Below is a listing of questions during Webinars and Training classes:
|Can you please distinguish the difference between QTLs and risk indicator/thresholds. How does your interpretation align/differ from recent TransCelerate paper?||Quality Tolerance Limits (QTLs) are set at a study/protocol level and are typically a sub-set of the KRIs that are being used to look at site quality. The intent of the QTL is to determine if either subject well-being/safety or data integrity are being put at risk to such a level that the overall study could be in jeopardy. The tolerance limits or thresholds set at a site level are likely to be different, possibly multiple, each with different actions e.g. watch and wait, vs act. The QTL should be set to a level that allows proactive recovery steps to be implemented and should be set based on experience and expertise (medical and statistical) and the QTL is likely to be specific to the study or therapy area/inidcation. Common inidcators where QTLs are implemented are Subject Consent Errors (particularly re-consent), Protocol Deviations (Particularly elibility), AE Rates, AEs/SAEs of Special Interest, Subject Vists Out of Window, others specific to the study e.g. Incomplete/missing end point data such as images.
I think our definition is similar to the recently published Transcelerate paper.
|What would be an example of a risk control at an organizational level? you stated risk control can be at a study, site, organization level?.||This is typically a change at a procedural level, similar to CAPA, putting preventative measures in place to avoid risk may be as a result of persistent breach of QTLs.
May also be related to vendors, if root cause has pin pointed risk with a particular vendor, they may be removed from the 'approved vendor' list.
|How is the CRO receiving Sponsor's delegation to this quality management action? Any specific message mandatory for us (CRO) being responsible?||This should be worked out as part of the contract, but it is worthwhile to have your own SOPs that cover the process of quality (risk) mgmt. I often recommend that it is good practice to perform an early critical variable and risk assessment as part of the RFP process. As the sponsors representative for the areas that are delegated to you (the CRO) you will have some level of responsibility for identifying and managing the risks in conjunction with the sponsor. I would recommend as a best practice that you (the CRO) has a risk assessment and mgmt process in place and conduct your own risk assessment of the protocol, this process can also be conducted in conjunction with the sponsor (ideally a joint process would be conducted). The outcome of risk assessment, as you will see as the presentation progresses, should inform the functional activities and functional plans, e.g. Monitoring, Data Mgmt, Supplies etc.|
|all right. I see. So this task is now implicit to contract (delegate) study activities mgmt to a CRO||Yes, as more regualtory authorities adopt R2, the expectation will be there that this process is accounted for in your QMS, and it may be conducted independently or in conjunction with the sponsor. The sponsor is ultimately responsible but as the representative, your processes should cover this.
Interestingly, in a recent presentation at the Global QA meeting in Edinburgh (02 Nov), the EMA representative, Sophia Mylona, publically stated that the EMA would expect sponsors (and their representatives) to implement R2 principles retroactively to ongoing studies, where is made sense and was practicable, I would suggest this means, if you have protocol amendments, the Q(R)M processes should be applied, but Sophia also indicated this could apply to monitoring findings e.g. applying root cause analysis methods, assessing overall risk to other sites and implementing changes to monitoring plans as necessary. So if you are working in areas under EMA jurisdiction or the study data may be submitted to the EMA, this is something to be thinking about as it is now in effect as of 14 Jun 2017.
|What is the responsibility if the CRO is in charge of drafting the protocol?||The same process would apply, risk assessment (ideally jointly with the sponsor) should be conducted, beginning with evaluating what is critical and identifying/evaluting the risk around it, where possible agreeing risk reducted/elimination with the sponsor and if not, then agreeing risk controls to implement and monitor (in the wider sense of the word) during the trial. I would recommend that the functions involved in the trial are involved in the risk assessment process|
|what if the risk is out of the CRO's management/control, though still having probability & magniture. As the budget assigned to sites for example||This is important from the CROs perspective. I think documenting the risk and agreeing the control mechanisms with the sponsor is critical in this scenario, ultimately the controls will be agreed to by the sponsor, if they do not agree to the controls, you could argue this increases the risk, but documenting the risk and the likelihood and magnitude should help the sponsor understand the rationale behind the reason for the recommended controls|
|Risks are always idenfied as potential facts righ?. I mean errors done with the ICF for example (as not timely approved by ECs although used) are already deviations, not risks||I like to think of this using the simple worked example below. What risk assessment allows us to do is to be proactive and better prepared for dealing with issues before the impact escalates.
Fact: 1) known information, The study drug has a short shell life due to lack of stability data
Risk: 1) What could go wrong?, Study duration might exceed the shelf life, 2) What is the impact?, Cost of re-labeling, cost of manufacturing additional supplies, Recruitment/treatment suspension, 3) What can be done to mitigate?, Continue with long term stability research, Budget for additional supplies, Put plan in place to determine when additional supplies will be needed.
Issues: 1) What has gone wrong?, Study term will exceed shelf life, 2) What has been affected? Nothing at this time, 3) Was it a previously identified risk? Yes, 4) If so, what has been done to mitigate already? Budget and plan for additional supplies are in place, 5) Act to resolve? Implement re-supply plan
|Where would secondary objectives fall as a structural risk, essential or non-essential?||Each objective should be evaluated in terms of it's importance to the program and drug safety profile. It would not be accurate to state that all secondary or exploratory objectives are non-essential, but they should be questioned/challenged in terms of their necessity to the program and profile and the risk-benefit should be considered, in terms of subject protection and burden to subject and site.
Also important to note that non-essential risk can be present in the processes and data related to the primary objectives, so these should be scrutinized too, to ensure that we are doing what is necessary.
|What is the definition of 'safety'. protecting subject 'safety'. I believe this really means AE/SAE, etc. However, as a CRA we often hear it referenced to 'safety' labs. e.g., general chem, haematology, etc. These are referred to safety labs and may have no bearing on critical data. Isn't it the PI's responsibility to review these 'safety labs' and track his/her subject's safety?||One of the core principles of GCP is to protect subject rights and well-being, often this is paraphrased as 'subject safety' but this is only one aspect. All parties involved in clinical trials are responsible for collectively protecting the rights and well-being of subjects. This begins with the sponsor in protocol development, evaluating the risk-benefit of the protocol procedures that the subject will undertake and ensuring that we are not exposing the subjects to risk unnecessarily, and putting controls in place where risk is necessary. You are correct, the PI is responsible for the subjects care, and ensuring that any decisions on the subject medical care has the subjects' well-being at the core. As a monitor (CRA), you are overseeing how the PI/site is conducting the protocol, ensuring they are following protocol procedures, which are in place not only to meet the objectives of the study but to protect the subjects' well-being. Not all data that is collected in a clinical trial is 'critical', what we need to do is determine what is and ensure that our activities focus on these areas. Some things, such as safety labs, are routine clinical care and is the responsibility of the PI and site staff, but there may be key elements of safety labs e.g. ALTs that are of particular interest because to the current safety profile of the drug that may be of particular interest that must be a focus of monitoring activities. There are some changes being put forward by industry bodies around the difference between SDV and SDR, you may review (SDR) and verify (SDV) specific tests in a series of labs, looking for specific values/AEs for all subjects but only review all labs for a small percentage of subjects to determine if there is any persistent behaviour/practice evident at the site that would put the subject or the data the site is producing at risk.|
|RE quantification of risk: the variables are orthogonal. Wouldn't a calculation based on sum of squares be more reasonable?||You are correct, that the variables are uncorrelated and hence can be treated independently, and your approach would make good sense. At this stage in the industry's maturity in this area we are trying to keep things simple and accessible. We have no doubt that more sophisticated algorithms will develop over time as acceptance and experience grow.
At TRI we are always researching new techniques to be more accurate in the way we measure and detects risk, but we also have to be careful not to overrun our core audience and confuse people more than we help them!
|The description of assessing probability is at odds with your earthquake insurance example - should you also assess likelihood of recurrence? Maybe something has occurred in a previous trial but you've installed mitigations for it.||The point of the earthquake example is that risk management is often emotive - through personal experience people are more likely to try and mitigate a risk even through they objectively understand that the likelihood of occurrence is much lower (due to the nature of earthquakes in this example).
In a clinical trial, we are quite likely to think first of risks which have previously occurred, those we have experience of. We must evaluate those risks objectively and not put disproportionate risk management measures in place, just because it occurred previously. If risk controls are already in place from previous experience, there is likely to be an impact on the likelihood of the risk occurring again, and this will need to be taken into account.
We do also have the opportunity to learn from any previous occurrence and should consider whether the management measures we put in place on the last trial were effective or not, and potentially consider changing our approach if they were not effective previously.
|When should the risk identification take place? during the development of the protocol or when the protocol is finalized? who/what expertise would you expect to be at the risk identification meeting?||It is an ongoing process, but should be initiated during the protocol development cycle, as early as possible, ideally with the robust synopsis where the objectives can be evaluated. The extent of the assessment will expand, more functions will become involved as more detail is added to the protocol. Any changes from the draft to the final should be assessed as control measures may change and risks may close depending on the changes.
During the conduct phase, processes should be in place to support the identification of emerging risk, which should go through the same evaluation process to determine the appropriate controls.
|When detecting risk, we are detecting risk only on the critical data that was identified, correct? We are not looking at non-critical data for risks, e.g. the fluff.||Risk is typically multi-variate, sometimes we will look at many indicators to get an idea of quality, there is not always a 1:1 relationship. What we are trying to achieve is that we focus our trial activities on those processes and data that are critical to the study success and the protection of subjects.
Sometimes looking at specific critical data could risk unblinding so often detection methods will look around the critical variable e.g. the processes associated with collection.
|If PI needs continuous access to CRF data, how do we address that many PIs do not seem to access EDC until the end of trial (just to Sign)?||The 2 requirements are not related.
The first comment about the PI not completing training to access the EDC until the end of the trial, is poor practice by the PI and the oversight and supervision responsibilities in section 4 should provide more grounds for taking action against the site(s) where the PI is not demonstrating appropriate oversight/supervision.
The second comment about the access, it is the site, under the supervision of the PI. The important point is that the site must verify access to the copies of the data before access is removed. While I take the point about continuous access cannot be assured if the PI has not been trained and therefore does not have access during the trial, other site personnel do have access, so the sponsor does not have exclusive control of the data.
|I may misunderstood but did you say that the Quality Risk Management Plan needs to be included in the CSR?||ICH E6 R2 5.0.7 Risk Reporting: The sponsor should describe the quality management approach implemented in the trial and summarize important deviations from the predefined quality tolerance limits and remedial actions taken in the clinical study report (ICH E3, Section 9.6 Data Quality Assurance).
Our recommendation is that the QRMP is included as an addendum or summarized in section 9.6 to meet the first requirements and the second requirement of deviations from QTLs are also summarized together with actions taken and any changes made to the QRMP as a result of the deviations.
|How are the regulators viewing non brick and morter sites (i.e telehealth)? How does this fit in the new Quality Management system?||Quality Mgmt still applies, infact, more sore in this scenario. The risks to the critical variables should still be assessed and controlled, and the provision for central monitoring activities should very much support the requirements of this scenario. We are expecting similar requirements to be added to E8 General Considerations for Clinical Trials, in the next 18 months, so all types of research will be expected to follow this approach.|
|When we are assessing risks should our scoring be with or without mitigation?||Good question, I would advocate both, because the mitigations can make a significant difference to how you monitor and review the risk, and the score is not static, as the process is an ongoing cycle, your risk scores may change based on real world evidence as the trial progresses|
|What is the regulatory authorities thoughts regarding introduction of bias or influncing go/no go decisions if data is being evaluated ongoing bases?||The intent of the central data review/monitoring is not to evaluate the data from the point of view of objectives, this would still be completed by the normal methods, e.g. adjutication, IDMC. The type of review being positioned in the guidance is related to data quality, and the surrounding processes being conducted accurately and timely, so as to identify problems early and rectify these to prevent them from impacting the integrity of the data and/or subject well-being, this type of review should not influence go/no go decisions on the IMP or overall success or otherwise of the trial objectives.|
|If monitoring is done by outside vendor (aside from CRO doing data management and statistics, for example), who holds the vendor management plan?||This will depend on the who holds the contract and the terms of the contract.
Would suggest if sponsor holds the contract with the monitoring vendor, they should be responsible for the vendor oversight/mgmt plan. Some activities may be delegated to DM/Biostats vendor in the scope of central monitoring, stats monitoring, in such cases vednor should ensure these are listed in the relevant function plan.
|Do you see the changes in CSV as new or just catching up with the current validation process that the FDA guidelines cover?||Mainly catching up with FDA guidelines and GaMP guidelines, GaMP5 allows for a risk based approach to validation, which is supported in E6 R2.|
|If site does not have means to access CRF data/essential document data through CDs, could memory sticks be used.||Yes, the important point is that we check with the site that they will be able to access the data on the media provided and that the site confirms access.
Memory sticks have been used as have file drops to secure sites and document portals which remain active following study close, all of which are acceptable, providing the site confirm access.
|Does root cause analysis (RCA) have to be documented for all CAPAs and to what extent.||RCA is only required for non-compliance that impact or has the potential to impact subject rights and/or reliability of trial results/data integrity. RCA should be part of the CAPA process, and the process should state when RCA is required and reference or describe the preferred method of RCA, including responsibilities, timelines.|
|What is best practice regarding implementing risk mgmt, should it be a new process or integrated into existing processes||Best practice would be both, a risk assessment and mgmt SOP that sets out the process, responsible functions etc. and then integrate this process into existing processes where applicable, e.g. project mgmt/study mgmt; protocol development; study planning.|
|Do the edata handling requirements apply to all vendors, e.g. regulatory vendors we might use for electronic publishing of regulatory submissions (eCTD format)||Yes. Best practice would be to review what the vendor is required to do and if their scope would potentially impact subject protection and/or data integrity. Based on the outcome of this assessment, the scope of expected validation activities performed by/required of the vendor should be determined and this should form part of the vendor assessment.|
|eData handling - what is the impact beyond IT, e.g. is DM responsible for checking all updates that EDC vendor makes.||No, but the EDC vendor and their SDLC/CSV SOPs should be assessed as part of the vendor assessment/qualification process conducted by QA.|
|Would you generally consider an "important" process like consent a "critical" process from a risk management perspective - for example if you have an optimized process for consenting, no historical issues with the consent process, and nothing unique about the study that would increase risk (vulnerable subjects or multiple consents), could you omit the conent process from your list of critical processes?||Great question, I would still consider it a critical process in terms of subject well being and protection, but in terms of evaluation I might rate it low probability, medium-high impact and easy to detect, and if I have good processes in place and ther ehave been no issues with consent deviations or CAPAs in the past and there is nothing unusual about the consent process in the protocol e.g. vulnerable populations, I might state that there is low/negligible risk to this critical process, and it is controlled by my standard processes. It is acceptable to state that there is no or negligible risk associated with a critical process, just because its critical does not mean there is risk associated with it.|