Vendor Quality Assurance Audits: A Formula for Success

The contracting of trial activities to vendors is now commonplace in clinical research. However, determining what regulations are in place and how to develop a system of oversight is often difficult for sponsors.

Looking through GCP regulations¹ can prove frustrating. There are no requirements for clinical quality assurance and no references to auditing vendors. Also, the FDA has well-defined expectations in some areas, but is less clear in others.

Developing a program of quality assurance for vendor oversight is important for sponsors concerned about the quality of their trials. This article attempts to provide a regulatory context for managing three important GCP vendors: CROs, clinical labs, and site management organizations (SMOs).

Where to begin

It is helpful to look at the FDA's two main concerns when conducting a GCP inspection at a sponsor of clinical research.² They are:

• The integrity of the data submitted to the agency in support of an application

• The protection of the rights and welfare of human subjects in clinical research.

A useful guidance for data integrity and human subject protection is the International Conference on Harmonization (ICH) document E6, Good Clinical Practice: Consolidated Guidance.³ We learn in section 5.1.1 that the sponsor should develop "quality control systems with written SOPs." And in section 5.1.3 we learn that "quality control should be applied to each stage of data handling."³

In some ways, the data integrity portion of GCP compliance is that simple: "Each stage of data handling." Many GCP vendors are hired to do just that. They handle and process data from a trial. So, the first component of any GCP compliance activity is to determine data flow. Each entity, such as a statistician, that handles data from the time the subjects have signed the informed consent form until the time the database is locked needs consideration.

CRO Audits: Areas to Cover

Next, "each stage of data handling" needs to be determined. For example, a study coordinator enters a subject's blood pressure into a case report form. That is a stage of data handling. The sponsor contracts with a CRO to send a monitor to review the CRF. That is a quality control system. It all sounds pretty simple at first. However, the devil is in the details. Looking at the different types of organizations that handle the data shows why.

Contract research organizations

The most common vendor performing work on clinical trials is the CRO. Most CROs provide a variety of functions. They are also the only vendor that is specifically covered in the regulations. FDA's regulations state: "A sponsor may transfer responsibility for any or all of the obligations set forth in this part to a contract research organization."⁴ This transfer must be in writing and all CRO responsibilities must be described in detail.

However, the sponsor cannot just sign away its responsibilities and forget about them. Ultimately, the sponsor is always responsible. After all, it is the sponsor's investigational product, and it is the sponsor who submits the data to the agency. Thus, it is important for a sponsor to conduct due diligence by auditing the CRO prior to the enrollment of subjects. This is particularly true if it is the first time the sponsor is using the CRO. The sponsor's clinical quality assurance team or an outside contractor can conduct the audit.

Auditing an SMO

It is important for a sponsor to have written procedures for audits. A written plan for the specific vendor audit is highly recommended. The plan should cover each stage of data handling the vendor will be performing. Other areas to cover in a CRO audit include staff qualifications, experience in the therapeutic area of the study, written procedures, workload, and internal quality control and quality assurance activities.

Sponsors should seek input from each department impacted by a CRO. Clinical development, data management, and drug safety departments can provide insight regarding CRO qualifications and should be consulted regularly.

The most common responsibility transferred to a CRO is monitoring. An important component of monitoring is reviewing CRFs against source documents for data integrity. But is that the only stage of data handling? Were specimens or ECGs collected? These are also stages of data handling and need to be conducted under quality control with written procedures.

A monitor will also have other responsibilities, including review of regulatory documents for submission of adverse event reports and IRB approval. A monitor will need to review informed consent forms. This is necessary for the protection of human subjects—FDA's second major concern—and should be a part of the monitoring plan and procedures.

It is important to note that the medical device IDE regulations⁵ are silent about CROs. Although the FDA realizes that CROs are often used in medical device clinical trials, the regulatory responsibility always rests with the sponsor.

Clinical laboratories

If the regulations are clear regarding CROs, the opposite is true for contract clinical laboratories. There is noticeable regulatory silence when it comes to clinical laboratories.

FDA does not have any specific guidance or regulations applicable to clinical labs that support trials. Consequently, many organizations look to the Clinical Laboratories Improvement Amendments (CLIA) for regulatory guidance. However, CLIA specifically states that it does not regulate research.⁶

What to do? In spite of this, CLIA is still a very good place to start. FDA recognizes CLIA certification as the principle government standard for laboratories, and it is acceptable to FDA as a standard for diagnostic laboratory tests.⁷ In addition, many industry auditors use the Good Laboratory Practice (GLP) regulations, 21 CFR Part 58, as an audit guide. These regulations govern FDA's oversight of nonclinical laboratories, primarily animal laboratories, for toxicity and other safety testing. They are not, however, meant to govern all laboratories that perform analyses for FDA regulated products.

There is no requirement for GLP, CLIA or any other lab certification for a clinical trial. The sponsor is pretty much on its own when it comes to qualifying a clinical laboratory.

So, what criteria should be evaluated in an audit of a clinical laboratory? Once again we start with quality control with written procedures at each stage of data handling.

Follow the flow of a specimen from time of receipt to storage, destruction or return. There should be written procedures at each stage of data handling. In addition, the audit should determine that employees are qualified, the equipment calibrated, and that data can be attributed to a specific sample number. Labeling by subject identifiers is essential so that specimens throughout the analysis and final lab report are accurately correlated by data to subject. The data are worthless if you do not know which subject you are dealing with.

Finally, just because a laboratory has analyzed a sample and generated a report does not mean the data have been successfully transferred to the sponsor. How does the lab send the data? By FedEx? By email? In what format is the report? Is it a printed form or a spreadsheet? This is a stage of data handling and needs quality control with written procedures.

Clinical labs are often very large places. Therefore, it is important not to get lost when conducting an audit. To avoid getting lost, focus on the areas important to the specific study.

It is worth noting that there is one place that clinical laboratories are subject to GCP regulations. The investigator is required to maintain adequate and accurate subject case histories.⁸ Laboratory reports are frequently part of those case histories, which is one reason why the investigator needs to list the clinical lab on Form FDA 1572 required by regulation.⁹

If the laboratory is under the clinical investigator's direct control and supervision, it would be covered by the regulations. This is more often the case for specialized instruments such as echocardiograph machines or ECGs and the technicians who operate them than for actual clinical labs.

Site management organizations

Many sponsors are using SMOs in an effort to improve subject recruitment and GCP compliance. However, it is a mistake to think that SMOs are regulated the same way as CROs. In fact, the regulations treat them both quite differently.

Why is this the case? It is a question of responsibility.¹⁰ Where the regulations allow the sponsor to contract certain responsibilities, they require the investigator to "personally conduct or supervise" the study.¹¹ Since the SMO contracts with the investigator and not the sponsor, it assumes responsibilities assigned to the investigator in GCP regulations.

Most SMOs provide study coordinators and other study staff. Staff members often participate in the recruitment of subjects and obtain informed consent.¹² Study staff will maintain study records, including disposition of the study drug/device¹³ and subject case histories. These are specific regulatory responsibilities of the investigator. If the FDA has a problem with the conduct of the study, it is the investigator, not the SMO, who receives regulatory correspondence, including a warning letter, from the FDA. This should be understood by every investigator prior to subject enrollment.

An SMO may have functions that are contracted responsibilities of the sponsor. These functions include the selection of a qualified investigator to conduct the study, test article accountability, and safety reporting.¹⁴ If an SMO has contracted with the sponsor or subcontracted with a CRO to perform regulatory responsibilities, then it can be held accountable by FDA. This certainly can be confusing. It's a question of responsibility—so the sponsor, investigator, and any contractors need to know exactly where responsibilities lay. This makes the auditing and qualification of an SMO a challenging task. Let's break things down into manageable portions.

SMO breakdown. An SMO is going to be critical to both data integrity and the protection of human subjects. Sometimes both of these FDA concerns are addressed in the same function. When a study coordinator elicits adverse events from a subject, there is concern regarding whether the data are accurate. There is also concern regarding whether the safety of participants in a clinical trial is being reviewed and addressed by the investigator or some other individual. So a primary concern should be the qualification of study staff.

Originally, most study coordinators were registered nurses. Nurses are trained to elicit adverse events from patients and know when to refer issues to a physician. Currently, study staff members are frequently not licensed medical professionals and there are no regulations that require an investigator to use nurses or other licensed health care workers. So it is important to examine how the investigator will delegate responsibility and supervise the trial. This should be established prior to subject enrollment and be periodically reviewed by monitors and auditors throughout the study. In addition, it still is important to have quality control with written procedures for each stage of data handling.

The sponsor will also want to conduct quality assurance activities at clinical sites during and after a study regardless if an SMO is involved. Although not specifically required, quality assurance audits are recommended by E6.¹⁵ Surveys show that most sponsors conduct audits at sites during the conduct of the study. Additionally, sponsors audit nearly 90% of sites chosen by FDA for inspection.¹⁶ These audits occur between the time FDA notifies the site and the start of the inspection, which can happen within less than one week. Although it might not be practical to audit every site, the sponsor should consider auditing sites that are high enrollers, have a very large or small number of adverse events, or have compliance issues well before FDA phones to schedule an inspection.¹⁷

Quality assurance audits should be separate from the sponsor's routine clinical trial activities. To encourage quality assurance activities, the FDA's Compliance Program Guidance Manual for sponsor audits¹⁸ prohibits review of QA audit reports under normal circumstances.¹⁹

Specialty vendors, computerized systems

CROs, clinical laboratories, and SMOs are three of the most common GCP vendors. But there are a number of other vendors, some of which should be audited.

In preparing procedures and audit plans, it is important to remember the two areas of FDA concern: data integrity and subject protection. Think about how the vendor will impact data and what steps need to be taken to ensure GCP compliance. In particular, determine whether there is quality control with written procedures at each stage of data handling.

An important area to examine with any vendor is computerized systems. The FDA is currently reassessing its implementation of the Part 11 regulation regarding computerized systems (Electronic Records; Electronic Signatures). It has issued a draft guidance for clinical trials that is less stringent than previous enforcement efforts.²⁰ The guidance states it contains "nonbinding recommendations." Although they may be nonbinding, they are the best we have until FDA determines how they intend to regulate computerized systems.

In auditing computerized systems, one will quickly discover that everyone believes they have a validated system. However, by asking a few quick questions, the term validation takes on many different meanings. The FDA guidance document offers a framework for writing an audit plan that covers Part 11. The guidance offers the minimum, not the maximum, standard that should be applied.

FDA may be using enforcement discretion for the time being, but the day will come when FDA resumes enforcement of Part 11. If the computerized system is critical for the integrity of the data being submitted to the agency, then the system should be validated and Part 11 compliant.

Conclusion

Using specialty GCP vendors is a necessity in conducting clinical research in today's research environment. By developing a strong, consistent program for quality control and quality assurance, a sponsor can ensure not only compliance with GCP regulations but also cost-effective quality research.

Carl Anderson is a senior consultant at Quintiles Consulting. Cathy Tashiro, PhD, RN, is associate professor of nursing at the University of Washington, Tacoma. Laurie Taddonio* is also with Quintiles Consulting, where she is director of bioresearch, 1801 Rockville Pike, Suite 300, Rockville, MD, 20852-1366, email: laurie.taddonio@quintiles.com

*To whom all correspondence should be addressed.

References

1. Code of Federal Regulations, Title 21, Parts 11, 50, 54, 56, 312, 511, 812 (U.S. Government Printing Office, Washington, DC).

2. Food and Drug Administration Compliance Program Guidance Manual (CPGM) 7348.810, Sponsors, Contract Research Organizations, and Monitors: Part 1–Background (FDA, Rockville, MD, 2001).

3. Food and Drug Administration ICH E6 Good Clinical Practice: Consolidated Guidance, Section 5.1, Quality Assurance and Quality Control, Federal Register Vol. 62, No. 90, pp. 25691–25709 (May 9, 1997).

4. Code of Federal Regulations, Title 21, Part 312.52 (U.S. Government Printing Office, Washington, DC).

5. Code of Federal Regulations, Title 21, Part 812 (U.S. Government Printing Office, Washington, DC).

6. Code of Federal Regulations, Title 42, Part 493.3(b)(2) (U.S. Government Printing Office, Washington, DC).

7. E-mail dated 1 August 2005 from FDA, OC GCP Questions to Carl Anderson.

8. Code of Federal Regulations, Title 21, Part 312.62(b) (U.S. Government Printing Office, Washington, DC).

9. Code of Federal Regulations, Title 21, Part 312.53(c)(1)(iv) v.

10. Code of Federal Regulations, Title 21, Part 312 Subpart D; Responsibilities of Sponsors and Investigators, 812 Subpart C; Responsibilities of Sponsors, Subpart E; Responsibilities of Investigators (U.S. Government Printing Office, Washington, DC).

11. Code of Federal Regulations, Title 21, Part 312.53(c)(1)(vi)(c) (U.S. Government Printing Office, Washington, DC).

12. Code of Federal Regulations, Title 21, Part 312.60 (U.S. Government Printing Office, Washington, DC).

13. Code of Federal Regulations, Title 21, Parts 312.62(a), 812.140(a)(2) (U.S. Government Printing Office, Washington, DC).

14. Code of Federal Regulations, Title 21, Part 312,55(b) (U.S. Government Printing Office, Washington, DC).

15. Food and Drug Administration ICH E6 Good Clinical Practice: Consolidated Guidance, Section 5.19–Audit, Federal Register Vol. 62, No. 90, pp. 25691–25709 (May 9, 1997).

16. H. Gertzen, "Clinical Quality Assurance Benchmarking," Applied Clinical Trials, June 2004.

17. M. Valania, "Quality Control and Assurance in Clinical Research," Applied Clinical Trials, March 2006.

18. Food and Drug Administration Compliance Program Guidance Manual (CPGM) 7348.810, Sponsors, Contract Research Organizations, and Monitors: Part 3–Inspectional (FDA, Rockville, MD, 2001).

19. D.R. Macintosh, V.J. Molloy, M.P. Mathieu, Good Clinical Practice: A Question & Answer Reference Guide, Barnett Educational Services, 2004.

20. Food and Drug Administration, Guidance for Industry: Computerized Systems Used in Clinical Trials, (FDA, Rockville, MD, 2004).