Clinical database/ecrf validation: effective processes and procedures

TITOLO SLIDE Testo Slide Testo Slide Testo Slide Clinical database/ecrf validation: effective processes and procedures IV BIAS ANNUAL CONGRESS Padova September, 26 th 2012 PQE WORKSHOP: What's new in Computerized System Validation, June 2008

Topics Under Discussion The regulatory expectations Elements of data quality and integrity The strategy to validate Clinical Database / ecrf systems Key elements regarding the release and the maintenance of validated systems 2

Topics Under Discussion The regulatory expectations Elements of data quality and integrity The strategy to validate Clinical Database / ecrf systems Key elements concerning the release and the maintenance of validated systems 3

Basic Purpose of Data.. GLP GCP NDA GMP GDP.Maintaining the Chain of Evidence 4

Requirements for Computerized System in GCP Regulations Guidelines ICH E6 Good Clinical Practice GCP 21 CFR Part 11 & related Guidance Protection of Privacy Computer system used in clinical investigations GAMP 5 PIC/S CSV 5

ICH Requirements for Computerized System ICH E6 Good Clinical Practice ICH E9 Statistical Principles For Clinical Trials 6

ICH 6 Requirements for Records And Reports ICH E6-4.9 (Records and reports) 4.9.1 The Investigator should ensure the accuracy, completeness, legibility, and timeliness of the data reported to the sponsor in the CRFs and in all required reports 4.9.2 Data reported on the CRF, that are derived from source documents, should be consistent with the source documents or the discrepancies should be explained 4.9.3 Any change or correction to a CRF should be dated, initialed and explained Sponsors should provide guidance to Investigators on making such corrections. Sponsor should have written procedures to assure that changes or corrections in CRFs made by Sponsor are documented, are necessary and are endorsed by the Investigator GCP 7

ICH E6 Req.s for Electronic Data Management ICH E6-5.5.3 (Trial Management, Data Handling, and Record Keeping) When using electronic trial data handling and/or remote electronic trial data systems, the sponsor should: a. Ensure and document that the electronic data processing system(s) conforms to the sponsor s established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e. validation). b. Maintains SOPs for using these systems. c. Ensure that the systems are designed to grant data changes in such a way that the data changes are documented and that there is no deletion of entered data (i.e. audit trail). d. Maintain a list of the individuals who are authorized to make data change (i.e. authority checks) e. Maintain adequate backup of the data f. Safeguard the blinding, if any (e.g. maintain the blinding during data entry and processing). GCP 8

ICH E9 Requirements for Computerized Systems ICH E9-5.8 (Integrity of Data and Computer Software) The credibility of the numerical results of the analysis depends on the quality and VALIDITY of the method and software used both for data management (data entry, storage, verification, correction and retrieval) and also for processing the data statistically. The computer software used for data management and statistical analysis should be reliable and documentation of appropriate software testing procedures should be available. 9

21 CFR Part 11 & related Guidance 10

21 CFR PART 11 Requirements for Closed Systems CONTROLS FOR ELECTRONIC RECORDS Validation of computer system Human and electronic form equivalent e-copies Record retention Limiting access Audit trails Operational system checks Authority checks Control on validity of input actions Adequate education and training Written polices Control on documentation distribution and change control procedure application 11

21 CFR PART 11 Requirements for Closed Systems CONTROLS FOR ELECTRONIC SIGNATURES Using Electronic Signature when required by the predicate rule(s) Electronic Signature manifestation Electronic Signature / Electronic Record linking Procedure for managing attribution and use of ES 12

21 CFR PART 11 Requirements for Open Systems Controls for Closed System; several requirements (i.e. Device Checks) might be enforced Document encryption Digital signatures standards PLUS 13

Computerized System SOFTWARE HARDWARE Firmware OPERATING PROCEDURES AND PEOPLE EQUIPMENT COMPUTER SYSTEM (Controlling System) INFRASTRUCTURE (NETWORK) COMPUTERISED SYSTEM OPERATING ENVIRONMENT CONTROLLED FUNCTION OR PROCESS (PICS/S - Good Practices For Computerised Systems In Regulated GxP Environments). 14

Computerized System A computerized system is composed of the computer system and the controlled function or process. The computer system is composed of all computer hardware, firmware, installed devices, and software controlling the operation of the computer. The controlled function may be composed of equipment to be controlled and operating procedures that define the function of such equipment, or it may be an operation, which does not require equipment other than the hardware in the computer system. Interfaces and networked functions through LAN and WAN are aspects of the computerized system and operating environment potentially linking a multitude of computers and applications. (PICS/S - Good Practices For Computerized Systems In Regulated GxP Environments) 15

Computer System Validation CSV is the documented evidence, to a high degree of assurance, that a computer system performs its intended functions accurately and reliably. Documented evidence High degree of assurance intended functions accurately and reliably 16

GAMP 5 17

GAMP 5 Drivers 18 18

V Model Plan Specify RISK MANAGEMENT Verify Report Build 19

Managing the handle of the spoon 20

Topics Under Discussion The regulatory expectations Elements of data quality and integrity The strategy to validate Clinical Database / ecrf systems Key elements concerning the release and the maintenance of validated systems 21

Data Quality DATA SHOULD BE attributable, legible, contemporaneous (timeliness), original accurate A L C O A regardless the format PAPER format = ELECTRONIC format 22

ALCOA Attributable data is identified with a specific subject and a specific observer and recorder. (Password, audit trail and e-signature) Legible data are readable and understandable by humans (reports, tables, and listings) Contemporaneous data are recorded at the time they are generated or observed. (Time stamps and time-limited entry) Original data are recorded for the first time. (Source data and meta data) Accurate data are correct (Calculations, algorithms, analyses, and transmissions) 23

Data Quality: WHAT ARE WE LOOKING FOR? Trustworthiness of electronic records is ensured by appropriate measures for: LIMIT ACCESS PREVENT DATA MODIFICATION Security Integrity CHANGE CONTROL LINK RAW DATA AND RESULT Traceability WHO DID WHAT, WHEN AND WHY? PREVIOUS ENTRIES MUST NOT BE OBSCURED 24

. Along the whole data lifecycle Data Entry Data transfer from external sources (laboratory data, measurement equipment data, etc.) to the clinical database Data extraction Data Set preparation and transfer 25

Outcomes of inspections Data integrity: companies need to provide assurance to the Regulatory Authorities of the integrity of data; Quality and reliability of software and computerized systems: in accordance with their intended uses (this is another way of saying validate the systems you use); Record Keeping: Regulatory Authorities expects to see evidence or records created at the time of the activity and not after the fact. 26

Record integrity Company s records provide the proof of either compliance or noncompliance. Inspectors look at documents and records, and as it has been noted, sloppy records are a reflection of sloppy compliance Example of Record control violations : Missing validation documentation Inadequate documentation Inaccurate registrations Capability to alter/delete records Record retention Missing records 27

Topics Under Discussion The regulatory expectations Elements of data quality and integrity The strategy to validate Clinical Database / ecrf systems Key elements concerning the release and the maintenance of validated systems 28

Computer Systems used in Clinical Study Randomization system IXRS system Data Collection System Data Entry (In house data entry: Clinical Database, Remote Data Entry: ecrf) Data querying Data cleaning Drug Supplies Accountability System Statistical System Drug Safety System Electronic Document Management System 29

Data Collection Main Process Data Capture Data Entry Data Querying Data Cleaning Data Validation Data Reporting 30

Data Collection Paper-Based Process Medical Records Paper CRF Clinical DB CDMS Investigational Site Sponsor/CRO 1. Data are registered in the paper Medical Records 2. Data are reported in the Paper CRF 3. Data are entered in the Clinical DB (in house data entry) 31

Data Collection Electronic Web-Based Process Medical Case History Records Network Clinical DB ecrf Investigational Site Sponsor/CRO 1. Data are registered in the paper Medical Records 2. Data are entered directly in the Clinical DB through remote access. 32

Data Collection Systems: Design Workflow Library creation (Global and study-specific) Study creation and verification Study approval and release for use 33

Data Collection Systems: Data Entry and Validation Process Data Entry (single/double entry) Data validation and cleaning DB lock/export data 34

Platform Layer Multi Layer Systems 35

Risk Based Approach System Risk Assessment Functional Risk Analysis 36

System Risk Assessment System Risk Assessment PROCESS DATA SYSTEM CRITICALITY COMPLEXITY SW CATEGORY GOLD RULE VALIDATION EFFORT SHOULD BE MAXIMUN FOR HIGH CRITICAL AND COMPLEX SYSTEMS. 37

GAMP Category GAMP 5 SW Category Validation Approach Example Software / System Type I Infrastructure Record version (inc. service pack). Verify correct installation. Middleware, Operating Systems, Statistical Packages. Examples: Unix, Windows, Oracle, Databases, C++. Excel II Firmware III Nonconfigured IV Configurable V Custom THIS CATEGORY IS NO LONGER USED Record version number and verify correct installation. Risk based tests against specifications/requirements as dictated by use (calibration may substitute for qualification for simple systems). Record version number and verify correct installation. Risk based tests against specifications/ requirements to demonstrate application works as designed Procedures in place for managing data Validate lifecycle process for complete system. Firmware-based applications, COTS software including non-customized PLC ladder code). Examples: instruments, balances, scales, bar code scanners, spreadsheets LIMS, Data Acquisition Systems, SCADA, ERP, Clinical Trial Monitoring, DCS, ADR Reporting, CDS, EDMS, Building Managements Systems, CRM, Spreadsheets, Simple Human, Machine Interface Source code developed to client needs. Example: Applications developed internally. 38

Function Risk Assessment Functional Risk Analysis SYSTEM FUNCTIONS CLASS OF RISK TESTING EFFORT 39

FMEA Methodology type of failures effects and impacts of failures (Severity) probable causes of failures probability of failure causes (Occurence) ability to detect failures (Detection) CAUSE FAILURE EFFECTS

Platform (system) Two layers validation approach Validation Report Validation Plan Study Requirements Design Specification Study Qualification Study Configuration User Requirements OQ PQ System Specification IQ Installation 41

Platform (system) Two layers validation approach Validation Report Study 1 Study 2 Study n Study Study Study Study Requirements Requirements Requirements Validation Plan Design Specification Study Qualification Design Specification Study Qualification Design Specification Study Qualification Configuration Configuration Configuration User Requirements PQ OQ System Specification IQ Installation 42

Validation Deliverables: User Requirements Specification PLATFORM (SYSTEM) User Requirements: document describing the requirements applicable to the system (platform) Regulatory Requirements General Requirements Process Requirements STUDY SPECIFIC User Requirements: document or set of documents describing the study specific needs 43

Study User Requirements Specification Study Protocol Visit Flow CRF Pages List of Variables and relevant characteristics Codelists Data Validation Checks 44

Platform Testing Strategy OQ Part 11 Compliance High Risk Functions IQ Installation/ Configuraiton Platform Qualification PQ Operative flow : Study Design 45

Study Specific Testing Strategy OQ Data Validation Checks IQ Layout 1 1 : Study visits, Data entry screens, Labels, Codelists Study Qualification PQ Data Entry 46

Traceability Matrix A traceability matrix between User Requirements, Specification and Testing must be in place ensuring (and allowing to verify) that critical requirements/functions have been covered and tested System Traceability Matrix Study Specific Traceability Matrix 47

Release Approval flow of Clinical Database/eCRF Development of guidance for completion management Deployment of Clinical Database/eCRF Training material User account activation Validation statement Version History 48

Topics Under Discussion The regulatory expectations Elements of data quality and integrity The strategy to validate Clinical Database / ecrf systems Key elements concerning the release and the maintenance of validated systems 49

Operational Phase Key Elements Keep the system under control! Ensure record integrity! ACCESS CONTROL PW MANAGEMENT INCIDENT MANAGEMENT BACKUP /RESTORE ARCHIVING CHANGE CONTROL CONFIGURATION MANAGEMEN PERIODIC REVIEW TRAINING SECURITY TRACEABILITY MAINTENANCE 50

Maintenance Availability of the service Help Desk Standard Operating Procedures Change Management Incident Tracking Security Back up and Restore Disaster Recovery and Business Continuity Electronic data archiving and maintenance Periodic Review 51

Change Management definition Change Management consists of the change control and configuration management processes within an organization Fundamental to allowing a system to evolve, while maintaining control of that system. It is the process which controls the ongoing evolution of system components by ensuring that changes to components are recorded, evaluated, authorized and managed. Configuration Management CHANGE MANAGEMENT Change Control

Change Management Clinical Study Change Management Substantial Amendment (s) Approval of Substantial Amendment (s) Impact evaluation on ecrf EN D ecrf change implementation ecrf change deployment System Change Management 53

Training Training on Clinical Database/eCRF should include system security issues (i.e. good user account management! And good password management!) Documentation that the user account were activate ONLY AFTER training Availability of training records (SIV, on going following modification) 54

Access Control Physical Controlled Facility Trained and qualified personnel Logical Security Appropriately configured HW (firewall, routers, switches) User authentication User profiles (authorization levels) Data segregation 55

Conclusions 56

Validation = Good Business Practice Properly developed systems meet business needs, work as intended, work consistently and are relatively easy to maintain Properly maintained systems will continue to meet business needs, will continue to work as intended, will continue to work consistently, will continue to be relatively easy to maintain Business Impact Regulatory Impact Increased efficiency Decreased risk of noncompliance Increased quality of information Decreased cost of doing Decreased risk of nasty stuff business (e.g., warning letters, rejection of Decreased risk of client loss submissions) Do it right the first time 57

Thanks for your attention Mobile: Tel: Fax: Mail: Giulia M. Valsecchi GCP & Pharmacovigilance Compliance Manager Pharma Quality Europe +39 348 7152266 +39 055 951808 +39 055 952310 g.valsecchi@pqe.eu If you have any question, feel free to contact me