When Is A CRO Not A CRO? (And why does that make enforcement hard?)

It sounds like a CRO.
But is it really a CRO?

What do the following types of companies have in common?
  • Electronic data capture (EDC) software providers
  • Central image / electrocardiogram (ECG) / spirometry readers
  • Central clinical labs
  • Electronic patient reported outcome (ePRO) software providers
They're not Clinical Research Organizations. 
That's right. They're not CROs.

When you finish reading this article, you’ll be able to:
  •  Tell the difference between a CRO and a clinical service provider who is not a CRO
  • Explain why enforcement (in the U.S.) is challenging
  • To understand why they’re not CROs, let's step in the time machine.
Once upon a time...
Investigator site personnel recorded observations about clinical trial subjects in paper medical charts. Lab work was performed and interpreted at a local lab; X-rays and ECGs were taken and interpreted locally; and results were sent back to the investigator.

Site staff transcribed the relevant data onto paper CRFs, which were triplicate, carbonless forms. When the sponsor's CRA monitored the site, a complex process of source data verification and data corrections began, all of which was recorded on paper forms, and all of which was visible to the investigator.

This article is related to the White Paper:
How Regulated Companies Can Improve the Contract Management Process to Increase Efficiency and Reduce Risks

To get the full details, please download your free copy.

The CRA turned one copy of the carbonless CRFs into the sponsor's Data Management department. The sponsor's data entry staff performed double data entry into a clinical database. This process in turn generated additional queries that were managed on paper forms shared back with the site.
Sometimes the sponsor delegated some of their responsibilities to other people or companies. This included responsibilities like monitoring, writing protocols and clinical study reports, and managing clinical trial data.

This is the world into which 21 CFR Part 312 was born.

21 CFR Part 312
Sponsors were allowed to delegate their responsibilities to CROs, as long as that delegation was well-documented. Clinical investigators were nearly equal partners with their pharma sponsors. Clinical investigators controlled their data.

The investigator's recordkeeping responsibilities covered in 312.62 not only made sense: they were reality.

The investigator's recordkeeping responsibilities still make sense, 
but reality has changed.

What changed?

Sponsors have transferred some of the investigators' obligations to 
themselves and to these clinical service providers.

EDC Example

Nearly all sponsors use EDC technologies. Let's zoom in for a closer look at a simplified example.

312.62(b) requires investigators “to prepare and maintain adequate and accurate case histories that record all observations and other data pertinent to the investigation …. Case histories include the case report forms.” Part 312 makes no allowance for investigators to delegate these obligations.

EDC providers create software that have databases and user interfaces allowing users to design eCRFs, enter data, run automated edit checks, issue queries, monitor data, and manage users. They host the servers on which the application runs and data are stored, but are not involved in any of the data management activities.

Sponsors contract with EDC providers to use their software. Sponsors design the eCRFs in the system to collect the protocol-required data; program intra- and inter-form edit checks, test the system, deploy it for use; train the users; and manage user access.

Investigator sites use the EDC system to enter protocol-required data into the eCRFs. When they save an eCRF, a record is created in the EDC provider’s data base.

Because the sponsor has not delegated any of their responsibilities to the EDC provider, the EDC provider is not a CRO.

However, both the sponsor and the EDC provider have a role in ensuring that once an eCRF record is created by investigator site staff, it is maintained in such a way that it is still adequate and accurate, is available to the investigator, and is retained for the record retention period. After all,

  • The records are not under the investigator’s control
  • The investigator has no contractual relationship with the EDC provider
  • Both the sponsor and the EDC provider have users with elevated privileges
  • The sponsor may be making self-evident corrections to the investigator’s data
  • The sponsor controls user access to the investigator’s data

You could make the case that the sponsor has transferred some of the investigator’s responsibilities to themselves and to the EDC provider.

How does this affect regulatory enforcement?

There aren’t many examples to draw on to demonstrate the issues with enforcement when a clinical service provider isn’t a CRO.

Why is that?

When FDA conducts an inspection, they must link findings directly back to predicate rule requirements (e.g., 21 CFR Part 312). If the actor and activity cannot be linked to the predicate rule because of the way obligations have been transferred, writing a finding becomes very difficult.

Take the 25-day inspection of CoreLab Partners, Inc. in July and August 2010 as an example (483 issued 2 September 2010, FEI number 3008410340). Because the company was not a CRO, multiple observations were written as if the company was a sponsor and its radiologists were clinical investigators. From a data integrity and availability perspective, Observations 1 and 4 are the most interesting.

Observation 1 dealt with computer systems used to blind image files, store and version image files, and read and annotate image files. Perceived inadequacies in audit trails resulted in FDA citing the company for “Failure to prepare or maintain accurate case histories with respect to observations and data pertinent to the investigation.” (An investigator responsibility under 312.62(b).)

Observation 4 dealt with copies of original source documents, which were used in the image adjudication process. These copies, which were important to determine if readers had been "truly blinded," had been discarded. This led FDA to conclude “Records and reports were not retained for two years after marketing application approval.” (An investigator responsibility under see 312.62(c).)

Observation 2 cited the provider for failing "to select qualified investigators" and ensuring "the study is conducted in accordance with the protocol and/or investigational plan." (A sponsor responsibility under 312.53(a).) Similarly, Observation 3 stated, "Investigators who were not qualified by training and experience as appropriate experts were selected to investigate a drug." (See also 312.53(a).) And finally, Observation 5 cited the provider for failing "to obtain from an investigator a commitment to update financial information, to allow complete and accurate certification or disclosure statements." (A sponsor responsibility under 312.53(c)(4).)

Well-written observations, but somehow they feel awkward.

They feel awkward because the regulations, as currently written, don’t support business as it’s conducted today.

Do we need to revise Part 312? Of course we do. What are the obligations associated with clinical trials? Who is responsible for them? Can the responsible party delegate the obligations? If not, and the obligations are delegated or transferred anyway, how can FDA effectively enforce the regulations to protect clinical trial subjects and the larger population of patients, once a drug is approved? (Too big to blog!)

Jamie Colgin specializes in integrated computer system compliance audits. Unlike other CSV consultants and auditors, her comprehensive approach clearly identifies where your risks and issues are, links them to GLP and GCP regulatory requirements, and visually interprets them for easier understanding and communicating with your executive team or sponsors. Contact her for assistance with audits, mock inspections, remediation, or on-the-job training for your promising staff. http://www.colginconsulting.com.