In recent times, many pharmaceutical, biotech and medical device companies have decided to outsource their clinical data management (CDM) activities to CROs – besides other processes related to conducting a clinical trial or a project. The larger pharmaceutical companies do that in order to gain more flexibility in allocating their own workforce. Smaller organizations and start-up companies, on the other hand, outsource because they cannot afford to set up their own CDM department.

The choice to outsource CDM activities, however, requires a thorough review of the consequences of such a decision. This article addresses some of the aspects one should take into account when outsourcing CDM activities, and the options available to ensure a successful outcome of the outsourcing and long-term trust that the data can still be used even 15 years after study or project completion.

The Planning Phase

In the outsourcing planning phase, it is crucial to have CDM sitting at the table with all the other functions involved in the operational activities. It is also extremely important to have the CRO CDM representatives attending the same meeting – something that does not always happen – since CDM people sometimes have their own language, potentially using two different dialects. Talking to each other right from the very beginning helps to clarify certain terms, abbreviations and definitions. Trying to understand each other remotely, for example via email, is not an option.

It is also extremely important for the sponsor to clarify whether they are outsourcing a certain aspect of the study to a CRO or the whole project. The sponsor company standards – as long as they exist – have to be shared with the CRO. This includes, but is not limited to, the CRF design, the database structure, the code lists and the edit checks to be applied to the data. For smaller organizations or start-up companies, this activity may also be contracted, while it is still crucial for the sponsor company to ensure that the standards make sense, meet the regulatory requirements, and are only being changed under controlled conditions. The ultimate objective – in the best-case scenario – is that the integrated summary of safety and efficacy at the end of the project development phase can be created easily or almost without any manual intervention.

Something frequently forgotten is the decision about which SOPs are to be followed – the sponsor’s or the CRO’s? This may be a difficult one to agree upon; however, it is crucial. The advantage of using the sponsor’s SOPs and, if possible, having the CRO staff work in the company’s technical environment, is that it is easy to ‘supervise’ the activities conducted by the CRO. The other option – using the CRO’s SOPs – certainly requires less upfront training and can be implemented faster.

Another basic agreement must be that the CRO and the sponsor company CDM representatives talk about any, even minor, challenges surfacing during this phase. It is time well spent if the sponsor company nurtures the CRO staff prior to the start of a study. It helps avoid any issues that may occur during the trial, such as implementation of protocol amendments or changes in the CRF design.

The basis of all of the above should be documented in a clinical data management plan, a living document describing all activities/processes planned to be applied to the clinical trial data.

The Conduct Phase

During the conduct phase of the trial, once the first patient has been enrolled, it must be totally clear how the CDM oversight will be managed between the sponsor and the CRO. This can be done via status reports or through direct access to the trial data, depending on the agreed upon method of oversight. The status reports usually work well in cases where a sponsor has worked with a CRO on several studies already. In those cases, these reports accurately reflect the status of the trial, the quality of the data, the adherence to the agreed upon standards, and shall eventually result in a reliable, medically sound and structurally clean database. The figure below shows such a report addressing various areas of the data processing steps in CDM (N.B. this is a slightly modified version of a report developed by COVANCE UK).

Such a report, however, may not suffice in cases where one has started working with a new CRO. In addition, health authorities may not accept those reports alone as sufficient proof of proper oversight. In those cases, it is advisable that a sponsor CDM representative gets access to the CRO EDC system or the backend database management system. Such access would facilitate a direct view of the data, in particular critical data, such as safety data, main efficacy data and enrolment information.

A smarter approach to applying proper CRO oversight by CDM may even be the development of a risk management plan, as well as the use of an off-the-shelf application for the remote review of critical processes and data at the CRO. Actually, what is currently being discussed as ‘risk-based monitoring’ does not apply only to a risk-based approach to source data verification and site monitoring activities, but also to the oversight of a CRO.

In such a scenario, a CDM would create a list of potential risks to the data of a trial, develop a suite of risk indicators for those risks and define the associated thresholds for those indicators. For example, define the time it takes to get a query response from the site as a risk indicator for the risk ‘in-time availability of the clean database.’ An acceptable threshold may be 10 days for the first part of the trial and five days once 90 percent of the patients have completed the trial – towards the end of the trial. Additionally, one would classify those risk indicators according to the likelihood of the risk occurring, the impact such an occurrence may have, and how easy or difficult it is to detect the risk.

For example, the likelihood of the risk that sites do not respond in time to the queries may be estimated from other studies a CRO already ran at the proposed sites. The impact on achieving a clean database can be devastating, depending on the response(s) of the last site(s), if the query responses relate to main efficacy or important safety data. The detectability is rather straightforward – if someone makes the effort to regularly analyze the query response data, the non-performing sites should be easily identified. The beauty of this risk-based approach to CRO oversight is that the risk categories and the risks themselves shall remain rather stable. What’s more, one can learn quickly from one study to the next which of the risk indicators work well and which ones need to be adjusted.

Overall, the most important aspects of a smooth cooperation between a sponsor and a CRO are trust and communication. Trust is something that may take some time to grow. However, communication is something all involved parties should be able to apply to a cooperation without any specific training. This is even true for CDMs (like me).

After the Study

Once a study (or a series of studies) has been completed by a CRO, it is mandatory that the sponsor transfers all the data in-house, including a description of all the activities that had been applied to the data (creation of derived data, medical coding of adverse events, medical history and concomitant medication, conversion of local lab data, etc). Alternatively, the sponsor company should agree with the CRO that they maintain the database on behalf of the sponsor company and ensure accessibility to the data on demand for a period of X years (X could be up to or even longer than 15 years).

A description of the processes needs to be documented as well, such as how the serious adverse event reconciliation has been managed, which MedDRA glossary version has been used, or which coding guidelines had been applied to the data. A good document for the storage of all decisions made could be the clinical data management report.

Why is it so important to have access to those completed trials, either in the CRO environment or in the sponsor environment? Usually, the development of a new medication takes several years and once the data has been submitted to the health authorities, inspectors may want to see the data, the processes applied to the data, and documentation of all the steps taken. An extreme case might be that the study data have to be made available to lawyers, years or decades after a study had been completed. One had better ensure those data are still accessible and ‘readable.’ This sounds logical and simple; however, it may not be as easy as one might think. In order to be prepared, it makes a lot of sense to ensure proper planning even for those undesired events.

Johann Proeve, PhD

Clinical Data Management Consulting

