The Only Thing You Have to Fear Is...
In last week’s blog, Risk Averse? [31-Jan-2018], driving to work was used as an example to alleviate anxiety about risk assessment and risk management. While that was hopefully a useful, and a bit humorous, analogy, let’s move on to some GCP-specific examples this week.
For this exercise, our GCP activity will be clinical investigator study site monitoring for a phase 3 registrational trial with US-only study sites. The goal of the risk assessment is to develop and document the monitoring plan for this study. Monitoring plans are perhaps the most common GCP example of risk management and are mentioned by the FDA, EMA, and in the ICH E6_R2 guidance.
In order for risk management to be effective, we must focus time and effort on the first two steps of risk assessment: 1) be clear about what exactly is being assessed in order to adequately define the possible unintended outcomes specific to the conditions of that situation; and 2) for those conditions, determine the likelihood of those issues occurring.
Let’s make our example a pediatric study of a new drug for treating the flu in 5- to 16-year-olds. What are some “conditions” of this situation that you might need to understand to define the possible ‘things that could go wrong, and likely will go wrong’? Here are just a few examples of what you could need to consider:
Conditions of the protocol: Length of enrollment and follow-up periods; extent of assessments; primary endpoints and exploratory ones; potential side effects of the study drug?
Conditions of the clinical investigator/study sites: Types of sites; level of experience of the clinical investigators; Sponsor’s previous experience with the study site?
Conditions of the data collection and management: EDC or not; DSMB or none?
This is not a complete list, but just a few ideas to help illustrate that developing an effective monitoring plan relies on mitigating what might go wrong in that specific study, not just in clinical trials in general.
Why such emphasis on these first two steps? Well, let’s think about just this one component:
If the monitoring plan assumes that all the clinical investigators/study sites are experienced academic research institutions, what if the reality is that several study sites are brand-new pediatric private practices that have never done a clinical trial before?
With those inexperienced private practices, possibly overwhelmed during the flu season, what are some of the risks, and their likelihood, that just got left out of the risk management (monitoring) plan based on the initial, incorrect assumption?
It’s realistic to assume that the incidence of issues and their frequency is potentially greater at a busy, inexperienced site whose focus is not clinical research. They are not unmanageable risks; they just require different mitigation because they are different risks specific to those conditions. For example, allocating resources for monitoring those sites early on in person, focusing on GCP compliance, could be very helpful in avoiding, or quickly correcting, issues that could impact study subject safety or data integrity.
Which brings us to the next phase of the risk assessment process: evaluating the potential impact of the risks, especially the most significant ones. In the case of clinical trials, the most important risks to consider and manage are those with the potential to impact study subject rights, safety and welfare, and/or data integrity. Things like enrolling ineligible subjects, not completing safety and efficacy assessments, and not documenting the informed consent process are obvious examples of potentially significant impact.
The ability to detect (or not detect) risks can often be overlooked in the risk assessment process. But this can be quite important to mitigation, depending on the situation and the conditions. Here is an example:
If the study is using EDC for data management, detecting missed visits/missing information can be relatively easy to do remotely and quickly.
Inadequate documentation of informed consent (indicating that the process might have been insufficient to adequately protect the subjects’ rights) generally requires an onsite monitoring visit to review source documentation.
So, consider in your monitoring plan how you would accommodate the difference in these risks, their impact, and the ability to detect them and, therefore, correct them before they become systemic.
These four steps lead to the conclusion of the risk assessment process, which is ranking the risks from critical (high) to minimal (low). That is usually done by assigning weighted numeric values to what has been defined – the issue, its likelihood, its impact, and its detectability – and calculating a final score or rank. The final ranking guides risk management time, effort, and resource planning.
It is important that your risk management activities do not completely ignore the moderate (or low) risk areas that could accumulate and become serious, high risk problems. In the scenario used above, don’t entirely disregard monitoring the experienced academic research sites just because their risk ranking might be lower.
Finally, because the occurrence of risks in human-based activities like clinical trials (or driving to work) is dynamic, your risk management plan needs to include not only executing the mitigations but also evaluating their effectiveness and, if necessary, making adjustments at meaningful intervals. For example, in our short-duration flu study, evaluating the effectiveness of the monitoring plan would need to be early and often; in a longer-term, slower-enrolling oncology study, the first evaluation might be early and then based on the rate of enrollment thereafter.
Whew, that was a lot of information to cover! But, I only scratched the surface and provided just a few, hopefully helpful examples. It would be great to hear from you about your experiences with risk assessments and risk management. What are some of the ‘road maps’ you have used to reach the GCP compliance destination?
Let’s start a conversation! Follow QCRP Solutions, Inc. on LinkedIn for more quality assurance, regulatory compliance and process excellence topics. Contact me at firstname.lastname@example.org to learn more about our services.