What Do Auditors Look for When Performing SDV and SDR?
Subject safety and reliability of data are paramount in clinical research. This blog outlines what auditors look for when performing source data verification (SDV) and source data review (SDR) during routine investigator site audits. Understanding what auditors are looking for and why will help ensure your next site audit goes smoothly, and that your site contributes quality data to help move research and human health forward.
How Do Auditors Prepare for an Audit and Select Data for SDV or SDR?
Before an investigator site audit, the auditor reviews the protocol(s) and other study documents to determine the critical data points and procedures for the study. They also identify what data for each selected subject should be of primary focus; this is usually inclusion/exclusion criteria, primary and secondary efficacy, and safety data.
A key part of investigator site audits is the review of subject source data. The International Council for Harmonisation (ICH) defines source documents as original documents, data, and records (ICH E6[R2] 1.52). An auditor requires direct access to source data (or certified copies), and these can be in either paper or electronic format (ICH E6[R2] 4.9.7).
- Paper sources can include study-specific subject worksheets or checklists, nurse and physician notes, drug accountability forms, subject questionnaires, printouts from automated instruments, and even scribbled scrap notes/stickies.
- Electronic sources can be electronic health records (EHR) or electronic medical records (EMR), electronic patient reported outcomes (ePRO), electronic clinical outcome assessments (eCOA), electronic case report forms (eCRF), interactive response technology (IRT, IXRS), laboratory reports, scans/images, as well as certified electronic copies of paper sources (e.g., referral letters, medical history reports, study worksheets).
- In some cases, data can be recorded directly into the eCRF. However, the protocol should specifically identify the information that may be recorded into the eCRF (ICH E6[R2] 6.4.9).
The auditor looks at information differently than a monitor. Generally, site audits are performed on a sampling of sites participating in a clinical trial. Unlike a monitor, who regularly visits the site, an auditor typically only has two or three days on-site to complete the audit. Given the limited time for reviewing source data, the auditor prioritizes and typically samples the data and subjects they will examine. The auditor performs a mix of SDV and SDR, along with other activities, to assess the conduct of the trial and the integrity of the data.
Here are some quick definitions of SDV and SDR:
- SDR is the review of the source documentation to check on quality, protocol and GCP compliance, staff involvement, and other areas not associated with a case report form (CRF) data field.
- SDV is the process by which data within the CRF/eCRF are compared to the original source of information (and vice versa) to confirm accurate data transcription.
Where reduced or risk-based SDV is implemented for monitoring, the auditor will include a sample of both monitored and unmonitored data.
What Kind of Documentation Is Assessed During the SDV or SDR Process?
When performing SDV, it is important to confirm where data are first recorded and where they are located (the original source data) in case information is captured in multiple places. For example, medical history and current medication can be summarized in a study-specific subject file, but the original source would be the medical history records. Source data is the first place the information is documented. Often a site will complete a source data agreement form to identify the source.
The auditor verifies the following when conducting SDV or SDR during the audit:
Informed consent form (ICF) is signed prior to any study procedures being conducted. Without a signed ICF, the auditor is unable to access subject source documents. The auditor will verify there is documented evidence of consenting (and re-consenting, if applicable), that appropriately delegated persons conducted the consent process, and that subjects have personally signed and dated the ICF(s). In addition to signed ICFs, there should be evidence in the medical notes to confirm the subject was given the opportunity to read the ICF and ask questions, the subject consented, and the subject received a copy of the ICF.
Source data are adequate and accurate, and include all pertinent observations on each of the site’s trial subjects (ICH E6[R2] 4.9) via SDV and SDR for a sample of subjects. Source data should be:
It needs to be clear who made the entry, and the data need to be legible, clear, and recorded in a timely manner. Remember that auditors look for where data is first recorded (original). The auditor may look for things such as:
- A photocopy of an electrocardiogram (ECG) to ensure the data are enduring. ECGs are sometimes printed on thermolabile paper, which can degrade over time.
- A reason why a source entry was corrected or updated, as well as who made the entry. The original content should not be obscured, and the change should be initialed and dated by the person making the change.
- The timing of each physical examination or investigational medicinal product (IMP) administration, if a protocol requires eCOA completion prior to such activities. If a per-protocol infusion period is specified, the start and stop times should be recorded to show protocol compliance.
Physician (a principal investigator [PI] or sub-investigator [SI]) has sufficient oversight. For example, an investigator should make the eligibility decision, prescribe IMP, and review laboratory/ECG reports, concomitant medications, and other safety information. The investigator is expected to confirm his or her review via signature and date and include a comment (e.g., normal, not clinically significant, clinically significant) on laboratory results or other protocol-required testing. The auditor will confirm the review was performed in a timely manner, as this could potentially affect subject safety. If there were significant findings, the auditor will check if adverse events (AE)/serious adverse events (SAE) have been reported.
Evidence in the source that all inclusion criteria are met, and none of the exclusion criteria are met. This includes positive and negative evidence. For example, if the protocol requires a subject to have had a stroke, then there should be evidence in the notes that a stroke occurred. If an exclusion criterion is “history of malignancy in the past five years,” and no cancer is indicated in the notes, researchers should provide a statement to confirm there was no history of cancer. This documented evidence can be in the form of a study-specific inclusion/exclusion checklist, which the PI or SI must sign and date.
Protocol adherence. Were protocol deviations identified by the CRA? Did any deviations affect subject safety and/or scientific value of the trial? If so, what actions were put in place to correct and/or prevent these issues from recurring? How is it documented in the source (ICH E6[R2] 4.5.3)?
SAEs reported in a timely manner. This includes reporting to the sponsor and the institutional review board (IRB) or ethics committees (EC) as required. Additionally, the auditor will want to see who completed the SAE form and documented evidence of investigator oversight.
EHR is compliant with 21 CFR Part 11. If an EHR is used, the auditor will request some system information from the site. This may include the system name, validation status, restricted access, details of who made an entry and when, and if changes can be made. The auditor will also ask if an audit trail is in place and, if so, whether it is accessible and human-readable. They will likely also want to know if it’s possible to log medical review onto, for example, an electronic local lab report.
COVID-19 Impact on Audits
Due to the COVID-19 pandemic and associated public health restrictions, recent site visits and audits were either not possible or limited. However, it is still important to review study data and source documents in a timely manner. One possible solution for remote monitoring and auditing is for the site to create certified copies of source data and make these available for remote review. ICH E6(R2) defines a certified copy as “a copy (irrespective of the type of media used) of the original record that has been verified (i.e., by a dated signature or by generation through a validated process) to have the same information, including data that describe the context, content, and structure, as the original.”
The site can scan the source documents into PDF files and track them in a log. This can serve as a validated process if performed in a way that the scanned image is a complete and accurate copy of the original. The signature of the person scanning can help by assuring that they reviewed the scanned image and that it was a true representation of the original (complete and accurate). Of course, there are data protection regulations to consider, so access should be limited to persons who normally review (e.g., monitors, auditors, inspectors).
The rule of thumb for ensuring smooth SDV and SDR during an audit is to document everything. As the Food and Drug Administration (FDA) notes, all information must be documented; “if it is not documented, it did not happen.”