content items are appropriately managed and classified according to regulatory expectations.
JANUARY 2019 | QUASAR | 37
THEMED BEST PRACTICES FOR UNIFYING REGULATORY AND CLINICAL INFORMATION A significant portion of the data collected in a TMF makes up the Clinical Study Report (CSR), which is a focal point of an eCTD and the essence of Module 5. The information collected in the CSR is what ‘makes the case’ to a regulatory agency when a sponsor asserts that a product is safe, effective and should be approved for market. However, even when a TMF is well organised, it can often be a challenge to readily access each artifact that contributes to the CSR’s evidence, given that the content pieces are so numerous and often dispersed amongst different databases. Beyond the utilisation of the industry-standard Reference Models, the best step an organisation can take to overcome these challenges and unify regulatory and clinical information is to connect its systems in the most economically feasible manner. Smaller companies compiling an eCTD may have to create their own connectivity-enhancing workarounds given the systems and applications they have at their disposal. If possible, however, making enough room in the budget to invest in a single-platform system for managing regulatory and clinical data can be the most important decision an organisation can make. A connected software solution that runs on a single platform can provide labels, tags or other ‘signposts’ that automatically locate any TMF artifact. A central, harmonised system can also securely maintain submission-critical documentation, data and metadata required in an eCTD, such as document versions, lifecycles, rights, workflows, electronic signatures, etc. Other best practices for information management are typically more tailored to the individual organisation and its processes. But in general terms, organisations preparing eCTDs should take steps to refine any practices that might help to: • Improve visibility into and the tracking of the progress of pending, ongoing and completed activities • Enhance the management of documents, tasks, actions and milestones (e.g. monitoring visits, audits, etc.) • Better maintain TMF-consistent document types, templates, metadata, version control, lifecycle management capabilities, routes and user roles for all artifacts • Enhance the transparency of all project plans, artifacts and related actions • Maximise the leveraging of information that is recorded with TMF-structured checklists or similar documentation and verification devices • Accelerate and smooth the transfer of TMF documentation at study closeout.
38 | QUASAR | JANUARY 2019
REGULATORY RULES FOR CLINICAL DATA INTEGRITY The EMA recommends that organisations provide an outline of their overall approach to data governance along with their regulatory submissions9. Additionally, in light of the increasing globalisation of clinical trials (and the fact that many of the same trials are used to support Marketing Authorisation Applications submitted to the EMA and New Drug Applications and Biologics License Applications to the FDA), the EMA and FDA joined forces in 2009 to devise the Good Clinical Practice Initiative10. By demonstrating how two of the largest regulatory agencies in the world can work together to better ensure the integrity of data submitted as the basis of drug approval, the initiative continues to plant the seeds for the type of framework that may someday define global data integrity standards. In the absence of universally applicable standards for data integrity, any organisation that uses computerised systems for managing and storing regulatory submissions data would do well to abide by the FDA’s general recommendations for maintaining data integrity11: • Data must be the original (or a true copy) and kept secure from modification, corruption or loss • Data must be retained throughout the data lifecycle • Data records must be complete and contain all data history information • Stored data must be accompanied by all metadata, as well as appropriate validation data • Data must be stored in a way that prevents deterioration • Data must be searchable and retrievable for audits or legal review purposes. Since submissions are now required to be submitted to the FDA electronically, all of the data integrity standards for clinical studies are transferable to the submissions as well. The FDA specifies the standards used to process, review and archive electronic submissions of all clinical and non-clinical study data in its Data Standards Catalog12. This catalogue lists the currently supported and/or required standards, their uses, the date the agency will begin (or has begun) to support a particular standard as well as the support end dates. It also provides listings of the required dates that each standard will be instituted (or was instituted) and other relevant information pertaining to study data. Accordingly, the FDA has explicitly stated that it may Refuse To File (RTF) an electronic submission that does not contain study data that conforms to the required standards specified in the catalog. This pertains to not only study data but also to labelling guidelines and the requirements for Structured Product Labelling standards.
In addition, the eCTD Extensible Markup Language (XML) ‘backbone’, the file that provides metadata about content files and lifecycle instructions for the receiving system, has its own defined data rules that must be adhered to for a submission to be accepted. Whereas the eCTD XML backbone was introduced by ICH to provide a standard for data collected for eCTD submissions, regulatory agencies have not provided a corresponding mechanism for the eTMF to specify how data should be transferred across TMF systems. However, a sub-group of the team that created the TMF Reference Model has published the eTMF Exchange Mechanism Standard (eTMF-EMS) as a specification for transferring TMF data between disparate eTMF systems13. Similar to the way the XML backbone works, the eTMF-EMS enables exchanged data to be accompanied by XML files that allow artifacts in predefined folder structures to be verified and filed against the relevant TMF Reference Model artifact numbers within the system. V1.0 of the eTMF-EMS was launched in June 2018 and is well on its way to becoming the most commonly recognised data-migration standard for sponsors, contract research organisations (CROs) and eTMF vendors to employ.
PROTECTING AND UNITING DATA WITH EDMS The use of multiple systems for managing TMF and eCTD content, while generally practiced by many organisations, often poses the greatest risk to data integrity. Whenever information is imported or exported from one system to another, there must be adequate measures in place to ensure that the transferred data is complete, accurate and uncorrupted. The most prudent tactic for preserving eCTD and TMF data integrity is to consolidate as much content as possible within a single enterprise document management system (EDMS). Data integrity is the cornerstone of any EDMS. With the continual refinement of the technology in recent years, EDMS implementation has become the most reliable path to conformity with regulatory expectations for data integrity. An effective EDMS can enable an organisation to meet the appropriate levels of quality and risk management and the ‘adherence to sound scientific principles and good documentation practices’ stipulated in the MHRA interpretation of data integrity14. Proven EDMS solutions offer many tangible benefits, all of which facilitate alignment with the data integrity prerequisites of the EMA and other regulatory agencies.
THEMED For example: • Documentation for both eCTD and TMF can coexist and be maintained during the anticipated period of storage within a secure system that provides centralised management of all document versions, lifecycles, rights, workflows, electronic signatures, etc. • By managing eCTD and TMF content within a single platform, the need for exporting/importing data can be eliminated (or at least significantly minimised), which helps reduce the number of failure points where data may potentially become corrupted • Enhanced search, reporting and taxonomy (folders) functionalities facilitate a more efficient and data integrity-focused approach to information management. These functionalities allow organisations to readily provide current, accurate and legible records to the appropriate authorities upon request • Electronic records can be better protected against damage or loss of data (via back-up, duplication and/or transfer to a separate system for storage) • Electronic audit trails can provide evidence of any changes made to electronic records and document who made the changes and when. References to and copies of previous iterations are also easier to access within EDMS systems • Metadata can be better leveraged, which streamlines the compilation and overall structure of eCTDs and TMFs. Since the methods used to verify an electronic record’s integrity may vary according to the technology in place, a configurable EDMS that integrates processes can be extraordinarily valuable when converging regulatory and clinical information. Configurable EDMS solutions typically allow organisations to fashion the system to match any unique data integrity practices or workflows in order to enable them to more precisely and expeditiously meet regulatory expectations.
ENFORCING DATA INTEGRITY GUIDELINES WITH ELECTRONIC SYSTEMS A reliable EDMS software solution can be used to uphold data integrity policies in a wide variety of instances. For example, an EDMS is the ideal tool for: • Facilitating the exact and consistent collection of data via compulsory metadata fields with predefined values • Leveraging built-in document types and categories to enforce the requisite granularity of appropriately sized content and information ‘chunks’ that meet corresponding regulatory requirements
• Ensuring the comprehensive collection of data/content via ‘placeholders’ that automatically notify users when required content pieces are missing. An EDMS will (by degrees that may vary according to the robustness of the specific system in use): • Streamline data collection and management processes • Facilitate the exchange of data between different systems • Increase data security and control over regulated content • Remove the need to distribute content via email • Automatically track changes and audit trails • Integrate data integrity with document management, quality and other essential regulatory-related processes • Simplify document search and retrieval • Improve version control • Streamline collaboration • Provide backup and disaster recovery for essential documentation and content • Minimise risk • Reduce wasted time, resources and document archiving/management costs • Increase visibility into all data management activities • Accelerate compliance • Embed quality into routine data gathering and storage practices.
CONCLUSION Since a significant portion of EDM content is derived from data managed within the TMF, the adoption of both the EDM and TMF Reference Models can enable life sciences organisations to make giant strides toward maximum data management efficiency and impeccably maintained data. For any organisation seeking eCTD submission success, the models elevate efficiency and performance while helping protect the consistency and accuracy of critical data. A reliable EDMS can be an irreplaceable and efficient tool for collecting and organising data within the EDM and TMF Reference Model structures and for enforcing the conventions of the data exchange mechanisms required for eCTD (i.e. XML backbone) and recommended for TMF (i.e. the OASIS eTMF Standard and the eTMF-EMS). By seamlessly linking data collection and management activities with their respective databases, EDMS solutions have proven to be the ideal means of connecting and ensuring the integrity of the data that will ultimately be included in an eCTD submission.
REFERENCES 1. Guidance for Industry: M2 eCTD: Electronic Common Technical Document Specification, FDA (2003) www.fda.gov/downloads/ drugs/guidancecomplianceregulatoryinformation/guidances/ ucm073240.pdf 2. ICH Harmonised Guideline: Integrated Addendum to ICH E6(R1): Guideline for Good Clinical Practice E6(R2) (2016) www. ich.org/fileadmin/Public_Web_Site/ICH_Products/Guidelines/ Efficacy/E6/E6_R2__Step_4_2016_1109.pdf 3. Trial Master File Reference Model, Document and Records Management Special Interest Area Committee, DIA (2015) www.diaglobal.org/en/~/media/diaglobal/files/resources/topics-ofinterest/edm/tmf-reference-model.pptx 4. Quality expectation and tolerance limits of trial master files (TMF) – Developing a risk-based approach for quality assessments of TMFs, Hecht et al., GMS German Medical Science (2015) www. ncbi.nlm.nih.gov/pmc/articles/PMC4677593/ 5. DIA Trial Master File Reference Model, DIA (2010) https:// slideplayer.com/slide/10836416/ 6. OASIS Electronic Trial Master File (eTMF) Standard Technical Committee FAQ (2017) www.oasis-open.org/committees/etmf/ faq.php 7. Protégé website https://protege.stanford.edu/ 8. Using an eTMF Data Model to Share and Export eTMF Content with W3C RDF/XML, OASIS (2013) www.oasis-open.org/ committees/download.php/52434/eTMF%20Data%20 Model%20component%20tech%20overview2013_10.pdf 9. Guidance on good manufacturing practice and good distribution practice: Questions and answers, Human Regulatory, EMA (2018) www.ema.europa.eu/human-regulatory/researchdevelopment/compliance/good-manufacturing-practice/guidancegood-manufacturing-practice-good-distribution-practicequestions-answers#data-integrity-(new-august-2016)-section 10. Foreign Inspectional Collaborations, FDA (2018) www.fda.gov/ BiologicsBloodVaccines/InternationalActivities/ucm461303.htm 11. Ensure Data Integrity With a Proactive Data Management Strategy, Jensen, David, GxP Lifeline (2018) www.mastercontrol. com/gxp-lifeline/ensure-data-integrity-with-a-proactive-datamanagement-strategy 12. Guidance for Industry: Providing Regulatory Submissions In Electronic Format – Standardised Study Data, FDA (2014) www.fda.gov/downloads/Drugs/ GuidanceComplianceRegulatoryInformation/Guidances/ UCM292334.pdf 13. Exchange Mechanism Standard: TMF Reference Model / DIA Document & Records Management Community project website https://tmfrefmodel.com/ems/ 14. ‘GxP’ Data Integrity Guidance and Definitions, Medicines & Healthcare products Regulatory Agency, MHRA (2018) https://assets.publishing.service.gov.uk/government/uploads/ system/uploads/attachment_data/file/687246/MHRA_GxP_ data_integrity_guide_March_edited_Final.pdf
PROFILE Patricia is Director of Clinical and Regulatory Solutions at MasterControl and started her life sciences career in 1994 at Schering-Plough before joining Boehringer Ingelheim Pharmaceutical. She led both organisations’ efforts to transition business processes, document management and submission compilation from a paper to electronic system. A member of Regulatory Affairs Professional Society (RAPS), the Drug Information Association (DIA) and the DIA’s TMF Reference Model Working Group, Patricia earned her Regulatory Affairs Certification (RAC) from RAPS and the Regulatory Affairs Certification Board (RACB).
JANUARY 2019 | QUASAR | 39
NON THEMED
Henrieke de Bie
QUALITY CULTURE IN THE PHARMACEUTICAL INDUSTRY AWARENESS AND ASSESSMENT IN CLINICAL RESEARCH, COMPARED WITH MANUFACTURING
Quality in the organisational culture: • What is the impact of the organisational culture on quality and data integrity? • What is quality culture? • What is the current role of quality culture within the clinical research environment and how does that compare to the manufacturing environment? • C an we develop tools to assess quality culture in a clinical research environment? This article provides a high-level summary of results from a research project performed as part of the Quality Management in Scientific Research and Development MSc at Cranfield University (UK), which is delivered in partnership with the RQA. 40 | QUASAR | JANUARY 2019
NON THEMED PREVENTION IS BETTER THAN CURE Times are changing. Pharmaceutical companies experience increased competition due to the rise of generic products and challenges in product innovation. There is growing pressure from society to keep medicines affordable and accessible to those in need. At the same time, continuous efforts should be made to ensure that products are safe, effective and readily available to patients. In the first decades of the 21st century, both the pharmaceutical industry and health regulators have started to realise that steps in the development and manufacturing of medicinal products need to be taken towards improved quality, more process efficiency and better cost control. Quality by design, continual improvement and risk management have made their appearance in pharmaceutical quality management. This has also resulted in rising awareness that, to ensure appropriate quality and compliance behaviour and successful data governance activities, quality thinking should be part of the organisational culture.
FOCUS ON THE RIGHT ORGANISATIONAL CULTURE In 2015, the FDA issued a GMP-related draft Guidance for Industry, Request for Quality Metrics, in which they highlighted the importance of the company culture to product and process quality. During a presentation1 of this draft document, the FDA made clear that they see a company’s ‘commitment to quality culture’ as an indicator for mature quality management. Although a reference to quality culture was removed from the next (draft) version, Submission of Quality Metrics Data2, the FDA’s message certainly contributed to a public discussion about quality metrics and the role of quality culture in a production environment. A few years ago, the MHRA also started to emphasise in blogs and presentations the relationship between company culture and quality. Examples are the two blogs from March 20173,4, in which MHRA Expert GMDP Inspector, David Churchward, directly linked specific elements in an organisational culture to data integrity issues. In their GxP Data Integrity Guidance and Definitions5 from March 2018, the MHRA also refers to the impact of the right company culture on successful data governance activities as one of the principles of data integrity.
IS QUALITY CULTURE A TOPIC IN CLINICAL RESEARCH? Nowadays quality culture is a regular topic of discussion. In the past few years, quality culture was a (sub)theme in conferences organised by several leading pharmaceutical manufacturing and quality assurance organisations. The ISPE published in 2017 a report6 and tools to support and measure achievement of a culture of excellence in pharmaceutical manufacturing. The PDA developed a quality culture maturity assessment tool and associated training, which allows companies to understand, assess and build or improve quality culture in a production environment.
WHAT IS THE IMPACT OF AN ORGANISATIONAL CULTURE ON QUALITY AND DATA INTEGRITY? Performance excellence, a culture of quality, operational excellence, cultural excellence. Recognising an organisational culture that is supporting quality behaviour and data governance activities, is a topic that, understandably, may feel quite intangible and soft for quality professionals who are often so focused on facts and objective evidence. My research project therefore started with a search in quality management history for the meaning and relevance of, what is further called, a quality culture.
Although the importance of quality culture did not remain entirely unnoticed in clinical research, in the summer of 2017 GCP-related publications focusing on, or referring to, quality culture were still scarce and no published tools were found that were specifically developed to assess quality culture maturity in a clinical research area. This gave the impression that there was a greater interest in quality culture within the (GMP) manufacturing environment than within the (GCP) clinical research environment.
Although the importance of product quality has been understood for centuries, quality management really evolved in the 20th century. It started primarily in Japan, just after World War II. Japanese industry was suffering from a bad reputation when it came to quality of their products8,9, and to be able to compete in the international market, it was essential to improve product quality. The eagerness to improve their reputation resulted in the beginning of a new era, focusing on innovative approaches towards quality management, with a flourishing economy as a result.
With the above in mind, I started my research project as part of the Quality Management in Scientific Research and Development MSc, at Cranfield University (UK). This research project consisted of literature review to collect relevant background information and to investigate theories related to quality culture, followed by an online survey among quality professionals (RQA members) with a focus in their work on GCP and/or GMP. The aim was to answer the following research questions:
Statistical methods for control and improvement of quality came up8. Upper management of several companies stood up to personally take the lead in product quality improvement, all layers in the organisation were made aware of the importance of quality and were involved in quality meetings (circles), continuous improvement was introduced9, production processes were no longer seen as separate parts but were seen as one system, and, not unimportant, the customer acquired a central role8.
1. What is the current role of quality culture within GCP compared with GMP quality management?
These new management approaches did not only result in improved product quality, but also had a significant effect on production efficiency and reduction of costs. No wonder that the new insights gained in Japan were closely followed in other parts of the world and later became reference for other innovative quality management approaches, such as Total Quality Management, Lean and Six Sigma. Quality management approaches which are not only being used in a production environment, but have also been applied in other organisation types.
2. Can we develop tools to assess quality culture maturity in a GCP environment? This article presents a high level summary of results from this research project, which was performed between September 2017 and March 2018. The full thesis with more results is available upon request by contacting the author of this article.
Although the aforementioned quality management approaches have recurring themes, the vast majority of publications imply that, whichever quality management methodology you apply, it can only be successful when it is fully embedded in the organisational culture, with leadership acting as role model and the close involvement of employees.
JANUARY 2019 | QUASAR | 41
NON THEMED Looking at the pharmaceutical industry in the 20th century, quality management followed a different path. For decades, competition in pharma was limited and profit margins were high, while medicines were a first need instead of a luxury product. So the same urge to continuously improve and innovate to win the customer’s favour did not really exist as in most other industries. Quality management was rather driven by legislation that was set up, formalised and increasingly further tightened, to ensure medicinal product quality and safety, but also to protect the rights, safety and well-being of study subjects in research. Health authorities and inspectorates were established to inspect the business on strict regulatory compliance and to approve products before they could come on the market, with potentially huge consequences in case of regulatory non-compliance. It makes sense that quality management in pharmaceutical companies has therefore traditionally been more focused on satisfying the health authorities than on satisfying the customer.
Geert Hofstede, well-known for his profound research on organisational and national cultures, defined culture as something that is learned, as ‘the collective programming of the mind that distinguishes the members of one group or category of people from others’10. In his book ‘Culture and Organisations: Software of the mind’10, he presented culture as something that manifests in different ways and at different levels, like onion peels. It is easiest to change the outer layer, it is most difficult to change the inner layer. The three outer layers, i.e. symbols, heroes and rituals, are considered the cultural practices. They are more visible, but their exact cultural meaning is often only really known to the ones who are part of that culture. The inner core of a culture are the values. According to Hofstede et al10, values are mainly acquired when we are very young. While national culture is part of what they call the ‘mental software’, in Hofstede’s view, an organisational culture is mainly based on (organisational) practices, and less, if not at all, on values.
(Henry Ford)
In literature related to quality culture though, there is mostly reference to values. Companies also regularly publish core (cultural) values on their websites, often combined with missions and visions. Apparently there is a different view on what values actually stand for and how they exist in an organisational culture, either as part from what you learn or rather as a set of rules. Anyhow, in the context of a quality culture, values are considered relevant.
WHAT IS THE DEFINITION OF QUALITY CULTURE?
A combination of definitions of quality and culture finally brought the following definition of quality culture, which participants were requested to keep in mind when completing the survey.
Talking with other quality professionals about my research project, the first question that often came up was: what actually is quality culture? To avoid bias in collecting information related to quality culture from quality professionals in the online survey, it was therefore essential to come up with a definition that could be used as a starting point for the survey.
RESEARCH QUESTION 1: WHAT IS THE CURRENT ROLE OF QUALITY CULTURE WITHIN GCP COMPARED WITH GMP QUALITY MANAGEMENT?
‘Quality means doing it right when no one is looking’.
When we look at different definitions, quality is often linked to customer expectations and requirements (e.g. in ISO 9000:2015), to compliance with regulations, standards and procedures, and to consistency in execution of processes. Culture is ‘something’ that is shared by a group, linked to a nation, to a (sub) population or to an organisation. Many have tried to describe the characteristics of a culture and had to conclude that describing a particular culture is complex and includes quite intangible aspects, such as values, beliefs and morals.
42 | QUASAR | JANUARY 2019
CHARACTERISTICS OF SURVEY PARTICIPANTS On 19th December 2017 the RQA disseminated the survey with a request for completion before 12th January 2018. To complete the survey, participants had to be quality professionals working within a GMP and/or GCP environment and they had to be directly employed by a (bio)pharmaceutical company (i.e. no consultants).
To answer research question 1, the survey included a number of questions to allow good comparison in quality culture awareness between participants representing GCP and those representing GMP quality management. However, an evaluation of these responses to those questions identified significant inconsistencies, which could have been a result of e.g. misinterpretation of the question or a difference of perception. Furthermore, a retrospective evaluation of the survey raised the question whether it had actually added value to compare quality culture awareness in a GCP with a GMP environment in an era where close interaction and (virtual) information sharing between quality professionals from different areas is quite common practice. Altogether, only a simple distribution of participants was made based on indicated GxP focus (GCP, GMP or both GCP and GMP), while also the quality culture awareness in the entire participant group was evaluated to see whether culture was point of attention in the industry. The survey resulted in 146 evaluable responses. In total, 129 participants had a focus in their work on GCP and 33 on GMP. Of these participants, 16 had a shared focus on both GCP and GMP (see Figure 1). The survey also included a number of questions to assess potential biases in the perception of a company’s quality culture, such as the participant’s position in the company, influences from a national culture, employment duration (associated with level of engagement and understanding of the company culture) and the size of the participant’s company. An in-depth analysis of these responses has not been performed yet. However, it should be said that operational (non-management) staff and directors of executive level were potentially slightly under-represented. Furthermore, most participants (80%) were working either for a small company (less than 500 employees) or for a very large company (>5000 employees) and 89% of the participants were in employment with their current company for at least a year. Most participants were located in Western Europe (42% of all survey participants worked in the UK) (see Figure 2).
NON THEMED FIGURE 1. EVALUABLE SURVEYS: FINAL DISTRIBUTION OF PARTICIPANTS WITH EITHER A FOCUS IN THEIR WORK ON GCP, ON GMP OR ON BOTH
PARTICIPANTS WITH A FOCUS ON GCP (n=129) PARTICIPANTS WITH A FOCUS ON GMP (n=33)
77%
11% 12% PARTICIPANTS WITH A FOCUS ON GCP AND GMP (n=16)
FIGURE 2. LOCATION OF (HUB) SITE OR OFFICE FROM SURVEY PARTICIPANTS
63%
9%
8%
PE
1) PE
RO
W
EU
RN
S EA
L-
A TR
N
CE
RN
TE
TE
ES
= (n
RO
EU
H
RT
O
N
N ER
)
92
=1
(n
5%
)
13
PE
= (n
RO
EU
EU
)
=7
(n
IA
AS
0%
)
=9
(n
IA
O
C
N EA
)
=0
(n
8%
1%
A
IC
R AF
TH
U
SO
N ER
PE
RO
6%
)
=1
(n
CA
I ER
RN
AM
E
H RT
CA
I ER
)
=0
(n
AM
T
O
N
ED
T CA
I
D
IN
)
=1
(n
D
ID
M
/ LE
RN
E
TH
U
SO
O
N
)
12
= (n
1%
0%
JANUARY 2019 | QUASAR | 43
NON THEMED FIGURE 3. RESPONSES TO QUESTIONS 3.1, 3.2 AND 3.4 OF THE SURVEY TO ASSESS QUALITY CULTURE AWARENESS ASSESSMENT (ALL PARTICIPANTS AND PARTICIPANTS WITH A PRIMARY FOCUS IN THEIR JOB ON RESPECTIVELY GCP AND GMP)
Differences in quality culture awareness within the GCP environment and the GMP environment were finally assessed by analysis of the responses to four questions from participants who confirmed a main focus of their job on GCP or on GMP (see Figure 3). Comparison of results between the groups did not show any significant difference in quality culture awareness or activities (Fisher’s Exact Test, p-value of 0.688, 0,236 and 0.373 for, respectively, survey questions 3.1, 3.2 and 3.4, while p<0.05 would have given a significant difference). However, a small sample size representing GMP may have influenced the research outcome.
QUESTION 3.1 IS YOUR COMPANY ACTIVELY AIMING TO ACHIEVE OR SUSTAIN A QUALITY CULTURE?
90%
88% 5% 5%
94% 7% 5%
ALL (n=146)
0% 6%
GCP (n=113) NO
YES
GMP (n=17)
I DON'T KNOW
QUESTION 3.2 DOES YOUR COMPANY USE A TOOL TO ASSESS THE QUALITY CULTURE?
53%
20%
7%
20%
19%
ALL (n=146) YES
53% 7%
29%
20%
GCP (n=113)
12%
When we look at the results of questions 3.1, 3.2 and 3.4 for all respondents (see also Figure 3), there is a clear indication that quality culture awareness is currently a theme in the pharmaceutical industry. To the question whether their company was actively trying to achieve and sustain a quality culture, 90% of all survey participants answered ‘Yes’.
29% 29%
GMP (n=17)
IN SOME PARTS OF THE COMPANY
NO
I DON'T KNOW
Since that question was quite unspecific, and voluntary participation and the quality background of the participants may have biased the outcome, a more objective question whether tools to assess quality culture are being used in the company could give more direction. Around 27% answered this question with ‘Yes’. What such tools entailed, whether they only included e.g. quality metrics, such as ‘first time right’ cases or CAPA turnaround time or that they (also) measured behavioural aspects, was not always clear. Figure 4 provides an overview of the responses.
QUESTION 3.4 DOES YOUR ORGANISATION HAVE A SPECIFIC ROLE OR DEPARTMENT FOCUSING ON QUALITY CULTURE?
45%
41%
47%
46%
41%
29%
8%
6% ALL (n=146)
12%
7%
6% GCP (n=113)
YES, PART OF QUALITY DEPT NO
QUALITY CULTURE IS A THEME IN THE PHARMACEUTICAL INDUSTRY
12%
GMP (n=17)
47% of all participants indicated that their company had a role or department focusing on quality culture. This role was traditionally still primarily located within the quality department.
YES, OUTSIDE QUALITY DEPT I DON'T KNOW
FIGURE 4. QUALITY CULTURE ASSESSMENT TOOLS USED, ACCORDING TO THE PARTICIPANTS (N=39) WHO RESPONDED ‘YES’ TO QUESTION 3.2 (DOES YOUR COMPANY USE A TOOL TO ASSESS THE QUALITY CULTURE?)
QUESTION 3.3 WHICH TOOL IS YOUR COMPANY USING? n=21 n=9
44 | QUASAR | JANUARY 2019
n=2
n=1
ISPE cultural excellence assessment tool
PDA quality culture assessment tool (pilot)
n=3
n=3 Assessment tool as part of a business excellence model (e.g. Baldrige, EFQM)
A tool developed by my company
Another quality culture assessment tool (please specifiy)
I don't know
NON THEMED RESEARCH QUESTION 2: CAN WE DEVELOP TOOLS TO ASSESS QUALITY CULTURE MATURITY IN A GCP ENVIRONMENT? HOW SHOULD WE ASSESS QUALITY CULTURE MATURITY IN A GCP ENVIRONMENT? To answer the question how we should assess quality culture maturity in a GCP environment, the ‘opinion of the group’ was requested. Looking at the results for the group of participants with a focus on GCP (i.e. on GCP or on both GMP and GCP), the majority of the group proposed the following (see Figure 5): • Quality culture should preferably be assessed at a frequency of once per year (61% of the responses). Only 5% did not see the benefit of assessing the company’s quality culture • Quality culture should be assessed by a corporate role outside quality assurance, quality control or operations (71% of the responses). Interestingly, still 40% of the same participant group answered, that in their company the role or department that is focusing on quality culture is within the QA department. Apparently, many quality professionals wish to see that change • Quality culture should be assessed with a combination of management interviews and employee surveys (77% of the responses). What are the indicators of a mature quality culture in a GCP environment? The biggest challenge of assessing (and establishing) a mature quality culture is to know what the potential indicators of such an organisational culture might be. The complexity of this part of the research project would justify an entire separate article. A brief summary of the research and results follows. For the identification of the potential quality culture indicators, the characteristics of quality culture or of business excellence were evaluated as listed or described in two general quality culture studies (from Forbes-ASQ11 and the CEB12), two GMP-specific quality culture studies (from the ISPE6 and the PDA7), three business excellence models (Baldrige13, EFQM14 and Shingo15) and ISO standard 9004:200916. In addition, two more GMP-specific publications17,18 detailing quality culture elements were included, with the note though that these articles did not include any references. The evaluation of these ten sources resulted in 16 potential quality culture indicators (see Figure 6).
FIGURE 5. RESPONSES TO SURVEY QUESTIONS 3.5, 3.6 AND 3.7 TO COLLECT THE OPINION FROM PARTICIPANTS WITH A FOCUS ON GCP IN THEIR JOB ABOUT THE BEST WAY TO ASSESS QUALITY CULTURE
QUESTION 3.5 IN YOUR OPINION, HOW OFTEN DO YOU THINK A COMPANY'S QUALITY CULTURE SHOULD BE ASSESSED?
61% 24%
9%
5%
1%
RESPONDENTS WITH A GCP FOCUS (n-129) ONCE EVERY YEAR
ONCE EVERY 2-3 YEARS
AT ANOTHER FREQUENCY
I DON'T SEE THE BENEFIT
NOT RESPONDED
QUESTION 3.6 IN YOUR OPINION, WHO SHOULD BE RESPONSIBLE FOR THE ASSESSMENT OF A COMPANY'S QUALITY CULTURE?
71% 21%
7%
1% RESPONDANTS WITH A CGP FOCUS (n=123) QUALITY ASSURANCE
QUALITY CONTROL/COMPLIANCE
CORPORATE ROLE OUTSIDE QA/QC AND OPS
OTHER
QUESTION 3.7 IN YOUR OPINION, HOW COULD A COMPANY'S QUALITY CULTURE BEST BE ASSESSED?
77%
7%
2%
5%
6%
2%
RESPONDENTS WITH A GCP FOCUS (n=123) DURING AUDITS
WITH MANAGEMENT INTERVIEWS
WITH EMPLOYEE SURVEYS
COMBINATION MANAGEMENT INTERVIEWS/EMPLOYEE SURVEYS NO RESPONSE
OTHER
JANUARY 2019 | QUASAR | 45
NON THEMED FIGURE 7. QUALITY CULTURE MATURITY OF THE PARTICIPANTS’ OWN ORGANISATION AS RATED BY THE PARTICIPANTS IN THE SURVEY. THE PARTICIPANT’S GROUP USED TO IDENTIFY POTENTIAL QUALITY CULTURE INDICATORS FOR A GCP ENVIRONMENT IS ENCIRCLED
QUESTION 2.2 HOW DO YOU THINK YOUR COMPANY'S QUALITY CULTURE COULD BE DESCRIBED WHEN COMPARED WITH OTHERS IN THE INDUSTRY? 59%
30%
34%
33%
31%
25%
29%
6%
12%
8%
0%
0% GCP (n=113)
NOT DEVELOPED
27%
31%
19%
5%
ALL (n=146)
30%
25%
23%
4%
GROUP OF PARTICIPANTS THAT WAS USED FOR EVALUATION OF POTENTIAL QUALITY CULTURE INDICATORS FOR A GCP ENVIRONMENT
56%
DEVELOPING
GMP (n=17)
AVERAGE
0%
0%
BOTH GCP AND GMP (n=16)
ADVANCED
5%
7%
WITH A FOCUS ON GCP (n=129)
WORLD CLASS
FIGURE 8. RESULTS RELATED TO POTENTIAL QUALITY CULTURE INDICATOR SYSTEM APPROACH TO MANAGEMENT (ACCUMULATIVE RESULT FROM THREE STATEMENTS, CRONBACH’S ALPHA COEFFICIENT FOR CONSISTENCY OF STATEMENT RESPONSES 0.882 (>0.6 IS ACCEPTABLE))
SYSTEM APPROACH TO MANAGEMENT (RESULTS FROM THREE STATEMENTS RELATED TO INDICATOR)
5
6
1
21
20
9
40 31
1
14
43
9 53 53
12
35 2 1
5
3
NOT DEVELOPED
DEVELOPING
AVERAGE
FULLY AGREE
46 | QUASAR | JANUARY 2019
AGREE
NEUTRAL
15 ADVANCED DISAGREE
WORLD CLASS FULLY DISAGREE
NON THEMED FIGURE 6. IDENTIFIED POTENTIAL QUALITY CULTURE INDICATORS FOR A GCP ENVIRONMENT. THE 10 OUT OF 16 POTENTIAL INDICATORS TESTED IN SURVEY RESPONDENTS WITH A FOCUS ON GCP (N=129), THAT VISUALLY SHOWED THE MOST SIGNIFICANT CORRELATION WITH QUALITY CULTURE MATURITY, ARE MARKED IN BOLD
1. Leadership as a quality role model 2. Clear quality vision 3. Clearly stated quality objectives 4. P erformance goals linked to quality objectives 5. A ppropriate incentives related to quality behaviour 6. Environment of trust and respect 7. Quality is everyone’s responsibility (employee accountability) 8. Employee empowerment 9. Peers working towards common quality goals 10. Sharing best practices 11. Coaching and training to ensure quality 12. Embracing innovative approaches to improve quality 13. System approach to management 14. Managing by fact (decisions made based on quality metrics and trends) 15. Listen to the voice of the customer 16. R espectful and transparent collaboration with suppliers/vendors To explore potential quality culture indicators, the survey participants were asked to rate 24 statements for their own company, using a 5-point Likert scale (fully agree/ agree/neutral/disagree/fully disagree). Those statements were all associated with either one of the 16 potential quality culture indicators. The rating of all statements was compared with the participants’ rating, later on in the survey, of the quality culture maturity of their own company (see Figure 7). A response consistency check was performed for four potential quality culture indicators. For identification of potential quality culture indicators for the GCP environment, the results from survey participants with a focus on GCP (either in combination with GMP, or on GCP alone) were evaluated. The number of participants was small, but there was really a very limited number of participants, who rated their company’s quality culture maturity as ‘not developed’ (n=6) or ‘world class’ (n=9). It was therefore difficult to assess the correlation between a potential indicator and quality culture maturity through a reliable statistical analysis. All indicators were therefore only
visually explored on a potential positive correlation with quality culture maturity, resulting in 10 quality culture indicators with a more likely positive correlation than the others (see Figure 6). Figure 8 shows an example of a visual for one of the quality culture indicators.
CONCLUSION OF THE RESEARCH PROJECT This research project was set up to present an overview of the role quality culture plays within the (bio)pharmaceutical industry, in particular within a clinical research environment (GCP), compared with a production environment (GMP). Furthermore, opportunities were explored to assess quality culture maturity within a clinical research environment. Altogether, the results of the survey provided a good indication that quality culture is currently a theme in the pharmaceutical industry. A significant difference between the GCP and the GMP environment in quality culture awareness or activities was not observed, although a small sample size for GMP may have influenced the research outcome. This research project may be seen as a first step towards gaining insight in relevant quality culture indicators in a GCP environment. This article provides only a limited overview of results from the literature research and survey performed as part of this project. The additional results as presented in the thesis, further in-depth (statistical?) analysis of the survey and potential additional research in a more heterogenous GCP population may serve as a basis for the set-up of a quality culture assessment tool for the GCP environment. The set-up of a quality culture assessment tool for the GCP environment will be labour-intensive and time-consuming, but will likely be worth the effort. As has happened in the GMP environment by organisations, such as the ISPE and the PDA, it would therefore be interesting to join efforts and knowledge and to find like-minded within the GCP environment to work together on establishing a tool.
REFERENCES 1. FDA (2015) Draft Guidance for Industry: Request for Quality Metrics (presented during a Stakeholder Technical Webinar) [online]. Available at: www.fda.gov/downloads/drugs/ developmentapprovalprocess/smallbusinessassistance/ucm456211. pdf (accessed 23 August 2017). 2. FDA (2016) Draft Guidance for Industry: Submission of Quality Metrics Data [online]. Available at: www.fda.gov/downloads/ Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ UCM455957.pdf (accessed 01 March 2018). 3. Churchward, D. (2017a) Too much pressure: a behavioural approach to Data Integrity (Part 1) (MHRA Inspectorate Blog) [online]. Available at: https://mhrainspectorate.blog.gov. uk/2017/03/10/too-much-pressure-a-behavioural-approach-todata-integrity-part-1/ (accessed 19 February 2018).
4. Churchward, D. (2017b) Too much pressure: a behavioural approach to Data Integrity (Part 2) (MHRA Inspectorate Blog) [online]. Available at: https://mhrainspectorate.blog.gov. uk/2017/03/10/too-much-pressure-a-behavioural-approach-todata-integrity-part-2/ (accessed 19 February 2018). 5. MHRA (2018) ‘GxP’ Data Integrity Guidance and Definitions [online]. Available at: https://assets.publishing.service.gov. uk/government/uploads/system/uploads/attachment_data/ file/687246/MHRA_GxP_data_integrity_guide_March_edited_ Final.pdf (last accessed 11 November 2018). 6. ISPE (International Society for Pharmaceutical Engineering) (2017) Cultural Excellence Report [online]. Downloaded from www.ispe.org on 17 September 2017. 7. Patel, P., Baker, D., Burdick, R., Chen, C., Hill, J., Holland, M., Sawant, A. (2015) Quality Culture Survey Report, PDA Journal of Pharmaceutical Science and Technology, Vol. 69, No. 5, p. 631642 [online]. Available at: http://journal.pda.org/content/69/5/631. full (accessed 11 August 2017). 8. Deming, W.E. (2000) Out of the Crisis, The MIT Press (1st edition), Cambridge (US) / London (first published in 1982). 9. De Feo, J.A. (2016) Introduction. Quality and Performance Excellence. In: Defeo, J.A., Juran’s Quality Handbook. McGrawHill Education, New York (USA), p. 1-29. 10. Hofstede, G.H., Hofstede, G.J., Minkov, M. (2010) Cultures and Organizations, Software of the Mind, Intercultural cooperation and its importance for survival, 3rd edition, McGraw-Hill (first edition published in 1980). 11. Forbes-ASQ (Forbes Insights in association with ASQ) (2014) Culture of Quality (White Paper). Requested from ASQ via https://asq.org/quality-resources/research/culture-of-quality/ whitepaper on 06 June 2017. 12. CEB Quality Leadership Council (2013) Build a Culture of Quality [online]. Downloaded from: www.cebglobal.com/ content/dam/cebglobal/us/EN/best-practices-decision-support/ innovation-strategy/pdfs/CEB-build-a-culture-of-quality.pdf on 15 September 2017. 13. Baldrige (2017) Baldrige Excellence Builder [online]. Downloaded from www.nist.gov/baldrige on 22 August 2017. 14. EFQM (2012) EFQM Model [online]. Available at: www.efqm. org/efqm-model/model-criteria (accessed 22 August 2017). 15. Shingo Institute (2017) The Shingo Model™ [online]. Available at: www.shingoprize.org/model (accessed 19 November 2017). 16. BSI (British Standards Institute) (2009) BS EN: ISO 9004:2009: Managing for the sustained success of an organization - A quality management approach (identical to ISO 9004:2009). 17. Kieffer, R. (2015) Quality Culture and its Measurement [online]. Available at: www.pda.org/pda-europe/news-archive/ full-story/2015/01/30/quality-culture-and-its-measurement (accessed 12 October 2017). 18. Uydess, I., Meyers, C., (2011) Developing and Sustaining a Quality Culture, Pharmaceutical Technology, Vol. 35, No. 12 [online]. Available at: www.pharmtech.com/developing-and-sustainingquality-culture-0?id=&sk=&date=&pageID=2 (accessed 02 June 2017).
PROFILE Henrieke is an all-round Senior Consultant QA at ProPharma Group, with a primary focus on quality and compliance in clinical research. She has been in the industry for close to 20 years and since 2007, she has been working as an international QA auditor andmore recently as a functional and strategic quality manager for several CROs. Henrieke has a biomedical chemical background and in 2018 she successfully completed a MSc study Quality Management in Scientific Research and Development at the Cranfield University (UK). For more information contact: hjjdebie@hotmail.com
JANUARY 2019 | QUASAR | 47
TECHNICAL TOOLKIT Nick Morley talks about embracing technology to ensure quality in organisations which both sponsor and host research.
T
here is a curious relationship between pharmaceutical and healthcare organisations which is most apparent in the UK. In simplistic terms, the decisions driving pharmaceutical development are business and the decisions driving organisations like the NHS are healthcare, which in turn are frequently limited by costs; although the two decision processes are not mutually exclusive. Whilst the NHS encourage innovation and work with pharma to support the development of new drugs and novel treatment, there is a risk that once a product has received a marketing authorisation, the cost is deemed too high to purchase. In the drive to offer new treatment options to their patients, many clinicians are becoming increasingly keen to participate in clinical trials. Although most hospitals collaborate on research, the restrictions on sharing commercially sensitive information and the potential income generated from undertaking clinical trials sponsored by pharma put the different healthcare providers which comprise the NHS in competition with each other.
continuous improvement and sponsor oversight ultimately to drive up standards and make the site attractive for business. This came about through the natural progression of moving away from a paper audit tool to electronic means of data capture and investigating episodes of non-compliance. We wanted to develop software that would enable us to collate information from internal audits of different studies, download the findings into a spreadsheet and then manipulate the data to identify themes and trends. The other immediate, noticeable benefit of this software is that it negates the need to re-enter study details several times. In fact, we have been able to utilise one of the criticised elements of NHS operations in that there are too many systems which do not talk to each other. We found that we could import details of any study already captured in Edge: the National Institute for Health Research clinical trials database of choice, which has secure details of all the studies we host and sponsor at RCHT. Thereby providing a base level of information from which we can focus the audit on the systems gathering this data.
Just about all of the acute hospital trusts in the UK undertake research with a large proportion of those both sponsoring and hosting research. Most of the research is classified as non-commercial and can even be in conflict with the interests of pharma, such as clinical trials comparing less of the investigatory medicinal product against the established standard dosage. The funding of this research is complex and most acute hospital trusts are seeking to increase their research budget and autonomy by supplementing income from hosting clinical trials which have a commercial contract. The healthcare benefits for the patients of these providers are widely reported and include increasing treatment options with better outcomes, even for patients in the control arm of a placebo-controlled trial. Research active hospitals can demonstrate a significant decrease in mortality.
In effect, the software is a purpose-built, electronic database designed to facilitate audit and monitoring of research projects which fall within the UK Policy Framework for Health and Social Care Research and other relevant legislation. The database, which we have called Quality Assurance Database (QuAD) just for ease, enables the capture of data from full, partial or system audits at single or multiple sites, although there is no reason why this technology could not be adapted by other organisations, healthcare providers and industries. The advantages do not stop there.
In order to attract pharma to place their research with a particular provider, the site needs to demonstrate a proven record in delivering quality research and attaining an ambitious recruitment target. At the Royal Cornwall Hospitals NHS Trust (RCHT), we have developed software to ensure
48 | QUASAR | JANUARY 2019
One of the untapped resources of an organisation which hosts clinical research is that the sponsor of the research already provides useful information on the quality of the research undertaken by the principal investigator and the supporting team through monitoring reports. By collating the findings from monitoring reports, the database helps identify recurring themes and weakness in particular areas, departments or research teams. In effect, the collating of findings from monitoring reports provides an informed, risk-based management system that provides guidance on where to focus a systemsâ&#x20AC;&#x2122; audit.
In moving to a paperless organisation, the oversight of the vast array of electronic systems requires the support of individuals specialising in technology, in other words, an information technology department. Over time the acquisition of various electronic hardware and software to facilitate the delivery of healthcare and to keep up to date with rapid advances in healthcare technology, has resulted in a complex process to restrict access for individuals to specific technologies and software, yet ensure compliance with the general data protection regulation and NHS information governance policies. By involving the RCHT IT department (CITs), we have managed to utilise those different systems and their inherent complexities to link the database with the main system containing user details of all RCHT employees. This means we can assign individuals the right level of access to the database dependent upon their roles and responsibilities. For example, we can send a report to the research team leader (our equivalent of a clinical trial manager), for comments and review, we can send full study audit reports to the chief investigator or site findings to the principal investigator. The identification of specific personnel also enables an audit to drill down on the individual, which also has the advantage of monitoring performance and, perish the thought, help to identify fraud. All electronic systems need validating and at RCHT we have taken an indirect approach. An audit plan has been developed based on the risk assessments undertaken for all clinical trials opened at RCHT, which is modified by the themes and trends identified through the database. By enshrining an audit plan into a standard operating procedure, the organisation rather than the research department, take responsibility for ensuring the policy is adhered to and, in effect, help to validate the software. Although web-based, to comply with organisation policy the software is only accessible on our internal intranet, it is backed up by CITs, has built-in audit trails and has to undergo frequent revision to ensure it is fit for purpose.
TECHNICAL TOOLKIT Like all electronic systems, the operator needs a period of time to become familiar with the system. The design of the database is intuitive, purposefully simplistic, in other words easy to use without compromising functionality. Figure 1 shows a series of screen grabs of the database and an example of how the data can be downloaded into a spreadsheet to help identify themes and trends. On the home page the operator has the choice of accessing a previous report selected from all reports entered or just from those with outstanding actions.
Alternatively the operator or auditor can populate a new audit. They can manually enter data into all fields or automatically incorporate details of the study from Edge, as well as the details captured from monitoring reports which have been previously entered. The auditor can toggle through the sections which cover all aspects of the clinical trial. This gives the auditor control of what information is entered facilitating full or part audits. Each section has prompts to guide the auditor on where to look and on what to comment, with the
FIGURE 1. SCREEN SHOTS FROM QUAD AND EXAMPLE OF DATA ANALYSIS USING DATA FROM REPORTS
FIGURE 2. PROCESS SHOWING HOW THE DATABASE CAPTURES AND PROCESSES DATA FOR AUDIT REPORTING WITH SENIOR MANAGEMENT OVERSIGHT
QA PROCESS CHART
Risk Assessment
Audit
Audit Plan
Auditor Generates Audit Report
Monitoring
Monitor Generates Report
Themes & Trends Identified
Manager Reviews Report
emphasis on processes and systems. Each section has fields in which to populate, categorise and log findings. When the report is complete it should be submitted electronically to a senior manager for review. The system we have adopted enables only the manager to submit the report to the chief investigator, principal investigator or research team leader. This way the research department senior management team take responsibility for the audit, ensuring consistency and also retaining oversight of the auditor! Figure 2 shows the process of how the database captures and processes data for audit reporting with senior management oversight. The person receiving the audit report cannot change the information. The findings are displayed on a page at the end of the report, although each finding is referenced to the section from where it was populated, which can be viewed for further information if required. Before the audit report is signed off as complete, the recipient must confirm when each finding has been resolved. This can then be verified by the auditor. Over time the findings from multiple audits and monitoring reports can be downloaded from the database into a spreadsheet for identifying themes and trends. These will provide a key agenda item in the monthly senior management team governance meetings. However, an escalation process is in place to immediately alert the governance manager to major findings for expediting further investigation if required. On a more positive note, the database can also be used to identify and share areas of good practice. In summary, the database provides a rapid and effective means of improving the standards of research at an organisation level. It provides an essential tool for sponsor oversight, ultimately to ensure the health and well-being of participants and the integrity of the study data. In a competitive research environment where reputation can be a decisive business factor, organisations can embrace technology to gain an advantage. Ultimately the database we have created will provide our organisation with a powerful tool for Quality Assurance.
PROFILE Report Shared with PI Study team
Findings
PI/Study team respond
Senior Research Management Team Governance Meeting
Monitor Verifies Response
logged
Report Shared with CI/PI Study team
CI/PI Study team respond
Monitor Verifies Response
Nick is the QMS Manager at the Royal Cornwall Hospital and Associate Lecturer in Health Sciences with the Open University. He has a background in biological sciences and research methodology. After completing his PhD in 2003, he worked in oncology before taking up a managerial role providing guidance on research governance and training NHS staff in GCP.
JANUARY 2019 | QUASAR | 49
The 2018 RQA Annual Conference took place between the 31st October and the 2nd November at the award-winning Manchester Central, in the heart of the vibrant city of Manchester. Over 500 people attended throughout the two and a half days and the conference was informative, interactive and stimulating. With data and all its implications during 2018 and beyond, this yearâ&#x20AC;&#x2122;s theme was: DATA AND QUALITY: IS THE TAIL WAGGING THE DOG?
50 | QUASAR | JANUARY 2019
RQA ANNUAL CONFERENCE
Simon Gillespie, CEO of the British Heart Foundation discussed evidence in the era of ‘fake news’; how much data is enough? And learning in the age of uncertainty
T
he conference was opened by Vanessa Grant the current RQA Chair, with a candid look at Manchester and its rich history in music and football to name just two. Fergus Walsh (the BBC’s Medical Correspondent) then took the stage for his keynote presentation on 'Making Sense of Headlines and Health', which was followed by a very healthy questions session from the audience, who could pose a question to the speaker at any time during the session using the conference app. This turned out to be a great success with popular questions being voted to the top of the list, ensuring that everyone could openly have their say. For the rest of the morning delegates were treated to presentations on data integrity and GDPR from two regulators – Janet Messer, Health Research Authority and Andrew Gray from the MHRA. Following lunch, delegates had the choice of three streams – Data Integrity, Pharmacovigilance or the new ‘RQA Fringe Sessions’. These Fringe sessions were a chance for a roundtable discussion on six specific topics and the room was alive with chatter. Each topic was repeated three times enabling delegates to participate in each of the topics. Initial feedback suggests that this format was a success and something we can look to continue with in the future.
Fergus Walsh presenting 'Making Sense of Headlines and Health' The traditional ‘Meet the Delegates Drinks Reception’
Wednesday evening saw the traditional ‘Meet the Delegates Drinks Reception’ in the hall with the Exhibitors. This year there were a record number of exhibitors (40 exhibitor stands) both from industry and international associations. Thursday morning saw two streams offered to delegates, stream one covered the ‘EU Clinical Trial Regulation’ and ‘GCP-PV Interface: EU CTR: CT Safety Reporting: RSI and management of changes’ while stream two offered ‘Times they are a changing – where is technology taking us?’ and ‘Twists and turns of regulation’. Thursday afternoon saw the conference cover its traditional core areas with five concurrent streams throughout the venue – Good Clinical Practice, Good Laboratory Practice and Animal and Veterinary Products, Pharmacovigilance, Medical Devices and DIGIT (Computing). Following the afternoon break, each of these five areas were devoted to the now regular QA Clinics which involved lively debates around hot topics. The audio (and video, where possible) is available to RQA members on the website. The evening saw the usual extremely popular Gala Dinner with 322 delegates attending. The meal was followed by dancing to ‘Happy Hour’, who made their third appearance at the Gala Dinner.
Following dinner, Vanessa Grant took time to recognise Angelika Tillmann (2018 Conference Chair) and Jane Elliston (2018 Deputy Chair) as well as a special mention, and subsequent standing ovation, for RQA Conference Manager Tony Ward, who retired from the Association at the end of 2018. What happens in Manchester stays in Manchester, so you will have to ask any attendees you know for further details from there! Friday morning saw our second Keynote Speaker – Simon Gillespie, CEO of the British Heart Foundation, discuss ‘evidence in the era of ‘fake news’; how much data is enough? And learning in the age of uncertainty’. Following the break there was a lively debate session and then an update from JSQA including the next Global QA Conference, to be held in Sendai, Japan in 2020. The office would like to extend its thanks to all of the faculty, exhibitors, sponsors and delegates who made this year’s conference such a successful one. Next year will be the 3rd European QA Conference, and will be held in Dublin, 6th-8th November 2019. Stay tuned for more information.
JANUARY 2019 | QUASAR | 51
KEEPING YOU POSTED
REGULATIONS AND GUIDELINES
52 | QUASAR | JANUARY 2019
REGULATIONS
GLP
Question 3: Where is your electronic data stored?
Mark Goodwin and the GLP Committee
• In a cloud 18
• On-site on a separate server from our non-archived data 26 • On-site on the same server as our non-archived data 14
INFORMATION FROM RECENT EVENTS Notes from the MHRA GLP Consultative Committee Meeting (Stakeholder Engagement Meeting) that took place on 19th October 2018 were not available at the time of writing this article. Some of the items covered at the meeting were repeated in presentations by MHRA Inspectors at the RQA Conference in Manchester. Key points raised during the presentations are summarised below. Andrew Gray is now Group Manager Inspectorate and Process Licensing (and Head of GLPMA). The vacated role of Unit Manager Inspectorate Operations has yet to be filled. Key concepts around data integrity are the data lifecycle (collection, processing, reporting, review, archival) and data governance (around process and systems, ownership, monitoring/audit, environment and training). Risk assessment identifies areas of risk, allows implementation of proportionate risk mitigation measures and acceptance (justification) of residual risk. Company culture (attitudes, behaviours, beliefs) can influence compliance with data integrity (DI). The MHRA look for culture signals (positive or negative) during inspections. There has been a large increase in critical/major deficiencies associated with data integrity. These include the use of generic logins, ability to delete or edit data, gaps in audit trail and QA with no access to electronic data. The overall number of critical/major findings has increased with study conduct having the most (consistent with historical data), with QA in second place. Study management deficiencies include errors and lack of transparency in reports, misleading compliance statements, DI controls, unable to reconstruct study activities, lack of validation to support data generation and study director/ principal investigator oversight. QA deficiencies include insufficient audit coverage, failure to identify critical issues, poor audit close-out performance and failure to address CAPA. A new inspection deficiencies category has been introduced, ‘Test Facility Management Responsibilities’.
ARCHIVING SURVEY In preparation for the GLP/Animal and Veterinary Products QA Clinic at the RQA Annual Conference, an archiving survey was made available for RQA members to complete. The response rate was high (167) therefore giving meaningful output. Survey responses are summarised below with all responses expressed as percentages. Question 1: Do you work for: • Contract Research Company 40 • Sponsor company 35 • Other 25 (This question was to provide context; ‘other’ probably includes QA consultants) Question 2: Is your data (paper and/or electronic) retained in:
• Off-site company server 13 • Other 10 • Off-site contract server 7 • Don’t know 5 • On a USB 4 • On a DVD 4 Question 4: Do you transfer data electronically? • Yes, we return (make the CRO return) electronic data in the original format 32 • No, we retain (make the CRO retain) electronic data at the CRO on behalf of the sponsor 23 • Other 11 • No, we print (make the CRO print) the data before it is returned 9 • All of the above 25 Question 5: Is your electronic data transfer ever inspected? • Yes, by internal auditors 53 • No 35 • Yes, by sponsors 12 Question 6: Have you ever revisited old electronic data to ensure it is still accessible after an extended period of time? • Yes and everything was fine 50 • No, never tried it 39 • Yes and some electronic data could not be retrieved 11 Question 7: Do you think CROs should charge extra to retain electronic data in an accessible format? • Yes, for sponsors it would be worth paying to be sure they would be able to meet future regulatory inspections 40 • No, CROs should include this cost in their original quote 32 • No, sponsors should retain the data themselves at their own expense 28 Question 8: What do your study plans say? • We talk about data retention in general and don’t specify electronic or paper 43 • We specify different requirements for paper and electronic records 41 • We have no facility to hold electronic data and therefore everything is returned to the sponsor as soon as the study is completed 10 • Other 7
• A GLP Archive for the required period of time 68 • Don’t know 24 • Initially in a GLP Archive and then transferred to a non-regulated area 8
JANUARY 2019 | QUASAR | 53
REGULATIONS
GCP Angelika Tillmann, GCP Committee
MAIN REGULATORY NEWS MHRA MHRA has created a new post on the MHRA Inspectorate blog, ‘Making GCP Training Relevant and Applicable: It’s Not Just for Clinical Staff ’ which is intended to answer questions related to GCP training for laboratory staff. https://mhrainspectorate.blog.gov.uk/2018/11/05/making-gcp-trainingrelevant-and-applicable-its-not-just-for-clinical-staff/ MHRA has also posted a new post ‘MHRA Inspectorate staff changes’ to provide an update on staff changes within the Inspectorate. https://mhrainspectorate.blog.gov.uk/2018/10/19/mhra-inspectorate-staff-changes/ MHRA has published an update on their GCP part of their website with ‘Inspection Outcomes’, giving definitions and examples for the categories and outlining what to expect from an inspection.
BIA and ABPU have published their input to the MHRA consultation on EU Exit ‘no deal’ contingency legislation for the regulation of medicines and medical devices. www.bioindustry.org/news-listing/bia-and-abpi-input-to-mhra-consultation-on-eu-exit-no-deal-contingency-legislation-for-the-regulation-of-medicines-and-medical-devices.html
EU EMA has provided an update on the implementation of the EU Clinical Regulation which states that the audit can begin after the move of the EMA to Amsterdam, which is timed for March 2019, and that dependent on successful completion of the audit and review by the EMA Management Board around the end of 2019, the system could be ready to ‘go live later in 2020’. www.ema.europa.eu/human-regulatory/research-development/clinical-trials/clinical-trial-regulation The European Commission has facilitated a Privacy Code of Conduct on mobile health apps. https://ec.europa.eu/digital-single-market/en/privacy-code-conduct-mobile-health-apps.
FRANCE
www.gov.uk/guidance/good-clinical-practice-for-clinical-trials?utm_ source=ab437459-c5f8-4990-bc1a-98eb5be2136c&utm_medium=email&utm_campaign=govuk-notifications&utm_content=immediate
ASNM have published a new document providing guidance on how to complete the additional document now required for the Fast-Track Procedure.
MHRA/HRA
www.ansm.sante.fr/content/download/150949/1984797/version/4/file/ AEC_DOC021A+V01_AECMED_GUIDE+REDACTIONNEL_ FAST_TRACK.pdf
The MHRA and the Health Research Authority (HRA) have published a joint statement on seeking and documenting consent using electronic methods (eConsent). The statement www.hra.nhs.uk/documents/1588/hra-mhra-econsentstatement-sept-18.pdf confirms that electronic methods may be used for seeking, confirming and documenting informed consent for participation in research and is supported and endorsed by the UK health departments in Northern Ireland, Scotland and Wales. It also sets out the legal and ethical requirements for eConsent and joint expectations regarding the use of electronic signatures in Clinical Trials of Investigational Medicinal Products (CTIMPS) www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/clinical-trials-investigational-medicinal-products-ctimps/ eConsent enables potential research participants to be provided with the information they need to make an informed decision via a tablet, smartphone or digital multimedia. It also enables their informed consent to be documented using electronic signatures. This approach can supplement the traditional paper-based approach or, where appropriate, replace it. While the statement focuses primarily on clinical trials, the basic principles can be applied to all research conducted within the UK where consent is sought.
FDA In October 2018, FDA released the draft guidance ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’ http://app.info.fda.gov/e/er?utm_campaign=FDA%20 Releases%20Draft%20Recom%20on%20Premrkt%20Sub%20 Manag%20Cybersecurity&utm_medium=email&utm_source=Eloqua&s=2027422842&lid=5192&elqTrackId=3FEAE0C7FABDF2E969EC31B9016ABE6C&elq=61cecdb0ef6049f9a75de29d0e5b218b&elqaid=5530&elqat=1 The draft guidance provides the FDA’s updated recommendations for the device design, labelling and documentation to be included in premarket submissions for devices with cybersecurity risks. The technical recommendations in this draft guidance are intended to: 1) Ensure better medical device protection against cybersecurity threats that could interrupt clinical operations and delay patient care. 2) Allow for a more efficient premarket review process that would better ensure marketed medical devices are protected against cybersecurity vulnerabilities.
https://hra.nhs.uk/documents/1588/hra-mhra-econsent-statementsept-18.pdf
This draft guidance encompasses the following types of premarket submissions for medical devices that contain software (including firmware), programmable logic and software that is considered a medical device:
BREXIT
• Premarket Notifications (510(k))
MHRA has published a guidance for continuity of IMP supply in case of a ‘no-deal’ EU Exit. www.gov.uk/government/news/supply-of-investigational-medicinal-products-for-clinical-trials-in-the-event-of-a-no-deal?utm_source=c8d0d85ddfc4-4001-90ea-0e5c299a2436&utm_medium=email&utm_campaign=govuk-notifications&utm_content=immediate
54 | QUASAR | JANUARY 2019
• De Novo Requests • Premarket Approval Applications (PMAs) • Product Development Protocols (PDPs) • Humanitarian Device Exemption (HDE) Applications.
REGULATIONS When finalised, this guidance will replace the original version of the ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’ final guidance issued in October 2014. http://app.info.fda.gov/e/er?utm_campaign=FDA%20 Releases%20Draft%20Recom%20on%20Premrkt%20Sub%20 Manag%20Cybersecurity&utm_medium=email&utm_source=Eloqua&s=2027422842&lid=5191&elqTrackId=479DC77EB40D1EF3F08056FAA390D32B&elq=61cecdb0ef6049f9a75de29d0e5b218b&elqaid=5530&elqat=1 The consultation period for the draft guidance document is open for 150 days in the Federal Register under docket ID: FDA-2018-D3443, beginning 18th October 2018.
PUBLIC WORKSHOP On 29th-30th January 2019, the FDA will host a public workshop to discuss and answer questions about this draft guidance. The workshop is an opportunity to provide feedback on the proposed recommendations including recommendations regarding a Cybersecurity Bill of Materials (CBOM), which could become a critical element in identifying cybersecurity assets, threats and vulnerabilities in the future. Additional information about the public workshop, including registration instructions, can be found at www.fda.gov/ MedicalDevices/NewsEvents/WorkshopsConferences/ucm623171.htm.
Also, in November 2018, the FDA announced the availability of a draft guidance for industry entitled ‘Meta-Analyses of Randomised Controlled Clinical Trials to Evaluate the Safety of Human Drugs or Biological Products’. This document, when finalised, will provide guidance to applicants submitting investigational new drug applications, new drug applications, biologics license applications or supplemental applications on the use of meta-analyses of randomised controlled clinical trials (RCTs), to evaluate the safety of human drugs or biological products within the framework of regulatory decision-making. This draft guidance is also intended for FDA reviewers and for third-party entities that prepare or evaluate meta-analyses assessing the safety of drug products. Specifically, this guidance describes the factors the FDA intends to consider when evaluating the strength of evidence provided by a meta-analysis studying the safety of drugs. FDA is accepting comments on this draft guidance through 7th January 2019. www.fda.gov/ucm/groups/fdagov-public/@fdagov-drugs-gen/documents/ document/ucm625241.pdf
PAYMENT AND REIMBURSEMENT OF CLINICAL TRIAL PARTICIPANTS FDA
In November 2018, the FDA published a posting linking to computer code and a roadmap http://app.info.fda.gov/e/er?utm_ campaign=FDA%20posts%20computer%20code%20and%20 technical%20roadmap%20for%20MyStudies%20app&utm_medium=email&utm_source=Eloqua&s=2027422842&lid=5483&elq TrackId=08978672553757B639AEA971B852B4CB&elq=ec0cb70d509d492b86c3eb76f74d7adb&elqaid=5791&elqat=1 that will allow researchers and developers to customise and use the newly created MyStudies app, which is interesting information for those looking at virtualisation of clinical trials.
FDA updated their guidance on this subject in January 2018.
Patients can securely enrol and participate in large-scale pragmatic clinical trials or registries involving multiple health care systems or data sources. The agency expects that the MyStudies app will aid researchers and industry in collecting real world patient level data and that these data, when linked to existing electronic health data, will promote efficiencies in drug development and drug safety monitoring processes. The MyStudies app is also capable of supporting clinical trials that comply with FDA guidance and regulations regarding data authenticity, integrity and confidentiality (21 CFR Part 11 compliant clinical trials).
www.sahpra.org.za/documents/523beceb2.51_CT_TIE_Compensation_ Model_May18_v1.pdf
www.raps.org/news-and-articles/news-articles/2018/1/payment-and-reimbursement-for-research-subjects-f
SOUTH AFRICA In June 2018, the South African Health Products Regulatory Authority (SAHPRA), published a guidance on a compensation model for clinical trials participants’ time, inconvenience and expenses.
There are two versions of the app. One is built on the Apple ResearchKit (iOS) framework and the other is built on the open source ResearchStack framework, which runs on Google’s Android. The MyStudies app is an example of the FDA using technology to bridge initiatives and respond to stakeholder feedback. It can expand the clinical information available for clinical trials and studies, while directly capturing the perspective of patients. The FDA’s Centre for Drug Evaluation and Research led this effort and received a grant from the Patient Centered Outcomes Research Trust Fund. The open source code that serves as the foundation of the MyStudies app, as well as specifications for a secure patient data storage environment, were developed through a collaboration with Harvard Pilgrim Health Care Institute, LabKey and Boston Technology Corporation. Kaiser Permanente Washington Health Research Institute performed a pilot study of medication exposure and healthcare outcomes. www.fda.gov/Drugs/ScienceResearch/ucm624785.htm?utm_ campaign=FDA%20posts%20computer%20code%20and%20 technical%20roadmap%20for%20MyStudies%20app&utm_medium=email&utm_source=Eloqua
JANUARY 2019 | QUASAR | 55
REGULATIONS
GMP Philip Butson, GMP Committee
BREXIT As this is being written in mid-November 2018, the UK and EU may or may not be close to reaching agreement on the terms of Brexit. The situation should be clearer by the time you read this!
• The UK will continue to use existing EU GMP and GDP guidelines until further notice • Clinical trials will continue to be governed by SI 2004/1031. The CTR will not be incorporated into UK law on exit day as it will not yet be in force. However, the intent remains that the UK will align with the CTR as closely as possible when it does come into force • Initially, sponsors and ‘legal representatives’ established in the EU/EEA will continue to conduct trials in the UK, but it will be necessary to have an individual based in the UK who has overall responsibility for the trial and can be contacted to discuss any urgent issues
In August, the MHRA, together with the Department of Health and Social Care (DHSC) and the Veterinary Medicines Directorate (VMD), published guidance on ‘What the implementation period means for the life science sector’. Most of the elements covered related to marketed products, but the following points will be of interest to those working in GMP areas supporting clinical trials:
• EU centrally authorised products (CAP) will automatically be converted into UK marketing authorisations (MA) unless the MA holder opts out of this
• ‘UK batch testing release of investigational medicinal products will also be recognised in the EU and vice versa’. This applies to both products manufactured in UK/EU and those imported from current ‘third countries’ via either UK or EU
• New MA applications will need to be submitted to MHRA for national assessment. ‘MHRA will take a streamlined approach to approving UKMA applications’, but the details of this are still to be determined
• ‘A qualified person and qualified person for pharmacovigilance may continue to be located in the UK during the implementation period’
• A flexible approach will be taken on marketing authorisation holders (MAH) in that, whilst MAH should be legally established in the UK, current EU MAHs will be allowed to end 2020. There does, however, need to be an established UK contact from exit day
• The UK will continue to respect the decisions reached by various EU committees. MHRA may continue to attend EMA and EU committees, though the exact nature of this participation is a matter for further discussion • The UK will continue to access all EU databases and systems as currently • The Clinical Trial Regulation (CTR) is expected to be implemented during 2020 and would therefore apply to the UK under the terms of the time-limited implementation period. If the CTR does not come into force during the implementation period, ‘UK law will remain aligned with parts of the EU’s CTR legislation that are within the UK’s control’. Further explaining the latter point, it notes that ‘The two key elements of the Regulation that the UK would not be able to implement on its own after this time are the use of a shared central IT portal and participation in the single assessment model, both of which would require a negotiated UK/EU agreement regarding UK involvement following the end of the implementation period’ • The UK will still be an EU Member State when the ‘safety features’ requirements of the Falsified Medicines Directive (Regulation 2016/161) come into effect on 9th February 2019 and will therefore implement this in line with existing obligations. ‘When the UK exits the EU, the Withdrawal Act will convert existing EU law into UK law… [which means that] the FMD would continue to apply, unless specifically revoked’. The document may be found at www.gov.uk/guidance/technical-information-on-what-the-implementation-period-means-for-the-life-science-sector Subsequently, in September 2018, as part of the Government’s contingency planning, a series of technical notices setting out the plans for a ‘no deal’ Brexit were released. Selected points from these notices include: • In order to ensure continuity of supplies, the UK will continue to accept batch testing and QP certification from an EU/EEA country without the need for further certification. These arrangements will continue until it is considered that further change is necessary with at least two years notice being given of the introduction of any changes to allow industry time to fully prepare for their implementation. Details on the Manufacturing/Import Authorisation and UK contact requirements associated with such importations are not given, but will presumably be developed
56 | QUASAR | JANUARY 2019
• A flexible approach will also be taken on Qualified Persons for Pharmacovigilance (QPPV): whilst a QPPV should be established in the UK from exit day, if there is no current UK presence, it will be possible for an EU QPPV to take responsibility for UK MAs until the end of 2020. It must be assured that MHRA will have access to relevant safety data at any time • ‘Sharing of common systems, and formal exchange and recognition of data submitted for regulatory activities between the UK and EU countries would cease’. Although not detailed within the document, MHRA are actively working on setting up national databases and portals and plans to populate these ahead of 29th March 2019. The general guidance document may be found at www.gov.uk/ government/publications/how-medicines-medical-devices-and-clinicaltrials-would-be-regulated-if-theres-no-brexit-deal/how-medicines-medical-devices-and-clinical-trials-would-be-regulated-if-theres-no-brexitdeal A more specific paper on batch testing of medicines may be found at www.gov.uk/government/publications/batch-testing-medicines-if-theresno-brexit-deal/batch-testing-medicines-if-theres-no-brexit-deal It is important to note that these contingency plans are unilateral UK arrangements for products coming from EU/EEA into the UK. It cannot be expected that EU/EEA countries will reciprocate. Following the publication of these papers, the MHRA carried out a consultation on various proposals. The consultation closed on 1st November 2018; the responses are still being analysed as this report goes to press. The consultation website is at consultations.dh.gov.uk/ mhra/mhra-no-deal-contingency-legislation-for-the-regul/ ABPI and BIA jointly co-ordinated the UK industry response to the consultation and issued a press release about this on 1st November 2018 at http://abpi.org.uk/media-centre/news/2018/november/abpi-and-bia-input-to-mhra-consultation-on-eu-exit-no-deal-contingency-legislation-for-the-regulation-of-medicines-and-medical-devices/ They have also made the full response publicly available at http:// abpi.org.uk/publications/abpi-bia-submission-to-mhra-consultation-on-eu-exit-no-deal-contingency-legislation-for-the-regulation-of-medicines-and-medical-devices/
REGULATIONS ABPI/BIA reiterated concerns about the potential impact of a ‘no deal’ Brexit and stressed the need for close cooperation with the EU on the regulation of medicines whatever the outcome. Six key concerns are highlighted: • The potential impact on public safety of removing certain legal obligations under the Falsified Medicines Directive • The lack of incentives linked to research and development of orphan medicines • The proposal for UK paediatric investigation plans • The practical details of the proposed new targeted assessment route • The proposed requirements for data provision for grandfathered centrally-authorised products • The challenges of the proposed approach on packaging. In relation to the ‘safety features’ of the Falsified Medicines Directive, which are due to be in place from 9th February 2019, MHRA’s proposal is to revoke the legislation in the event of a ‘no deal’ Brexit. This proposal is based on an expectation that the UK medicines verification system would not have continued access to the EU central hub and would thus not be able to function as required. Although not part of the consultation response, it is understood that there are questions as to whether this is indeed the case since, although it has been put in place to deliver the requirements of an EU Regulation, the European Medicines Verification Organisation is an independent stakeholder-owned organisation that may be able to make its own decisions about continued access.
COMPARATORS UNDER THE CTR
EU GMP ANNEX 17: REAL TIME AND PARAMETRIC RELEASE By the time you read this, the new version of EU GMP Annex 17 ‘Real Time Release Testing and Parametric Release’ will have come into effect (26th December 2018). The revision expands the scope of the annex from the previous narrow application to the parametric release of terminal sterilisation processes to the broader possibility of ‘real time release’ where the use of ICH Q8 – Q11 guidelines can be shown to deliver process control through the application of process analytical technology (PAT), quality by design (QbD) and quality risk management (QRM). Potentially very beneficial. The Annex may be found at https://ec.europa.eu/health/sites/health/ files/files/eudralex/vol-4/pdfs-en/2018_annex17_en.pdf
NEW PIC/S DATA INTEGRITY GUIDELINE DRAFT The Pharmaceutical Inspection Cooperation Scheme (PIC/S) announced in the press release of its Chicago meeting (24th-28th September 2018) that it will launch a three month ‘focused stakeholders’ consultation’ of a revised draft of its guidance on Data Management and Integrity (PI 041-1 (Draft 3)). ‘This focused consultation will seek substantive comments from trade and professional associations on specific questions, which selected associations have agreed to compile (ECA Foundation, IFPMA, ISPE and PDA)’. For more details on this and the other activities in Chicago, see www.picscheme.org/layout/document.php?id=1497
The September 2017 revision of the ‘Guideline on the requirements for the chemical and pharmaceutical quality documentation concerning investigational medicinal products in clinical trials’, Section 3, states that ‘authorised, non-modified test and comparator products’ from the EU/EEA and ICH countries have ‘light’ requirements compared with the full documentation requirements for those sourced elsewhere. Authorised products from Mutual Recognition Agreement (MRA) countries will no longer have the same exemption when the Clinical Trial Regulation (CTR, 536/2014) comes into effect. This had previously been noted, but it is only recently that the Quality Working Party (QWP) have confirmed that this is intentional. The rationale is that whilst MRAs recognise the equivalence of GMP standards, they are not intended to cover the recognition of marketing authorisations. Consequently, such products sourced from Australia, New Zealand and Israel will require full details to be submitted. QWP also commented that whilst authorised products sourced from ICH member countries (USA, Japan, Canada, Switzerland, Brazil, Republic of Korea, Singapore and China), in addition to those from EU/EEA, would pass the validation stage with only a simplified IMPD, this does not preclude the assessor from raising questions or asking for more information. A clarifying Q&A is being considered. Be aware that products sourced from the UK are likely to fall into the ‘full submission’ category following Brexit since the UK will no longer be an EU/EEA country and plans for ICH membership are likely to take some time to be realised. www.ema.europa.eu/documents/scientific-guideline/guideline-requirements-chemical-pharmaceutical-quality-documentation-concerning-investigational_en-0.pdf
JANUARY 2019 | QUASAR | 57
Regulatory archive
Taking better care of your data •
Compliant
Secure
• •
Regulatory Contract Archive for the secure archive storage of material generated during the conduct of GCP, GLP, GMP and PV regulatory work. Storage of GLP specimens Inspected by the MRHA
• • • •
Robust security with CCTV and alarm monitoring Automated fire suppression system Temperature and Humidity controlled archive Secure destruction of archive materials
• •
Transportation of material by Qualogy’s transport team Managed by a dedicated archive team with over 70 years experience within the regulatory industry.
•
Qualogy has two separate buildings for the independent storage of TMF and ISF material. Flexibility to personalise our archive service to suit client requirements. Provides a Bi-annual GLP and GCP regulatory archive courses.
Dedicated
Independent
• •
Contact us today to find out more 01933 357953 | archives@qualogy.co.uk | www.qualogy.co.uk The Archivist, Qualogy Ltd, Thrapston, Northamptonshire, NN14 4ZL
CALENDAR
OUR ROUND UP OF COURSES, SEMINARS AND FORUMS
FEBRUARY 5-6
The Auditing Course Cambridge, UK
MARCH 4-6
5-6 12-13 12-14 20
APRIL 2-3 2-3
SAVE THE DATE
Good Clinical Practice Auditing â&#x20AC;&#x201C; Principles and Practice Cambridge, UK Good Laboratory Practice for Study Directors, Principal Investigators, Study Staff and Management Cambridge, UK Implementing Good Clinical Laboratory Practice Cambridge, UK Practical Pharmacovigilance Auditing Cambridge, UK Fraud and Misconduct: Detection, Investigation and Management Novotel, London
Introduction to Computer System Validation and IT Data Integrity Cambridge, UK Research Quality Assurance for Good Laboratory Practice Cambridge, UK
3rd European QA Conference 6th-8th November 2019 Dublin
PROFESSIONAL DEVELOPMENT COURSES
For full details of Courses, Seminars and Regional Forums, see the RQA website www.therqa.com, where all events can be booked online.
NEXT EDITION APRIL 2019 IMPACT
COPY DEADLINE: 11TH FEBRUARY 2019
FUTURE EDITIONS JULY 2019 SHIFTING LANDSCAPES COPY DEADLINE: 13TH MAY 2019
OCTOBER 2019 INTERNATIONAL EDITION COPY DEADLINE: 12TH AUGUST 2019
If you would like to submit an article on any of the future themes or for a topic you feel would be of interest, please contact the editor: editor@therqa.com Visit www.therqa.com for guidelines on article submission.