Frequently Asked Questions

An audit is a systematic and independent examination of trial-related activities and documents to determine whether the evaluated trial-related activities were conducted, and the data were recorded, analyzed and accurately reported according to the protocol, sponsor's standard operating procedures (SOPs), Good Clinical Practice (GCP), and the applicable regulatory requirement(s).

A Quality Review takes a one-time snapshot look at a trial and examines a sampling of data and documents from the major study processes (e.g. informed consent, adverse event management, investigational product control, etc.). Monitoring oversees the progress of a clinical trial from start to finish through periodic assessments of the study data and documents.

RQA creates an annual Quality Review Plan that lists the studies selected for routine Quality Reviews during the coming year.

Routine Quality Reviews are assessments of study activities and study documentation that are performed as a service to investigators, with feedback provided regarding practices associated with the conduct of the study. Studies for Routine Quality Reviews are selected by RQA using a risk-based approach based on criteria which include, but are not limited to, the following:

• Studies conducted under an IND or IDE held by UM- Investigators or units
• Expected level of risk to subjects/vulnerable populations
• Studies with a complex study design/protocol
• Federally-funded studies
• Studies overseen or conducted by first-time Principal Investigators

Directed "for-cause" Quality Reviews are conducted by RQA upon request by any of the following: IRB committee, Associate Vice Provost for Research Integrity, Regulatory Affairs and Assessment, Vice Provost for Research, Office of Research and Research Education, Audit Advisory Services, etc. A directed Quality Review is generally based on identified concerns, a complaint, or an allegation about human subject safety and rights, regulatory compliance, or data integrity.

Directed Quality Reviews may also result from complaints reported in person directly to RQA or via the University Hotline.

There can also be (routine or directed) Focused Quality Reviews, which examine a particular aspect of a clinical trial, such as the informed consent process.

No, the PI does not need to be present for the duration of the Quality Review. However, we do require the PI to attend the initial meeting at the beginning of the Quality Review, so that the auditors can explain the scope of the Quality Review, the general review process, and also to discuss the protocol with the PI and study team. If the PI is unavailable, the auditors may begin the Quality Review if a study team member can provide access to, and answer questions about, the study records; a meeting with the PI is then scheduled as soon as it is feasible. A short Debrief meeting will be held with the PI and study team on, or as soon as possible following, the last day of the review to discuss trends noted during the review or ask clarifying questions about the records. The PI and study team will receive a Draft Quality Review Report and will have the opportunity to review it with the auditors at an Exit Meeting prior to receiving the Final Quality Review Report.

RQA is always willing to work with the PI on timing. The goal is to get the Quality Review done as soon as possible with the least amount of disruption to the site's operations.  It is important to note, however, that Directed Quality Reviews must occur as soon as possible, and receive RQA's highest priority. 

No, we will not ask you to cancel any clinical activities. We want to conduct our Quality Reviews with as little disruption as possible.

The duration of a Quality Review may be affected by several variables such as the type of Quality Review, the complexity of the study, the number of subjects enrolled, the number of protocol procedures, etc. On average, a full Quality Review typically takes 3 days at a study site. Focused Quality Reviews are usually completed within a day, but may take longer, depending on the factors noted above.

No. We review studies only against the standards and regulations that apply. At minimum, all Human Subjects Research at UM must comply with the policies outlined in the 🔗 UM Investigator Manual (HRP-103), available on the IRB’s website. Human Subjects Research (except Social/Behavioral Research) may also be subject to International Conference on Harmonization (ICH) Guidelines for Good Clinical Practice (GCP), if specified in the study protocol. Additionally, FDA and OHRP (Office of Human Research Protection) regulations may apply depending on the type of study you are conducting and whether it is supported by the PHS (Public Health Service). Please contact RQA for any questions you may have.

These categories are defined in every Quality Review report. In general, an observation is classified as "Immediate Action Required" if it appears to pose a significant risk to subject rights, safety, or to data integrity, or to represent a major deviation from applicable regulations, policies or procedures. "Action Required" observations are deviations or deficiencies in adhering to regulations, policies, procedures, or data standards, which if not corrected may lead to serious issues.

The Quality Review report is issued to the PI and it is the PI's responsibility to write the response (the Corrective and Preventive Action [CAPA] Plan). While it makes sense that the study team is involved in the response, it is very important that the PI responds to his/her own Quality Review report so that he/she is fully aware of all proposed corrective and preventive actions and is able to carry them out. RQA will work closely with the PI and study team by providing feedback and recommendations on how to write a good response that is specific and measurable.

Yes. As needed, RQA will include an IRB-specific observation within the Quality Review report detailing the IRB’s role in the site’s observation. The IRB has to provide RQA and the Vice Provost for Research with a written response to their observation. These IRB responses are evaluated using the same criteria as for the PI responses, which means that they must specify both corrective actions and preventive actions. RQA  will work closely with the IRB to assist them in developing a good response that is specific and measurable. 

• At the conclusion of the Quality Review, the auditor will review the main trends with the PI and study team at an audit Debriefing meeting
• A Draft Quality Review Report will be issued to the PI and main study team members
• The auditor will schedule an Exit Meeting with the PI and study team to review the Draft Report for accuracy and to clarify any issues. The purpose of the Exit Meeting is for the auditors and the PI to have a common understanding of the observations and significance of the specific examples listed in the report
• A Final Quality Review Report is issued to the PI
• The PI will be given 15 business days to provide responses to the audit observations using the PI Quality Review CAPA Form provided by the auditor
• RQA will assist with the development of corrective and preventive actions (CAPA) intended to address the observations noted in the Final Audit Report
• RQA submits the Final Quality Review Report and the PI's signed CAPA Plan to the IRB/HSRO
• The relevant IRB Board determines if the PI CAPA Plan is appropriate and sufficient or whether additional actions are needed. The IRB may also ask for a follow-up Quality Review. The IRB's determination and/or further actions will be described in an IRB determination letter
• Once the due dates for all corrective and preventive actions have passed, the auditor will conduct a CAPA Plan Implementation Review to verify that all actions have been completed
• For any observations that were deemed “Immediate Action Required,” the auditor will follow up to verify that preventive measures were effective in preventing the recurrence of such issues

Internal Quality Review Reports are confidential and must not be shared with any 3rd parties, including, but not limited to, study Sponsors. However, the details of a specific Sponsor-related observation can be shared with your study Sponsor. Please check with RQA if you are unsure what can be shared.

Internal Quality Reviews are part of an internal quality assurance program that is designed to encourage candor and collaboration between Investigators and the various components of UM’s Human Subject Research Protection Program (RQA, IRB, etc.). For this reason, it is RQA’s practice not to provide internal Quality Review reports to the FDA (or other regulatory bodies). While the University wants to demonstrate full cooperation with Federal agencies, the risks, and benefits of full disclosure are considered on a case-by-case basis. In rare instances, UM has had to cooperate with federal agency requests for internal audit reports in order to avoid an escalation in regulatory action or the prolongation of a federal audit.

No. It is the University’s policy not to share copies of external audits/inspection reports, such as Forms FDA 483, or any other governmental inspection reports (e.g., from NIH, DOD, OHRP, EMA, OCR, HHS) with any external parties including industry sponsors or contract research organizations (CROs), that may be inquiring about the compliance status of a particular unit or investigator. See policy: Confidential Audit Reports. 

Yes, A PI may request any of the following types of reviews:

• Audit Preparation Assessment
• Study Start up Review
• Study Review
• Mock FDA Audit

An action taken to prevent non-compliance from occurring or recurring by eliminating the root cause of a problem

A plan that is developed and implemented to identify, remediate, and prevent recurrence or occurrence of existing or potential causes of non-compliance or other quality issues. A CAPA Plan is typically created in response to internal or external audits/Quality Reviews.

Root Cause Analysis (RCA) is a structured process for identifying “root causes” of problems or non-compliance. There are many approaches, tools, and techniques available to conduct a RCA. Two very common approaches are the “5 Whys” and “Fish-bone” diagrams.

Without knowing the root cause of a problem, you run the risk of only addressing or correcting the symptoms of a problem. Determining the root cause of an issue allows you to address the source of the problem and prevent its recurrence. When significant non-compliance is discovered by internal or external sources, the Principal Investigator/study team should perform a RCA and implement appropriate corrective and preventive actions. If there is more than one root cause identified (true in many cases) after conducting the RCA, all the causes should be addressed in the CAPA Plan for it to be successful. The RCA and CAPA Plan are considered successful when the problem or non-compliance does not recur.

5 Whys or Cause-and-Effect Diagrams: The “5 Whys" is an interrogative technique used to explore the cause-and-effect relationship underlying a non-compliance situation. The primary goal of this technique is to determine the root cause of a problem by repeating the question Why? (Why did this problem occur?) at least 5 times to identify the true cause of the problem. Each answer forms the basis of the next question. This technique forces you to think of several causes for a problem, instead of settling for the first cause that comes to mind. Please see link to 5 Whys or Cause-and-Effect Diagrams.

Fish-bone/Ishikawa Diagrams: This technique visually displays the many potential causes of a specific problem onto a Fish-bone/Ishikawa Diagram. It helps facilitate the brainstorming of causes by grouping the causes into major categories to identify the source of variation or non-compliance. Please see link to Fish-bone/Ishikawa Diagrams.

Yes, RQA is available to help research teams with the development, implementation, execution, and evaluation of CAPA Plans. Please contact RQA for CAPA assistance.

It depends... Human subject research conducted at the University is routinely audited and monitored by internal and external entities. As part of these visits, non-compliance with federal, state, and local regulations or institutional policies may be identified. Depending on the severity of these issues, it may be required that a CAPA plan be created and implemented. RQA assists University researchers and their team with the creation and implementation of CAPA plans in response to internal or external audits/Quality Reviews. Please refer to the University of Miami Policy: Corrective Action Preventive Action (CAPA) Plans in Human Subject Research (policystat.com).

Investigators and study teams are encouraged to contact RQA for CAPA Plans developed to correct non-compliance issues detected internally by the PI or study team. RQA is also available to support Investigators and study teams in the creation, implementation, and follow up of these CAPA Plans, if requested.

Every CAPA Plan is different in content and actions. The duration of a CAPA Plan depends on many factors, such as the severity of the non-compliance issues that need to be corrected and prevented, the risk level associated with them, the resources that each study team has, and the complexity of the clinical trial.

A CAPA Owner is the main person responsible for the creation, implementation, and evaluation of a CAPA Plan. Typically, the PI is the CAPA Owner of a CAPA Plan created in response to an internal or external audit/Quality Review. For full CAPA Plans that are created to address systemic issues affecting several clinical trials, etc., the CAPA Owner may be Department leadership or anyone designated as the CAPA Owner.

CAPA Owners are responsible and accountable for the content and implementation of their CAPA Plan.

After a CAPA Plan is written, all the corrective and preventive actions outlined in the CAPA Plan should be implemented in the timeframe documented in the CAPA Plan.

RQA follows up on CAPA Plans created in response to internal or external audits/Quality Reviews.

Effectiveness checks are conducted to verify that the implemented actions of the CAPA Plan have addressed the non-compliance issues and that the issues have not recurred. If the non-compliance issues have recurred after the implementation of the corrective and preventive actions, the CAPA Plan should be revised and new actions should be implemented.

CAPA Plans created in response to internal or external audits/Quality Reviews should be submitted to RQA , who in turn will submit them to the IRB. 

It depends. CAPA Plans created in response to an internal Quality Review should not be shared with a Sponsor. CAPA Plans requested by the Sponsor or in response to Federal or other Governmental inspections, can be shared with the Sponsor of the particular study that was inspected, but only after the CAPA Plan has been reviewed by RQA and University leadership.

Part 11 is an abbreviated way of referring to FDA’s regulation on electronic records and electronic signatures, known as 21 CFR Part 11.

It applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements (predicate rules) set by the Agency (FDA). It also applies to electronic records submitted to the FDA (even if such records are not specified in the regulations).

Any FDA regulation that requires certain records to be maintained or submitted to the Agency. For example, 21 CFR 312 for Investigational New Drug (IND) Applications requires the following:

21 CFR 312.62(b) requires an investigator to maintain case histories that record all observations and other data pertinent to the investigation on each individual administered the investigational drug or employed as a control in the investigation.

If an investigator is maintaining the above records (case histories) in electronic format, then 21 CFR Part 11 applies to these records.

Records required to be maintained under predicate rules:

• Maintained in electronic format in place of paper
• Maintained in electronic format in addition to paper format and that are relied on to perform regulated research-related activities
• Records submitted to FDA in electronic format under predicate rules (even if such records are not specified in Agency regulations)

No, FDA does not intend to assess compliance of EMR systems with 21 CFR 11. However, FDA’s acceptance of data from clinical investigations for decision-making purposes depends on FDA’s ability to verify the quality and integrity of the data during FDA inspections.

Documented evidence that a computerized system performs its intended functions, reliably, and with consistent intended performance in its operating environment.

Much like conducting a research study, system validation begins with a plan (Validation Plan) that outlines the validation tasks and deliverables. A series of documents are created to document the system installation, system’s functions, end users’ requirements for the system, test scripts, as well as how each requirement will be tested to demonstrate that the system operates as intended. When the system is tested following the approved test scripts, each executed step is recorded and many screenshots are collected as evidence. In addition, a series of SOPs are created to describe topics such as: how to use the system, system maintenance, security, access management, back- up and recovery, among others. At the end of the validation effort, a Validation Summary Report is generated and the final outcome is described.

Typically, system validations are performed by Research Information Technology (IT) along with the end users of the system who execute User Acceptance Testing to demonstrate that the system operates as intended using the end users’ workflows and configurations.

A system can only be Part 11 compliant if it meets the control requirements set forth in 21 CFR Part 11 AND if it was validated in-house. This includes User Acceptance Testing by the end users to demonstrate that the system operates as intended using the end users’ workflows and configurations.

No. A system can only be Part 11 compliant if it meets the control requirements set forth in 21 CFR Part 11 AND if it was validated at the University for its intended use.

Yes. A system can only be Part 11 compliant if it meets the control requirements set forth in 21 CFR Part 11 AND if it was validated in-house for its intended use.

Contact Helen Miletic, Director of Research Quality Assurance at hmiletic@med.miami.edu

Electronic signatures that are intended to be the equivalent of handwritten signatures or initials required by predicate rules must be executed using a system that meets the control requirements set forth in 21 CFR Part 11 AND that system must be validated at the University for its intended use.

Electronic signatures that are intended to be the equivalent of handwritten signatures or initials required by predicate rules must be executed using a system that meets the control requirements set forth in 21 CFR Part 11 AND that system must be validated in-house for its intended use.

In addition, electronic signatures that are not based on biometrics (e.g. fingerprint) must use at least two identification components such as a username and password to ensure that each electronic signature is unique to one individual. The electronic signature must also be linked to the electronic record to ensure that the signature cannot be excised, copied, or otherwise transferred to falsify an electronic record.

The electronic signature manifestation must contain the following:

• Printed name of the signer
• Date and time when signature was executed
• Meaning of the signature (e.g. approval, review or authorship)

For more details on electronic signatures, refer to 21 CFR Part 11: Electronic Records; Electronic Signatures.

The only Adobe e-signature that has been validated at the University is Adobe Self Sign Using Digital ID. You can use this electronic signature in FDA-regulated research as it meets the control requirements set forth in 21 CFR Part 11 AND it has been validated at the University for this use. Refer to the University’s training module on ULearn, by searching the key words “Digital ID.”