What the New EMA Draft "Guideline on Computerized Systems and Electronic Data" Means to Your Systems
As the EMA released a new draft guideline in June 2021 for comments from the industry, those of us who manage clinical systems analyzed the 47-page document to see how the EMA sees the future of compliance of systems and data. This encompassing guideline presents a clear roadmap on how companies should be controlling their approaches to compliance of regulated systems and is a tool that can be used for updating existing procedures and planning for newer technologies such as wearables/sensors, artificial intelligence and real-world data/evidence. The new guideline is a welcome addition to the GCP world, as other previous regulatory guidance in computerized systems or data integrity has been limited to GMP scope nor included specific examples of the types of systems used in clinical research. This article highlights some of the key points for managers to be aware of for when this draft guidance is finalized in the future, as comments are still open for industry review until December 2021.
The EMA draft guideline 226170/2021 contains a broad scope of topic areas related to computerized systems and the control of electronic data in clinical trials, including the principles of data integrity, computer system validation, audit trail review, devices used in ePRO systems, migration of data, and notably a large section on information security aspects, one area that is often neglected in regulatory guidance from practical application in daily operations. Is your company meeting the expectations in these areas?
Data Integrity and ALCOA++
Many of us are familiar with the tenets of data integrity and the ALCOA concepts, but the EMA has included another “+” to the definition, additionally calling out the need for data to be traceable. To meet this requirement companies must scrutinize if they are able to construct and have the documentation readily available to display the traceability of data from all sources and into which systems for ultimate clinical analysis.
This definition of traceable may be different from the traceability matrix created for computer system validation activities, which maps requirements to design to testing, as data integrity traceability may be captured in architecture or data flow diagrams or other means to capture disparate data flows and usages. In addition, any change to the data would need to be captured to ensure traceability. The EMA stresses again how important data integrity is to the output of the clinical trials, as the draft guideline states that lack of integrity could render the data unusable and noncompliant to GCP.
Computerised Systems Validation
In the area of computer system validation, the EMA reiterates that the sponsor is responsible for the validation of computerized systems used in clinical trial processes. It is understood that the sponsor may be relying on documentation from CROs or vendors, but the sponsors must show that an assessment has been performed to determine the level of validation activities as adequate or if additional validation is needed for the platform level or for any specific configuration.
But it remains to be developed exactly how sponsors will perform their assessment, and risk assessment processes and results may vary from sponsor to sponsor. Also, these sponsor assessments will need to continue throughout the life cycle of a system, due to changes in the systems that would require further validation. In this case, sponsors should ensure they can view validation documents from other parties, whether from CROs or suppliers, in order to determine their result of the risk assessment, and have clear communication channels for when systems are upgraded and changed, and/or predetermined intervals or checkpoints in the study life cycle to decide if further validation activities are needed. These types of interactions amongst sponsors, CROs and vendors should be identified in contracts and Quality Agreements to ensure this focus area of the EMA guidance is adhered to.
Audit Trail Review
Similar to the recent data integrity guidance from several regulatory authorities, the EMA emphasizes that audit trail review should be performed as a regular part of operational processes in the clinical research, and have procedures to support this. This type of review should be proactive and not just relegated to when investigating quality issues or data corrections. The real value to proactive audit trail review can be when business operation units identify their critical data in the audit trail logs and transactions to begin to detect anomalies before quality issues arise and prevent needless undetected data integrity loss by recognizing patterns and outliers. An interesting focus of GCP audit trail review that the EMA endorses is to have the investigator also know how to navigate the audit trail logs as a part of the review process, which could greatly increase data integrity assurance due to the “closeness” to the source data and resulting changes that the investigator possesses.
Devices used in ePRO Data Collection
The EMA draft guidance devotes a large section on how to handle devices used for direct patient data entry as a part of ePRO systems, underscoring the need for controls in transferring and processing data that come from a myriad of various devices that are in the hands of patients, and not fully controlled by the sponsor, investigator nor even the supplier of an ePRO solution.
The key risk is that data stored on a device may be easily lost before transferring to a centralized server, or interrupted during a data transfer due to poor WiFi connections. There must be monitoring to ensure that all data is captured, and if data loss occurs, procedures need to be in place to instruct the patient on how to handle the re-submission of data, and how to handle data duplication from a technical perspective. In the case of Bring Your Own Device (BYOD) usage, in order to attribute the data from the patient, the devices used for the ePRO data collection may be registered or identified with the ePRO system. It is also required to account for all devices if provided to the patients for the study.
In summary, the topics highlighted in this article are only a portion of the draft EMA Guidance on Computerised Systems and Electronic Data, but hopefully, this gives the reader a glimpse into the broad and value-filled content of these proposed requirements. I recommend to all managers of systems used in clinical research to review the draft guidance further for planning and assessing your organization’s current stance to ensure full compliance once the guidance becomes finalized, and to prepare for newer technologies such as artificial intelligence, machine learning and wearables to align to these controls.