Clarifying ownership of patient compliance in medical device clinical trials requires building risk management into the operation and forging a good partnership between clinical operations, biostatistics and the clinical data management provider who can provide the technical infrastructure for calculating compliance indicators from the EDC, ePRO and connected medical devices in the study.
Although this might seem theoretical, as Charlie Brown notes, protocol compliance is an entirely practical exercise in optimizing the efforts of the CRO, study monitors, clinical research coordinators and the sponsor.
Lucy: Aren’t the clouds beautiful? They look like big balls of cotton. I could just lie here all day and watch them drift by. If you use your imagination, you can see lots of things in the cloud formations. What do you think you see, Linus?
Linus: Well, those clouds up there look to me like the map of the British Honduras on the Caribbean. [points up]
Linus: That cloud up there looks a little like the profile of Thomas Eakins, the famous painter and sculptor. And that group of clouds over there…[points]
Linus: …gives me the impression of the Stoning of Stephen. I can see the Apostle Paul standing there to one side.
Lucy: Uh huh. That’s very good. What do you see in the clouds, Charlie Brown?
Charlie Brown: Well… I was going to say I saw a duckie and a horsie, but I changed my mind.
Risk-based remote monitoring has been part of FDA guidance since August 2013 and there is a plethora of articles on the topic (Google returned 713,000 results today on the search phrase “risk based monitoring in clinical trials”).
However, there are no rigorous, generally accepted definitions of risk. The clinical trials industry is presenting similar symptoms to the information security industry, where product and service vendors employ marketing words like “optimization” (IQVIA talks about optimizing vendor/CRO partnerships, for example, and Comprehend, a serious risk-based monitoring technology company, talks about how they continuously optimize a portfolio of clinical trials to improve speed and quality across teams, sites and CROs).
In mathematics, computer science and operations research, optimization is the selection of a best element (with regard to some criteria) from some set of available alternatives.
In other words, if a CRO like IQVIA is serious about optimizing vendor/CRO partnerships – there should be both an objective/measurable metric (like the cost of the study monitoring and time to statistical report after data lock) as well as alternatives (using a competitor like Prometheus, Parexel or PPD).
If you have a portfolio of trials, teams, sites and CROs – you will definitely be able to optimize something – like having 1 CRO and a second source to keep them honest.
In general, mathematical optimization is not as effective as a tough contract negotiation with performance measures and enforcement.
The DIA (which is a vendor-neutral organization) talks about Vendor Life Cycle Management for Quality and Performance using CRO – Clinical Vendor Oversight. Talking about life cycles is a good way of covering all your bases – because in life cycles like in life – you can get divorced and remarry several times, have children, a second career and quit your job to grow organic food in Maine.
It is common practice to advocate developing a risk management plan before executing the study as part of the CRO/sponsor partnership. But, if the CRO is a true outsourcing organization, then the risk management and risk mitigation should be built into their service and that should be transparent to the sponsor.
Asking a vendor to develop the risk management plan is like asking the owner of a mobile handset to be a partner with their mobile operator in risk management of the cellular network. Which is absurd of course. This is like the joke about the shmates salesman making a cold call on the CEO of a women’s fashion company on Seventh Avenue:
Salesman: Thanks for taking the time to meet with me. I am a great salesman, I want to work for you. You won’t be sorry.
CEO: If you want to work for us, you start out as partner. If you succeed, we’ll let you be a salesman.
In addition, it seems to me that developing a risk management plan before the trial starts is a risky undertaking in its own right and ignores the fact that a clinical trial is a scientific experiment where anything and everything can go wrong. As a colleague told me recently – “some site monitors are great and others are like baboons”.
In fact, in the information security world, despite numerous attempts to quantify risk, risk management doesn’t work in practice, as measured by the fact that over 300 million credit cards were stolen from companies with risk management plans.
While you are busy doing business process management and risk management, the baboons are not collecting quality data for your study even as your CRO is collecting their check.
So we need to be a bit more agile, if I may be permitted to use another buzz word.
What does work in other domains (like the military) is thinking about risk in terms of attacks on assets – in the case of a clinical trial, attacks on data quality and patient safety.
Using an attack model for estimating study risk, we consider 4 dimensions of a study: assets, attacks, vulnerabilities and controls.
The digital assets are the quality of data collected regarding primary endpoints. The people assets are patients and their safety, the investigators and the medical staff at the hospital or clinic actually administering the protocol.
The fun and easiest part of the attack equation is the controls – that’s a shopping list of products and services and you have plenty of options on the menu when you talk to your CRO.
The attacks on your assets are both generic (data entry lag and recruitment rates) as well as study-specific (cytotoxicity in an oncology study that can be a quantified patient safety risk versus zero risk for a procedure measuring the color of your hair for a cosmetic product). A pharmaceutical or medical device company is well equipped to identify and quantify threats to patients when it comes to their product.
This leaves us with vulnerabilities.
Detecting vulnerabilities is a tough challenge. But your biggest vulnerability may be your CRO – because you are outsourcing just about everything to them and we’ve already established (I hope) that risk management should be part of the CRO responsibility to get the job done just like it’s part of the responsibility for our mobile operator to connect and complete the call.
In the next part of our Episodes series – I’ll talk about how to detect and quantify CRO vulnerabilities.
In the meantime – feel free to call me or flame me on Twitter