Highlights from the EMA guidance on computerised systems and electronic data in clinical trials – Part 2

Highlights from the EMA guidance on computerised systems and electronic data in clinical trials – Part 2

You may have recently seen our part one of this two-part series exploring the retention highlights of the EMA guidance on computerised systems and electronic data in clinical trials (if not, you can access this here). For part two, we are exploring the annexes of the guidelines that offer additional guidance on standards for operating and managing computerised systems, and in particular the relationship with 3^rd party vendors.

A Quick Recap

Guidelines such as these, are there to provide clarity to sponsors around the specific regulations. This in turn, should better prepare sponsors and investigators for inspections while equipping them with more information to support compliance. Failure to comply can lead to hefty fines and delays, a situation that we all want to avoid.

So, without further ado, let’s dive right in.

“The responsible party is ultimately responsible for e.g. the validation and operation of the computerised system and for providing adequate documented evidence of applicable processes.”

The “responsible party” refers to the sponsor and investigator. Here, they are particularly responsible for the validation and operation of computerised systems. In terms of storing data, wherever this may be, the investigator and sponsor are responsible for ensuring these systems are fit for purpose and function as intended.

If data is being held by a vendor, it remains the responsibility of the sponsor and investigator to ensure that the vendor is validated and meets their specific requirements. Or if data is held in internal computerised systems, the sponsor and investigator are responsible for the validation and operation of said systems.

With either solution, the responsible party must still provide sufficient documented evidence proving the relevant processes have been followed and implemented

“The responsible party should be able to provide the GCP inspectors of the EU/EEA authorities with access to the requested documentation regarding the validation and operation of computerised systems irrespective of who performed these activities.”

No matter who performs the activities relating to validation and operation of computerised systems, the responsibility remains on the investigators and sponsors to provide this documentation to GCP inspectors.

In the case of using a third-party digital archiving system, the selected vendor should have conducted their own validation of the system to ensure that it meets redefined requirements. However, the investigator or sponsor using this system must still ensure this is the case and acquire the related documentation to present to inspectors.

Investigators and sponsors, therefore, must ensure that any computerised system vendors allow for access and review of validation and operation documentation.

“It should be specified in agreements that the sponsor or the institution, as applicable, should have the right to conduct audits at the vendor site and that the vendor site could be subject to inspections (by national and/or international authorities) and that the vendor site shall accept these.”

Agreements made with vendors should state that the sponsor or the institution have the right to conduct audits on the vendor’s location. These audits are to check the vendors’ operations, processes and compliance with relevant standards.

This section also implies that vendors could be subject to inspections “by national and/or international authorities” which must be accepted when required of the sponsor.

Therefore, appropriate agreements must be made with vendors to ensure this is communicated with vendors and that they will agree to be audited and called for inspections. These measurements ensure transparency, compliance and accountability between sponsors, institutions and vendors.

“Tasks transferred/delegated could include hosting of data. If data are hosted by a vendor, location of data storage and control (e.g. use of cloud services) should be described.”

As suggested, data hosting can be delegated, meaning that a data services vendor or location can be used. Though, it should be clearly stated where the data will be physically stored and how it will be managed. This is particularly important for third-party hosting services.

In the example of cloud services, data is commonly stored in servers located in multiple geographic locations. Therefore, the information regarding these specific locations and how the data remains secure and compliant with the applicable regulations must be defined.

Again, we see the emphasis for clarity and transparency in information involving those in control of the data.

“To ensure reliable access to the data, the sponsor/investigator should employ measures to guarantee access to data for the sponsor and investigator in case of foreclosure (bankruptcy), shutdown, disaster of the vendor or for other reasons chosen by the sponsor/investigator (e.g. change of vendor).”

Although rare, disaster cases can happen, and this section emphasises on the importance of data recovery plans and exit plans. Throughout retention periods, the access to data remains a crucial element within regulations. The sponsor/investigator therefore must ensure that plans and processes are in place in case to ensure that the data remains accessible throughout event that could otherwise threaten the data.

The primary concern here is for the sponsor and investigator to still have access to data even with any unexpected situations occurring. Wherever the data is stored, whether through a vendor or even internally, there must be an adequate plan in place to mitigate risks around these events. These plans could include having back-up copies, implementing data replication strategies, having a contingency plan, or agreements with the vendor on the access/transfer of data in this circumstance.

I good question to ask yourself of any current 3^rd party vendor, is if the worst was to happen, how would access that data?

“Agreements should ensure reliable, continued and timely access to the data in case of bankruptcy, shutdown, disaster of the vendor, discontinuation of service by the vendor or for reasons chosen by the sponsor/investigator (e.g. change of vendor).”

This section goes hand-in-hand with the previous one I covered, but this refers to the use of a vendor in the management of data. The sponsor/investigator must ensure there are agreements with vendors for “reliable, continued and timely access to data” under various circumstances. Although, the vendor should have contingency plans in place to ensure that the data is always accessible, it is up to the sponsor/investigator to ensure these are appropriate and underway throughout their contracts.

Sponsors and investigators must ensure that there are appropriate measures in place to ensure the access of data remains in the mentioned events. When signing with a vendor, it’s critical to ensure the vendor has a good and reliable disaster recovery plan that can be implemented in events of disaster, bankruptcy or shutdown. Furthermore, there should be an exit strategy in place in case the sponsor/investigator decides to discontinue with the vendor. What’s key here is to ensure the vendor does not cause you to be “locked-in” to using their service.

Therefore, regardless of adverse scenarios regarding data hosting, reliable and timely access to data should remain with these agreements.

In summary,

The annexes provide additional but valuable advice on the guidance. This particular annex gives more insight into the use of third-party vendors and how to navigate records retention and data management when using a vendor. Overall, the emphasis on this annex is to ensure clear communication, transparency, compliance and accountability for sponsors and investigators.

The key takeaways from this post include:

• The sponsor and investigator are responsible for these activities outlined above.
• The sponsor and investigator remain responsible for providing inspectors and authorities with validation and operation documentation no matter who produces these.
• Data hosting vendors shall be used, but only if information regarding where data is stored and how it is managed, is defined.
• Disaster recovery and exit plans must always be clearly defined.
• Agreements with vendors must also be defined for potential adverse events such as shutdown.