In David Fogel’s published review of 30 years of clinical trial research operations, he sums up the likelihood of study success by saying:
“Clinical trials for pharmaceuticals and medical devices offer many opportunities for failure.”1
In recent years, technological advances have helped streamline clinical trial management through clinical trial management systems (CTMSs). Centralized electronic systems that ensure study integrity and subject safety are minimizing the opportunities for failure in research. However, validating and maintaining these E-Systems for clinical research takes a concerted regulatory guidance effort by numerous governing bodies, and that guidance remains in flux as the electronic market continues to grow and change.
This article will briefly cover regulations that touch on CTMSs and the primary considerations for institutional compliance.
To begin, we should understand what a CTMS is and why it is needed.
A CTMS is a one-stop shop that houses the documents, data, and information needed to organize, run, and maintain clinical trials. Often, there is confusion and misunderstanding regarding what a CTMS is and its application in the clinical trial arena. It is essential to point out that a Clinical Trial Management System is distinct from clinical trial management software. This is because it is relatively uncommon for a single user to touch all aspects of the system as a whole. Many research professionals who utilize a CTMS think of it as a primary way to capture trial data or as a recruiting tool, but this is only the tip of the iceberg. A CTMS’s primary function should be to centralize and streamline the way a trial is conducted, providing an end-to-end solution for managing all aspects of a clinical trial.
Although some users will only have a working knowledge of a portion of the system, understanding the system in its entirety ensures its successful application and allows for appropriate compliance considerations.
As clinical trials become increasingly complex, healthcare systems and research organizations alike are depending more on the benefits of a CTMS. The right CTMS can support every aspect of the clinical trial, from recruiting and retention to safety and billing compliance and beyond. With the increased need for and use of CTMSs, there has been a subsequent increase in the need for compliance regulations to maintain the integrity of the clinical trial and to protect the subjects throughout this process of integrating electronic systems to facilitate medical care and clinical research. This has prompted several governing bodies to develop regulations and guidelines concerning the use of electronic systems in clinical care. As expected, these are being carried over to research requirements.
To ensure a seamless and speedy approval process, any software or software system used in clinical trials should comply with regulatory guidelines. Some cloud-based systems allow for the integration of clinical trial data into the current electronic medical record system already employed. But often, the sponsor or Contract Research Organization (CRO) will provide a working CTMS for contracted trials. In this case, it is crucial to ensure compliance guidelines are met to allow for appropriate use of the data, safety tracking, and overall subject health across multiple software systems.
Five main compliance guidelines are concerned with clinical trial software. We will touch on each one briefly:
- FDA 21 Code of Federal Regulations (CFR) Part 11
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- EU GMP Annex 11
- ICH Good Clinical Practice (GCP)
The primary objective of 21 CFR Part 11 is to ensure that electronic records and electronic signatures are as valid as paper records and handwritten signatures. The FDA maintains that 21 CFR Part 11 is currently a guidance or recommendation, not a regulation. However, they make it clear that they intend to enforce Part 11.
The main points of 21 CFR Part 11 focus on the following for electronic documents and records:
- Limiting system access to authorized individuals
- Use of operational system checks
- Use of authority checks
- Use of device checks
- Determination that persons who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks
- Establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures
- Appropriate controls over systems documentation
- Controls for open systems corresponding to controls for closed systems bulleted above (§ 11.30)
- Requirements related to electronic signatures (e.g., §§ 11.50, 11.70, 11.100, 11.200, and 11.300)
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the world's strictest privacy and security law. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU.
GDPR provides a legal framework for keeping personal data safe by requiring companies to have robust processes for handling and storing personal information.
The GDPR’s privacy and data protection regulations include the following:
- Requesting people’s permission before processing their data.
- Using anonymization to safeguard the privacy of acquired data.
- Notifying users of data breaches.
- Managing the cross-border flow of data securely.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
As we all know, HIPAA is the federal law that ensures protected health information (PHI) is used and disclosed by appropriate parties and in accordance with the laws enforced by the Office of Civil Rights. The Privacy Rule and the Security Rule are the two fundamental components of HIPAA. The HIPAA Privacy Rule defines standards for the protection of PHI. The Security Rule creates a set of federal security requirements for safeguarding health information stored or moved electronically.
By addressing the technical and non-technical measures that covered entities must implement to secure persons’ electronic PHI (e-PHI), the Security Rule operationalizes the Privacy Rule’s protections.
European Union Good Manufacturing Practice, Annex 11: Computerized Systems
Annex 11 states, “Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control, or quality assurance. There should be no increase in the overall risk of the process.”
Annex 11 is not a legal requirement, but the EU recommends its guidance.
International Council on Harmonisation Guidelines for Good Clinical Practice (GCP)
Good Clinical Practice (GCP) is an international ethical and scientific quality standard for designing, conducting, recording, and reporting clinical trials.
A combination of risk assessment, SOP (Standard Operating Procedure) adherence, and a security system that prevents unauthorized access to the data makes software compliant with GCP.
A CTMS is a valuable tool that allows visibility into a site's research operations at the touch of a button and in real time, changing the clinical trial world for the better. In today’s clinical research environment, having a disparate stand-alone system that tracks clinical trials is no longer enough. A successful CTMS solution will require integration with other systems, such as electronic health records (EHR), Institutional Review Boards (IRB), and financials, linking all pre-clinical and clinical research processes together. The marriage of these processes comes with the responsibility of system compliance to ensure that clinical trials meet the definitions of success in terms of safety, reliability, and integrity and are financially beneficial. While these five governing bodies and their goals in E-Systems' compliance are not a comprehensive list, these are the guidelines CTMSs should be striving to maintain. CTMS compliance will result in a more comprehensive approach to clinical trial management, hopefully leading to a more rewarding research experience for the subjects and the investigators. Adherence to guidelines across these new electronic platforms will also allow for the future advancement and development of more complex clinical trials.
As we move forward with technology integration in healthcare and clinical research, the development of compliance guidelines surrounding these ventures will change constantly. While David Fogel prefers to highlight the opportunities for failure in clinical research, I prefer the approach of Thomas Edison as he points out, “I have not failed. I’ve just found 10,000 ways that won’t work.” CTMS integration and compliance will ensure that our 10,000 ways will always be leveraged in the thriving clinical research market.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.