Hint: it’s all about delegation
(And why does that make enforcement hard?)
What do the following companies have in common?
- Electronic data capture (EDC) software providers
- Central image / electrocardiogram (ECG) / spirometry readers
- Central clinical labs
- Electronic patient reported outcome (ePRO) software providers
They’re not Clinical Research Organizations.
That’s right. They’re not CROs.
When you finish this, you’ll be able to
- Tell the difference between a CRO and a clinical service provider who is not a CRO
- Explain why enforcement (in the U.S.) is challenging
To understand why they’re not CROs, let’s step in the time machine.
Once upon a time…
…Investigator site personnel recorded observations about clinical trial subjects in paper medical charts. Lab work was performed and interpreted at a local lab; X-rays and ECGs were taken and interpreted locally; and results were sent back to the investigator.
Site staff transcribed the relevant data onto paper CRFs, which were triplicate, carbonless forms. When the sponsor’s CRA monitored the site, a complex process of source data verification and data corrections began, all of which was recorded on paper forms, and all of which was visible to the investigator.
The CRA turned one copy of the carbonless CRFs into the sponsor’s Data Management department. The sponsor’s data entry staff performed double data entry into a clinical database. This process in turn generated additional queries that were managed on paper forms shared back with the site.
Sometimes the sponsor delegated some of their responsibilities to other people or companies. This included responsibilities like monitoring, writing protocols and clinical study reports, and managing clinical trial data.
This is the world into which 21 CFR Part 312 was born.
21 CFR Part 312
Sponsors were allowed to delegate their responsibilities to CROs, as long as that delegation was well-documented. Clinical investigators were nearly equal partners with their pharma sponsors. Clinical investigators controlled their data.
The investigator’s recordkeeping responsibilities covered in 312.62 not only made sense: they were reality.
The investigator’s recordkeeping responsibilities still make sense, but reality has changed.
What changed?
Sponsors have transferred some of the investigators’ obligations to themselves and to these clinical service providers.
EDC Example
Nearly all sponsors use EDC technologies. Let’s zoom in for a closer look at a simplified example.
312.62(b) requires investigators “to prepare and maintain adequate and accurate case histories that record all observations and other data pertinent to the investigation …. Case histories include the case report forms.” Part 312 makes no allowance for investigators to delegate these obligations.
EDC providers create software that have databases and user interfaces allowing users to design eCRFs, enter data, run automated edit checks, issue queries, monitor data, and manage users. They host the servers on which the application runs and data are stored, but are not involved in any of the data management activities.
Sponsors contract with EDC providers to use their software. Sponsors design the eCRFs in the system to collect the protocol-required data; program intra- and inter-form edit checks, test the system, deploy it for use; train the users; and manage user access.
Investigator sites use the EDC system to enter protocol-required data into the eCRFs. When they save an eCRF, a record is created in the EDC provider’s data base.
Because the sponsor has not delegated any of their responsibilities to the EDC provider, the EDC provider is not a CRO.
However, both the sponsor and the EDC provider have a role in ensuring that once an eCRF record is created by investigator site staff, it is maintained in such a way that it is still adequate and accurate, is available to the investigator, and is retained for the record retention period. After all,
- The records are not under the investigator’s control
- The investigator has no contractual relationship with the EDC provider
- Both the sponsor and the EDC provider have users with elevated privileges
- The sponsor may be making self-evident corrections to the investigator’s data
- The sponsor controls user access to the investigator’s data
You could make the case that the sponsor has transferred some of the investigator’s responsibilities to themselves and to the EDC provider.
How does this affect regulatory enforcement?
Enforcement
There aren’t many examples to draw on to demonstrate the issues with enforcement when a clinical service provider isn’t a CRO.
Why is that?
When FDA conducts an inspection, they must link findings directly back to predicate rule requirements (e.g., 21 CFR Part 312). If the actor and activity cannot be linked to the predicate rule because of the way obligations have been transferred, writing a finding becomes very difficult.
Take the 25-day inspection of CoreLab Partners, Inc. in July and August 2010 as an example (483 issued 2 September 2010, FEI number 3008410340). Because the company was not a CRO, multiple observations were written as if the company was a sponsor and its radiologists were clinical investigators. From a data integrity and availability perspective, Observations 1 and 4 are the most interesting.
Observation 1 dealt with computer systems used to blind image files, store and version image files, and read and annotate image files. Perceived inadequacies in audit trails resulted in FDA citing the company for “Failure to prepare or maintain accurate case histories with respect to observations and data pertinent to the investigation.” (An investigator responsibility under 312.62(b).)
Observation 4 dealt with copies of original source documents, which were used in the image adjudication process. These copies, which were important to determine if readers had been “truly blinded,” had been discarded. This led FDA to conclude “Records and reports were not retained for two years after marketing application approval.” (An investigator responsibility under see 312.62(c).)
Observation 2 cited the provider for failing “to select qualified investigators” and ensuring “the study is conducted in accordance with the protocol and/or investigational plan.” (A sponsor responsibility under 312.53(a).) Similarly, Observation 3 stated, “Investigators who were not qualified by training and experience as appropriate experts were selected to investigate a drug.” (See also 312.53(a).) And finally, Observation 5 cited the provider for failing “to obtain from an investigator a commitment to update financial information, to allow complete and accurate certification or disclosure statements.” (A sponsor responsibility under 312.53(c)(4).)
Well-written observations, but somehow they feel awkward.
They feel awkward because the regulations, as currently written, don’t support business as it’s conducted today.
Do we need to revise Part 312? Of course we do. What are the obligations associated with clinical trials? Who is responsible for them? Can the responsible party delegate the obligations? If not, and the obligations are delegated or transferred anyway, how can FDA effectively enforce the regulations to protect clinical trial subjects and the larger population of patients, once a drug is approved? (Too big to blog!)
For discussion
Here are some questions for you. Enter a comment below or use the “Contact Us” button at the top of the page – I can’t wait to hear what you think!
- Can you explain why the other 3 examples listed at the beginning are not CROs?
- What about IWRS providers? Where do you think they fall and why?
- Is it different in other parts of the world? If so, how? And why do you think that is?
- What do you think needs to change?
I get that aspects of 21 CFR 312 will eventually need revising in keeping with advancements in clinical trial technologies and other developments. But, unless I’m missing something, it seems to me some of the examples cited are a matter of FDA guidance than rule-making. Part 312 is fairly clear about obligations and responsibilities of clinical trial sponsors (including CROs) and how/when such obligations can be transferred. Since I couldn’t retrieve the Core Lab Partners 483, I’m unable to comment specifically on that example. However, sponsors and partner CROs sub-contract specific pieces of work to 3rd party vendors all the time (whether EDC, IV/WRS, site management, IP manufacturing, etc.) in the normal course of the clinical trial enterprise. In doing so, the sub-contracted activities don’t necessarily fall under Part 312.52 (Transfer of Obligations) provisions or, for that matter, impact on regulatory obligations per Part 312.50.
I think we’re in agreement on most things. The difficulty is that when things go wrong at these companies, enforcement is difficult because of the lack of clarity in the regulations that apply to clinical research.
The status of the company delegated research activities (CRO or whatever you want to call it) may not make the CRO responsible for the delegated activities. If the study sponsor does not clearly delegate research activities to a valid CRO, the responsibility for the delegated activities remains with the sponsor. The delegation must be in writing and it will determine if the sponsor intended to delegate some research activities to other companies and whether the delegation was done according to regulatory requirements. FDA should know whether the delegation is valid prior to inspecting the “CRO”. If not, then FDA should inspect the sponsor as the organization responsible for the activity being audited. Research activities for device studies can not be delegated to a CRO; the sponsor will always be held responsible.
That’s an interesting difference with devices. It’s not clear how the FDA could inspect a sponsor when the work is done by another company (like a central clinical lab or an ePRO provider). Could you explore that a little more?