Category Archives: eClinical

Becoming a Data Scientist {EDC Developer + Statistical Expert + Data Manager}

At an early age, I was drawn to computers. I did well in math; I love science and I started enjoying programming when my stepfather gave me a small computer to program games. This was my real experience with programming. I think the programming language was Basic. The computer had some built-in games and basic math problems in it but you could also play around with ‘Basic‘ codes and create your own.

Then I went to a technical school and on to college, where you take basic classes in information systems/technology, and I took courses in telecommunication management. Most of the courses were around IP, PBX and Network Administration. As part of that curriculum, I took a basic programming course and VB.net. I really liked that since it has a visual interface (drag and drop to create the interface) and when you click a button you create an event, so I liked the design aspect of it (I am known to be very creative). Then I started to design for people (website design and development, small databases). A lot better than working in telecommunications. I thought VB was a great first language to learn. Later I took a Microsoft Access database development class where we learned database design (relational), and I found out I was really good at that.

Before I graduated, I was already working for a well-known pharmaceutical company as a database analyst within their data management and biometrics team. They really liked what I did with their clinical operations data (investigator data – you know, the kind we need CTMS systems for nowadays). So this was a confirmation that ‘databases’ was my passion. I love designing, managing and maintaining them.

During my early years in this industry, I spent a lot of time writing SQL code and SAS programs. We pulled the messy data (back in those years we used the Clintrial Oracle backend system) and the work was very problem-solving oriented. A business question was asked and we would use either SQL or SAS to go into this messy database and figure out the answer. I really enjoyed that.

In recent years, I have taken data from an {EDC} system, written scripts to summarize the data for reporting and put it into a data warehouse. Then I use a product called ‘IBM Cognos’, which points to the data warehouse, to build those reports, and I have worked with different users across different departments (a lot of different audiences for the data) with a lot of different interesting data in there. I have spent time using APIs to extract data via Web Services (usually in XML-ODM format) and generate useful reports in SAS or Excel XML.

People think that being a data analyst is just sitting around a computer screen and crunching data. A lot of it is design-oriented, people-oriented, and problem-solving. So when people ask a question, I get to dive into the data and figure out the answer.

Next step is to get into predictive analytics and do more data mining and data forecasting.

Are you still excited about becoming a data scientist?

You can start by reading my blog about programming languages you should learn here!

Other tools and programming languages you should learn: Anaconda, R Programming, Python, Business Intelligence Software like Tableau, Big Data Analytics with Hadoop, create new representations of the data using HTML and CSS (for example when you use APIs, XML to extract data from third-party sources).

Anayansi, MPM, an EDC Developer Consultant and clinical programmer for the Pharmaceutical, Biotech, and Medical Device industry with more than 18 years of experience.

Available for short-term contracts or ad-hoc requests.  See my contact page for more details or contact me.

Fair Use Notice: Images/logos/graphics on this page contains some copyrighted material whose use has not been authorized by the copyright owners. We believe that this not-for-profit, educational, and/or criticism or commentary use on the Web constitutes a fair use of the copyrighted material (as provided for in section 107 of the US Copyright Law).


EMA and The Netherlands Biopharm Opportunities

The European Medicines Agency (EMA) is relocating from London to Amsterdam.

According to EMA, the Seat Agreement allows EMA to function independently in the Netherlands. Similar agreements apply to other EU agencies located in the Netherlands.

On Friday, 13 April 2018, the Dutch Council of Ministers agreed to sign the document.


Quantify Research reported earlier this year that the move of the EMA to Holland will be a welcome boon to that country, particularly because some companies have shuttered their Netherlands locations in favor of other European countries. The research report pointed to more than 1,500 job losses about eight years ago after Abbott and Merck Sharp and Dohme closed facilities in that country. Quantify said the Dutch market share in the European pharma industry plummeted from 3.3 percent in 2009 to 17 percent in 2014.

To help spur the resurgence of the Netherlands pharma industry, the Netherlands Foreign Investment Agency (NFIA) is hosting a landscape tour at the end of summer to showcase the country’s offerings. While the EMA is expected to become the core of the Netherlands biopharma industry, the NFIA said the country is home to facilities for more than 420 biopharmaceutical companies, such as AstraZeneca, Janssen, MSD, Amgen and Teva, to name a few. The NFIA pointed to these companies because they “rely on their Dutch operations for both R&D and distribution activities.”

But it’s not just the large global pharma companies that have a home in Holland. The country is also home to a number of biopharmaceutical startups and scale-ups, like Galapagos, Genmab, Pharming and uniQure.

Another company that will be relocating to the Netherlands is Gilead Sciences. This new facility will employ over 300 people. Other companies worth mentioning are GSK-Novartis and Merck, and most well-known Clinical Research Organizations (CROs) have made the Netherlands their home.

For those interested in working and living in Amsterdam, you should know that it is one of the countries with the highest taxes, with a 52% income tax rate if you make over 55,000 euros per year (apparently they think this is good money). For a regular employee with benefits, your tax rate will be 42%. Don’t expect to be making more than 55,000 euros a year unless you are a highly skilled employee or hold a managerial level position.

Goodbye!

Source:

Biospace

EMA

https://www.government.nl/latest/news/2018/04/23/the-european-medicines-agency-ema-and-the-netherlands-agree-on-seat-agreement


CTCAE: Common Terminology Criteria for Adverse Events

The National Cancer Institute issued the Common Terminology Criteria for Adverse Events (CTCAE) version 5.0 on November 27, 2017.

So what is CTCAE and what is it used for?

The NCI CTCAE is a descriptive terminology that can be used for reporting adverse events (AEs). A grading (severity) scale is provided for each term.

The oncology community has a standard classification and severity grading scale for adverse events in cancer therapy clinical trials, and this is what is described in the CTCAE reference.

The SOC (System Organ Class) is the highest level of the hierarchy of the MedDRA dictionary. It is identified by an anatomical or physiological classification, an etiology or a purpose (e.g. SOC Investigations for laboratory results). The terms of the CTCAE are grouped together according to the MedDRA primary SOCs. Within each SOC, the terms are listed and accompanied by a description of the severity (grade).






An adverse event is any unexpected sign (including laboratory results), symptom or disease associated in time with the use of a treatment or procedure, whether or not it is considered connected to that treatment or procedure. An AE is a unique term representing a specific event, used for medical reporting and scientific analyses. Each term of the CTCAE is a MedDRA LLT (Lowest Level Term, the lowest level of the hierarchy).

Grades refer to the severity of AEs. The CTCAE is divided into 5 grades, each with a unique medical description for each term, based on the following general guideline:

  • Grade 1: Mild; asymptomatic or mild symptoms; diagnosis on clinical examination only; not requiring treatment
  • Grade 2: Moderate; requiring minimal, local or non-invasive treatment; interfering with instrumental activities of daily living
  • Grade 3: Severe or medically significant but not immediately life-threatening; hospitalization or prolongation of hospitalization indicated; disabling; interfering with basic activities of daily living
  • Grade 4: Life-threatening; requiring emergency care
  • Grade 5: Death related to AE. Grade 5 is not appropriate for some AEs and therefore is not an option for them.

| MedDRA code | CTCAE v5.0 Term | Grade 1 | Grade 2 | Grade 3 | Grade 4 | Grade 5 | Definition |
|---|---|---|---|---|---|---|---|
| 10007515 | Cardiac arrest | - | - | - | Life-threatening consequences; urgent intervention indicated | Death | A disorder characterized by cessation of the pumping function of the heart. |

CTCAE is still the formal reporting standard for AEs, with grading dependent upon clinician judgement of medical significance.

A copy is located here: CTCAE version 5.0.

Sources:

https://ctep.cancer.gov/protocolDevelopment/electronic_applications/docs/CTCAE_v5_Quick_Reference_8.5×11.pdf

Feature image: CTCAE-4 by Stefano Peruzzi (apple app)


Today is GDPR day! GDPR is in place! Are you ready for it?

According to the EU General Data Protection Regulation (GDPR), which comes into effect today, May 25th, 2018, most companies will need to inform you of their privacy policy for processing and protecting your personal information and your privacy.

The General Data Protection Regulation (GDPR) is already in place, but many companies are not yet ready - more precisely, only 45% of organizations said they had a structured plan to comply with it.

A recent survey also reveals that 54% of large organizations (with more than 5,000 employees) are better prepared to deal with GDPR; in small ones, this index drops to 37%. And, only 24% of companies use external consulting to become compatible.

With this Regulation, individuals have the right to request that their personal data be erased or transferred to another organization. This raises questions as to what tools and processes organizations will need to implement. For 48% of respondents, it is a challenge just to find personal data in their own databases. In these cases, compliance with the GDPR rules will be an even more serious task.

55% of organizations are not prepared for GDPR

For EU citizens and residents, this is a welcome law. But US citizens and residents will continue to suffer identity theft and data privacy violations at the hands of the same companies the EU is trying to fine and control under this law. The Googles, the Facebooks, the Twitters and most social media will be scrutinized heavily after this day.

Who does the GDPR affect?
The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

Source:

https://www.eugdpr.org/

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en


Got Medrio? The Next Best EDC…

Medrio is a low-cost solution that offers easy mid-study changes and intuitive phase I workflows.


One of my favorite features of Medrio is the Skip logic functionality. So what is Skip logic?

Let’s demonstrate this feature by using the Demography form / Race field:

In many EDC systems that I am currently using or have used in the past, we have to create separate fields for each option and write a custom edit check to flag when data has been entered in the specify field. This scenario requests data in the specify field if the OTHER race option is checked. With skip logic, the specify field cannot be entered for any other option (e.g. White or Black or Indian) if the user did not select OTHER; when OTHER is selected, the required field ‘Specify’ is made visible and available (mandatory) for data entry.

[Screenshot: eCRF – DEMO – Medrio]

[Screenshot: DM form – Skip Logic]

The above screenshot shows the query that results from the skip logic configuration if the OTHER specify field is not completed. In other words, when a Race other than ‘OTHER’ is checked, the specify field will be skipped (not enterable). To make this work, and as a best practice, you will need to make the ‘OTHER’ field required during data entry.

If you are looking for a study builder or clinical programmer to support your clinical trials and data management department, please use the contact form.

Source: medrio.com

Disclaimer: The EDC Developer blog is “one man’s opinion”. Anything that is said on the report is either opinion, criticism, information or commentary. If making any type of investment or legal decision, it would be wise to contact or consult a professional before making that decision.

-FAIR USE-
“Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.”

Legalese: Employment Contracts vs At Will Contracts Part I

In this world, we have two kinds of contracts, invisible contracts; those that somehow we have with governments (there are no paper trails and because they say so) and the paper contracts, those in which we have at least two parties agreeing to terms and conditions written on a piece of paper.

For the purpose of this article, we will refer to Employer or Company and Employee or consultants or freelancer moving forward.

So what happens when a party violates the terms of a contract to which they’ve agreed?

Before we can answer that question, we will need to understand the legalese or legal language used and the different clauses that appear on each contract.

Trial Period / Probation Period Clauses

This clause may have something similar to:

***This agreement is subject to a trial period of 1 month.****

***The First Six (6) months of the employment contract shall be deemed a ‘probation period’. During this probational period each party of the contract shall be entitled to terminate the contract within 30 days notice to the other party.***

This clause should be pretty easy to understand. The company wants to have at least 30 days to up to 60 days to decide whether they want to keep the new employee and be able to terminate such employment contract within the specified time. If the employer does not terminate the contract within the 6 months, the contract is fully enforceable and can only be terminated via court order or mutual agreement with the employee.

At Will – Only applicable to the United States.

Many of us who have worked and lived in the USA have seen the so-called ‘at will’ contracts.

At-will employment is a term used in U.S. labor law for contractual relationships in which an employee can be dismissed by an employer for any reason (that is, without having to establish “just cause” for termination), and without warning. -Wikipedia

Such a clause may read as follows:

***Employment at ABC Corporation is “at-will.” This means that you may resign at any time, for any reason or for no reason, or with or without notice. Similarly, ABC Corporation may terminate your employment at any time for any reason or for no reason, with or without notice. This offer letter is not a contract of employment for any purpose or duration. ABC Corporation reserves the right to change its policies and procedures, with the exception of its “at-will” policy, at any time, with or without notice.***

Example 2 – At Will Clause

***Employee acknowledges that the employment relationship created by this agreement is at will and is, to the extent set forth in this agreement, temporary in nature and can be terminated at any time by Company for any reason whatsoever.***


Termination Clause

While most At-Will contracts clearly specify that a contract can be terminated with or without reason and at any time, most employment contracts provide a clear end date.

For temporary and limited short-term contracts, there should be an end-date, for example:

***This agreement shall continue in force from the dd Month year until the dd Month year or until earlier terminated in accordance with this agreement.***

Example 2:  Common in Employment contracts

The project agreement is entered into for a fixed term and is valid for the duration of 6 months and therefore ends automatically and by operation of law, without written termination being necessary for that purpose, on <end date>.

***Either party can immediately end the employment, without a termination period and without regard to the conditions regarding termination in the event of an urgent reason, as stated in articles <xxxx> and <xxx> of the Country Civil Code.***

***The employment contract will end on the last day of the month prior to the month in which the employee reaches the retirement age.***

In Part II, we will cover the confidentiality agreement clause, and some other benefits clauses added to the employment contract like bonus, relocation, job responsibilities, competing clauses, and more.

Conclusion:

Most Europeans have what we call ‘Employment Contracts’ whereas Americans have ‘At Will’ contracts. The main differences between having a European contract versus an American contract are: stability (notice period is a must) and financial compensation (severance package equals one month salary for every year you worked for the company). Usually, an employer or employee must give 3 months notice before terminating the employment contract. Americans can be terminated the same day they report to work without notice. On the other hand, Americans make more money. For example, a clinical programmer in the pharmaceutical industry could make over 80,000/year salary depending upon experience, while someone from the UK will be making less than 50,000 pounds or an EU employee less than 70,000 euros/year.

Americans make the money up front, which means Americans should be saving on average one month salary per year, while Europeans will receive a final check, usually one month salary for every year they have worked for the company, as part of their exit package or termination of employment, also known as ‘severance payment’.

Need legal advice in Panama? Relocating to Panama for work and need legal advice? Panamanian work visas?

Contact Us here: Panama Lawyers and click on Consultation Form

Hashgraph: Electronic Data Capture Future?

Hashgraph technology, created by Leemon Baird, is probably going to replace blockchain technology.

Since the introduction of bitcoin, many thousands of blockchain-based cryptocurrencies have been created, and more are being created every single day. So what’s different about hashgraph?

Well, it isn’t a blockchain. It’s totally different; in fact, the way it works is a real mind-bender and a bit difficult to explain.

Instead of a block in a blockchain, hashgraph calls its packages of information “events”. Your computer takes a transaction, like a payment or anything else you want to record (for that matter, an action in the eCRF form such as SDV), and puts it in an event. To transmit information quickly, hashgraph uses a technology that has been the gold standard in computer science for decades. It’s super fast and it’s called the ‘gossip protocol’. Your computer randomly tells another computer in the network about the event you’ve created, and that computer responds by telling your computer about any events it has heard about. Then that computer tells another computer about your event and the other events it has heard about, and the computer it is talking to responds by telling it all the events it knows about. It’s absolutely the best, most efficient way to spread information, and it’s exponentially fast. And the best part: each event also includes the time it was heard and who it was heard from, and the time they heard it and who they heard it from, and so on. This is called ‘gossip about gossip’, and it lets everyone know what everyone else knows and exactly when they knew it, within just fractions of a second.

Another key feature is ‘virtual voting’. Voting is an old technology, but it was slow. With hashgraph there is no actual voting: because everyone already knows what everyone else knows, you can mathematically calculate with 100% certainty how they would vote, which allows hashgraph to come to consensus almost instantly. So instead of recording things on a block and adding it to the blockchain once every 10 minutes, hashgraph events are added to the system instantly, the moment they are created, so they don’t have 10 minutes’ worth of information in them. That means they are small and contain far less data, so they use very little bandwidth, are much easier to transmit and use a minuscule amount of power, which makes hashgraph fast, fair and more secure than blockchain.

All events are time-stamped the moment they are woven into the system, so the record of whose event came first and whose came second is instant, and there is no such thing as soft forking or unconfirmed events.

It can also replace huge portions of the internet that are currently run by centralized servers by replacing them with the shared computing power of all of our own computers, iPads and cell phones.

It looks like hashgraph might have the potential to fulfill all the original hopes and dreams of a true Electronic Data Capture system (e.g. eCRF forms collected at site, ePRO/eCOA data directly from subjects, external or local lab or ECG data from any lab, eSAEs, informed consents, and more). In other words, sites, sponsors, labs, regulators and all vendors working seamlessly with each other.

Imagine an investigator or research site completing an ‘event’ (e.g. Enrolled or Randomized) and the system automatically sending the payment to the site at the end of each event.

The power to decentralize and remove the middleman with the speed at which technology is evolving the future is looking bright.

One of the challenges of any new technology is how to explain it to people and make a compelling case for it. One of the things that is so compelling about this technology is throughput – the speed.

You are probably thinking: but what about eSignatures? Or informed consents? Or regulations? There is another technology, ‘smart contracts’, that could lead to substantial improvements in compliance, cost-efficiency and accountability.

What are smart contracts? They are contracts whose terms are recorded in a computer language instead of legal language. Smart contracts can be automatically executed by a computing system, such as a suitable distributed ledger system. The potential benefits of smart contracts include low contracting, enforcement, and compliance costs; consequently it becomes economically viable to form contracts over numerous low-value transactions. The potential risks include a reliance on the computing system that executes the contract. [Distributed Ledger Technology: beyond block chain, UK Government Office for Science, 2006]

Bitcoin technology uses a tremendous amount of energy to run the system, and as it scaled up it became slower and slower, to the point where it was no longer a currency; it was basically a speculative vehicle in which you could make some gains in purchasing power. A transaction with bitcoin technology can take 4 hours for confirmation. Hashgraph, compared to Bitcoin, uses no power.

If Bitcoin were to replace the entire world monetary system and financial markets, it would use more power than the entire world produces. It’s completely unsustainable.

Hashgraph, smart contracts, distributed ledgers and similar technologies offer new ways to share information and reduce errors, and they are cost-effective for all users. Perhaps a new Electronic Data Capture system for clinical research will emerge.

Source:

Hashgraph.com

The Crypto Revolution


Eliminating Informed Consent on Human Experimentation with Vaccines and Drugs

The 21st Century Cures Act would demand that the Food and Drug Administration (FDA) add an exemption from informed consent requirements for those clinical trials that pose no more than minimal risk and include appropriate safeguards protecting the rights, safety and welfare of subjects.

Informed Consent Waiver

The above can be found in section 3024 – Informed Consent Waiver or Alterations for Clinical Investigations.

So what they are saying is that now they don’t have to obtain informed consent to test vaccinations or drugs on human beings if it has been determined that the proposed testing poses no more than minimal risk.

Let’s review the Exemption for Devices for Investigational Use:

(g)(1) The purpose of this section is to encourage, to the extent consistent with the protection of public health and safety and ethical standards, the discovery and development of useful devices intended for human use and to that end to maintain optimum freedom for scientific investigators in their pursuit of that purpose.

In other words, you can get an exemption for certain conditions.

Question: if you don’t have informed consent in clinical trials experimentation on people, then how does anyone know they are not part of an experiment?

If sponsors and clinical researchers no longer have to tell you that you are part of it, or get your consent, or inform you of what they are doing? That may sound a little crazy.

Further source of research:

The 21st Century Cures Act Implications

Say Goodbye to Vaccine Safety Science by Barbara Loe Fisher


Freelancer / Consultant / EDC Developer / Clinical Programmer

* Setting up a project in EDC (Oracle InForm, Medidata Rave, OpenClinica, OCRDC)
* Creation of electronic case report forms (eCRFs)
* Validation of programs, edit checks
* Write validation test scripts
* Execute validation test scripts
* Write custom functions
* Implement study build best practices
* Knowledge of the process of clinical trials and the CDISC data structure

 

Understanding Audit Trail Requirements in Electronic GxP Systems

Computerized systems are used throughout the life sciences industry to support various regulated activities, which in turn generate many types of electronic records.  These electronic records must be maintained according to regulatory requirements contained within FDA’s 21 CFR Part 11 for US jurisdictions and Eudralex Volume 4 Annex 11 for EU jurisdictions.  Therefore, we must ensure the GxP system which maintains the electronic record(s) is capable of meeting these regulatory requirements.

What to look for in Audit Trail?

  • Is the audit trail activated? Is there an SOP?
  • Is there a record of reviews? (most companies trust the electronic system’s audit trail and generate an electronic paper version of it without a full review)
  • How is any deletion or modification of audit trail data prevented or detected? Is staff trained?
  • Can the audit trail be filtered?

Can you prove data manipulation did not occur?

Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g. 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.

Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”).

Audit trail content:

| Audit trail content | Reason it is required |
|---|---|
| Identification of the user making the entry | This is needed to ensure traceability. This could be a user’s unique ID; however, there should be a way of correlating this ID to the person. |
| Date and time stamp | This is a critical element in documenting a sequence of events and vital to establishing an electronic record’s trustworthiness and reliability. It can also be an effective deterrent to records falsification. |
| Link to record | This is needed to ensure traceability. This could be the record’s unique ID. |
| Original value | This is needed in order to have a complete history and to be able to reconstruct the sequence of events. |
| New value | This is needed in order to have a complete history and to be able to reconstruct the sequence of events. |
| Reason for change | This is only required if stipulated by the regulations pertaining to the audit trailed record. (See below) |
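One way to make the audit trail content listed above tamper-evident, so that a reviewer can show that deletion or modification did not occur (an added example, not code from any EDC system or from the original post). Each entry carries the listed fields plus a keyed hash chained to the previous entry; the field names, the HMAC key kept outside the database, the separately stored head hash and the sample entries are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash carried by the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    user_id: str                   # identification of the user making the entry
    timestamp: str                 # date and time stamp (ISO 8601, UTC, same format)
    record_id: str                 # link to record
    field: str
    original_value: Optional[str]
    new_value: Optional[str]
    reason: str                    # reason for change
    prev_hash: str                 # entry_hash of the preceding entry
    entry_hash: str = ""


def entry_mac(key: bytes, entry: AuditEntry) -> str:
    """HMAC-SHA256 over every field except entry_hash, in canonical JSON."""
    body = asdict(entry)
    del body["entry_hash"]
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def append(trail: List[AuditEntry], key: bytes, user_id: str, timestamp: str,
           record_id: str, field: str, original_value: Optional[str],
           new_value: Optional[str], reason: str) -> str:
    """Append an entry chained to the current head; return the new head hash."""
    prev = trail[-1].entry_hash if trail else GENESIS
    entry = AuditEntry(len(trail) + 1, user_id, timestamp, record_id, field,
                       original_value, new_value, reason, prev)
    entry = replace(entry, entry_hash=entry_mac(key, entry))
    trail.append(entry)
    return entry.entry_hash


def verify(trail: List[AuditEntry], key: bytes,
           expected_head: Optional[str] = None) -> List[str]:
    """Return review findings; an empty list means the trail is intact."""
    findings = []
    prev_hash, prev_ts, expected_seq = GENESIS, "", 1
    last_value = {}  # (record_id, field) -> last recorded new_value
    for e in trail:
        if not hmac.compare_digest(entry_mac(key, e), e.entry_hash):
            findings.append(f"seq {e.seq}: entry content modified")
        if e.seq != expected_seq or e.prev_hash != prev_hash:
            findings.append(f"seq {e.seq}: chain broken, entry removed or reordered")
        if e.timestamp < prev_ts:  # string compare is valid for one fixed UTC format
            findings.append(f"seq {e.seq}: timestamp earlier than previous entry")
        slot = (e.record_id, e.field)
        if slot in last_value and last_value[slot] != e.original_value:
            findings.append(f"seq {e.seq}: original value does not match previous entry")
        last_value[slot] = e.new_value
        prev_hash, prev_ts, expected_seq = e.entry_hash, e.timestamp, e.seq + 1
    # The head hash is recorded outside the system (e.g. in the signed periodic
    # review), which is what exposes removal of the most recent entries.
    if expected_head is not None and prev_hash != expected_head:
        findings.append("head mismatch: trail truncated or replaced")
    return findings


def build_sample(key: bytes) -> List[AuditEntry]:
    """Constructed sample entries; users, record IDs and values are invented."""
    trail: List[AuditEntry] = []
    append(trail, key, "jsmith", "2018-05-02T09:15:00Z", "SUBJ-001/AE/1",
           "AETERM", None, "Headache", "Initial entry")
    append(trail, key, "jsmith", "2018-05-02T09:20:00Z", "SUBJ-001/AE/1",
           "AESEV", None, "MILD", "Initial entry")
    append(trail, key, "mlee", "2018-05-03T14:02:00Z", "SUBJ-001/AE/1",
           "AESEV", "MILD", "MODERATE", "Source document correction")
    return trail


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # placeholder; a real key lives outside the DB
    trail = build_sample(demo_key)
    head = trail[-1].entry_hash
    print("intact:   ", verify(trail, demo_key, head))
    edited = list(trail)
    edited[1] = replace(edited[1], new_value="SEVERE")   # silent modification
    print("modified: ", verify(edited, demo_key, head))
    print("deleted:  ", verify([trail[0], trail[2]], demo_key, head))
    print("truncated:", verify(trail[:2], demo_key, head))
```
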

FDA / Regulators findings and complaints during Inspection of Audit Trail Data:

  • The audit user is sometimes hard to identify (e.g. user123 is shown instead of the full name behind each user ID, thus requiring additional mapping)
  • Field IDs or variable names are used instead of SAS labels or field labels; map field names to their respective field text (e.g. AETERM is displayed instead of Reported Term for the Adverse Event)
  • Default values should be easily explained or meaningful (see annotated CRF)
  • Limited access to audit trail files (many systems with different reporting or extraction tools; data is not fully integrated; there are too many files and they cannot be easily integrated)
  • No audit trail review process. Be prepared to update SOPs or current working practices to add review time for audit trails. It is expected that, at least every 90 days, qualified staff perform a review of the audit trail for their trials. Proper documentation, filing and signature should be in place.
  • Avoid using Excel or CSV files. Auditors are now asking for SAS datasets of the audit trails. Auditors are getting trained to generate their own output based on a pre-defined set of parameters, allowing them to summarize data and produce graphs.
  • Formatting issues when exporting into Excel, for example: number and date fields are changed to text fields.

Audit Trail Review

What data must be “audit trailed”?

When it comes to determining on which data the audit trail must be applied, the regulatory agencies (i.e. FDA and EMA) recommend following a risk based approach.

Following a “risk based approach”

In 2003, the FDA issued recommendations for compliance with 21 CFR Part 11 in the “Guidance for Industry – Part 11, Electronic Records; Electronic Signatures — Scope and Application” (see reference: Ref. [04]).  This guidance narrowed the scope of 21 CFR Part 11 and identified portions of the regulations where the agency would apply enforcement discretion, including audit trails. The agency recommends considering the following when deciding whether to apply audit trails:

  • Need to comply with predicate rule requirements
  • Justified and documented risk assessment to determine the potential effect on product quality, product safety and record integrity

With respect to predicate rule requirements, the agency states, “Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., § 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.”  In the docket concerning the 21 CFR Part 11 Final Rule, the FDA states, “in general, the kinds of operator actions that need to be covered by an audit trail are those important enough to memorialize in the electronic record itself.” These are actions which would typically be recorded in corresponding paper records according to existing recordkeeping requirements.

The European regulatory agency also recommends following a risk based approach.  The Eudralex Annex 11 regulations state, “consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”).”

MHRA Audit

When does the Audit Trail begin?

The question of when to begin capturing audit trail information comes up quite often, as audit trail initiation requirements differ for data and document records.

For data records:

If the data is recorded directly to electronic storage by a person, the audit trail begins the instant the data hits the durable media.  It should be noted that the audit trail does not need to capture every keystroke made before the data is committed to permanent storage. This can be illustrated by the following example involving a system that manages information related to the manufacturing of active pharmaceutical ingredients.  If, during the process, an operator makes an error while typing the lot number of an ingredient, the audit trail does not need to record every time the operator may have pressed the backspace key, or the subsequent keystrokes to correct the typing error, prior to pressing the “return key” (where pressing the return key would cause the information to be saved to a disk file).  However, any subsequent “saved” corrections made after the data is committed to permanent storage must be part of the audit trail.

For document records:

If the document is subject to review and approval, the audit trail begins upon approval and issuing of the document.  A document record undergoing routine modifications must be version controlled and managed via a controlled change process. However, interim changes performed in a controlled manner, i.e. during drafting or collection of review comments, do not need to be audit trailed.  Once the new version of a document record is issued, it will supersede all previous versions.

Questions from Auditors: Got Answers?

When was data locked? Can you find this information easily on your audit trail files?

When was the database/system released for the trial? Again, how easily can you run a query and find this information?

When did data entry by investigator (site personnel) commence?

When was access given to site staff?
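The questions above can be answered with one query each when milestone events sit in the same audit trail as data changes. This added example (not part of the original article) also applies the inspection findings listed earlier by mapping user IDs to full names and field names to field labels; the table, column and action names and all sample rows are constructed assumptions.

```python
import sqlite3

def build_db():
    # Constructed sample data; table, column and action names are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE users(user_id TEXT PRIMARY KEY, full_name TEXT, role TEXT);
    CREATE TABLE field_labels(field TEXT PRIMARY KEY, label TEXT);
    CREATE TABLE audit_trail(ts TEXT, user_id TEXT, action TEXT, record_id TEXT,
                             field TEXT, old_value TEXT, new_value TEXT);
    INSERT INTO users VALUES ('user123','Jane Doe','Site'),
                             ('user456','John Roe','Data Manager');
    INSERT INTO field_labels VALUES ('AETERM','Reported Term for the Adverse Event');
    INSERT INTO audit_trail VALUES
     ('2024-01-02T08:00:00Z','user456','SYSTEM_RELEASE',NULL,NULL,NULL,NULL),
     ('2024-01-04T10:00:00Z','user456','ACCESS_GRANTED','user123',NULL,NULL,NULL),
     ('2024-01-05T09:12:00Z','user123','DATA_ENTRY','AE-0001','AETERM',NULL,'Headache'),
     ('2024-01-05T09:40:00Z','user123','DATA_CHANGE','AE-0001','AETERM','Headache','Migraine'),
     ('2024-03-01T17:30:00Z','user456','DATA_LOCK',NULL,NULL,NULL,NULL);
    """)
    return db

def milestones(db):
    """First occurrence of each event the auditor questions ask about."""
    rows = db.execute("""
        SELECT a.action, MIN(a.ts) FROM audit_trail a
        LEFT JOIN users u ON u.user_id = a.user_id
        WHERE a.action IN ('SYSTEM_RELEASE','ACCESS_GRANTED','DATA_LOCK')
           OR (a.action = 'DATA_ENTRY' AND u.role = 'Site')
        GROUP BY a.action""")
    return dict(rows.fetchall())

def readable_changes(db):
    """Data changes with full names and field labels instead of raw IDs."""
    return db.execute("""
        SELECT a.ts, COALESCE(u.full_name, a.user_id), COALESCE(f.label, a.field),
               a.old_value, a.new_value
        FROM audit_trail a
        LEFT JOIN users u ON u.user_id = a.user_id
        LEFT JOIN field_labels f ON f.field = a.field
        WHERE a.action IN ('DATA_ENTRY','DATA_CHANGE') ORDER BY a.ts""").fetchall()
```

The `COALESCE` fallbacks keep unmapped user IDs and field names visible in the output, so a gap in the mapping tables shows up during review rather than hiding rows.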

Source:

Part of this article was taken, with permission, from Montrium – Understanding Audit Trail Requirements in Electronic GXP Systems

Fair Use Notice: Images/logos/graphics on this page contain some copyrighted material whose use has not been authorized by the copyright owners. We believe that this not-for-profit, educational, and/or criticism or commentary use on the Web constitutes a fair use of the copyrighted material (as provided for in section 107 of the US Copyright Law).