Q&A: Good clinical practice (GCP)
Sponsors contract out an increasing number of tasks in clinical trials. According to Art 7(1) of Directive 2005/28/EC and Art 71 of the Clinical Trials Regulation (EU 536/2014), any sponsor may delegate any of his trial-related tasks/functions to an individual, company, institution or organization. Nevertheless, where tasks/functions are delegated to a third party, the sponsor remains ultimately responsible for ensuring that the conduct of the trials and the final data generated by those trials comply with the requirements of Regulation (EU) 536/2014 as well as with those of Directive 2001/83/EC in the case of a marketing authorization application. This applies in particular to the safety of the subjects and the reliability and robustness of the data generated in the clinical trial.
Any trial-related tasks/functions that are delegated to a third party should be specified in a written contract and made clear between the sponsor, the third party and, when relevant, the investigator (e.g. responsibilities regarding safety reporting, see Q&A 5.4 in Q&A for Clinical Trials regulation).
Sponsors typically lack sufficient internal knowledge or resources to develop and/or manage the electronic systems used in clinical trials, such as systems used for randomisation and investigational medicinal product (IMP) distribution management/accountability (Interactive Response Technology (IRT)) and/or clinical trial data capture (eCRF and ePRO systems). Therefore, very often, sponsors delegate related tasks to third parties. In these cases, sponsors remain responsible for conducting the trial in compliance with the protocol and with the principles of good clinical practice (Clinical Trials Regulation Art 47, ICH E6(R2) section 5.2.1).
During good clinical practice (GCP) inspections of commercial as well as academic trials, an increasing number of deviations from GCP standards have been identified by the inspectors in relation to sub-standard contractual arrangements and related procedures. The aim of this Q&A is therefore to highlight aspects that show an increased frequency of deviations during GCP inspections and that should be prevented by improved contracts between sponsors and vendors of IT systems.
Special consideration should be given to relevant training and quality systems. Experience suggests that vendors accepting tasks regarding electronic systems are frequently knowledgeable about IT systems and sometimes data protection legislation, but not necessarily about ICH E6(R2) requirements, quality systems, etc. This Q&A should be read together with Q&A #2, which contains more general considerations on how contracting should be addressed, and with the Notice to sponsors regarding computerised systems, published on the EMA website in the GCP Q&As section. The examples of deviations are described as bullet points under the following headings: status of contracts, distribution of delegated tasks, standards to be followed, audits and inspections, serious breaches, compliance with the protocol, output and exemptions.
Status of contracts
The following contract-related issues have been identified by GCP inspectors in the context of clinical trial inspections:
- Missing contracts or only draft contracts in place.
- Contracts that were not in place at the time when the delegated tasks were initiated.
- Contracts that were not maintained/updated.
- Contracts that were expired and had not been renewed as appropriate.
Distribution of tasks
Due diligence should be exercised by the sponsor to ensure that the distribution of tasks is clearly documented and agreed by the vendor, and that each party has the control of and access to the data and information that their legal responsibilities require.
GCP inspectors have observed a lack of clarity with regards to:
- which tasks were defined in the contract (tasks are sometimes partially described or not described at all);
- which party is responsible for carrying out certain task(s) regarding generating, maintaining and archiving the relevant sections of the Trial Master File (TMF): emails, meeting minutes, system documentation such as trial-specific validation documents including documentation for user acceptance testing, specific codings, SOPs, etc. Inspectors have seen incomplete documentation provided to the sponsor or documents that have been lost due to a lack of clarity concerning the duty of document retention;
- details concerning the retention and sponsor access to non-trial-specific documentation; for example, software/system validation documents, vendor SOPs, training records, issues log/resolutions in helpdesk/IT ticket system, etc.;
- investigator’s control of their data and ownership of the data;
- location of data storage and control of this, for example use of cloud solutions;
- addressing potential system “down-time” and the preparation of contingency plans.
- The possibility of sub-contracting by the vendor is not always defined, including how the sponsor maintains oversight of contracted activities.
- The clinical trial applications are frequently incomplete regarding information on contracting out electronic data capture and/or randomisation.
Standards to be followed
The following issues have been observed by GCP inspectors regarding certain standards to be adhered to by the vendor.
- It is unclear/not mentioned according to which standard the vendor will conduct its delegated sponsors’ tasks, e.g. current legislation, ICH E6(R2), etc.
- Some vendors are more focused on data protection legislation than ICH E6(R2), which is reflected in standard contracts.
When the vendor fails to formally agree to comply with the applicable national and EU legislation related to the conduct of clinical trials, as well as with ICH E6(R2) requirements, the sponsor should consider whether the use of the vendor is appropriate for the clinical trial.
Audits and inspections
It is sometimes not stated that the sponsor should have access to conduct audits at the vendor site and that the vendor site could be subject to inspections (by national and international authorities) and shall accept these. In addition, it needs to be specified that vendors shall provide necessary documentation (e.g. qualification documentation prepared by the vendor in relation to the system) when requested during a GCP audit/inspection process.
Serious breaches
Reporting of “serious breaches” of GCP/Trial Protocol is a legal requirement in certain Member States for clinical trials conducted under Directive 2001/20/EC, and is a legal requirement in all Member States for clinical trials conducted under the Regulation (EU) No 536/2014 (Clinical Trials Regulation [CTR]) as provided for by Article 52 of the CTR. The EU portal (Clinical Trials Information System [CTIS]) has been set up to handle the notification of serious breaches in accordance with the CTR.
It is frequently not specified in the contract that the vendor should report potential serious breaches to the sponsor (for assessment and onward reporting) and reporting timescales for such reports are missing.
Compliance with the protocol
The protocol is part of specification for IRT/eCRF builds and therefore should be consistent with the protocol approved by the regulatory authority and given a favourable opinion by the independent ethics committee. Some contracts reviewed had inconsistencies between the protocol and the wording of the contract. Examples have also been seen where contracts referred to the version of the protocol applicable when the contract was signed, however there was no contractual requirement to cover the vendor obtaining any subsequent changes. There is a risk that the vendor could implement changes to the electronic system based on protocol amendments sent by the sponsor that have not been approved by the CA and REC. The contract or the vendor procedures should address how this would be prevented.
Output
In terms of output generated from the clinical trial, the following observations have been made by GCP inspectors:
- Information is often missing about agreed output during and after the trial. Output that in some cases has not been provided to the sponsor includes: metadata, specific types of queries, audit trails on CRF data, history and status of changes to users and their access rights, description of format for delivery of the complete database to sponsors, delivery to investigators, TMF delivery, etc. On several occasions it has been seen during inspections that pdf flat files have been delivered (e.g. the audit trails), which did not facilitate the production of a dataset that could be needed in an inspection.
- Arrangements about decommissioning of the database are not always clear, including the possibility to restore the database to its full functionality, for instance for inspection purposes. This has resulted in a difference in how the system can be inspected if it occurred during the live phase of the trial compared to when the trial ended (for example, obtaining access to the audit trail and exports of it as datasets).
- Arrangements to ensure an independent investigator copy of the data and to revoke investigator access to data were frequently not described.
Exemptions
It is important to be aware of any exemptions in the contract regarding specific functionalities of the data collection system.
For example, GCP inspectors have also noted contracts stating that a data collection system cannot be used in the handling of e.g. serious adverse events, although the same system was actually used for exactly that purpose (i.e. automatically generating emails to safety departments, etc.).
Amendment - April 2020
Qualification and validation particulars
On the basis of recent GCP inspection findings, inspectors would like to reiterate that sponsors should contractually ensure:
- That all tasks relating to a clinical trial and/or tasks relating to the qualification and validation of a system are clearly described, including which party holds documentation for which activities.
- That sponsor pre-qualification audits or other on-site pre-qualification activities and later audits of the IT vendor can take place. It should also be ensured that these audits and/or other on-site pre-qualification activities are performed with a sufficient amount of time and that sufficiently in-depth review of the vendor qualification documentation is performed in order to establish the qualification and validation status of a system.
- That GCP inspections can take place at the vendor in case the vendor is performing services for the sponsor, when the sponsor has relied fully or partly on the vendor to perform the qualification activities and when it was established during the inspection of the sponsor that part of the documentation can only be verified by inspection of the vendor.
- That any qualification documentation prepared by the vendor in relation to the system should be available for inspection.
- That the sponsor has access to the vendor’s system requirement specifications, if the sponsor chose to perform all qualification activities themselves and/or if the vendor does not agree to undertake qualification activities for the sponsor. In case the sponsor retains the full duty/function for the qualification and validation of the software, the sponsor should possess all the necessary information and documentation upfront to be able to carry out this task.
- That the vendor should escalate any potential serious breaches to the sponsor in a timely manner, including security breaches that they become aware of (e.g. by notification from other sponsors using the same system), if they could have any impact on the data integrity, reliability and robustness and on the safety and rights of the trial subjects.