GCLP: Sample Management, Conduct of

The Work, Data Recording, and Data

Reporting
Contents
1. Contents
2. Introduction
3. Sample Management
1. Lifecyle of sample
2. Chain of custody
3. Compromised samples
4. Management of unexpected samples
5. Anonymization of samples
6. Tracking of samples
7. Sample storage
4. Conduct of the Work
1. Contracting aspects
2. Analysis of the sample
3. Responsible person within the laboratory
4. Sponsor notification of deviation
5. Documentation
5. Data Governance and Data Integrity
1. What do we mean by Data Integrity and Data Governance?
2. Data Governance
3. Organisational controls include:
4. Technical controls may include:
5. What is data?
6. Importance of Data
7. The Data Lifecycle
8. Data Risk
9. Data Backup
10. Audit Trails
6. Specific Guidance
7. Recording of Data – Laboratory Results and Associated Records
8. Reporting of Laboratory Results
9. Summary
10. Quiz

Introduction
Having reliable data is a fundamental principle to ensuring quality and safety. This can be of trial
participants and the data generated, or during the manufacture of medicinal products for
investigational and commercial use. Data that is generated by laboratories involved in the
analysis or evaluation of clinical trial samples is critical to ensure the safety of trial participants,
the integrity of trial data and ultimately in ensuring that the medicines that we all use are safe
and efficacious. This data may be used to inform key decisions during the drug development
process, such as by safety-monitoring boards when making the decision to increase the dose of
an IMP in dose escalation studies. It may also be used by regulatory agencies when making
decisions whether to grant an authorisation to market a product to treat its intended indication.

In ensuring the quality and reliability of our data we must also look at the lifecycle of the data
and how this is managed within the laboratory to ensure that what is recorded and reported is
reliable and correct and has not been altered in any way. This will include the data that supports
how samples are managed and handled within the laboratory and during the conduct of the
analysis. In recent years this has become a major focus of regulatory agencies during
inspections of organisations involved in the conduct of clinical trial work. It is often referred to as
principles of data governance and data integrity, and regulatory inspectors will evaluate an
organisation’s policies, systems and procedures for managing this. Some regulatory authorities
require organisations to notify them of significant failures in data integrity.

It is important to emphasise that this is not a new requirement or expectation. Indeed, the ICH
E6(R2) Guideline on Good Clinical Practice (ICH-GCP) makes reference to this throughout the
guideline, including: (GCP principles guidelines number):

2.10 requires that “all clinical trial information should be recorded, handled and stored in a way
that allows its accurate reporting, interpretation and verification. This principle applies to all
records referenced in the guideline, irrespective of the type of media used”

2.13 requires “systems with procedures that assure the quality of every aspect of the trial
should be implemented. Aspects of the trial that are essential to ensure human subject
protection and reliability of trial results should be the focus of such systems"

4.9.0 “The investigator/institution should maintain adequate and accurate source documents
and trial records that include all pertinent observations on each of the site’s trial
subjects. Source data should be attributable, legible, contemporaneous, original, accurate and
complete. Changes to source data should be traceable, should not obscure the original entry,
and should be explained if necessary (e.g. via an audit trail)"

5.5.1 The sponsor should utilize appropriately qualified individuals to supervise the conduct of
the trial, to handle the data, to verify the data, to conduct the statistical analyses, and to
prepare the trial reports.

5.5.3 When using electronic trial data handling and or remote electronic trial data systems, the
sponsor should:

(a) Ensure and document that the electronic data processing system(s) conforms to
the sponsor’s established requirements for completeness, accuracy, reliability and
consistent intended performance (i.e. validation)

(c) Ensure that the systems are designed to permit data changes in such a way that
the data changes are documented and that there is no deletion of entered data (i.e.,
maintain an audit trail, data trail, edit trail)

(d) Maintain a security system that prevents unauthorised access to the data

(f) Maintain adequate backup of the data

5.5.4 If data are transformed during processing, it should always be possible to compare the
original data and observations with the processed data

We are all responsible for the quality and integrity of the data that we generate. In order to
facilitate this, Laboratory Management has a responsibility to ensure that there are appropriate
data governance systems supported by documented procedures in place that address and
minimise the risks to data integrity. The measures taken should be proportionate to the risk that
the data represents. Management should also promote good cultural and behavioural practices
within the laboratory, communicating expectations to staff at all levels of the organisation,
enabling them to report failures and opportunities for improvements, without fear of retribution,
reducing incentives to falsify, alter or delete data.

This training module will examine key requirements placed on a laboratory to ensure that the
samples are managed appropriately and the work is conducted correctly according to GCP
requirements, in order to ensure the results that are reported are true and can be relied upon
when making important decisions using the data.

Sample Management
The identification, collection, processing, handling, storage, analysis and destruction of clinical
trial samples from human subjects is a vital part in ensuring the trial results that are reported to
Investigators, Sponsor’s and their representatives are true, accurate, complete and reliable.
This is essential first and foremost to ensure that the safety of trial participants is not
compromised in any way, but also to ensure the integrity of the data. Many of the points
discussed in this section will also be applicable to materials such as reference standards and
other reagents used in the analysis, as incorrect management of these may impact the trial
results.

Lifecyle of sample
In looking at sample management, we should think about the lifecycle of a sample. Firstly we
need to consider how the samples are going to be collected. Typically it will be clinical staff at
Investigator Sites that collect clinical samples from trial/study participants, but at some sites
local laboratory staff may be directly responsible for taking the sample from the subject.
Instructions for this may be specified within the trial protocol, but routinely clinical sites will be
provided with a trial-specific Laboratory Manual with detailed instructions such as the types of
tubes in which to collect the sample, how samples tubes should be labelled, how samples are to
be processed and stored, what analysis is to be performed and what samples have to be
shipped to other laboratories and when they need to be sent.

The Laboratory Manual will typically be written by the Sponsor, CRO managing the trial on behalf
of the Sponsor or central laboratories performing the analysis of samples. It is important that
these instructions are carefully reviewed and approved against the trial protocol to ensure they
are consistent and correct with the trial requirements.

Some laboratories may be involved in producing clinical sample kits which they distribute to the
clinical sites in order for the samples to be collected. Laboratories that do this must have
systems with documented procedures for producing these kits and this should include an
appropriate level of Quality Control to ensure that the tubes have been prepared and labelled
correctly.

If sample collection kits are used, whoever is involved in the collection of the samples at the
clinical site (clinical or laboratory staff) must ensure that the correct kit is used to collect the
sample from the correct subject. Mix-up of samples does occur at clinical sites (and at
laboratories) and this could have a significant impact on subject safety and data integrity.

The sample should be labelled appropriately to ensure the identity of the sample e.g. to the
subject ID and timepoint of the trial that it has been taken. Samples should not be labelled with
identifiers that could breach data confidentiality rules, such as the name of the subject and
hospitals numbers.

Regulatory requirements in some countries also do not permit subject initials and dates of birth
to be used. The general rule would be to label the tube with the ID that has been allocated to
the subject for the trial, the date and time of sampling and the initials of the person who
collected the sample. Sample containers' labels may also be bar-coded to enable the chain of
custody of a sample to be automatically tracked.

A requisition form may also accompany the sample, which repeats the details on the sample
container and includes information about the analysis to be performed on the sample. It is
important that these are kept together with the sample to prevent any mix-up. The samples
may then be analysed on site, usually for safety, whilst other samples are processed, stored and
transferred to another laboratory. It is important that the samples are shipped under the
required conditions needed to maintain the integrity and viability and again this would be
detailed within the protocol or Laboratory Manual. Validated shipping systems and containers
may be used for this purpose, or temperature-recording data loggers may be included to
monitor the temperature of the samples during transit.

Chain of custody
Laboratories must have documented procedures in place for receiving samples into the
laboratory, for dealing with poorly labelled, missing and unexpected samples, and for tracking
their chain of custody within the laboratory. The data and time of receipt at the laboratory
should be recorded. All samples received by the laboratory should be assessed on arrival to
check their physical integrity. Depending on the sample, this can include evidence of tampering
or adulteration, haemolysis, volume, clotting, identity (labelling).

Compromised samples
If samples have been compromised in transit, the Sponsor or their representative, or the
investigator, should be promptly notified. Laboratory staff must ensure that all samples that
have been sent or are expected have been accounted for and this process should be
documented.

Management of unexpected samples

Unexpected samples may be received by a laboratory. These may be additional samples that
have been taken by mistake, and they may have also been ordered by clinicians for reasons of
subject safety. It may therefore be important not to delay the processing and analysis of these
samples. There should be a mechanism in place for the laboratory to confirm with the site the
purpose of these unexpected samples. Other samples may also not be sufficiently stable, for
delays in processing and analysis could result in sample degradation and loss, so in these
circumstances the analysis of the sample should proceed. In all cases the results from
unexpected samples should not be reported until confirmation of the purpose and reason for
the sample has been received.

Anonymization of samples
If samples (and their requisition forms) are received that bear subject identifying information
such as their name, then the laboratory should have a procedure for managing these samples.
This can include deleting the information on the label and informing the Investigator/Sponsor
representative, but it is important not to hide information that may be needed to identify the
sample during the analysis. If there is no other way of identifying the sample from the label, the
laboratory may need to assign an identifier to the sample and then mask the subject personal
information.

Tracking of samples
There should be a system for booking the samples in to the laboratory and for tracking its
movement and use in the laboratory, referred to as the chain of custody. This allows for the full
reconstruction of the chain of custody of the samples. Systems for doing this vary greatly from
using simple forms or spreadsheets, to use of sample tracking software systems. The latter
makes use of the barcodes referred to in an earlier paragraph, where the barcodes on samples,
storage units and analytical instruments can be scanned to provide full traceability of the
sample. This can include movement in and out of storage units and identification of the
equipment used to perform the analysis, including sample processing.

Sample storage
The samples must be stored, according to the conditions that are specified in the protocol or
Laboratory Manual and records must be maintained to enable verification that these conditions
have been met. This usually requires a device to monitor the storage temperature to ensure
that the integrity of the sample is maintained. It is often found during audit and inspection that
the records made inadequately support this requirement. Laboratories should at a minimum use
a device that will record the maximum and minimum temperature over a defined period, usually
24 hours, and this data should either be recorded on a form, or preferably retained in the
memory of the device and downloaded and reviewed periodically. The devices used to monitor
temperature should be calibrated according to the recommendations of the supplier or
manufacturer of the device. Information on this can often be found in the literature supplied
with the device or from the manufacturer’s website. If information about this cannot be found,
then it is recommended that the device be calibrated annually. If any deviation from specified
storage temperature ranges occur, this must be documented, including any action taken, and
the Sponsor informed. It is recommended that laboratories have additional spare capacity or a
suitable contingency plan in the event that a storage unit fails. The processes involved in sample
management should include quality control checks to assure the correct receipt, handling,
processing, storage, use and disposal and these checks should be proportionate to the risks
involved. It should also be part of the internal audit programme. Failure to monitor the receipt
and accurate “booking in” of samples may have a significant impact on the integrity of data
produced by the laboratory.

Conduct of the Work

Please click on the arrow to continue.

Contracting aspects
Prior to commencing any work, there must be a written contract in place between the Sponsor
and the Laboratory. ICH GCP states that the Sponsor can transfer any trial-related duty and
function to a CRO (this includes laboratories), but this should be specified in writing. This can be
included as part of the protocol, but typically it will be documented in a separate agreement.
The laboratory should review the contract carefully to make sure that it does not conflict with
the trial protocol and any other written instruction provided to or generated by the laboratory
for the conduct of the work. Agreements should also be periodically reviewed, particularly when
there are open-ended master-services agreements put in place, to ensure the terms of the
agreement remain current e.g. with evolving regulatory requirements. Laboratories should have
a system for generating, reviewing, approving and amending agreements.

If the laboratory is subcontracting some activities, this should also be captured into the contract.

Analysis of the sample

The sample analysis must be conducted in compliance with the trial protocol that has received
regulatory and ethical approval and that the trial participants have consented to, and in
accordance with any national regulatory requirements and current guidance. This means that
samples should only be analysed for the tests that are specified in the protocol. Any additional
tests may be requested by the clinicians working on the trial for reasons of participant safety.
These should not be routinely needed for all subjects to ensure their safety. If they are, then the
protocol should be amended.

It is often seen during GCP audits that laboratories will run samples using equipment that
performs a range of analytical parameters as standard and that some of these parameters are
not specified in the protocol. In such circumstances and if it is not possible to programme the
instruments to only perform the protocol-required analysis, then the additional results should
not be reported e.g. by redacting the reports generated from the instruments or by transcribing
the protocol-required parameters on to a study specific analytical results form.

It is therefore important for the laboratory to be provided with the trial protocol and any
amendments to it so that they can meet these obligations. It is preferable that a full copy of the
protocol should be provided by the Sponsor, and as a minimum at least the parts that are
relevant to the work the laboratory will be undertaking should be provided. It is also important
for the laboratory to know that the protocol (or part thereof) provided is current and has not
been subject to amendments and has received the necessary regulatory agency and ethics
committee approvals. Protocol amendments should be provided by the Sponsor to the
laboratory in a timely manner. These considerations are often managed through clauses in
contracts and agreements between the Sponsor/CRO (contract research organisation) and the
laboratory, such as stating that samples will only be provided that comply with the protocol
which has received the necessary approvals and that any changes to the protocol that impact
the laboratory work will be notified promptly to the laboratory.

Responsible person within the laboratory

It is common practice to assign an individual within a laboratory who
has responsibility to oversee the work for a specific trial on a day to
day basis. This person is sometimes referred to as the Analytical
Project Manager. Unless it is specified in sufficient detail within the
trial protocol or other trial specific document such as a Laboratory
Manual, it is usually for the laboratory to write a detailed work
instruction under which the work will be conducted and this is often
referred to as the Bioanalytical or Analytical Plan. This document
should have sufficient detail to enable the analysts to perform the
work required. When generating the document, it should be checked
against the trial protocol, contracts and any other documentation
provided by the Sponsor or CRO to the laboratory to ensure all documents are aligned. If
updates to any of these documents occur during the trial, then the impact on the work
instruction must be evaluated and if necessary it should be updated. It is recommended that the
Sponsor reviews the detailed work instruction generated by the laboratory to confirm that it
complies with the trial protocol requirements and updates to it should not occur without
agreement from the Sponsor, as this could mean an amendment to the trial protocol is needed.

Sponsor notification of deviation

If during the conduct of the work any significant issues or deviations occur, the Sponsor should
be informed and the impact on subject safety and data integrity evaluated. This includes
deviations from the trial protocol and any other written information and instructions.

Documentation
Regardless of what work is performed and the way in which the analysis is arranged, it must be
guided by written documents such as the protocol, Laboratory Manuals, policies, procedures and
other study specific information such as the work instruction. The way in which the work is
carried out must ensure that adequate records and data are generated that will enable the
conduct of the work to be verified and the quality of the data to be assured.

Data Governance and Data Integrity

Before we talk about recording of laboratory data and reporting of trial results, it is important to
consider how we can rely on the data that is generated and reported. This relies on good data
governance practices to assure the integrity of the data.

What do we mean by Data Integrity and Data Governance?

Data Integrity is the degree to which data exhibits certain characteristics and how these are
maintained throughout the data life-cycle. The data characteristics are often referred to as
ALCOA or ALCOA+, meaning that it is:

A = Attributable (to the individual that performed the analysis and to the trial participant that
the sample was being analysed for)

L = Legible (the data has been presented in a clear readable form, without any ambiguity or
open to interpretation)

C = Contemporaneous (recorded at the time that the activity was performed by the analyst, this
would include sample handling, storage, preparation, analysis and disposal activities)

O = Original (this refers to the first time the data existed; e.g. raw data, from which certified
copies can also be made)

A = Accurate (correct in all details, without any mistakes or errors)

C = Complete (contains all of the necessary information or parts, nothing missing)

C = Consistent (being analysed and data generated in the same way)

E = Enduring (the data must remain legible and readable for the period of time that it needs to
be retained)

A = Available (it must be obtainable and usable for the period of time that it needs to be
retained)

The laboratory should consider each of these characteristics and identify how they will be
achieved during the analysis of samples and subsequent recording and reporting of trial data.

Data Governance
Assuring data integrity requires good data
governance and this covers all of the planned
arrangements that are needed to assure the
quality and integrity of the data. These
arrangements must be designed to ensure that
the data characteristics are established and
maintained throughout the lifecycle of the data,
regardless of the process, format and technology
used to generate, record, process, store, retrieve
and use the data. The data governance systems
should be integrated into the Quality Management
System of the laboratory and it should address
the ownership of data throughout its lifecycle,
taking into account the design, operation and monitoring of processes and systems to comply
with data integrity principles with appropriate controls over deliberate and inadvertent changes
to, and deletion of data. This requires a laboratory to implement appropriate quality and risk
management systems, including adherence to sound scientific principles and good
documentation practices, to ensure that data is generated, collected and maintained in a secure
and controlled manner.

It will not usually be possible to remove all risk to data integrity failure, but an indicator of the
maturity of data governance systems is the prioritisation by an organisation of risk control
measures that are proportionate to the data criticality and data risk, whilst recognising that
some residual risk remains but has been reduced to an acceptable level and this should be
documented as part of the data integrity risk assessment. An organisation that concludes from
its risk assessment that there is ‘no risk’ to data integrity is unlikely to have made an adequate
assessment of inherent risks in the data lifecycle. Good data governance systems are designed
and controlled that will enable easy detection of errors, omissions, and aberrant results to
ensure that the integrity of data is controlled throughout its lifecycle. These control measures
should be proportionate to the risk that the data represents to subject safety and the overall
trial results, and the risks associated with deliberate or inadvertent changes or deletion of the
data. Controls are usually divided into organisational controls and technical controls.

Organisational controls include:

Creating a quality culture within an organisation and making sure staff are aware of
expectations and behaviours

Promoting a no blame culture enabling staff to own up to their mistakes and take
responsibility for their actions and decisions

Training staff and providing them with the necessary authority to undertake their work, in
particular those who generate and approve data

Implementing robust data governance systems with documented procedures

Routinely checking and verifying data as part of the process – Quality Control

Monitoring the health and effectiveness of the data governance systems e.g. as part of the
internal audit programme

Technical controls may include:

Automating processes wherever possible to avoid the need for human intervention

Using validated computerised systems and processes, and maintaining control of these

Let’s look in more detail at data and what needs to be considered as part of good
data governance practices.

What is data?
In the context of the laboratory it is of course the results from the analysis, but it is not only this
and there are many other sources of data that support the final results that need to be
considered. It could be the raw data that has been captured and analysed by specialist software
to produce the end result. It may also be records relating to the handling, storage and
preparation of samples, reagents and reference standards used in the analysis. It may include
the metadata; the data about the data. This is the information that is needed to be able to
understand the data, which on its own would be meaningless. For example, a value of 1.1 for
creatinine on its own does not mean anything without its unit of measure mg/dL. Other
metadata can include the date and time stamp that the data was generated or acquired, the
identity of the person that performed the analysis to generate the data, the identity of the
equipment that was used to perform the analysis, and audit trails. There may be environmental-
monitoring records that show that samples and reagents have been stored under the required
conditions. And also personnel and training records that show analysts have the necessary
education, training and competence to perform the analysis. This is not an exhaustive list and
the laboratory needs to identify what data will be generated in support of the analytical work
they perform and how critical the data is to the trial, as some data that will be generated will not
be as critical as others.

Raw data is the original record which can be described as the first-capture of the information,
whether it be recorded on paper or electronically. Information that is originally captured in a
dynamic state (i.e. data that is initially captured by an instrument that is subsequently analysed
or transformed by software associated with the instrument and analysis), should remain
available in its original state. Raw data must permit full reconstruction of the activities. Where
this has been captured in a dynamic state and generated electronically, paper copies cannot be
considered as ‘raw data’. In the case of basic electronic equipment that does not store
electronic data, or provides only a printed data output (e.g. balances or pH meters), then the
printout constitutes the raw data. Where the basic electronic equipment does store electronic
data permanently and only holds a certain volume before overwriting, this data should be
periodically reviewed and where necessary reconciled against paper records and extracted as
electronic data where this is supported by the equipment itself.

Data may also exist in different forms. It can be paper, electronic or a hybrid of both, and may
also include formats such as image files of chromatography plates. Where hybrid records exist,
it should be clearly documented what constitutes the whole data set and all records that are
defined by the data set should be reviewed and retained. Hybrid systems should be designed to
ensure they meet the desired objective.

Importance of Data
In establishing the criticality of data based on the analytical plan, the laboratory needs to
consider the following:

What decisions in a clinical trial will be influenced by the data? For example, it could be
safety data used to determine the eligibility of a trial subject for inclusion in a trial

What is the impact of the data on trial subject safety and the objectives/endpoints of a
trial?

Trials vary immensely in their design and procedures that need to be performed, including
the analytical tests that are required to be carried out, and the significance of those tests
to the safety of the trial subjects and the outcome of the trial. The laboratory should
evaluate each trial protocol in order to answer these questions and determine which data is
critical to the trial conduct.

The Data Lifecycle

Once we understand what the data is in our own organisation, we then need to consider the
lifecycle of the data. This relates to how the data is generated, processed (analysed,
transformed, migrated), checked (QC), reported, used (in decision making), stored and disposed
of at the end of its retention (archive) period. Data can cross many boundaries during its
lifecycle; this may be physical such as transfer from paper to electronic format, and
organisationally e.g. internally between different department, or externally with Sponsors and
other parties involved in a clinical trial, and with cloud-based applications for data storage and
archiving period depending on the sponsor and regulation. The integrity of the data can be
affected at any stage in the lifecycle. It is therefore necessary for a laboratory to understand
the lifecycle elements for each type of data or record that it generates, including any metadata
that supports the data.

Data Risk
The risk to the data should then be evaluated at each stage of its lifecycle and it is
recommended that the laboratory undertakes a data integrity risk assessment. It will not be
necessary to do this for every clinical trial because the type of analysis, processes, instruments
and software involved will often be repetitive, but it should be reviewed for each trial to ensure
there will be nothing different introduced that could impact the data risk assessment. Simple,
repetitive, well defined and documented analysis will usually be of lower risk to more complex
analysis involving inconsistent or new processes, the output from which may be variable and
subjective.

In undertaking a data integrity risk assessment we need to consider how vulnerable the data is
to involuntary alteration, deletion, loss or re-creation or deliberate falsification, and the
likelihood that these actions would be detected. We also need to think about how complete
recovery of data would be ensured in the event of a disaster. In order to mitigate the identified
risks, control measures should be implemented that are proportionate to the risk to the data at
each step of its generation, processing, handling and reporting, and to the criticality of that data
to the safety of trial subjects and how that data is to be used in the drug development process.
Control measures may include those needed to prevent unauthorised activity and those needed
to detect these actions.

Data risk assessments are not just about the computerised systems that are used in the conduct
of the work, and the should evaluate they laboratory processes at each stage of the analysis,
from sample receipt, storage, sample preparation, analysis, destruction, QC, and reporting, to
evaluate the flow of data and how the data is generated, processed and recorded throughout
these activities. When undertaking the data integrity risk assessment, consideration should be
given to the following:

The people involved

Training
 Available guidance

Current quality management systems

Complexity of the processes involved – this can be processes involving multiple steps, how
data is transferred between processes and systems, the complexity of data processing

How the data is generated, processed, stored and archived or destroyed, and how data
quality and integrity can be ensured

Process consistency – e.g. biological analytical techniques that can exhibit higher degrees
of variability versus small molecule chemical analysis

Human interaction versus use of automated systems

Subjectivity of the results obtained

The outcome of a comparison between electronic system data and manually recorded
events could be indicative for malpractices (e.g. apparent discrepancies between analytical
reports and raw-data acquisition times)

Manual interactions with computerised systems. For instance is the user able to influence
the reported data from a validated system. A fully automated and validated process
together with a configuration that does not allow human intervention, or reduces human
intervention to a minimum, is preferred as this design lowers the data integrity risk.
Appropriate procedural controls should be installed and verified where integrated controls
are not possible for technical reasons. A typical example of this could be appropriate
procedural controls around manual integration of chromatographic peaks.

Data Backup
We talked earlier about the need to ensure that
the integrity of the data needs to be maintained
throughout the period that it needs to be retained.
Data that is generated electronically that needs to
be retained under GCP requirements should be
backed-up and archived. The FDA guidance states
that a backup should be a:

“true copy of the original record that is

maintained securely throughout the record
retention period. Backup data must be exact,
complete, and secure from alteration, inadvertent
deletion, or loss. The backup file should contain
the data (which includes associated metadata) and should be in the original format or in a
format compatible with the original format”.

Backup and recovery processes employed by an organisation should be documented, validated

and periodically tested. It is recommended that each backup performed is verified for
completeness and there are many methods for doing this such as use of validated software and
comparing the size of data transfers with the original data. Data backup for the purpose of
recovery is not a replacement for the long term retention of the data in its final form for the
purposes of audit and inspection to enable verification of the activity. Backup of printed data
adheres to the same rules.

Audit Trails
Audit trails are increasingly a focus of audits and regulatory inspections and laboratories may be
asked to produce the audit trail that relates to a specific trial result. So what do we mean by
Audit Trail? For a simple paper record this would be the original result, signed and dated by the
analyst to show who performed the analysis and when they did it. Any corrections to the paper
record should be signed and dated by the person who made the change and a reason for the
change be stated on the record so that there is an auditable record of when changes were
made, by whom and for what reason.

When we talk about audit trails relating to data that has been generated, processed and stored
electronically, we are referring to the metadata that provides the information necessary to be
able to verify the activities relating to the creation, modification or deletion of a record.

The FDA data integrity guidance defines an audit trail as:

“a secure, computer-generated, time-stamped electronic record that allows for reconstruction

of the course of events relating to the creation, modification, or deletion of an electronic
record. For example, the audit trail for a high performance liquid chromatography (HPLC) run
should include the username, date/time of the run, the integration parameters used, and
details of a reprocessing, if any. Documentation should include change justification for the
reprocessing”.

This means that computerised systems that are used by the laboratory to capture, process,
report, store or archive raw data electronically, should be designed to provide and retain audit
trails that show all changes to data including the deletion of data whilst retaining the original
data and all versions of it. All data and changes to the data must be attributable to the persons
who were responsible for generating and changing the data, and it must be dated and time
stamped (time and time zone where applicable). The reason for any change should also be
recorded. The items included in the audit trail should be those of relevance to permit
reconstruction of the process or activity. Where electronic systems have audit trail functionality,
these must be switched on and it must not be possible for general users of the system to switch
it off; this should only be done by authorised persons, e.g. the system administrator and a
record of the actions performed by the system administrator should be maintained. If systems
do not have audit trail functionality, alternative controls should be implemented e.g. through
SOPs and laboratory logbooks.

Audit trails include those that track creation, modification, or deletion of data (such as
processing parameters and results) and those that track actions at the record or system level
(such as attempts to access the system or rename or delete a file).

Specific Guidance
Many of the guidance documents have previously been discussed in other modules of the
course on Good Clinical Laboratory Practice. These include guidance released by the World
Health Organisation, European Medicines Agency, UK Research Quality Association and the UK
Medicines and Healthcare Products Regulatory Agency. However, there are several guidance
documents in existence which can assist laboratories in implementing data integrity and data
governance policies and procedures as part of its Quality Management System. Many of these
guidances stem from the Good Manufacturing and Good Distribution Practices of the
pharmaceutical industry, but the principles within them are equally applicable to laboratories
analysing clinical trial samples. We also have the OECD Principles of Good Laboratory Practice
applicable to non-clinical toxicology studies which includes references to requirements for data
integrity which are equally applicable to GCP. In addition, the UK Medicines and Healthcare
Products Regulatory Agency has produced detailed guidance which is applicable across all the
Good Pharmaceutical Industry Practices. The following reference sources have been used in
producing this training module. Please follow the links below to access some of these for further
reading around this topic.

MHRA GXP Data Integrity Guidance and Definitions March 2018

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/687246/MHRA_GxP_data_integrity_guide_March_edited_Final.pdf

USA FDA Data Integrity and Compliance With Drug CGMP December 2018

https://www.fda.gov/media/119267/download

EMA Guidance on Good Manufacturing Practice and Good Distribution Practice: Questions
and Answers; Data Integrity August 2016

https://www.ema.europa.eu/en/human-regulatory/research-
development/compliance/good-manufacturing-practice/guidance-good-manufacturing-
practice-good-distribution-practice-questions-answers#data-integrity-(new-august-
2016)-section

PIC/S (draft) Good Practices for Data Management and integrity in Regulated GMP/GDP
Environments

https://picscheme.org/en/publications

OECD Principles of GLP, in particular:

No.1 OECD Principles of Good Laboratory Practice

http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?
cote=env/jm/mono(2016)13&doclanguage=en

and No.17, Application of GLP Principles to Computerised Systems

http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?
cote=env/mc/chem(98)17&doclanguage=en

Other reference sources:

World Health Organisation Good Clinical Laboratory practice Guideline

https://www.who.int/tdr/publications/documents/gclp-web.pdf

EMA Reflection Paper for Laboratories that Perform the Analysis or Evaluation of Clinical
Trial Samples

https://www.ema.europa.eu/en/documents/regulatory-procedural-guideline/reflection-
paper-laboratories-perform-analysis-evaluation-clinical-trial-samples_en.pdf

Recording of Data – Laboratory Results and Associated Records

What does GCP specifically state in relation to recording of data?

There are several references to this within ICH GCP that point to the recording of data.

One of the fundamental principles of ICH GCP (2.10) states:

“All Clinical Trial Information should be recorded, handled, and stored in a way that allows its
accurate reporting, interpretation and verification. The principle applies to all records
referenced in this guideline irrespective of the type of media used”.

Section 5.0 which relates to the Sponsor (and Contract research Organisations such a
laboratories) states:

5.1.1 “The sponsor is responsible for implementing and maintaining quality assurance and
quality control systems with written SOPs to ensure that trials are conducted and data are
generated, documented (recorded), and reported in compliance with the protocol, GCP,
and the applicable regulatory requirement(s).” (emphasis added)

5.5.1 “The sponsor should utilize appropriately qualified individuals to supervise the
overall conduct of the trial, to handle the data, to verify the data, to conduct the
statistical analyses, and to prepare the trial reports”. (emphasis added).

5.5.3 “When using electronic trial data handling and/or remote electronic trial data systems,
the sponsor should:

(a) Ensure and document that the electronic data processing system(s) conforms to the
sponsor’s established requirements for completeness, accuracy, reliability, and consistent
intended performance (i.e. validation). The sponsor should base their approach to validation of
such systems on a risk assessment that takes into consideration the intended use of the system
and the potential of the system to affect human subject protection and reliability of trial
results”.

(b) Maintains SOPs for using these systems.

The SOPs should cover system setup, installation, and use. The SOPs should describe system
validation and functionality testing, data collection and handling, system maintenance,
system security measures, change control, data backup, recovery, contingency planning, and
decommissioning. The responsibilities of the sponsor, investigator, and other parties with
respect to the use of these computerized systems should be clear, and the users should be
provided with training in their use.

(c) Ensure that the systems are designed to permit data changes in such a way that the
data changes are documented and that there is no deletion of entered data (i.e.
maintain an audit trail, data trail, edit trail).

(d) Maintain a security system that prevents unauthorized access to the data.

(e) Maintain a list of the individuals who are authorized to make data changes.

(h) Ensure the integrity of the data including any data that describe the context, content, and
structure. This is particularly important when making changes to the computerized systems,
such as software upgrades or migration of data”. (emphasis added).

5.5.4 ”If data are transformed during processing, it should always be possible to compare the
original data and observations with the processed data”.

Within section 4 of ICH GCP, there are specific requirements placed on the Investigator with
regard to records and reports, but the essence of these requirements applies equally to
laboratories and other research organisations involved in the trial. These state:

4.9.0. “The investigator/institution should maintain adequate and accurate source

documents and trial records that include all pertinent observations on each of the site’s trial
subjects. Source data should be attributable, legible, contemporaneous, original,
accurate, and complete. Changes to source data should be traceable, should not obscure
the original entry, and should be explained if necessary (e.g., via an audit trail)” (emphasis
added).

4.9.1. “The investigator should ensure the accuracy, completeness, legibility, and
timeliness of the data reported to the sponsor in the CRFs and in all required reports.
(emphasis added).

4.9.3. “Any change or correction to a CRF should be dated, initialled, and explained (if
necessary) and should not obscure the original entry (i.e. an audit trail should be
maintained); this applies to both written and electronic changes or corrections” (emphasis
added).

So, it is clear from these statements that the recording

of the data is an important activity to ensure the
reliability and integrity of the trial data and the safety of
the trial subjects. The current guidelines for laboratories
requires that all of the data must be recorded directly,
promptly, accurately and legibly. This takes us back to
Data Governance and Data Integrity within this module
and the principles of ALCOA+ when recording data. It
must be possible to identify who performed the work
and the date on which they did it and all of the staff
responsible for recording of the data are responsible for
the quality of their data. The manner in which the data
is recorded will vary between laboratories and the
equipment and methods that they use, but it should be specified within the quality systems of
the laboratory how the data will be recorded. ICH GCP requires laboratories to implement
Quality Assurance and Quality Control procedures to ensure the quality of the data and thus the
safety of the trial subjects and reliability and integrity of the data. It is therefore recommended
that laboratories implement appropriate Quality Control procedures to ensure that the data
generated complies with the ALCOA+ requirements.

As has previously been stated in this module, any changes to the data must be carried out
according to GCP principles, in that the change must not obscure the original entry and it must
be possible to identify the person who made the change, when they made it, and what the
reason was for doing so. For electronic records, this requirement should be achieved through
the audit trail.

Reporting of Laboratory Results

It is essential to ensure that the results from the analysis
are reported to the correct persons. Incorrect reporting
could have serious implications for the conduct of the
trial. For instance, this could result in a blinded trial
being incorrectly unblinded if individuals who are
supposed to remain blinded receive data that could
unblind them. It could also result in significant safety
data being sent to the incorrect persons, thus delaying
treatment of trial subjects and putting their safety at
risk. It is important therefore to establish with the
Sponsor/Sponsor’s CRO the reporting requirements and
mechanisms before any analysis is performed. This
should be documented, typically in the work instructions
generated by the laboratory as referred to in section 3,
but it may also be specified in the trial protocol,
laboratory manual provided by the Sponsor or contract
between the laboratory and the Sponsor.

The manner in which the results may be reported will also vary and may depend upon the
purpose for which the data is to be used. This can be data used for interim analysis for safety
review meetings and dose escalation studies, PK data, safety data, biomarkers, etc. A formal
report may be issued on completion of the work, sometimes referred to as a Bioanalytical
Report. Some results may be issued using printouts obtained from the analytical equipment or
tabulated in MS Office files. Regardless of what data and how it is to be reported, it must be
complete. It is recommended that before analytical datasets are sent, they are subject to formal
QC review and approval. The file type/format, method of reporting/transfer and frequency of
reporting should be specified, e.g. in the laboratory work instruction and there should be a
means of verifying that the data sent was received in full. It may be prudent to undertake a test
transfer before actual data is sent.

Summary
The work undertaken by a laboratory in the analysis and evaluation of samples from human
clinical trials is a key part of the drug development process. It is used to make important
decisions with regard to the safety and tolerability of the investigational medicinal product given
to trial subjects and we should recognise the courage and commitment of these individuals in
assisting to develop new drugs that will benefit the human population. We therefore owe it to
them to ensure that the data that is generated during a trial is true and reliable so that the
safety of them is ensured. We also need to think about how the data will be used when it comes
to determining the efficacy of an investigational product for the condition that it is being
developed to treat. The ultimate objective is of course providing new medicines that are both
safe and effective; we may end up taking it ourselves one day.

In order to achieve this objective, we have learnt in this module how samples being received in
the laboratory should be managed to ensure that the chain of custody and identity of the
sample is managed and that it is handled and stored appropriately to ensure that the integrity of
each sample is maintained. We have also learnt about the general principles relating to the
conduct of the work, in that it must be performed in compliance with the trial protocol and other
written instructions and that records must exist that will enable how the work has been
performed to be verified. And finally, we have discussed how results should be recorded and
reported. The key message behind this is looking at how a laboratory governs the data
generated within its organisation and by doing so, how the integrity of that data can be ensured.

Quiz
Please ensure you have answered all questions before clicking the ‘submit’ button

1. According to GcLP, if you have to make a change to a paper record how should this be
done?

(Please choose from the following text and images)

i
ii
iii

2. What characteristic should an electronic system that generates trial data/results possess
when changes need to be made to the data?

An Audit Trail
System interface
automatic printer
thermal printer

3. It is acceptable to switch off the Audit Trail functionality of a computerised system used to
generate trial data/results

True
False

4. From where is the statement “All Clinical Trial Information should be recorded, handled,
and stored in a way that allows its accurate reporting, interpretation and verification. The
principle applies to all records referenced in this guideline irrespective of the type of media
used” taken from?

ICH GCP: 2.10

EMA guidance
US FDA guidance
WHO guidance

5. What is meant by the term ALCOA+

A= Attributable, L = Legible, C = Contemporaneous, O = Original, A =Accurate,

C=Complete, C = Consistent, E = Enduring, A = Available
A= Alert, L= light, C= Cautious, O= Open, A= Average, I= Important
A= Alive, L= long, C= Clean, O= Obedient, A= Awful, F= Fair
A= Agreeable, L= lively, C= Cooperative, O= Obnoxious, A= Adventurous, P=
Perfect

6. Which of the following steps are undertaken in the lifecycle of the data?

(Pick all that apply)

data is generated
data is processed (analysed, transformed, migrated)
data is checked (QC)
data is reported

7. When reporting results, what aspects do we need to know?

(Pick all that apply)

Who the results should be reported to

In what format the results should be reported
The methods that will be used to report the data
The name of the analyst

8. Before we send laboratory results what should we do to the data?

(Pick all that apply)

Subject it to Quality Control

Re-analyse it
Delete any that we haven't used
Anonymize them
Contact the participant

9. When reporting results should we check that the results have been received in full by the
recipient?

Yes
No

10. When we conduct the analysis of samples from clinical trials what do we need to ensure?

(Pick all that apply)

The work is conducted in compliance with the Clinical Trial Protocol

The work is conducted in compliance with the Lab Manual
The work is conducted in compliance with the ICF
The work is conducted in compliance with the SOPS

Submit