The 2021 Annual Report from the GCP Inspectors Working Group was posted on 21 November, 2022. It always makes for interesting reading. Due to Covid, only triggered inspections were conducted in 2021.
There was an increase in CRO inspections compared to the previous report. Also of note was an increase in findings related to computer systems! I am going to focus on those findings in this post.
Audit Trails and Authorized Access:
- Lack of procedure for period review of user accesses.
- Lack of audit trail to reconstruct the course of events.
- Deficiencies in/ late provision of access to electronic systems for relevant team members (PI, monitors)
- Lack of risk assessment of the computer system.
- Lack of procedure for validation of computerised systems.
- Lack of testing documentation and conduct.
Physical Security System and Backup:
- Security issues for the remote internet access to the system (no encrypted channel).
- Lack of periodic reviews of firewalls protecting the system.
- Lack of record of security incidents.
- Lack of deployment of critical patches
There has been a draft guideline on computerized systems and electronic data in clinical trials available on the GCP Inspectors Working Group website since June 2021. However, audit trails, computer systems validation and User Acceptance Testing and documentation have been findings in MHRA inspections and EMA inspections in the past. So much so that the Inspectors Working Group issued a notice to sponsors in April 2020 on validation and qualification of computerized systems in which they emphasized the following:
Data integrity, reliability and robustness will depend on the design and the validation status of the computerised systems used. Failure to document and therefore demonstrate the validated state of a computerised system is likely to pose a risk to data integrity, reliability, and robustness, which depending on the criticality of the affected data may result in a recommendation from the GCP inspectors to the Committee for Medicinal Products for Human Use (CHMP) not to use the data within the context of an Marketing Authorization Application (MAA).
They went on to say that inspection findings relating to the qualification and validation of computerised systems were of concern, as some sponsors have not been able to provide adequate documentation of the required qualification and validation activities for computerised data collection tools/software during inspections.
It is not acceptable, they said, to use computerised systems in clinical trials for which the validation status is not confirmed or for which appropriate documentation on system validation cannot be made available to GCP inspectors. If appropriate contracts cannot be put in place, e.g., because a vendor does not allow access to system requirements specifications, prequalification audits, access for GCP inspectors, etc. systems from such a vendor shall not be used in clinical trials. This is irrespective of the number of sponsors making use of or having used the systems, the number of years such systems have been on the market etc., as serious GCP non-compliances and risks to data integrity, reliability and robustness could exist unnoticed if auditors and GCP inspectors are not allowed access as well as if potential serious breaches are not escalated appropriately by the vendor.
They have made their expectations very clear. There is no excuse for not having the required documentation available or accessible by an inspector.