DATA MANAGEMENT IN CLINICAL TRIALS: GUIDELINES FOR RESEARCHERS

Reference Number: UHB 139 Version Number: 2 Date of Next Review: 14 Apr 2018 Previous Trust/LHB Reference Number: N/A DATA MANAGEMENT IN CLINICAL TRIALS: GUIDELINES FOR RESEARCHERS Introduction and Aim The Medicines for Human Use (Clinical ) Regulations (SI2004/1031) and subsequent amendments established standards for clinical trial research activity in the United Kingdom. For clarity, in the rest of this document, these will be referred to as the Regulations. When undertaking any research under the Regulations where patient / subject data are to be collected, all data must be collected, collated, verified, analysed and stored in a standardised, secure, reproducible, auditable and Good Clinical Practice (GCP) compliant manner and only data essential for the purpose of the study should be recorded. Researchers are advised to consider the requirements outlined in this Guideline when planning a clinical trial which is sponsored by Cardiff and Vale University Local Health Board (the UHB), since data management issues must be addressed prior to submitting the proposed clinical trial to the Cardiff and Vale Research Review Service (CaRRS) for review. These issues must be addressed to the satisfaction of CaRRS as a condition of receiving NHS R&D permission for a clinical trial to begin. It should be noted that an UHBsponsored clinical trial with an investigational medicinal product (CTIMP) must be run through a GCP-accredited Clinical Unit approved by CaRRS. This Guideline offers advice to researchers, undertaking clinical trials, particularly CTIMPS with regard to minimum requirements and best practice in data management based upon the advice in the Regulations and as outlined in the European Clinical Research Infrastructure Network (ECRIN) document D10 - GCP compliant data management in multinational clinical trials. It also draws upon the Food and Drugs Administration (FDA) document Guidance for Industry: Computerized Systems Used in Clinical Investigations (May 2007). The principles outlined in this Guideline should be used for both paper and computerised data management that is relied on by a clinical researcher as part of a clinical trial. It is not expected in non-commercial.ctimps sponsored by the UHB that the scale of funding will be such to allow for the development of novel computerised data management systems; rather, the researchers will be reliant upon the existing computer hardware systems available within the Clinical Unit for the recording and storing of data and for data analysis. If researchers undertaking CTIMPs wish to develop novel computerised data management systems, in conjunction with the Clinical Unit, adequate funding should be in place, to employ the services of an expert in the field to provide and maintain the bespoke systems,. It should be noted, in addition, that computerised Laboratory Information Management

2 of 16 Approval Date: 14 Apr 2015 Systems which capture analytical results of tests conducted during a clinical trial are to be considered as part of the data management for CTIMPs and Investigators/Clinical Units should seek assurance at the trial planning stage that the accreditation status of the computerised system in the chosen laboratory is suitable. Elements outlined below have been identified in the literature as being fundamental to the implementation of GCP compliant data management systems. These are best practice and applicable to ALL clinical trials (UHB-Sponsored and hosted CTIMPS and non- CTIMPS). Objectives To offer advice to researchers, undertaking clinical trials, particularly CTIMPS with regard to minimum requirements and best practice in data management. Scope This applies to all clinical trials (CTIMPS and Non-CTIMPS) hosted and/or sponsored by Cardiff and Vale University Local Health Board. All current clinical trial researchers and potential researchers should familiarise themselves with these guidelines before undertaking clinical trials. Equality Impact Assessment Documents to read alongside this Procedure Approved by Accountable Executive or Clinical Board Director Author(s) An Equality Impact Assessment has not been completed for this procedure. This is because this procedure has been written to support the implementation the Research Governance Policy (UHB 099). The Equality Impact Assessment completed for the policy found there to be no impact. Research Governance Policy (UHB099); Archiving of Clinical Trial and Research Study Data (SR-RG-001) and Data Protection Policy (UHB002). Research Governance Group Medical Director Director, Clinical Research Facility (Initial Author) and Commercial Manager R&D Office (Review Author) Disclaimer If the review date of this document has passed please ensure that the version you are using is the most up to date either by contacting the document author or the Governance Directorate.

3 of 16 Approval Date: 14 Apr 2015 Summary of reviews/amendments Version Number Date Review Approved Date Published Summary of Amendments 1.0 10/01/2012 10/10/2012 Review date due. Converted to new UHB format. Numbers of referenced UHB documents updated where available Paragraph removed Section 1.0 References updated and links added 2.0 14/04/2015 08/07/2015 Review date due. Guidelines updated to reflect current requirement for UHB-sponsored CTIMP to be run through Clinical Units; removal of CU-sponsored CTIMPs since CU have issued a separate F-SOP for data management for their sponsored trials; updated language for NHS approval- now permission; edits for clarification of requirements for non-ctimps (sponsored & hosted) ; guideline associated referenced documents updated and non functional hyperlinks removed.

4 of 16 Approval Date: 14 Apr 2015 CONTENTS PAGE 1. Introduction 5 2. Aims of this Guideline 5 3. Computer System Validation (Hardware and 6 Software) 4. Source Data and Documents 7 4.1 Requirements for Capturing/Acquiring/Copying Source Data 5. Data Management Plans (DMPs) 8 6. Data Entry, Validation and Processing 10 6.1 Data Entry 6.2 Data Validation 6.2.1 During and after completion of the CRFs 6.2.2 When data are entered into a spreadsheet (on Paper or computerised) 6.2.3 When data entry is complete and prior to data Analysis 7. Data Management Systems 12 7.1 Access to computerised systems 7.2 Storage and Backup of data 7.3 Transfer of Data 7.4 Data Protection 8. Resources 13 9. Training 13 10. Equality 13 11. Distribution 13 12. Review 13 Appendix 1 Essential Components of a Data 14 Management Plan Appendix 2 Additional Useful Documents 14

5 of 16 Approval Date: 14 Apr 2015 1. INTRODUCTION The Medicines for Human Use (Clinical ) Regulations (SI2004/1031) and subsequent amendments established standards for clinical trial research activity in the United Kingdom. For clarity, in the rest of this document, these will be referred to as the Regulations. When undertaking any research under the Regulations where patient / subject data are to be collected, all data must be collected, collated, verified, analysed and stored in a standardised, secure, reproducible, auditable and Good Clinical Practice (GCP) compliant manner and only data essential for the purpose of the study should be recorded. Researchers are advised to consider the requirements outlined in this Guideline when planning a clinical trial which is sponsored by Cardiff and Vale University Local Health Board (the UHB), since data management issues must be addressed prior to submitting the proposed clinical trial to the Cardiff and Vale Research Review Service (CaRRS) for review. These issues must be addressed to the satisfaction of CaRRS as a condition of receiving NHS R&D permission for a clinical trial to begin. It should be noted that an UHB-sponsored clinical trial with an investigational medicinal product (CTIMP) must be run through a GCP-accredited Clinical Unit approved by CaRRS. 2. AIMS OF THIS GUIDELINE This Guideline offers advice to researchers, undertaking clinical trials, particularly CTIMPS with regard to minimum requirements and best practice in data management based upon the advice in the Regulations and as outlined in the European Clinical Research Infrastructure Network (ECRIN) document D10 - GCP compliant data management in multinational clinical trials. It also draws upon the Food and Drugs Administration (FDA) document Guidance for Industry: Computerized Systems Used in Clinical Investigations (May 2007). The principles outlined in this Guideline should be used for both paper and computerised data management that is relied on by a clinical researcher as part of a clinical trial. It is not expected in non-commercial.ctimps sponsored by the UHB that the scale of funding will be such to allow for the development of novel computerised data management systems; rather, the researchers will be reliant upon the existing computer hardware systems available within the Clinical Unit for the recording and storing of data and for data analysis. If researchers undertaking CTIMPs wish to develop novel computerised data management systems, in conjunction with the Clinical Unit, adequate funding should be in place to employ the services of an expert in the field to

6 of 16 Approval Date: 14 Apr 2015 provide and maintain the bespoke systems.it should be noted, in addition, that computerised Laboratory Information Management Systems which capture analytical results of tests conducted during a clinical trial are to be considered as part of the data management for CTIMPs and Investigators/Clinical Units should seek assurance at the trial planning stage that the accreditation status of the computerised system in the chosen laboratory is suitable. Elements outlined below have been identified in the literature as being fundamental to the implementation of GCP compliant data management systems. These are best practice and applicable to ALL clinical trials (UHB- Sponsored and hosted CTIMPS and non-ctimps). 3. COMPUTER SYSTEM VALIDATION (HARDWARE AND SOFTWARE) All computer systems, both hardware and software, being utilised for the collection and analysis of clinical trial data, are expected to have undergone full validation. All of the processes used as part of the validation of both hardware and software should be documented by a set of Standard Operating Procedures (SOPs) covering all aspects of the validation process. For this reason, researchers undertaking non-ctimp clinical trials sponsored by the UHB are strongly recommended to utilise UHB hardware for the storage of data as it undergoes regular validation. Individuals choosing not to utilise UHB hardware and in the case of hosted trials where the Sponsor provides computer hardware, the non-uhb hardwear must undergo appropriate validation and documentary evidence of this validation should be retained in the Trial Site File. Guidance on the UK requirements for computer systems validation is available via the Association for Clinical Data Management (ACDM) publication Computer Systems Validation in Clinical Research a Practical Guide (Edition 2). This is available online via the ACDM website (http://www.acdm.org.uk/resources.aspx) or may be purchased. Hardware validation of non-uhb systems should include the following as a minimum: Hardware monitoring and load (evaluation of whether the system including the computer terminals are fit for purpose) Network Monitoring (are all parts of the system communicating with each other properly?) Server Back Up (suitability) Disaster Recovery Plans Business Continuity Plans Identification of points of failure Researchers are advised to use commercially produced and validated software packages for analysis that have been purchased through an authorised source. Specialist software that has been produced in-house or

7 of 16 Approval Date: 14 Apr 2015 as a one off application by a commercial company must be subjected to rigorous validation processes including the production of sample/dummy data. This process will usually require formal statistical input and these data should be run through the software and replicate all testing that will be undertaken with the live data. These results should be filed as evidence of validation in the Trial Site File. 4. SOURCE DATA AND DOCUMENTS DEFINITIONS Source Data*: All information in original records and certified copies of original records of clinical findings, observations or other activities in a clinical trial, necessary for the reconstruction and evaluation of the trial. Source data are contained in source documents (original documents or certified copies). Source Documents*: Original documents, data and records (e.g. hospital records, clinical charts, laboratory notes, memoranda, subject diaries or evaluation checklists), pharmacy dispensing records, recorded data from the UHB automated instruments used in the trial (e.g. ECGs), copies or transcriptions certified after verification as being accurate copies, microfiches and records kept at pharmacy, at the laboratories and at mechanotechnical departments involved in the clinical trial. Electronic Source (esource) Data* Source data captured, including digital diagnostic images, initially into a permanent electronic record. N.B. In this context permanent means that all changes in the data are recorded in an audit trail (minimum standard for this is a record of who made the change and when). Case Report Forms Data generated by clinical trials are normally recorded in Case Report Forms (CRFs). A CRF is a printed, optical or electronic document designed to record all of the protocol defined data on individual participants in a clinical trial. Where a CRF has not been provided by a Sponsor organisation, researchers undertaking CTIMPs in the UHB are required to contact the UHB R&D Office for information regarding the set up and maintenance of Case Report Forms for Research Studies For Sponsored CTIMPs the designated Clinical Unit will facilitate the design and production of the CRF. The CRF may be reviewed as part of the UHB R&D permission process when considered necessary. *All definitions from the CDISC Clinical Research Glossary Version 8.0, Applied Clinical, December 2009.

8 of 16 Approval Date: 14 Apr 2015 http://www.cdisc.org/stuff/contentmgr/files/0/be650811feb46f381f0af41ca40a de2e/misc/cdisc_2009_glossary.pdf 4.1. REQUIREMENTS FOR CAPTURING/ACQUIRING/COPYING SOURCE DATA In general, documents containing source data must first be specified in the trial protocol and these original documents must be archived. All copies should be dated and signed by a responsible person such as the Chief/Principal Investigator or their designate (certified copies). If the original data are stored electronically, a printout should be made or a list of dates and versions of stored documents signed/dated by the Investigator. In the case of esource data this is not possible but all data entries should be auditable. Appropriate handling is also required for scanning source documents. The scanning process has to be validated prior to implementation in a clinical trial to ensure the integrity of the generated record. If the CRF is the source document (e.g. in psychiatric instruments like psychometric scales) this has to be defined in the protocol. If work sheets have been used as a transcription instrument (e.g. transitional documentation prior to electronic data entry), these are to be considered as informal source data sheets and have to be filed and quality checked appropriately. In general, source data must be accessible and verifiable and all clinical trial information should be recorded, handled and stored in a way that allows accurate reporting, interpretation and verification. It should be noted that for CTIMPs where the UHB is the Sponsor, all clinical trial records (paper and computerised) must be retained for 5 years for those trials concluding and archived before 2016. Thereafter, CTIMP data must be retained for 25 years after the end of the trial. For non CTIMPs clinical trial records (paper and computerised) must be retained for 5 years. Refer to the UHB R&D SOP Archiving of Clinical Trial and Research Study Data (SR-RG- 001). 5. DATA MANAGEMENT PLANS (DMPS) All data management arrangements for a CTIMP should be described in detail in the protocol and the CaRRS should consider the appropriateness of the Data Management Plan (DMP) in their appraisal of any proposed UHB- Sponsored CTIMP. The essential components of any DMP are contained in Appendix 1 for reference purposes. A comprehensive guide to data handling can be found online as a free download at: http://www.acdm.org.uk/assets/dhp_guidelines.pdf

9 of 16 Approval Date: 14 Apr 2015 Aspects of data management may be: 1) Completely paper based; 2) A combination of paper and computerised; or 3) Entirely electronic. For the majority of non-commercial CTIMPs, it is anticipated that data will be recorded via category 2, a combination of paper and computerised records. The Chief/Principal Investigator (CI/PI) or an individual with delegated responsibility should check the appropriateness of the proposed database for data storage and analysis prior to initiating the clinical trial. The specification of this database will vary according to the type and size of study and might range from a standard spreadsheet available in a software package (Excel) for non-ctimps to - high specification databases for CTIMPS. Decisions on the most appropriate type of database for a particular study may require advice from specialists. Although researchers are reminded that there is no provision in the UHB IT department for support which may therefore have to be sought from outside agencies. In the case of UHB sponsored CTIMPS it is expected that the designated Clinical Unit will lead on this aspect. The areas listed below should be addressed when developing a database: Ensuring database security and access; Ensuring data integrity and ease/completeness of retrieval; Ensuring traceability of data corrections. For a simple spreadsheet this would involve the printing off and signing/dating of the original spreadsheet, the data revisions being done and then the altered spreadsheet being printed off and signed/dated. Copies of both versions should be filed in the Trial Site File. For more sophisticated systems this would include an automated date/time stamp for any revisions and restricting the ability to alter these settings; Revoking access when an individual user leaves and defining the fate of any data they may hold; Database backup and disaster recovery; Defining what should happen in the event that the database is not accessible for whatever reason e.g. provision for expedited Pharmacovigilance reporting via an alternative mechanism; Database maintenance and upgrading; Staff training on the functioning of the database; Decommissioning the database; Data archiving.

10 of 16 Approval Date: 14 Apr 2015 6. DATA ENTRY, VALIDATION AND PROCESSING Quality control should be applied to each stage of data handling to ensure that all data are reliable and have been processed correctly (ICH E6 Good Clinical Practice). When collecting and storing data, all systems should be secure and prevent unauthorised access to the data. This applies to both paper and electronic records and only individuals with documented delegated responsibility should have access to make changes to the data set. 6.1 DATA ENTRY When the completed CRF has been validated (see section 6.2 below) and received by the individual with delegated responsibility for data entry, the process of entering the data into a spreadsheet (paper or electronic) can begin. The process by which data is transcribed from the CRF into this spreadsheet should be described in the DMP and can take any of the forms listed below: Double data entry (one person); Double data entry (two persons); Single data entry with second look; Single data entry with reading aloud; Single data entry with source data verification. Double data entry is not required by the Regulations but it should be considered as best practice. Double data entry requires special software that allows the data to be entered a second time into a spreadsheet, checks each second entry against the first and notifies the operator of any discrepancy. This may be done by one or two persons. These programs are not widely available and therefore it is more common to set up a procedure for entering the data once and then checking it for accuracy. This can either be by having a visual inspection of the data (second look), reading the data aloud (reading aloud) or checking the data against the source data (source data verification). 6.2 DATA VALIDATION Data validation should be carried out at three main stages in a CTIMP, during and after completion of the CRFs, when data are entered into a spreadsheet

11 of 16 Approval Date: 14 Apr 2015 (on paper or computerised), and when data entry is complete and prior to data analysis. 6.2.1 DURING AND AFTER COMPLETION OF THE CRFS Best practice advocates that data validation is carried out by an independent monitor. If this is not possible then a designated member of the study team should be listed on the study delegation log and perform this. It is advisable to validate some data early in the life of the trial so that any issues of lack of accuracy can be addressed at an early stage. As well as checking for the completeness of the data, validation should include source data verification where a proportion of the data in the CRF is cross checked against the source data (patient notes, charts etc). A note should be made by the monitor of any queries / corrections that require to be made, both by annotating the CRF and by producing a file note. The file note should be dated and retained with the CTIMP essential documents as evidence of monitoring and validation of data. It should be noted that in the event of data requiring to be transformed prior to analysis, both the original data and units of measurement, as well as the formulae used for transformation, should be included in the CRF. 6.2.2 WHEN DATA ARE ENTERED INTO A SPREADSHEET (ON PAPER OR COMPUTERISED) Using best practice recommendations for data entry (Section 6.1) will ensure data quality but for some computerised data management systems it is possible to set up data checks and alerts to ensure for example that if data are entered that are outside user-defined parameters this is flagged up. For example, it is possible in Excel to use the Validation option in the Data menu to restrict the range of vales that can be entered. If an attempt is made to add a value out with the specified range, a STOP alert message will be generated which will prevent any further entry into the spreadsheet. Similarly in Microsoft Access it is possible to specify validation rules for particular fields which restrict the range of values that can be entered. 6.2.3 WHEN DATA ENTRY IS COMPLETE AND PRIOR TO DATA ANALYSIS Lists of missing data should be generated and checked for consistency with the appropriate CRFs. Lists of all values outside predefined ranges should be generated (this can be done in Excel using the AUDITING tool) and checked for consistency against CRFs and source data. After this has been completed, the database should be locked down to prevent unauthorised changes being made. This is usually done by preventing write/edit access to data. For UHB sponsored CTIMPS, the final locked dataset should be burned onto CD-ROM and sent to the Sponsor (R&D Office or delegated appropriate party). Prior to the release of code breaks from UHB Pharmacy for

12 of 16 Approval Date: 14 Apr 2015 randomised CTIMPs sponsored by the UHB, the final locked dataset on CD- ROM must be confirmed by the Sponsor (R&D Office or delegated appropriate party). In addition a dated and certified paper copy of the data may be produced and archived as described in the UHB R&D SOP: Archiving of Clinical Trial and Research Study Data (SR-RG-001). 7. DATA MANAGEMENT SYSTEMS For UHB sponsored CTIMPs, the access, storage and back up of trial data will follow the designated Clinical Units Standard Operating Procedures for data management which will include the principles of the sections below as required for UHB computer systems and primarily utilised for hosted CTIMPs and non CTIMPs (in the absence of Sponsor provided web based databases) and UHB sponsored non CTIMP trials 7.1 ACCESS TO COMPUTERISED SYSTEMS Access must be limited to authorised individuals. For most practical purposes this will involve each researcher using their UHB authorised log-on to access their own account on the UHB network. The UHB has issued IT Security Guidance in Policy Reference Number 133, which gives generic best practice guidance on computer security which is applicable to the research community. Additional protection can be built in by the use of a password for the database giving dual level security. A record of authorised personnel and their access privileges should be kept in the Trial Site File. 7.2 STORAGE AND BACKUP OF DATA Minimal standards dictate that all data should be stored on the UHB server (H: drive) or Departmental Shared Drive (S: drive). The former can only be accessed by the individual through their log-on and the latter by named individuals who can be granted access. Access to the Shared Drive can be read/write or read only, thus preventing unauthorised changes being made to the data. Both the UHB H: and S: drives are backed up every 24 hours and have disaster recovery plans in place..a backup and recovery log should be maintained in the Trial Site File to assess the nature and scope of data loss following any system failure. Consideration should be given to separate storage of backed up files. 7.3 TRANSFER OF DATA All transfer of data using email, facsimile, CD-ROMs and encrypted memory sticks should follow best practice, as outlined in the UHB guidance document Data Protection Policy Appendix 7, Patient Data Security Guidance (UHB002). All data transferred to another site should be sent by secure means (courier) and a log of items sent should be maintained. Acknowledgement of receipt should always be sought and recorded.

13 of 16 Approval Date: 14 Apr 2015 7.4 DATA PROTECTION In common with all personal data, it is important that all study data (both paper and electronic) are kept in accordance with the terms of the Data Protection Act (1998) and the information contained in the Patient Information Sheet and Consent Form. UHB Data Protection advice should be followed as described in the UHB Data Protection Policy (UHB002) available via the UHB Clinical Portal and the Data Protection Policy Appendix 7, Patient Data Security Guidance (UHB002) and where necessary specialist advice should be sought from the UHB Data Protection Officer in this regard. 8. RESOURCES No additional resources have been identified as a result of the review of this document. 9. TRAINING No training issues have been identified in the review of this document. 10. EQUALITY No equality issues have been identified as part of the review of this document. 11. DISTRIBUTION This guideline will be made available on the R&D pages of the UHB intranet site. 12. REVIEW This guideline should be reviewed every three years, or more regularly if important new legislation so requires.

14 of 16 Approval Date: 14 Apr 2015 APPENDIX 1 ESSENTIAL COMPONENTS OF A DATA MANAGEMENT PLAN Essential components of a Data Management Plan (which should form part of the protocol) include: Evidence of hardware validation if the UHB network not being utilised; Evidence of software validation if standard commercial packages not being utilised; Location of server/drive where data will be stored; Details of study personnel involved in the study and data access roles assigned to each; A complete set of finalised case report forms (CRFs) and amendments; Database design plan (data to be entered, variable names and format - string, numeric, categorical etc.); Detailed description of data entry system and Standard Operating Procedure for same; Method of data collection paper CRF, electronic devices, etc.; Data preparation before entry onto electronic system; Data query tracking and expected resolution time; Data flow and tracking to ensure optimal data completion and to facilitate reporting; Who is responsible for making required changes to the data?; Who is responsible for ensuring all queries are resolved before data is locked for analysis?; Quality Assurance including: o Audit trail checks o Sample checks of critical data o Data review checks to support monitoring Training plan and log for data entry systems if required; Electronic data transfer rules (with reference to the UHB guidelines); Back-up and recovery procedures (with reference to the UHB guidelines); Security arrangements.

15 of 16 Approval Date: 14 Apr 2015 APPENDIX 2 ADDITIONAL USEFUL DOCUMENTS Regulatory ICH Topic E6: Guideline for Good Clinical Practice Guideline, Note for Guidance on Good Clinical Practice (CPMP/ICH/135/95), EMEA, January 1997. Directive 2001/20/EC of the European Parliament and of the Council on the approximation of the laws, regulations and administrative provisions of the Member states relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use. Official Journal of the European Commission of 4 April 2001, No. L 121 p. 34. Directive 2005/28/EC of the European Commission laying down principles and detailed guidelines for good clinical practice as regards investigational medicinal products for human use, as well as the requirements for authorisation of the manufacturing or importation of such products. Official Journal of the European Commission of 9 May 2005, No. L 91/13-L91/19. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities of 23 November 1995, No. L 281 p. 31. International FDA, Guidance for Industry. Computerized Systems Used in Clinical Investigations (CSUCT) (May 2007). European Clinical Research Infrastructures Network, Deliverable D-10 GCP compliant data management in multinational clinical trials http://www.ecrin.org/index.php?option=com_content&task=view&id=81 Computer Validation and Data Management Planning http://www.acdm.org.uk/resources.aspx - Computer Systems Validation in Clinical Research A Practical Guide (Edition 2). http://www.acdm.org.uk/assets/dhp_guidelines.pdf - ACDM Guidelines to facilitate Production of a Data Handling Protocol Free Download. Internal UHB Documents IT Security Policy, UHB Reference No. 133, Version 1.0 (UHB Intranet site).

16 of 16 Approval Date: 14 Apr 2015 Data Protection Policy, UHB Reference No. 002, Version 1.0 (UHB Intranet Site).